New to Fortigate: DHCP question.

brandonbelew · ‎10-13-2017

Hello!

We are replacing our Juniper SRX220 with a Fortigate 600D in the next couple months. I'm playing with getting it setup but I ran into a hiccup. I'm new to FortiGate and describe my overall knowledge of firewalls as fair - i've used them for years but only really ever needed to touch them for the occasional firewall policy or once every 5 years or so replacing one.

Our firewall is accessed internally on the 172.16.0.0 network, all of our devices sit on various subnets in the 10.0.0.0 range.

When I create the interface on the LAN side of the 600D it gives me the option to set it as a DHCP server -- but it doesn't give me the option to add our 10. networks.

Anyone know of a way around that?

Will it let me just setup another interface set it with an IP in our 10.0.0.0/23 - enable DHCP and then add all of the different pools there and then dhcp-helper on our HP switches to point to that IP?

Thanks!

Andre_Machado_da_Sil · ‎10-13-2017

Brendon.

Do you have a topology ?

I think I ca help.

You cannot define two DHCP the same interface, but you can create a relay server. And other ways to overcome this issue.

OK ?
[cid:image002.png@01D27BE5.48C82850] http://www.amsinetworks.com

Andre Silva - andre@amsinetworks.com<mailto:andre@amsinetworks.com>
Direto: +55 (21) 3500 8100
RJ: +55 (21) 2223 6446 - SP: +55 (11) 2824 6114
Skype:andre_ams
US/CA: +1 (604) 500 2170
SIP/H323: 867322101@amsi.call.sl<mailto:867322101@amsi.call.sl>
[Click-to-Call me] https://portal.starleaf.com/webrtc?target=andre%40amsi.com.br

From: Brandon Belew via Firewall: [mailto:firewall@lists.fusecommunity.fortinet.com]
Sent: October 13, 2017 12:21 PM
To: firewall@lists.fusecommunity.fortinet.com
Subject: [Firewall:] - New to Fortigate: DHCP question.

Hello!

We are replacing our Juniper SRX220 with a Fortigate 600D in the next couple months. I'm playing with getting it setup but I ran into a hiccup. I'm new to FortiGate and describe my overall knowledge of firewalls as fair - i've used them for years but only really ever needed to touch them for the occasional firewall policy or once every 5 years or so replacing one.

Our firewall is accessed internally on the 172.16.0.0 network, all of our devices sit on various subnets in the 10.0.0.0 range.

When I create the interface on the LAN side of the 600D it gives me the option to set it as a DHCP server -- but it doesn't give me the option to add our 10. networks.

Anyone know of a way around that?

Will it let me just setup another interface set it with an IP in our 10.0.0.0/23 - enable DHCP and then add all of the different pools there and then dhcp-helper on our HP switches to point to that IP?

Thanks!

-----End Original Message-----

-- Andre Machado da Silva - AMS Informatica Tel (21) 2253 5976 - Fax (21) 2233 0561 Novo SITE: http://www.amsi.com.br

brandonbelew · ‎10-13-2017

Attaching a rough layout of our network. It's a tad outdated, a few things have changed. But basically the connection from our core switch to the firewall is on a seperate vlan - which puts the firewall internally on 172.16.0.2. Our internal network is all 10.0.0.0. I have vlans for each segment of the building for our wireless network, as well as vlans for our wired network.

Currently in our juniper I have all of our dhcp scopes setup in it and I just do an dhcp helper pointing back to 172.16.0.2.

Thanks!

Andre_Machado_da_Sil · ‎10-13-2017

Do you want DHCP for all VLAN ?

The port form Fortigate to Core is a vlan Trunk ? If yes, in this case, you have to create vlan’s sub-interfaces (with the same number) on the internal port and create a DHCP server for each VLAN.

Is the fortigate replacing the SRX220 or the lightspeed content filter ?

[cid:image002.png@01D27BE5.48C82850] http://www.amsinetworks.com

Andre Silva - andre@amsinetworks.com<mailto:andre@amsinetworks.com>
Direto: +55 (21) 3500 8100
RJ: +55 (21) 2223 6446 - SP: +55 (11) 2824 6114
Skype:andre_ams
US/CA: +1 (604) 500 2170
SIP/H323: 867322101@amsi.call.sl<mailto:867322101@amsi.call.sl>
[Click-to-Call me] https://portal.starleaf.com/webrtc?target=andre%40amsi.com.br

From: Brandon Belew via Firewall: [mailto:firewall@lists.fusecommunity.fortinet.com]
Sent: October 13, 2017 1:53 PM
To: firewall@lists.fusecommunity.fortinet.com
Subject: [Firewall:] - RE: New to Fortigate: DHCP question.

Attaching a rough layout of our network. It's a tad outdated, a few things have changed. But basically the connection from our core switch to the firewall is on a seperate vlan - which puts the firewall internally on 172.16.0.2. Our internal network is all 10.0.0.0. I have vlans for each segment of the building for our wireless network, as well as vlans for our wired network.

Currently in our juniper I have all of our dhcp scopes setup in it and I just do an dhcp helper pointing back to 172.16.0.2.

Thanks!

-----End Original Message-----

-- Andre Machado da Silva - AMS Informatica Tel (21) 2253 5976 - Fax (21) 2233 0561 Novo SITE: http://www.amsi.com.br

DrWolfgangBeneicke1 · ‎10-13-2017

hi,

I assume you have already set up the LAN port with a static address. You can now create a DHCP server which serves addresses from that subnet.

As DHCP relies on broadcasts, the server needs to have a port in the address space which he delivers. That is the case with all networking equipment.

On a FGT, you can define a secondary address on the LAN port. You are then able to create a DHCP server for a subrange of it's address space. Those servers need to be set up in the CLI:

config system dhcp server

edit 0 # this will be replaced by the next higher free number

set default-gw ...

config ip-range

set start a.b.c.d

set end a.b.c.e

end

Here you can specify DNS, lease duration, NTP server, options...whatever you need.

Actually, you can create a lot of secondary IP addresses to an interface. In your case, you would only need one, like 10.0.0.1/16, to be able to create DHCP servers for subnets 10.0.a.0/24 where a=0..254. The main point is, the FGT port must be able to pick up the broadcast DHCP request from the client.

No need for DHCP relaying - this would shift the work onto other devices. The FGT handles multiple DHCP servers easily.

New to Fortigate: DHCP question.

Nominate a Forum Post for Knowledge Article Creation

You are leaving our website