FortiGate
princes
Staff
Article Id 370804
Description This article explains how to verify that the FortiGate firewall adds the correct relay agent information (DHCP option 82) while forwarding DHCP requests to a DHCP server on another network.
Scope FortiGate.
Solution

Some LAN networks obtain their IP addresses from a DHCP server that sits behind the FortiGate, on a different subnet from the clients.

In such a scenario, the FortiGate acts as a DHCP relay and must insert DHCP option 82 (relay agent information) while forwarding the DHCP requests to the correct server.

[Figure: DHCP_Lab.png, lab topology]

In the lab setup above, the PC tries to obtain an IP address from the DHCP server connected behind the FortiGate.

The PC sends a DHCP Discover message, which arrives on FortiGate interface port5. Since the firewall is configured as a DHCP relay, it must add information to the request so that the server's reply can be delivered back to the correct interface.

 

DHCP relay uses the option 82 field, which carries the relay agent information. In this case it identifies port5, since the request was received on the internal interface port5.

[Figure: DHCP_Relay (1).png, capture of the relayed request]

In the attached PCAP file it is possible to see that the FortiGate inserted the relay agent information as option 82. This should also be confirmed with the dhcprelay debug:

 

Lab_FG1 # diagnose debug application dhcprelay -1
Debug messages will be on for 30 minutes.

Lab_FG1 # diagnose debug enable

Lab_FG1 # (xid:818d98b4) received request message from 0.0.0.0:68 to 255.255.255.255 at Port5
(xid:818d98b4) got a DHCPDISCOVER
(xid:818d98b4) Warning! can't get server id from client message
Insert option(82), len(11)
found route to 172.26.3.245 via 10.10.20.10 iif=11 oif=10, mode=auto, ifname=
(xid:818d98b4) forwarding dhcp request from 172.16.58.1:67 to 172.26.3.245:67

 

The debug output above shows that option 82 was inserted and that the packet was routed out to the DHCP server 172.26.3.245.

Both the PCAP file and the debug output should show DHCP option 82 added before the request is forwarded to the DHCP server.

Since the DHCP client is not in the same LAN subnet as the DHCP server, it is important to configure an additional IP address pool on the DHCP server for the LAN (port5) subnet to which the DHCP client belongs; otherwise the server has no scope from which to answer the relayed request.

 

Related article

Troubleshooting Tip: DHCP relay issue