tk34
New Contributor

DHCP crossing over VLANs

Fortigate 100D 5.6

I have LAN (VLAN1) and VOICE (VLAN2). VLAN1 is assigned to ports 1-14. VLAN2 is assigned to ports 15-16.

VLAN1: 192.168.1.1/24, DHCP enabled, 192.168.1.80 - 192.168.1.254

VLAN2: 192.168.0.1/24, DHCP enabled, 192.168.0.50 - 192.168.0.254

Port 15 is mirrored from Port 16. Nothing connected currently.

Port 16 is connected to its own switch and devices.

Port 1 is connected to its own switch and devices.

They are only linked by the firewall. The switches are not cross connected.

 

Somehow, PCs on VLAN1 have pulled an IP from VLAN2. I can't get them to drop this IP and it still works, as in they can traverse the network and get to the internet. I have tried unplugging their cables, Windows Troubleshoot and Repair, ipconfig /release and then renewing. Nothing works. I can tone down the connection and they are plugged into VLAN1.

Am I missing something? I should note, this is a fresh FortiGate 100D as the previous one bit the dust and had to be replaced.


4 REPLIES
emnoc
Esteemed Contributor III

Do some pcap and find the DHCP server, and see if there is any rogue DHCP server. Also double-check the server MAC address in the layer-2 forwarding table.

PCNSE / NSE / StrongSwan
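As an added example of the check emnoc describes (this is not code from the original thread or from Fortinet): the script below parses raw Ethernet frames from a capture taken on the LAN-side port, reports every DHCP OFFER/ACK with the sender's MAC, the Server Identifier (option 54) and the address handed out, and flags any reply that did not come from the expected server. The MAC addresses, the trusted server-to-MAC mapping and the three captured replies are all constructed here so it runs offline; with a real capture you would feed it the frame bytes from your pcap reader instead.

```python
"""Find which DHCP server is answering on a segment and flag rogue ones.

Parses raw Ethernet frames (e.g. exported from a capture on the LAN-side
port), reports each DHCP OFFER/ACK with sender MAC, Server Identifier
(option 54) and the address handed out, then flags replies that did not
come from the expected server. The frames at the bottom are constructed
test data, not a real capture; all MACs in them are made up.
"""
import struct
from ipaddress import IPv4Address

DHCP_OFFER, DHCP_ACK = 2, 5
OPT_PAD, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 53, 54, 255
MAGIC_COOKIE = b"\x63\x82\x53\x63"


def parse_dhcp_reply(frame: bytes):
    """Return details of an IPv4 DHCP OFFER/ACK frame, or None for any other frame."""
    if len(frame) < 14 + 20 + 8 + 240 or frame[12:14] != b"\x08\x00":
        return None                                    # too short, or not IPv4
    ip = frame[14:]
    if ip[9] != 17:                                    # not UDP
        return None
    udp = ip[(ip[0] & 0x0F) * 4:]
    if struct.unpack("!HH", udp[:4]) != (67, 68):      # keep server -> client traffic only
        return None
    dhcp = udp[8:]
    if dhcp[0] != 2 or dhcp[236:240] != MAGIC_COOKIE:  # must be a BOOTREPLY
        return None
    msg_type, server_id, i = None, None, 240
    while i + 1 < len(dhcp) and dhcp[i] != OPT_END:    # walk the TLV option list
        if dhcp[i] == OPT_PAD:
            i += 1
            continue
        code, length = dhcp[i], dhcp[i + 1]
        value = dhcp[i + 2:i + 2 + length]
        if code == OPT_MSG_TYPE:
            msg_type = value[0]
        elif code == OPT_SERVER_ID:
            server_id = IPv4Address(value)
        i += 2 + length
    if msg_type not in (DHCP_OFFER, DHCP_ACK) or server_id is None:
        return None
    return {
        "src_mac": frame[6:12].hex(":"),
        "src_ip": IPv4Address(ip[12:16]),
        "server_id": server_id,
        "msg_type": "OFFER" if msg_type == DHCP_OFFER else "ACK",
        "yiaddr": IPv4Address(dhcp[16:20]),
        "client_mac": dhcp[28:34].hex(":"),
    }


def find_rogue_servers(frames, trusted):
    """Return replies not sent by a trusted server.

    `trusted` maps Server Identifier -> MAC of the interface that should send
    it, so both an unknown server and a spoofed Server Identifier sent from
    the wrong MAC are reported.
    """
    replies = filter(None, map(parse_dhcp_reply, frames))
    return [r for r in replies if trusted.get(r["server_id"]) != r["src_mac"]]


def mac_bytes(text):
    return bytes.fromhex(text.replace(":", ""))


def build_dhcp_reply(src_mac, src_ip, client_mac, yiaddr, server_id, msg_type):
    """Construct a minimal Ethernet/IPv4/UDP DHCP reply (test data only)."""
    opts = (bytes([OPT_MSG_TYPE, 1, msg_type, OPT_SERVER_ID, 4])
            + IPv4Address(server_id).packed + bytes([OPT_END]))
    dhcp = (struct.pack("!BBBBIHH", 2, 1, 6, 0, 0x3903F326, 0, 0x8000)  # op .. flags
            + bytes(4) + IPv4Address(yiaddr).packed + bytes(8)        # ciaddr, yiaddr, siaddr, giaddr
            + mac_bytes(client_mac) + bytes(10) + bytes(192)         # chaddr, sname, file
            + MAGIC_COOKIE + opts)
    udp = struct.pack("!HHHH", 67, 68, 8 + len(dhcp), 0) + dhcp
    ip = (struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0)
          + IPv4Address(src_ip).packed + b"\xff\xff\xff\xff" + udp)
    return mac_bytes("ff:ff:ff:ff:ff:ff") + mac_bytes(src_mac) + b"\x08\x00" + ip


# Constructed scenario (made-up MACs): a LAN PC's DISCOVER is answered three times.
TRUSTED = {IPv4Address("192.168.1.1"): "02:00:00:00:01:01"}  # assumed FortiGate LAN MAC
PC = "02:00:00:00:aa:01"
CAPTURE = [
    build_dhcp_reply("02:00:00:00:01:01", "192.168.1.1", PC, "192.168.1.80", "192.168.1.1", DHCP_OFFER),
    build_dhcp_reply("02:00:00:00:02:02", "192.168.0.1", PC, "192.168.0.50", "192.168.0.1", DHCP_OFFER),
    build_dhcp_reply("02:00:00:00:03:03", "192.168.1.1", PC, "192.168.1.90", "192.168.1.1", DHCP_ACK),
]

if __name__ == "__main__":
    for r in find_rogue_servers(CAPTURE, TRUSTED):
        print(f"rogue {r['msg_type']} from MAC {r['src_mac']} claiming server {r['server_id']}: "
              f"gave {r['yiaddr']} to {r['client_mac']}")
```

The Server Identifier alone is not enough, since a rogue can claim the FortiGate's address; that is why the trusted mapping is keyed on both the Server Identifier and the sending MAC, and the reported MAC is what you then look up in the switch forwarding table to find the physical port it sits on. On the FortiGate itself, `diagnose sniffer packet <interface> 'udp port 67 or udp port 68' 6` prints the Ethernet header with each packet, so the source MAC of every OFFER is visible directly in the sniffer output.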

tanr
Valued Contributor II

Do you have security policies allowing traffic between the VLANs?

Is there a route between the VLANs or are they both in a zone which allows intra-zone routing?

You should probably double-check your VLAN settings on the FGT and your switch as well. It could be that you just allowed both VLANs through by accident.

tk34
New Contributor

tanr wrote:

Do you have security policies allowing traffic between the VLANs?

Is there a route between the VLANs or are they both in a zone which allows intra-zone routing?

You should probably double-check your VLAN settings on the FGT and your switch as well. It could be that you just allowed both VLANs through by accident.

I have inter-VLAN communication enabled via policy. I had this on the previous FortiGate unit, but this DHCP crossover never happened. I'll switch it over to a route after hours and see what happens.


tk34
New Contributor

I just realized you assumed I had created VLANs and zones. I didn't do that. I simply added a subnet to each hardware switch. Then I added a policy allowing traffic between the two.

So I have created a new policy denying DHCP requests from VLAN2 to the VLAN1 subnet. Hopefully that cures it.
