ivan_s
New Member
March 14, 2018
Solved

Separating fixed (reserved) and dynamic DHCP addresses


Hello,

We are migrating to FortiGate and I am trying to implement the common DHCP scenario which we use. We want to have reserved IP addresses for known clients, but assign a dedicated sub-range to unknown clients. E.g. on interface 192.168.1.0/24 we have reserved addresses for known clients in the lower half, 192.168.1.2-127. But for unknown clients I need DHCP to assign addresses higher than 128, e.g. 192.168.1.129. I have implemented this using various DHCP servers without problems in the past (even cheap routers).

I tried to set this up the way I used to on other devices, with a restricted DHCP range and reservations outside this range. But the GUI complains that the reserved address is out of the DHCP range. I have been searching the forum and it seems that FortiGate isn't able to fulfil this requirement. But I would like to confirm this before I start thinking about workarounds.

The main reason for this scenario is to preserve the simplicity of DHCP, but give unknown clients slightly more strict policies.

Thanks for any help.

FortiGate 200E fw: v5.6.3 build1547 (GA)
Best answer by ede_pfau

I think your workflow needs adjustment. The FGT is well able to fulfill your requirements.

You create a (large) range of addresses for DHCP assignment. Any client will get one of these if requesting.

Then, you exclude a (smaller) range for 'known hosts'. Now any client (known or unknown) will get only one of the remaining addresses, none of the excluded ones.

Now if you want to integrate a 'known' host you need to

1- reduce the exclude range by 1 address

2- combine this address with the MAC of the known host (that is, reserve it)

You can do this one host after the other (as hosts become 'known') or bulk via script for a whole bunch of known hosts.

The main thing is that both the exclude range and the range of reserved addresses need to lie completely within the DHCP address range, and you need to remove an address from the exclusion before you can reserve it.
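The procedure above (one large ip-range, an exclude-range covering the pool held for known hosts, then shrinking the exclusion by one address each time a host is reserved) is easy to get wrong by hand once there are dozens of hosts, which is the "bulk via script" case. The following script is an added example, not code from this thread or from Fortinet: it takes a list of known hosts, computes the exclude-range entries as the still-unreserved gaps of the known-host pool, refuses any reservation that falls outside the ip-range (the check the GUI complains about) or outside the known-host pool, and emits the FortiOS CLI in the syntax the other replies show. The subnet, gateway, interface name, host descriptions and MAC addresses are constructed for the 192.168.1.0/24 scenario in the question and are assumptions.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

IPv4 = ipaddress.IPv4Address
Range = Tuple[IPv4, IPv4]   # inclusive start/end, like FortiOS start-ip/end-ip
Host = Tuple[str, str]      # (mac, description)

# Constructed data for the scenario in the question; gateway, interface name,
# descriptions and MAC addresses are assumptions made for this example.
INTERFACE = "port1"
GATEWAY = IPv4("192.168.1.1")
NETMASK = "255.255.255.0"
DHCP_RANGE: Range = (IPv4("192.168.1.2"), IPv4("192.168.1.254"))  # one large ip-range
KNOWN_POOL: Range = (IPv4("192.168.1.2"), IPv4("192.168.1.127"))  # lower half, held for known hosts
KNOWN_HOSTS: Dict[str, Host] = {
    "192.168.1.2":  ("aa:bb:cc:dd:ee:11", "printer"),
    "192.168.1.10": ("aa:bb:cc:dd:ee:12", "badge-reader"),
    "192.168.1.11": ("aa:bb:cc:dd:ee:13", "nvr"),
}

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


def in_range(ip: IPv4, r: Range) -> bool:
    return r[0] <= ip <= r[1]


def validate_hosts(dhcp_range: Range, known_pool: Range,
                   hosts: Dict[str, Host]) -> Dict[IPv4, Host]:
    """Reject what the FortiGate GUI rejects (a reservation outside the ip-range)
    plus what this design forbids (a reservation outside the known-host pool,
    malformed or duplicate MACs). Returns the hosts keyed by IPv4Address."""
    seen_macs = set()
    checked: Dict[IPv4, Host] = {}
    for ip_str, (mac, desc) in hosts.items():
        ip = IPv4(ip_str)
        if not in_range(ip, dhcp_range):
            raise ValueError(f"{ip} lies outside the DHCP ip-range {dhcp_range[0]}-{dhcp_range[1]}")
        if not in_range(ip, known_pool):
            raise ValueError(f"{ip} lies outside the known-host pool {known_pool[0]}-{known_pool[1]}")
        mac = mac.lower()
        if not MAC_RE.match(mac):
            raise ValueError(f"malformed MAC {mac!r} for {ip}")
        if mac in seen_macs:
            raise ValueError(f"MAC {mac} reserved twice")
        seen_macs.add(mac)
        checked[ip] = (mac, desc)
    return checked


def exclude_ranges(known_pool: Range, reserved: List[IPv4]) -> List[Range]:
    """Split the known-host pool into the contiguous runs that are NOT reserved.
    Those runs become the exclude-range entries: unknown clients can never land
    in the pool, and every reserved address has already been removed from the
    exclusion, so the reservation is accepted."""
    taken = {int(ip) for ip in reserved}
    runs: List[Range] = []
    start = None
    for n in range(int(known_pool[0]), int(known_pool[1]) + 1):
        if n in taken:
            if start is not None:
                runs.append((IPv4(start), IPv4(n - 1)))
                start = None
        elif start is None:
            start = n
    if start is not None:
        runs.append((IPv4(start), known_pool[1]))
    return runs


def render_config(server_id: int, interface: str, gateway: IPv4, netmask: str,
                  dhcp_range: Range, excludes: List[Range],
                  hosts: Dict[IPv4, Host]) -> str:
    """Emit the FortiOS CLI. exclude-range is written before reserved-address on
    purpose: pasted into the CLI, the exclusion shrinks before reservations are added."""
    out = [
        "config system dhcp server",
        f"    edit {server_id}",
        f"        set default-gateway {gateway}",
        f"        set netmask {netmask}",
        f'        set interface "{interface}"',
        "        config ip-range",
        "            edit 1",
        f"                set start-ip {dhcp_range[0]}",
        f"                set end-ip {dhcp_range[1]}",
        "            next",
        "        end",
        "        config exclude-range",
    ]
    for i, (a, b) in enumerate(excludes, 1):
        out += [f"            edit {i}", f"                set start-ip {a}",
                f"                set end-ip {b}", "            next"]
    out += ["        end", "        config reserved-address"]
    for i, (ip, (mac, desc)) in enumerate(sorted(hosts.items()), 1):
        out += [f"            edit {i}", f"                set ip {ip}",
                f"                set mac {mac}", f'                set description "{desc}"',
                "            next"]
    out += ["        end", "    next", "end"]
    return "\n".join(out)


def build_config() -> str:
    hosts = validate_hosts(DHCP_RANGE, KNOWN_POOL, KNOWN_HOSTS)
    excludes = exclude_ranges(KNOWN_POOL, list(hosts))
    return render_config(1, INTERFACE, GATEWAY, NETMASK, DHCP_RANGE, excludes, hosts)


if __name__ == "__main__":
    print(build_config())
```

With the three constructed hosts the script emits two exclude-range entries, 192.168.1.3-192.168.1.9 and 192.168.1.12-192.168.1.127, and three reserved-address entries; everything above .127 stays open for unknown clients. The output is the complete target state of the server, so if you paste it over an existing configuration, stale exclude-range or reserved-address entries with higher IDs are not removed by it and need to be deleted separately.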

2 replies

Toshi_Esumi
SuperUser
March 14, 2018

FortiGate DHCP can segregate some devices from others and assign an IP from a sub-range of the entire range by exact match of the MAC address. If you know the MAC addresses of those devices you can define one IP for each within the reserved-address config. It doesn't seem to take any wildcard to match on only the OUI part and allocate an IP from a pool. Likely you have to separate them by VLAN and configure an access port at the port of your switch terminating each device's cable if they're wired.

ericli_FTNT
Staff
March 14, 2018

Hi ivan_s:

Here is a config sample of a reserved IP. For client1 (aa:bb:cc:dd:ee:11) a fixed IP will be assigned, and the same procedure applies to client2.

config system dhcp server
    edit 1
        set dns-service default
        set default-gateway 10.1.100.81
        set netmask 255.255.255.0
        set interface "port1"
        config ip-range
            edit 1
                set start-ip 10.1.100.1
                set end-ip 10.1.100.80
            next
            edit 2
                set start-ip 10.1.100.82
                set end-ip 10.1.100.254
            next
        end
        set timezone-option default
        config reserved-address
            edit 1
                set ip 10.1.100.171
                set mac aa:bb:cc:dd:ee:11
                set description "client1"
            next
            edit 2
                set ip 10.1.100.172
                set mac aa:bb:cc:dd:ee:12
                set description "client2"
            next
        end
    next
end

rwpatterson
New Member
March 14, 2018

What I believe he is asking is whether a DHCP range can be set up with an exclusion within it, so that a certain range will not be assigned even if free, as in M$ Windows and 'cheap routers'.

For example, DHCP lease range is 192.168.255.1-192.168.255.253.

192.168.255.1-192.168.255.150 is for open lease assignments

192.168.255.151-192.168.255.253 is held back for reserved current and future

I am not aware of this feature unless you "pre-stack" the reserved range with bogus MAC addresses so that the server will not give them out.

Toshi_Esumi
SuperUser
March 14, 2018

If that's the case, "exclude-range" should work like below:

config system dhcp server
    edit n
        set default-gateway 10.100.0.1
        set netmask 255.255.255.0
        set interface "xxx-interface"
        config ip-range
            edit 1
                set start-ip 10.100.0.2
                set end-ip 10.100.0.254
            next
        end
        config exclude-range
            edit 1
                set start-ip 10.100.0.100
                set end-ip 10.100.0.199
            next
        end
    next
end