FortiGate
Babitha_M (Staff)
Article Id 267337
Description This article describes what happens when an IP pool range and a DHCP server range overlap on a FortiGate.
Scope FortiGate.
Solution

An IP pool that is defined but not referenced by any firewall policy can still interfere with DHCP when the pool's range overlaps the DHCP server's range. The result is address conflicts and unpredictable behaviour on the network.

A DHCP server hands out addresses only from its configured range, the DHCP range. If an IP pool range overlaps that DHCP range, two problems can follow:

IP address conflicts: the DHCP server may lease an address that is already in use by another host on the network (for example, an address the FortiGate is using from the IP pool). The resulting duplicate address breaks connectivity for the hosts involved.

Failed lease assignment: with ARP reply enabled on the IP pool, the FortiGate answers the ping it sends to check whether a candidate address is free and therefore never hands out a lease. This is explained below.

For example (the original article shows two screenshots, image.png, of an IP pool and a DHCP server configured with overlapping ranges):

FortiOS accepts such a configuration without reporting an error, but the firewall can then misbehave. The exact behaviour depends on the FortiOS version, since the handling of IP pools changed in some releases.

With 'arp reply' enabled on the IP pool, the FortiGate treats every address in the pool range as its own. Before handing out a lease, the DHCP server pings the candidate address to verify that it is not already in use. Because the address falls inside the IP pool, the FortiGate answers its own ping, concludes that the address is taken, and never issues the lease.


This can be seen in the DHCP server debug, enabled with the following commands:

diagnose debug reset
diagnose debug application dhcps -1
diagnose debug enable

[screenshot: pinged before offer.PNG]

To disable the debug afterwards:

diagnose debug disable
diagnose debug reset


The following sniffer output shows the ping being answered:

[screenshot: sniffer.PNG]

As soon as ARP reply is disabled on the IP pool, the FortiGate can hand out a lease:

[screenshot: ippoll.PNG]

[screenshot: lease.PNG]

 

To avoid these issues, make sure the IP pool range and the DHCP range never overlap. Configure the DHCP range as a distinct set of addresses reserved for dynamic assignment, and define IP pools from separate address space so that they cannot interfere with it. Disabling ARP reply on the pool only removes the lease failure; the address conflict remains for as long as the ranges overlap.
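As an added example (not part of the original article, and not Fortinet code), the following Python script audits a FortiOS configuration dump for exactly this misconfiguration: it parses the `config firewall ippool` and `config system dhcp server` sections, and flags every IP pool whose address range intersects a DHCP `ip-range`, reporting a lease failure when `arp-reply` is enabled on the pool and an address conflict when it is disabled. The embedded configuration is constructed for illustration; the parser handles only the config/edit/set/next/end structure shown, and it assumes `arp-reply` is enabled whenever a pool does not list the setting.

```python
"""Find FortiGate IP pools that overlap DHCP server ranges (added example)."""
import ipaddress

# Constructed sample configuration: one overlapping pool with arp-reply left
# at its assumed default (enable), one overlapping pool with arp-reply
# disabled, and one pool outside the DHCP range.
SAMPLE_CONFIG = """\
config firewall ippool
    edit "pool-overlap"
        set type overload
        set startip 192.168.1.100
        set endip 192.168.1.150
    next
    edit "pool-overlap-noarp"
        set type overload
        set startip 192.168.1.160
        set endip 192.168.1.170
        set arp-reply disable
    next
    edit "pool-clean"
        set type overload
        set startip 192.168.1.240
        set endip 192.168.1.250
    next
end
config system dhcp server
    edit 1
        set interface "port2"
        set netmask 255.255.255.0
        set default-gateway 192.168.1.1
        config ip-range
            edit 1
                set start-ip 192.168.1.50
                set end-ip 192.168.1.200
            next
        end
    next
end
"""


def parse_fortios(text):
    """Parse a FortiOS config dump into nested dicts.

    Each 'config <path>' becomes a dict keyed by edit name; each 'edit' is a
    dict of 'set' values plus any nested config blocks. 'next' and 'end' pop
    one level. Lines starting with '#' and unknown keywords are ignored.
    """
    root = {}
    stack = [root]
    for raw in text.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        kw = parts[0]
        if kw == "config":
            stack.append(stack[-1].setdefault(" ".join(parts[1:]), {}))
        elif kw == "edit":
            stack.append(stack[-1].setdefault(" ".join(parts[1:]).strip('"'), {}))
        elif kw == "set":
            stack[-1][parts[1]] = " ".join(parts[2:]).strip('"')
        elif kw in ("next", "end"):
            stack.pop()
    return root


def _as_ints(start, end):
    """Return an inclusive (low, high) pair of integers for an IPv4 range."""
    return int(ipaddress.IPv4Address(start)), int(ipaddress.IPv4Address(end))


def find_overlaps(config_text):
    """Return (pool, dhcp_interface, arp_reply, verdict) for each IP pool whose
    range intersects a DHCP server ip-range."""
    cfg = parse_fortios(config_text)
    findings = []
    for pool_name, pool in cfg.get("firewall ippool", {}).items():
        if "startip" not in pool or "endip" not in pool:
            continue  # pool types without an explicit address range
        p_lo, p_hi = _as_ints(pool["startip"], pool["endip"])
        arp_reply = pool.get("arp-reply", "enable")  # assumed default: enable
        for srv_id, srv in cfg.get("system dhcp server", {}).items():
            for rng in srv.get("ip-range", {}).values():
                d_lo, d_hi = _as_ints(rng["start-ip"], rng["end-ip"])
                if max(p_lo, d_lo) <= min(p_hi, d_hi):  # inclusive overlap test
                    verdict = ("lease failure: FortiGate answers its own pre-offer ping"
                               if arp_reply == "enable"
                               else "address conflict: leases collide with pool addresses")
                    findings.append((pool_name, srv.get("interface", srv_id), arp_reply, verdict))
    return findings


if __name__ == "__main__":
    for finding in find_overlaps(SAMPLE_CONFIG):
        print("pool %-20s dhcp on %-6s arp-reply=%-8s %s" % finding)
```

Running it against the sample reports `pool-overlap` as a lease failure and `pool-overlap-noarp` as an address conflict, while `pool-clean` produces no finding. On a real device, feed it the text of `show firewall ippool` and `show system dhcp server`; a finding with `arp-reply=enable` matches the symptom in the debug output above, and any finding at all means the ranges need to be separated.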