Anybody successfully set up Additional DHCP Option 43 (config sys dhcp server > config options) to map a url to IP for a third party vendor?
I'm trying to make setting up some Ubiquiti (UniFi) devices behind a FortiGate somewhat simpler, by providing info in DHCP Option 43 to point the UniFi devices to the UniFi controller (which is not on the same subnet).
Per the UniFi docs, I could do this by having DHCP Option 43 look like the following Linux example pulled from their docs:
```
option space ubnt;
option ubnt.unifi-address code 1 = ip-address;

class "ubnt" {
    match if substring (option vendor-class-identifier, 0, 4) = "ubnt";
    vendor-option-space ubnt;
}

subnet 10.10.10.0 netmask 255.255.255.0 {
    range 10.10.10.100 10.10.10.160;
    option ubnt.unifi-address 201.10.7.31;   ### Unifi Controller IP ###
    option routers 10.10.10.2;
    option broadcast-address 10.10.10.255;
    option domain-name-servers 168.95.1.1, 8.8.8.8;
}
```
From what I've been able to see of the DHCP Option the FortiGate exposes, I probably can't do this without a separate DNS server. Thought I'd check, though, since otherwise I'll have to SSH to each device and point it manually.
Another option is to map the hostname "unifi" through DNS, but I don't believe I can do that with the FortiGate either, as it requires a domain to be specified and the UniFi gear needs it without a domain.
Hiya,
I ran into the same issue as you and I just got this working using the following settings with a UniFi AP AC Pro:
The hex value is built this way:
- 01: suboption
- 04: length of the payload (4 bytes)
- c0a80001: 192.168.0.1 in hex
You can convert your IP-address to hex with this tool: http://www.ipaddresslocation.org/convertip.php
I found this on the UBNT forums: https://community.ubnt.com/t5/UniFi-Wireless/Mikrotik-DHCP-option-43-How-to/m-p/259954#M13526
Hope this was any help. :)
See KB#FD40183, which is a similar option 43 setup for FortiWLC AP devices, but I am assuming should work similarly.
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
Thanks Dave. Looks like UniFi devices want sub-option 1, so specifying a hex value of:
01040A0B0C0D where 01 specifies the sub-option, 04 specifies number of bytes for the data, and 0A0B0C0D is the IP in hex might do it. Hope to test it Wednesday.
There's still the catch that the FortiGate can't reply with this Option 43 data based on vendor ID, so it will be sending this out to anything asking for DHCP on this interface. Luckily it's separate from the hosts, so should be fine.
Will let people know if it works.
And... this is actually trickier, if http://blog.schertz.name/2012/05/understanding-dhcp-option-43/ is correct, since the KB article uses a non-standard way to specify IPs.
Hex value as transmitted should be something like 2B0601040A0B0C0D (2B specifies option 43, 06 is total number of bytes in the following data) but that depends on if the FortiGate adds more of its own values to this which would change the length. Time for packet traces and wireshark. Tomorrow.
Thanks @xBytez! That matches what I'm planning to test today. Odd thing is that it's totally different than Fortinet's KB on using Option 43, which shows setting the hex value from the CLI to include 2B (43 decimal) as the first byte.
That's true. With older versions, we couldn't configure IP or ASCII, and only option for those was HEX. In those cases, we never needed to configure option code itself in the hex value, like option 66, 150, etc.
Was able to test this, and it does work setting the hex value to 0104IPIPIPIP as @xBytez specified. The Unifi devices pick up the IP and properly connect to the UniFi controller in the other subnet.
Still wish that the FortiGate supported setting the vendor for Option 43, as this is supposed to be a value just for a specific vendor.
Alternatively you could also set a "DNS" record of "Unifi" to point to your controller server.
-DDSkier FCNSA, FCNSP FortiGate 400D, (2) 200D, (12) 100D, (2) 60D
Since this is a small installation the FortiGate is the DNS server. As far as I know it only allows me to set names with a specific domain, and it requires a domain name. So I get unifi.mycompany.local or similar, and the nslookup won't resolve just unifi by itself. If you're aware of a way to map a local name without the domain let me know.