fsaleh
Staff

Description

This article explains how to configure multiple DHCP IP pools on the same interface of a FortiGate acting as a DHCP server for DHCP relay servers.

The CLI must be used to set up this configuration because it is not possible to edit multiple pools on the same interface using the GUI.


Solution

Network diagram

[Network diagram image not reproduced (fgilloteau_FD33842_a_FD33842_diagram_DHCP.jpg): a DHCP server FortiGate on 10.36.0.0/22 and a second FortiGate acting as DHCP relay for the 10.129.0.0/22 and 10.38.0.0/22 networks.]
FortiGate DHCP Server Configuration

1. Network Interfaces
config system interface
   edit "internal" // Interface connected to the DHCP relay
      set vdom "root"
      set ip 10.36.0.113 255.255.252.0
      set allowaccess ping https ssh http telnet fgfm
      set type physical
   next
end
2. DHCP

The CLI must be used to configure multiple DHCP pools on one interface as this cannot be done using the GUI.

config system dhcp server
   edit 1 // Pool 1 is in the 10.129 network
      set auto-configuration disable
      set conflicted-ip-timeout 1800
      set default-gateway 10.129.0.113
      set dns-service specify
      set domain ''
      set enable enable
      set interface "internal"
      config ip-range
         edit 1
            set end-ip 10.129.0.20
            set start-ip 10.129.0.10
         next
      end
      set lease-time 604800
      set netmask 255.255.252.0
      set next-server 0.0.0.0
      set option1 0
      set option2 0
      set option3 0
      set server-type regular
      set vci-match disable
      set wins-server1 0.0.0.0
      set wins-server2 0.0.0.0
      set dns-server1 0.0.0.0
      set dns-server2 0.0.0.0
      set dns-server3 0.0.0.0
   next
   edit 2 // Pool 2 is in the 10.38 network
      set auto-configuration enable
      set conflicted-ip-timeout 1800
      set default-gateway 10.38.0.113
      set dns-service specify
      set domain ''
      set enable enable
      set interface "internal"
      config ip-range
         edit 1
            set end-ip 10.38.0.20
            set start-ip 10.38.0.10
         next
      end
      set lease-time 604800
      set netmask 255.255.252.0
      set next-server 0.0.0.0
      set option1 0
      set option2 0
      set option3 0
      set server-type regular
      set vci-match disable
      set wins-server1 0.0.0.0
      set wins-server2 0.0.0.0
      set dns-server1 0.0.0.0
      set dns-server2 0.0.0.0
      set dns-server3 0.0.0.0
   next
end

3. Routing

These static routes let the DHCP server reach the relay interface addresses (10.129.0.241 and 10.38.0.241) that forwarded the request, via the relay FortiGate's wan1 address 10.36.0.241 on the shared 10.36.0.0/22 segment. Without them the server has no route back to the relay address (giaddr) to which it must send its replies.

config router static
   edit 2 // Route back to the relay's dmz interface
      set blackhole disable
      set comment ''
      set device "internal"
      set distance 10
      set dst 10.129.0.241 255.255.255.255
      set dynamic-gateway disable
      set gateway 10.36.0.241
      set priority 0
      set weight 0
   next
   edit 3 // Route back to the relay's internal interface
      set blackhole disable
      set comment ''
      set device "internal"
      set distance 10
      set dst 10.38.0.241 255.255.255.255
      set dynamic-gateway disable
      set gateway 10.36.0.241
      set priority 0
      set weight 0
   next
end
FortiGate DHCP Relay Configuration

1. Network Interfaces
config system interface
    edit "wan1" // Interface connected to the DHCP server
        set vdom "root"
        set dhcp-relay-ip "10.36.0.113"
        set ip 10.36.0.241 255.255.252.0
        set allowaccess ping https ssh http telnet
        set type physical
    next
    edit "dmz" // Interface in network 10.129 using DHCP relay
        set vdom "root"
        set dhcp-relay-service enable
        set dhcp-relay-ip "10.36.0.113"
        set ip 10.129.0.241 255.255.252.0
        set allowaccess ping https ssh http telnet
        set type physical
    next
    edit "internal" // Interface in network 10.38 using DHCP relay
        set vdom "root"
        set dhcp-relay-service enable
        set dhcp-relay-ip "10.36.0.113"
        set ip 10.38.0.241 255.255.252.0
        set allowaccess ping https ssh http telnet
        set type physical
    next
end
2. Verification

PC connected behind the DMZ interface of the DHCP relay FortiGate.

Debug the DHCP activity on the DHCP server.

FG50BH-3 # diagnose debug application dhcps -1
FG50BH-3 # [warn]got an interrupt
[debug]calling handler[icmp]
[debug]calling handler[fallback]
[debug]calling handler[internal]
[debug]locate_network prhtype(1) pihtype(1)
[debug]find_lease(): leaving function WITHOUT a lease
[debug]htyp packet 1, htype hw_addr 224
[note]DHCPDISCOVER from 00:05:5d:01:84:e3 via 10.129.0.241(ethernet)
[note]there's no free leases in memory on subnet internal, try to allocate new one from range list
[debug]Start dumping IP address range:
[debug]IP Range from 10.129.0.11 to 10.129.0.20
[debug]found a new lease of ip 10.129.0.10
[debug]added ip 10.129.0.10 mac 00:05:5d:01:84:e3 in vd root
[note]reach value MSFT 5.0
[debug]packet length 292
[debug]op = 1 htype = 1 hlen = 6 hops = 1
[debug]xid = fb1566f5 secs = 0 flags = 80
[debug]ciaddr = 0.0.0.0
[debug]yiaddr = 0.0.0.0
[debug]siaddr = 0.0.0.0
[debug]giaddr = 10.129.0.241
[debug]chaddr = 00:05:5d:01:84:e3
[debug]filename =
[debug]server_name =
[debug] host-name = "mis-PC"
[debug] dhcp-message-type = 1
[debug] dhcp-parameter-request-list = 1,15,3,6,44,46,47,31,33,121,249,43
[debug] dhcp-class-identifier = "MSFT 5.0"
[debug] dhcp-client-identifier = 1:0:5:5d:1:84:e3
[debug] option-82 = 1:3:64:6d:7a
[debug]
PC connected behind the internal interface of the DHCP relay FortiGate.

Debug the DHCP activity on the DHCP server.

FG50BH-3 # diagnose debug application dhcps -1
FG50BH-3 # [debug]calling handler[icmp]
[debug]calling handler[fallback]
[debug]calling handler[internal]
[debug]locate_network prhtype(1) pihtype(1)
[debug]find_lease(): packet contains preferred client IP, cip.s_addr is 10.38.0.10
[debug]search through all subnets to find an ip lease (10.38.0.10)
[debug]Start dumping IP address range:
[debug]IP Range from 10.38.0.11 to 10.38.0.20
[debug]found a new lease of ip 10.38.0.10
[debug]find_lease(): leaving function with lease set
[debug]find_lease(): the lease's IP is 10.38.0.10
[note]DHCPREQUEST for 10.38.0.10 from 00:05:5d:01:84:e3 via 10.38.0.241(ethernet)
[debug]added ip 10.38.0.10 mac 00:05:5d:01:84:e3 in vd root
[note]reach value MSFT 5.0
[debug]packet length 314
[debug]op = 1 htype = 1 hlen = 6 hops = 1
[debug]xid = 6c6f17b3 secs = 0 flags = 80
[debug]ciaddr = 0.0.0.0
[debug]yiaddr = 0.0.0.0
[debug]siaddr = 0.0.0.0
[debug]giaddr = 10.38.0.241
[debug]chaddr = 00:05:5d:01:84:e3
[debug]filename =
[debug]server_name =
[debug] host-name = "mis-PC"
[debug] dhcp-requested-address = 10.38.0.10
[debug] dhcp-message-type = 3
[debug] dhcp-parameter-request-list = 1,15,3,6,44,46,47,31,33,121,249,43
[debug] dhcp-class-identifier = "MSFT 5.0"
[debug] dhcp-client-identifier = 1:0:5:5d:1:84:e3
[debug] option-81 = 0:0:0:6d:69:73:2d:50:43
[debug] option-82 = 1:8:69:6e:74:65:72:6e:61:6c
[debug]
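To read the two dumps above, here is an added Python example (not code from the article or from Fortinet): it decodes the option-82 hex bytes the debug prints and works out which pool a relayed request matches from its giaddr. The pool definitions are the two pools configured above; the dump excerpt is constructed from the first debug session.

```python
import ipaddress
import re

# Pool 1 and pool 2 exactly as configured on the DHCP server FortiGate above:
# (start-ip, end-ip, netmask).
POOLS = {
    1: ("10.129.0.10", "10.129.0.20", "255.255.252.0"),
    2: ("10.38.0.10", "10.38.0.20", "255.255.252.0"),
}

# Constructed excerpt of the first 'diagnose debug application dhcps -1' session.
DEBUG_DUMP = """\
[note]DHCPDISCOVER from 00:05:5d:01:84:e3 via 10.129.0.241(ethernet)
[debug]giaddr = 10.129.0.241
[debug] dhcp-message-type = 1
[debug] option-82 = 1:3:64:6d:7a
"""

def select_pool(giaddr, pools=POOLS):
    """Return the id of the pool whose subnet contains the relay address.
    A relayed request is matched on giaddr (RFC 2131), not on the interface it
    arrived on, which is why both pools can be bound to 'internal'."""
    addr = ipaddress.ip_address(giaddr)
    for pool_id, (start, _end, mask) in pools.items():
        if addr in ipaddress.ip_network(f"{start}/{mask}", strict=False):
            return pool_id
    return None

def decode_option82(value):
    """Decode the colon-separated hex bytes shown for option 82 into
    {sub-option code: payload}; sub-option 1 (circuit ID) holds the relay port name."""
    data = bytes(int(b, 16) for b in value.split(":"))
    subopts, i = {}, 0
    while i < len(data):
        if i + 2 > len(data) or i + 2 + data[i + 1] > len(data):
            raise ValueError("truncated option 82 sub-option")
        code, length = data[i], data[i + 1]
        subopts[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    return subopts

def explain(dump):
    """Summarise which pool served a relayed request and which relay port sent it."""
    giaddr = re.search(r"giaddr = (\S+)", dump).group(1)
    opt82 = re.search(r"option-82 = (\S+)", dump)
    circuit = decode_option82(opt82.group(1)).get(1, b"") if opt82 else b""
    return {"giaddr": giaddr, "pool": select_pool(giaddr),
            "circuit_id": circuit.decode("ascii", "replace")}

print(explain(DEBUG_DUMP))  # {'giaddr': '10.129.0.241', 'pool': 1, 'circuit_id': 'dmz'}
```

The second dump decodes the same way: giaddr 10.38.0.241 selects pool 2 and its circuit ID bytes spell "internal".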