Description
This article explains how to configure multiple DHCP IP pools on the same interface of a FortiGate acting as a DHCP server for DHCP relay servers.
The CLI must be used to set up this configuration because it is not possible to edit multiple pools on the same interface using the GUI.
Scope
FortiGate.
Solution
Network diagram
FortiGate DHCP Server Configuration
- Network Interfaces.
config system interface
edit "internal" <- Interface connected to the DHCP relay.
set vdom "root"
set ip 10.36.0.113 255.255.252.0
set allowaccess ping https ssh http telnet fgfm
set type physical
next
end
- DHCP
The CLI must be used to configure multiple DHCP pools on one interface as this cannot be done using the GUI.
config system dhcp server
edit 1 <- Pool 1 is in the 10.129 network.
set auto-configuration disable
set conflicted-ip-timeout 1800
set default-gateway 10.129.0.113
set dns-service specify
set domain ''
set status enable
set interface "internal"
config ip-range
edit 1
set end-ip 10.129.0.20
set start-ip 10.129.0.10
next
end
set lease-time 604800
set netmask 255.255.252.0
set next-server 0.0.0.0
set option1 0
set option2 0
set option3 0
set server-type regular
set vci-match disable
set wins-server1 0.0.0.0
set wins-server2 0.0.0.0
set dns-server1 0.0.0.0
set dns-server2 0.0.0.0
set dns-server3 0.0.0.0
next
edit 2 <- Pool 2 is in the 10.38 network.
set auto-configuration enable
set conflicted-ip-timeout 1800
set default-gateway 10.38.0.113
set dns-service specify
set domain ''
set status enable
set interface "internal"
config ip-range
edit 1
set end-ip 10.38.0.20
set start-ip 10.38.0.10
next
end
set lease-time 604800
set netmask 255.255.252.0
set next-server 0.0.0.0
set option1 0
set option2 0
set option3 0
set server-type regular
set vci-match disable
set wins-server1 0.0.0.0
set wins-server2 0.0.0.0
set dns-server1 0.0.0.0
set dns-server2 0.0.0.0
set dns-server3 0.0.0.0
next
end
- Routing:
These static routes let the DHCP server reach the DHCP relay interfaces that forwarded the request.
config router static
edit 2
set blackhole disable
set comment ''
set device "internal"
set distance 10
set dst 10.129.0.241 255.255.255.255
set dynamic-gateway disable
set gateway 10.36.0.241
set priority 0
set weight 0
next
edit 3
set blackhole disable
set comment ''
set device "internal"
set distance 10
set dst 10.38.0.241 255.255.255.255
set dynamic-gateway disable
set gateway 10.36.0.241
set priority 0
set weight 0
next
end
FortiGate DHCP Relay Configuration
- Network interfaces.
config system interface
edit "wan1" <- Interface connected to the DHCP server.
set vdom "root"
set dhcp-relay-ip "10.36.0.113"
set ip 10.36.0.241 255.255.252.0
set allowaccess ping https ssh http telnet
set type physical
next
edit "dmz" <- Interface in network 10.129 using DHCP relay.
set vdom "root"
set dhcp-relay-service enable
set dhcp-relay-ip "10.36.0.113"
set ip 10.129.0.241 255.255.252.0
set allowaccess ping https ssh http telnet
set type physical
next
edit "internal" <- Interface in network 10.38 using DHCP relay.
set vdom "root"
set dhcp-relay-service enable
set dhcp-relay-ip "10.36.0.113"
set ip 10.38.0.241 255.255.252.0
set allowaccess ping https ssh http telnet
set type physical
next
end
- Verification.
The PC is connected behind the DMZ interface of the DHCP relay FortiGate.
Debug the DHCP activity on the DHCP server.
diagnose debug application dhcps -1
FG50BH-3 # [warn]got an interrupt
[debug]calling handler[icmp]
[debug]calling handler[fallback]
[debug]calling handler[internal]
[debug]locate_network prhtype(1) pihtype(1)
[debug]find_lease(): leaving function WITHOUT a lease
[debug]htyp packet 1, htype hw_addr 224
[note]DHCPDISCOVER from 00:05:5d:01:84:e3 via 10.129.0.241(ethernet)
[note]there's no free leases in memory on subnet internal, try to allocate new one from range list
[debug]Start dumping IP address range:
[debug]IP Range from 10.129.0.11 to 10.129.0.20
[debug]found a new lease of ip 10.129.0.10
[debug]added ip 10.129.0.10 mac 00:05:5d:01:84:e3 in vd root
[note]reach value MSFT 5.0
[debug]packet length 292
[debug]op = 1 htype = 1 hlen = 6 hops = 1
[debug]xid = fb1566f5 secs = 0 flags = 80
[debug]ciaddr = 0.0.0.0
[debug]yiaddr = 0.0.0.0
[debug]siaddr = 0.0.0.0
[debug]giaddr = 10.129.0.241
[debug]chaddr = 00:05:5d:01:84:e3
[debug]filename =
[debug]server_name =
[debug] host-name = "mis-PC"
[debug] dhcp-message-type = 1
[debug] dhcp-parameter-request-list = 1,15,3,6,44,46,47,31,33,121,249,43
[debug] dhcp-class-identifier = "MSFT 5.0"
[debug] dhcp-client-identifier = 1:0:5:5d:1:84:e3
[debug] option-82 = 1:3:64:6d:7a
[debug]
The PC is connected behind the internal interface of the DHCP relay FortiGate.
Debug the DHCP activity on the DHCP server.
diagnose debug application dhcps -1
FG50BH-3 # [debug]calling handler[icmp]
[debug]calling handler[fallback]
[debug]calling handler[internal]
[debug]locate_network prhtype(1) pihtype(1)
[debug]find_lease(): packet contains preferred client IP, cip.s_addr is 10.38.0.10
[debug]search through all subnets to find an ip lease (10.38.0.10)
[debug]Start dumping IP address range:
[debug]IP Range from 10.38.0.11 to 10.38.0.20
[debug]found a new lease of ip 10.38.0.10
[debug]find_lease(): leaving function with lease set
[debug]find_lease(): the lease's IP is 10.38.0.10
[note]DHCPREQUEST for 10.38.0.10 from 00:05:5d:01:84:e3 via 10.38.0.241(ethernet)
[debug]added ip 10.38.0.10 mac 00:05:5d:01:84:e3 in vd root
[note]reach value MSFT 5.0
[debug]packet length 314
[debug]op = 1 htype = 1 hlen = 6 hops = 1
[debug]xid = 6c6f17b3 secs = 0 flags = 80
[debug]ciaddr = 0.0.0.0
[debug]yiaddr = 0.0.0.0
[debug]siaddr = 0.0.0.0
[debug]giaddr = 10.38.0.241
[debug]chaddr = 00:05:5d:01:84:e3
[debug]filename =
[debug]server_name =
[debug] host-name = "mis-PC"
[debug] dhcp-requested-address = 10.38.0.10
[debug] dhcp-message-type = 3
[debug] dhcp-parameter-request-list = 1,15,3,6,44,46,47,31,33,121,249,43
[debug] dhcp-class-identifier = "MSFT 5.0"
[debug] dhcp-client-identifier = 1:0:5:5d:1:84:e3
[debug] option-81 = 0:0:0:6d:69:73:2d:50:43
[debug] option-82 = 1:8:69:6e:74:65:72:6e:61:6c
[debug]
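Added example (not part of the original article and not Fortinet code): a Python check over the dhcps debug output shown above. It assumes standard DHCP relay behaviour, where the server serves the pool whose subnet contains giaddr, and it decodes option-82 sub-option 1 (the relay agent circuit ID, RFC 3046), which in these traces carries the name of the relay interface that received the client request. POOLS, SAMPLE and the function names are illustrative.

```python
import ipaddress
import re

# Pools copied from the article's "config system dhcp server": (start, end, netmask).
POOLS = {1: ("10.129.0.10", "10.129.0.20", "255.255.252.0"),
         2: ("10.38.0.10", "10.38.0.20", "255.255.252.0")}

# Lines trimmed from the article's first trace (PC behind the relay's dmz port).
SAMPLE = """[debug]found a new lease of ip 10.129.0.10
[debug]giaddr = 10.129.0.241
[debug] option-82 = 1:3:64:6d:7a"""

def decode_option82(value):
    """Split colon-separated hex bytes into {sub-option code: ASCII text}."""
    data = bytes(int(b, 16) for b in value.split(":"))
    subopts, i = {}, 0
    while i + 2 <= len(data):
        code, length = data[i], data[i + 1]
        body = data[i + 2:i + 2 + length]
        if len(body) != length:
            raise ValueError("truncated option-82 sub-option")
        subopts[code] = body.decode("ascii", "replace")
        i += 2 + length
    return subopts

def pool_for_giaddr(giaddr):
    """Return the id of the pool whose subnet contains the relay address."""
    addr = ipaddress.ip_address(giaddr)
    for pool_id, (start, _end, mask) in POOLS.items():
        if addr in ipaddress.ip_network(f"{start}/{mask}", strict=False):
            return pool_id
    return None

def check_trace(text):
    """Check that the lease in one dhcps trace came from the relay's pool."""
    giaddr = re.search(r"giaddr = (\S+)", text).group(1)
    lease = re.search(r"found a new lease of ip (\S+)", text).group(1)
    opt82 = re.search(r"option-82 = (\S+)", text)
    pool_id = pool_for_giaddr(giaddr)
    ok = False
    if pool_id is not None:
        start, end, _mask = POOLS[pool_id]
        ok = (ipaddress.ip_address(start) <= ipaddress.ip_address(lease)
              <= ipaddress.ip_address(end))
    # Sub-option 1 is the Agent Circuit ID; None if the relay sent no option 82.
    circuit = decode_option82(opt82.group(1)).get(1) if opt82 else None
    return {"giaddr": giaddr, "pool": pool_id, "lease": lease,
            "lease_in_pool": ok, "circuit_id": circuit}

if __name__ == "__main__":
    print(check_trace(SAMPLE))
```

A trace where pool is None or lease_in_pool is False means the request arrived through a relay address that no configured pool covers, or that the lease was taken from a different pool than the relay's subnet.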