Hello
Is it possible for a FortiGate to both act as the DHCP server and relay?
The reason I would want this is because I have a NAC solution that would use the relay information to profile the endpoint, and the endpoint also needs to get an IP address from the FortiGate DHCP server.
I have tested this in a Lab, but I am getting this error:
FORTINET-FW (CISCO-CORP-LAN) # set dhcp-relay-service enable
FORTINET-FW (CISCO-CORP-LAN) # set dhcp-relay-ip 10.0.1.51
FORTINET-FW (CISCO-CORP-LAN) # set dhcp-relay-agent-option enable
FORTINET-FW (CISCO-CORP-LAN) # show
config system interface
edit "CISCO-CORP-LAN"
set vdom "root"
set dhcp-relay-service enable
set ip 10.100.100.1 255.255.255.0
set allowaccess ping
set device-identification enable
set role lan
set snmp-index 7
set dhcp-relay-ip "10.0.1.51"
set interface "port4"
set vlanid 100
next
end
FORTINET-FW (CISCO-CORP-LAN) # next
dhcp server 2 of type Ethernet already exists on this interface, cannot add relay!
object set operator error, -76 discard the setting
Command fail. Return code 1
config system dhcp server
edit 2
set dns-service default
set default-gateway 10.100.100.1
set netmask 255.255.255.0
set interface "CISCO-CORP-LAN"
config ip-range
edit 1
set start-ip 10.100.100.50
set end-ip 10.100.100.254
next
end
next
Regards
Hello,
As your test showed, you can have only one option, server or relay.
https://docs.fortinet.com/document/fortigate/6.0.0/handbook/709255/dhcp-servers-and-relays
"An interface can't provide both a server and a relay for connections of the same type (regular or IPsec)."
Moderator note/edit: This is no longer the case as of FortiGate v7.0.5. FortiGate v7.0.5 and higher versions now support having both a server and a relay for connections of the same type. See this document.
Hey Mike,
perhaps if you elaborate a bit as to what you're trying to achieve?
A DHCP relay makes sense if you want the DHCP requests to be relayed from the FortiGate interface to a different DHCP server which handles the actual IP assignment. A DHCP server on the FortiGate interface makes sense if you want the FortiGate to assign an IP.
Having two DHCP servers assign IPs to the same client (the FortiGate plus whatever DHCP server is reached through relay) would cause significant issues in my eyes.
Do you want FortiGate to forward its DHCP information to another server for monitoring/profiling information?
-> I'm not certain that's possible
Or do you want the NAC to act as DHCP server, and just have FortiGate forward DHCP requests to the NAC?
-> in this case, create the DHCP server configuration on your NAC solution, scrap the DHCP server on the FortiGate interface, and just set up a relay
The FortiGate will be the DHCP server.
The NAC solution will use the DHCP relay information to profile/classify an endpoint. The NAC server would never reply with an address assignment. It would just profile the device as an Apple Smartphone, Windows endpoint or Kali Linux laptop or something like that.
The only solution, for now, is to have a separate DHCP server and then create two DHCP relays on the FortiGate, one to the NAC, and one to the actual DHCP server.
On Fortigate 7.0.5, you can set an interface as both DHCP server and relay.
https://docs.fortinet.com/document/fortigate/7.0.5/administration-guide/783526/dhcp-server
and it looks like it's added to help in this particular type of setup :)
A FortiGate interface can be configured to work in DHCP server mode to lease out addresses, and at the same time relay the DHCP packets to another device, such as a FortiNAC to perform device profiling.
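The relay-for-profiling setup discussed in this thread hinges on what the NAC can read from the relayed packet: the giaddr the relay stamps in, the option 82 relay agent data that `set dhcp-relay-agent-option enable` adds, and the client's own fingerprinting options (hostname, vendor class, parameter request list). The following Python is an added example, not Fortinet or FortiNAC code: it builds a constructed relayed DISCOVER and parses out those fields; the client MAC, hostname and circuit-id contents are assumed sample values.

```python
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"

def _parse_tlv(buf: bytes) -> dict:
    """Walk DHCP options (or option-82 sub-options) as code/length/value; stops at END (255)."""
    out, i = {}, 0
    while i < len(buf) and buf[i] != 255:
        if buf[i] == 0:            # PAD option has no length byte
            i += 1
            continue
        code, length = buf[i], buf[i + 1]
        out[code] = buf[i + 2:i + 2 + length]
        i += 2 + length
    return out

def profile_dhcp(packet: bytes) -> dict:
    """Pull the fields a NAC profiler keys on out of a (relayed) DHCP message."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    hlen, hops = packet[2], packet[3]
    giaddr = ".".join(str(b) for b in packet[24:28])
    opts = _parse_tlv(packet[240:])
    agent = _parse_tlv(opts.get(82, b""))   # relay agent sub-options, RFC 3046
    return {
        "msg_type": opts.get(53, b"\x00")[0],            # 1 = DISCOVER
        "relayed": hops > 0 and giaddr != "0.0.0.0",     # came through a relay, not direct
        "giaddr": giaddr,
        "client_mac": packet[28:28 + hlen].hex(":"),
        "hostname": opts.get(12, b"").decode(errors="replace"),
        "vendor_class": opts.get(60, b"").decode(errors="replace"),
        "param_request_list": ",".join(str(b) for b in opts.get(55, b"")),
        "circuit_id": agent.get(1, b"").decode(errors="replace"),
        "remote_id": agent.get(2, b"").hex(":"),
    }

def _tlv(code: int, data: bytes) -> bytes:
    return bytes([code, len(data)]) + data

def sample_relayed_discover() -> bytes:
    """Constructed DISCOVER as the NAC would receive it after the FortiGate relays it."""
    mac = bytes.fromhex("0011223344aa")                        # constructed client MAC
    header = struct.pack("!BBBBIHHIIII", 1, 1, 6, 1, 0x1234, 0, 0x8000,
                         0, 0, 0, 0x0A646401)                  # hops=1, giaddr=10.100.100.1
    header += mac + bytes(10) + bytes(64) + bytes(128)         # chaddr(16), sname, file
    options = (_tlv(53, b"\x01") + _tlv(12, b"lab-laptop") + _tlv(60, b"MSFT 5.0")
               + _tlv(55, bytes([1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 119, 121, 249, 252]))
               + _tlv(82, _tlv(1, b"CISCO-CORP-LAN") + _tlv(2, mac)) + b"\xff")
    return header + MAGIC_COOKIE + options
```

`profile_dhcp(sample_relayed_discover())` returns the profiling fields; the relay-only NAC in this thread would consume such a record and never answer, so the FortiGate server remains the only source of leases.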