tanr
Valued Contributor II

DHCP Option 43 on FortiGate for 3rd Party Vendor Details?

Anybody successfully set up Additional DHCP Option 43 (config sys dhcp server > config options) to map a url to IP for a third party vendor?

 

I'm trying to make setting up some Ubiquiti (UniFi) devices behind a FortiGate somewhat simpler, by providing info in DHCP Option 43 to point the UniFi devices to the UniFi controller (which is not on the same subnet).

 

Per the UniFi docs, I could do this by having DHCP Option 43 look like the following Linux example pulled from their docs:

 

# ...
option space ubnt;
option ubnt.unifi-address code 1 = ip-address;

class "ubnt" {
    match if substring (option vendor-class-identifier, 0, 4) = "ubnt";
    option vendor-class-identifier "ubnt";
    vendor-option-space ubnt;
}

subnet 10.10.10.0 netmask 255.255.255.0 {
    range 10.10.10.100 10.10.10.160;
    option ubnt.unifi-address 201.10.7.31;   ### Unifi Controller IP ###
    option routers 10.10.10.2;
    option broadcast-address 10.10.10.255;
    option domain-name-servers 168.95.1.1, 8.8.8.8;
    # ...
}

 

From what I've been able to see of the DHCP Option the FortiGate exposes, I probably can't do this without a separate DNS server.  Thought I'd check, though, since otherwise I'll have to SSH to each device and point it manually.

 

Another option is to map the hostname "unifi" through DNS, but I don't believe I can do that with the FortiGate either, as it requires a domain to be specified and the UniFi gear needs it without a domain.

1 Solution
xBytez
New Contributor

Hiya,

 

I ran into the same issue as you and I just got this working using the following settings with a UniFi AP AC Pro:

 

The hex value is built this way:

01: suboption
04: length of the payload (4 bytes)
c0a80001: 192.168.0.1 in hex

You can convert your IP-address to hex with this tool: http://www.ipaddresslocation.org/convertip.php

 

I found this on the UBNT forums: https://community.ubnt.com/t5/UniFi-Wireless/Mikrotik-DHCP-option-43-How-to/m-p/259954#M13526

 

Hope this was any help. :)


Dave_Hall
Honored Contributor

See KB#FD40183, which is a similar option 43 setup for FortiWLC AP devices, but I am assuming it should work similarly.

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C

tanr
Valued Contributor II

Thanks Dave.  Looks like UniFi devices want sub-option 1, so specifying a hex value of:

 

01040A0B0C0D where 01 specifies the sub-option, 04 specifies number of bytes for the data, and 0A0B0C0D is the IP in hex might do it.  Hope to test it Wednesday.

 

There's still the catch that the FortiGate can't reply with this Option 43 data based on vendor ID, so it will be sending this out to anything asking for DHCP on this interface.  Luckily it's separate from the hosts, so should be fine.

 

Will let people know if it works.

tanr
Valued Contributor II

And... this is actually trickier, if http://blog.schertz.name/2012/05/understanding-dhcp-option-43/ is correct, since the KB article uses a non-standard way to specify IPs.

 

Hex value as transmitted should be something like 2B0601040A0B0C0D (2B specifies option 43, 06 is total number of bytes in the following data) but that depends on if the FortiGate adds more of its own values to this which would change the length.  Time for packet traces and wireshark.  Tomorrow.
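As an added example (my own code, not from any poster in this thread or from Fortinet or Ubiquiti), the Python below builds the sub-option 1 TLV for a controller address (the 0104... value entered in the FortiGate hex field), wraps it in the outer option 43 TLV (the 2B06... form you would see in a packet trace), and parses a captured option 43 back into the controller IP, rejecting truncated or mismatched lengths. The IP addresses used are constructed sample values.

```python
import ipaddress

OPTION_43 = 43        # DHCP option code: vendor-specific information
UNIFI_SUBOPTION = 1   # sub-option UniFi devices read the controller address from


def unifi_suboption(controller_ip):
    """Sub-option TLV: code 1, length 4, IPv4 address bytes.

    This is the value entered into the FortiGate hex field; the FortiGate
    supplies the outer option code and length itself.
    """
    payload = ipaddress.IPv4Address(controller_ip).packed
    return bytes([UNIFI_SUBOPTION, len(payload)]) + payload


def option43_on_wire(suboptions):
    """Outer option 43 TLV as transmitted: 0x2B, total length, sub-options."""
    if len(suboptions) > 255:
        raise ValueError("option 43 data exceeds 255 bytes")
    return bytes([OPTION_43, len(suboptions)]) + suboptions


def parse_suboptions(data):
    """Parse code/length/value sub-options; refuse anything truncated."""
    out = {}
    i = 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated sub-option header at offset %d" % i)
        code, length = data[i], data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("sub-option %d claims %d bytes, only %d present"
                             % (code, length, len(value)))
        out[code] = value
        i += 2 + length
    return out


def controller_from_option43(wire):
    """Given a captured option 43 TLV, return the UniFi controller IP as text."""
    if len(wire) < 2 or wire[0] != OPTION_43:
        raise ValueError("not an option 43 TLV")
    body = wire[2:]
    if len(body) != wire[1]:
        raise ValueError("option 43 length byte does not match data length")
    subs = parse_suboptions(body)
    addr = subs.get(UNIFI_SUBOPTION)
    if addr is None or len(addr) != 4:
        raise ValueError("sub-option 1 missing or not a 4-byte IPv4 address")
    return str(ipaddress.IPv4Address(addr))


if __name__ == "__main__":
    # Constructed sample controller address, not a real deployment value.
    sub = unifi_suboption("10.11.12.13")
    print("FortiGate hex value :", sub.hex())                    # 01040a0b0c0d
    wire = option43_on_wire(sub)
    print("on-wire option 43   :", wire.hex())                   # 2b0601040a0b0c0d
    print("decoded controller  :", controller_from_option43(wire))
```

Comparing the hex of a captured option 43 against option43_on_wire() is a quick way to confirm whether the FortiGate adds the outer code and length itself or expects them in the configured value.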

 


tanr
Valued Contributor II

Thanks @xBytez!  That matches what I'm planning to test today.  Odd thing is that it's totally different than Fortinet's KB on using Option 43, which shows setting the hex value from the CLI to include 2B (43 decimal) as the first byte.

Toshi_Esumi
Esteemed Contributor

That's true. With older versions, we couldn't configure IP or ASCII, and the only option for those was HEX. In those cases, we never needed to configure the option code itself in the hex value, like option 66, 150, etc.

tanr
Valued Contributor II

Was able to test this, and it does work setting the hex value to 0104IPIPIPIP as @xBytez specified.  The Unifi devices pick up the IP and properly connect to the UniFi controller in the other subnet.

 

Still wish that the FortiGate supported setting the vendor for Option 43, as this is supposed to be a value just for a specific vendor.

ddskier

Alternatively you could also set a "DNS" record of "Unifi" to point to your controller server.

-DDSkier FCNSA, FCNSP FortiGate 400D, (2) 200D, (12) 100D, (2) 60D

tanr
Valued Contributor II

Since this is a small installation the FortiGate is the DNS server.  As far as I know it only allows me to set names with a specific domain, and it requires a domain name.  So I get unifi.mycompany.local or similar, and the nslookup won't resolve just unifi by itself.  If you're aware of a way to map a local name without the domain let me know.