DHCP Relay configuration (FGT 60C, fw 5.2.1)

comas17 · ‎12-03-2014

Hi all

I have a FGT60C in our remote office and I need to configure a DHCP relay so our VOIP telephones can connect to their DHCP server, installed on our headquarter (HQ and remote office will be connected using a site to site VPN with a FGT60C and a FGT60D)

I found these instructions on the FortiOS handbook

To configure DHCP relay on a FortiGate interface

1. Go to System > Network > Interfaces and select the interface that you want to relay DHCP. 2. Under DHCP Server, select Enable and create a new DHCP Address Range and Netmask. 3. Open the Advanced... menu and select Relay for the Mode option. 4. For the Type, select IPsec. 5. Select OK. but in my FGT60C (firmware 5.2.1) I cannot find the "advanced" menu or the "Type" in my internal interface settings; if I enable the DHCP Server I can only define the starting IP and the end IP Whan am I missing ? Thank you

ede_pfau · ‎12-04-2014

hi,

first you have to enable the 'Advanced...' option in the CLI:

config system global

set gui-dhcp-advanced enable

endIf you enter the 'Interface' menu now you will see the 'Advanced' link right below the 'DNS Server' line (see image).

Ede

"Kernel panic: Aiee, killing interrupt handler!"

comas17 · ‎12-04-2014

Hi ede_pfau thank you, I can see now the Advanced options As it is related to DHCP relay configuration, I have another question, maybe you can help me (it is related to this post, where you already helped me: [link]https://forum.fortinet.com/tm.aspx?m=116480)[/link] In my Headquarter I have a Fortigate 60D Fortigate 60D firmware 5.2.1 Internal lan 192.168.20.0/24 Fortigate internal interface 192.168.20.252 We have also a VOICE LAN (used for VOIP telephones); DHCP Server is an Alcatel switchboard, ip 192.168.1.2 (all telephones are 192.168.1.xx) I have configured in my Headquarter FGT60D a VLAN (in the internal interface) to be used for telephones and its address is 192.168.1.252 I suppose I will have few problems configuring the "data/PC" VPN using the wizard available, but I have doubts regarding the telephones, and particularly their DHCP In my Remote Office I have a Fortigate 60C Fortigate 60C firmware 5.2.1 (planned) Internal lan 192.168.120.0/24 (planned) Fortigate internal interface 192.168.120.252 I'm planning to configure in the Remote Office FGT a VLAN (linked to the internal interface) and use as addresses 192.168.101.X Is it possible ? I mean, can the remote office telephones (lan 192.168.101.x) access their DHCP server (192.168.1.2) ? My idea is to enable DHCP relay and set as DHCP Server IP 192.168.1.2

Is it correct ? Thank you

ede_pfau · ‎12-04-2014

I don't see why DHCP relay over a VPN should not work. DHCP relay is explicitly crafted to be used across routers. The fact that the connection is a VPN and not plain wire doesn't change anything.

Of course, the VPN must carry both LAN address spaces (use 2 phase2's on the phase1, one for each subnet).

DHCP discovery via broadcast on the other hand will definitely not work (broadcast is not routed).

Ede

"Kernel panic: Aiee, killing interrupt handler!"

comas17 · ‎12-04-2014

Thank you What is not still clear to me is: which address will have a telephone in the remote office ? I mean, the DHCP server (installed in my HQ) will release addresses in the 192.168.1.x network A telephone connected in the Branch office network will have a 192.168.1.y address ? (for example 192.168.1.20) ? As the Branch office vlan (for voip) is 192.168.101.x (with default gateway 192.168.101.252) how can it work later ? Thank you

rwpatterson · ‎12-04-2014

A decent DHCP server will be able to serve addresses in other subnets, not just the one attached. Windows does this all day. My DHCP server on 192.168.200.1/29 is serving addresses in the following subnets:

192.168.39.0/26

192.168.39.128/27

192.168.39.192/27

192.168.251.0/24

192.168.252.0/24

192.168.253.0/24

192.168.254.0/24

All these are using relays in my Fortigate 80C on their individual VLANs. Works all day. Just make sure each VLAN has the helper DHCP address defined, and you're good to go.

Note ** I need to add that I'm still on version 4.3.x

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

comas17 · ‎12-04-2014

Hi rwpatterson

thank you. In this case the DHCP server (for telephones) is not a Windows Server but an Alcatel switchboard. I'll ask our provider if it is possible to configure it as a DHCP server also for other networks

Please explain better what is the "helper DHCP address"... is it the "DHCP Server IP" when I configure the interface/VLAN as DHCP Server in mode "Relay" ?

Thank you

rwpatterson · ‎12-04-2014

Yes, it can. In my prior organization, we configured over a dozen subnets on our OmniPCX 4400. The phones at the remote sites were able to pull addresses from the switch successfully. Granted, they were routed over 6600s and 6850s, but relay DHCP is a standard. We had a half dozen remote sites routed over IPSec from our FGT1000A to various smaller FGT units. We served IP addresses to our remote smart terminals over this IPSec tunnel using the FGTs as well. The Windows server hosted over a dozen subnets there too.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

Chris · ‎06-18-2015

sri, don't has seen the other answers.