Cybersecurity Forum


brandonbelew
New Contributor

New to Fortigate: DHCP question.

Hello! 

We are replacing our Juniper SRX220 with a Fortigate 600D in the next couple months. I'm playing with getting it set up but I ran into a hiccup. I'm new to FortiGate and would describe my overall knowledge of firewalls as fair - I've used them for years but only really ever needed to touch them for the occasional firewall policy or once every 5 years or so replacing one.

Our firewall is accessed internally on the 172.16.0.0 network; all of our devices sit on various subnets in the 10.0.0.0 range.

When I create the interface on the LAN side of the 600D it gives me the option to set it as a DHCP server -- but it doesn't give me the option to add our 10. networks.  

Anyone know of a way around that?   

Will it let me just set up another interface, set it with an IP in our 10.0.0.0/23, enable DHCP and then add all of the different pools there, and then use dhcp-helper on our HP switches to point to that IP?

Thanks!

Andre_Machado_da_Sil
New Contributor

Brandon,

Do you have a topology?

I think I can help.

You cannot define two DHCP servers on the same interface, but you can create a relay server. There are other ways to overcome this issue as well.

OK?
brandonbelew

Attaching a rough layout of our network. It's a tad outdated, a few things have changed. But basically the connection from our core switch to the firewall is on a separate VLAN - which puts the firewall internally on 172.16.0.2. Our internal network is all 10.0.0.0. I have VLANs for each segment of the building for our wireless network, as well as VLANs for our wired network.

Currently in our Juniper I have all of our DHCP scopes set up in it and I just do a DHCP helper pointing back to 172.16.0.2.

Thanks!

Andre_Machado_da_Sil

Do you want DHCP for all VLANs?

Is the port from the FortiGate to the core a VLAN trunk? If yes, in this case you have to create VLAN sub-interfaces (with the same number) on the internal port and create a DHCP server for each VLAN.

Is the FortiGate replacing the SRX220 or the Lightspeed content filter?

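The per-VLAN layout Andre describes, as an added example that is not from the thread or from Fortinet's documentation: it assumes the core-switch trunk lands on port1, that VLAN ids 10 (wired) and 20 (wireless) are the switch tags, and uses constructed 10.0.10.0/24 and 10.0.20.0/24 subnets.

```fortios
# Added example (not from the thread). Assumptions: the core-switch trunk
# terminates on port1; VLAN ids 10 and 20 and the 10.0.10.0/24 and
# 10.0.20.0/24 subnets are constructed for illustration.
config system interface
    edit "vlan10"
        set vdom "root"
        set interface "port1"        # parent port carrying the trunk
        set vlanid 10                # must match the switch VLAN tag
        set ip 10.0.10.1 255.255.255.0
        set allowaccess ping
    next
    edit "vlan20"
        set vdom "root"
        set interface "port1"
        set vlanid 20
        set ip 10.0.20.1 255.255.255.0
        set allowaccess ping
    next
end

# One DHCP server per VLAN sub-interface: the FortiGate answers the
# broadcasts it hears on that sub-interface, so no helper is needed.
config system dhcp server
    edit 0                           # 0 = take the next free id
        set interface "vlan10"
        set default-gateway 10.0.10.1
        set netmask 255.255.255.0
        set dns-service default      # hand out the FortiGate's own DNS servers
        config ip-range
            edit 1
                set start-ip 10.0.10.100
                set end-ip 10.0.10.199
            next
        end
    next
    edit 0
        set interface "vlan20"
        set default-gateway 10.0.20.1
        set netmask 255.255.255.0
        set dns-service default
        config ip-range
            edit 1
                set start-ip 10.0.20.100
                set end-ip 10.0.20.199
            next
        end
    next
end
```

DHCP is served on the sub-interface without a firewall policy, but traffic between vlan10, vlan20 and the rest of the network still needs explicit policies before it passes.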
DrWolfgangBeneicke1
New Contributor III

hi,

I assume you have already set up the LAN port with a static address. You can now create a DHCP server which serves addresses from that subnet.

As DHCP relies on broadcasts, the server needs to have a port in the address space which it delivers. That is the case with all networking equipment.

On a FGT, you can define a secondary address on the LAN port. You are then able to create a DHCP server for a subrange of its address space. Those servers need to be set up in the CLI:

config system dhcp server
    edit 0   # this will be replaced by the next higher free number
        set interface "internal"   # the port that hears the clients' broadcasts
        set default-gateway ...
        set netmask 255.255.255.0
        config ip-range
            edit 1
                set start-ip a.b.c.d
                set end-ip a.b.c.e
            next
        end
    next
end

Here you can specify DNS, lease duration, NTP server, options...whatever you need.

Actually, you can create a lot of secondary IP addresses on an interface. In your case, you would only need one, like 10.0.0.1/16, to be able to create DHCP servers for subnets 10.0.a.0/24 where a=0..254. The main point is, the FGT port must be able to pick up the broadcast DHCP request from the client.

No need for DHCP relaying - this would shift the work onto other devices. The FGT handles multiple DHCP servers easily.
