welnaggar
Staff
Description
This article describes how to push static routes from the FortiGate DHCP server using DHCP Option 121 (RFC 3442).

Solution
DHCP Option 121 uses a hexadecimal representation of decimal values.
It is compatible with all Windows machines except XP and Server 2003.
Linux also accepts routes learned via DHCP Option 121.

In DHCP Option 121, each route is defined by three fields:

1) The Subnet mask in CIDR notation.
2) Destination subnet.
3) Next hop.

These fields are represented as concatenated hexadecimal values. Only the significant octets of the destination subnet are encoded (one octet for /8, two for /16, three for /24).
Assume three routes are to be pushed to a Windows 7 DHCP client:

1st route.
10.0.0.0/8 with gateway 192.168.2.1
Hex values: /8=08, 10.0.0.0=0A, 192.168.2.1=C0A80201
Final value: 080AC0A80201

2nd route.
172.16.0.0/16 with gateway 192.168.2.1
Hex values: /16=10, 172.16.0.0=AC10, 192.168.2.1=C0A80201
Final value: 10AC10C0A80201

3rd route.
192.168.15.0/24 with gateway 192.168.2.1
Hex values: /24=18, 192.168.15.0=C0A80F, 192.168.2.1=C0A80201
Final value: 18C0A80FC0A80201
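
The encoding above as a small Python helper. This is an added example, not part of the original article or any Fortinet code, and the function names encode_option121 and decode_option121 are assumptions. It builds the hex value for the three routes and decodes an existing value so the routes carried by a configured option can be reviewed.

```python
import ipaddress

def encode_option121(routes):
    """Encode (destination CIDR, gateway) pairs as an RFC 3442 hex string."""
    out = bytearray()
    for cidr, gateway in routes:
        net = ipaddress.IPv4Network(cidr)        # raises if host bits are set
        significant = (net.prefixlen + 7) // 8   # destination octets actually sent
        out.append(net.prefixlen)                # 1) mask width
        out += net.network_address.packed[:significant]  # 2) destination
        out += ipaddress.IPv4Address(gateway).packed      # 3) next hop
    return out.hex().upper()

def decode_option121(hex_value):
    """Decode an Option 121 hex string back into (CIDR, gateway) pairs."""
    data = bytes.fromhex(hex_value)
    routes, i = [], 0
    while i < len(data):
        width = data[i]
        if width > 32:
            raise ValueError(f"invalid mask width {width} at byte {i}")
        significant = (width + 7) // 8
        end = i + 1 + significant + 4
        if end > len(data):
            raise ValueError(f"truncated route starting at byte {i}")
        # Pad the significant octets back to a full 4-byte address.
        dest = data[i + 1:i + 1 + significant] + bytes(4 - significant)
        net = ipaddress.IPv4Network(f"{ipaddress.IPv4Address(dest)}/{width}")
        gateway = ipaddress.IPv4Address(data[end - 4:end])
        routes.append((str(net), str(gateway)))
        i = end
    return routes

# The three routes used in this article.
ARTICLE_ROUTES = [
    ("10.0.0.0/8", "192.168.2.1"),
    ("172.16.0.0/16", "192.168.2.1"),
    ("192.168.15.0/24", "192.168.2.1"),
]

if __name__ == "__main__":
    value = encode_option121(ARTICLE_ROUTES)
    print(value)
    for cidr, gateway in decode_option121(value):
        print(f"{cidr} via {gateway}")
```

Decoding the value already set on a DHCP server before changing it shows exactly which routes clients are being given.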

On FortiGate, DHCP Options can be configured from the GUI or CLI.

From GUI.

Go to Network -> Interfaces -> Edit Interface -> Advanced -> Create new 'DHCP option' -> under 'Option code', specify Hexadecimal and 121, then add the hexadecimal values of the three routes without spaces: 080AC0A8020110AC10C0A8020118C0A80FC0A80201.





From the CLI.
config system dhcp server
    edit 1
        config options
            edit 1
                set code 121
                set type hex
                set value "080AC0A8020110AC10C0A8020118C0A80FC0A80201"
            next
        end
    next
end
Finally, the three routes appear in the routing table of the Windows machine after renewing the IP configuration using the following command:
C:\users\fortinet>ipconfig/renew
Here is the final result when listing the routing table using the route print command:
C:\users\fortinet>route print


