FortiGate
athirat
Staff
Article Id 322231
Description

This article describes how to fix a DHCP relay setup that stops working after an upgrade to FortiOS v7.0.1 or later when local-in policies are in use.

Scope

FortiOS v7.0.1 and later.

Solution

After upgrading a FortiGate that acts as a DHCP relay agent to v7.0.1 or later, DHCP Discover packets from clients are dropped. The relay is enabled on the client-facing interface, port1 in this example:

config system interface
    edit "port1"
        set vdom "root"
        set dhcp-relay-service enable
        set ip 10.1.1.1 255.255.255.224
        set allowaccess ping
        set description "LAN"
        set snmp-index 119
        set dhcp-relay-ip "10.2.1.1"
    next
end

A packet sniffer on UDP port 67 confirms that the client broadcasts reach port1 (verbosity 4, count 0 for unlimited, a for absolute timestamps):

diag sniffer packet any "port 67" 4 0 a
2023-07-19 08:33:04.987276 port1 in 0.0.0.0.68 -> 255.255.255.255.67: udp 300
2023-07-19 08:33:20.986618 port1 in 0.0.0.0.68 -> 255.255.255.255.67: udp 300
2023-07-19 08:35:03.610983 port1 in 0.0.0.0.68 -> 255.255.255.255.67: udp 300
2023-07-19 08:35:07.605345 port1 in 0.0.0.0.68 -> 255.255.255.255.67: udp 300

The flow trace shows the same packets being dropped by local-in policy 4:

2023-07-19 11:50:16 id=20085 trace_id=1045 func=print_pkt_detail line=5844 msg="vd-root:0 received a packet(proto=17, 0.0.0.0:68->255.255.255.255:67) tun_id=0.0.0.0 from port1. "
2023-07-19 11:50:16 id=20085 trace_id=1045 func=init_ip_session_common line=6023 msg="allocate a new session-0060f9a7, tun_id=0.0.0.0"
2023-07-19 11:50:16 id=20085 trace_id=1045 func=vf_ip_route_input_common line=2605 msg="find a route: flag=90000000 gw-255.255.255.255 via root"
2023-07-19 11:50:16 id=20085 trace_id=1045 func=fw_local_in_handler line=500 msg="iprope_in_check() check failed on policy 4, drop"

This happens because from v7.0.1 onwards the DHCP relay daemon listens on a Layer 3 socket, so incoming DHCP Discover packets are checked against the local-in policies. Here the catch-all policy, ID 4, matches and drops them:

config firewall local-in-policy
    ...
    edit 4
        set intf "any"
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL"
        set schedule "always"
    next
end

Policy 4 is a deny-all policy: the action of a local-in policy defaults to deny, so the show output omits it. When such a policy is configured, a local-in policy that accepts UDP destination port 67 on the relay interface must be placed above it, as below. The predefined DHCP service covers UDP ports 67 and 68:

config firewall local-in-policy
    ...
    edit 5
        set intf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set service "DHCP"
        set schedule "always"
    next
    edit 4
        set intf "any"
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL"
        set schedule "always"
    next
end
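The complete procedure as one CLI session, added here as an example and not part of the original article: filter the flow trace to UDP port 67, confirm which local-in policy drops the Discover, create the accept policy, move it above the deny-all policy (a policy created after the deny-all is appended below it until it is moved), then re-run the trace. Policy IDs 4 and 5 and interface port1 follow the article; the lines starting with "#" are annotations for the reader, not CLI input.

```text
# 1. Trace only DHCP traffic handled by the relay: proto 17 is UDP, port 67 is
#    the server port the Discover is sent to. function-name and iprope output
#    show which local-in policy makes the decision.
diagnose debug flow filter clear
diagnose debug flow filter proto 17
diagnose debug flow filter port 67
diagnose debug flow show function-name enable
diagnose debug flow show iprope enable
diagnose debug enable
diagnose debug flow trace start 10
#    Before the fix, the trace for each Discover ends with:
#    func=fw_local_in_handler ... msg="iprope_in_check() check failed on policy 4, drop"
diagnose debug flow trace stop

# 2. Accept the DHCP service on the client-facing interface only, and move the
#    new entry above the deny-all policy. A newly created policy is appended
#    after the existing ones, so without the move it is never evaluated.
config firewall local-in-policy
    edit 5
        set intf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set service "DHCP"
        set schedule "always"
    next
    move 5 before 4
end

# 3. Check the order: policy 5 must be listed before policy 4.
show firewall local-in-policy

# 4. Re-run the trace. The "check failed on policy 4, drop" line must no longer
#    appear for the 0.0.0.0:68 -> 255.255.255.255:67 packets.
diagnose debug flow trace start 10
diagnose debug flow trace stop
diagnose debug disable
diagnose debug flow filter clear
```

The accept policy is bound to port1 rather than any so that the deny-all policy keeps covering every other interface. Because that deny-all policy matches intf any, the DHCP server's replies to the relay on UDP port 67, which arrive on the server-facing interface, pass through the same local-in check; confirm them with the same filtered trace before closing the case.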