- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Re: FortiGate DHCP Server and Relay on SVI
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
FortiGate DHCP Server and Relay on SVI
Hello
Is it possible for a FortiGate to both act as the DHCP server and relay?
The reason I would want this is because I have a NAC solution that would use the relay information to profiling the endpoint and the endpoint also needs to get an IP address from the FortiGate DHCP server.
I have tested this in a Lab, but I am getting this error:
FORTINET-FW (CISCO-CORP-LAN) # set dhcp-relay-service enable
FORTINET-FW (CISCO-CORP-LAN) # set dhcp-relay-ip 10.0.1.51
FORTINET-FW (CISCO-CORP-LAN) # set dhcp-relay-agent-option enable
FORTINET-FW (CISCO-CORP-LAN) # show
config system interface
edit "CISCO-CORP-LAN"
set vdom "root"
set dhcp-relay-service enable
set ip 10.100.100.1 255.255.255.0
set allowaccess ping
set device-identification enable
set role lan
set snmp-index 7
set dhcp-relay-ip "10.0.1.51"
set interface "port4"
set vlanid 100
next
end
FORTINET-FW (CISCO-CORP-LAN) # next
dhcp server 2 of type Ethernet already exists on this interface, cannot add relay!
object set operator error, -76 discard the setting
Command fail. Return code 1
config system dhcp server
edit 2
set dns-service default
set default-gateway 10.100.100.1
set netmask 255.255.255.0
set interface "CISCO-CORP-LAN"
config ip-range
edit 1
set start-ip 10.100.100.50
set end-ip 10.100.100.254
next
end
next
Regards
Solved! Go to Solution.
1 Solution
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
As your test shown, you can have only one option, server or relay.
https://docs.fortinet.com/document/fortigate/6.0.0/handbook/709255/dhcp-servers-and-relays
"An interface can't provide both a server and a relay for connections of the same type (regular or IPsec)."
Moderator note/edit: This is no longer the case as of FortiGate v7.0.5. FortiGate v7.0.5 and higher versions now support having both a server and a relay for connections of the same type. See this document.
Adrian
5 REPLIES 5
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
As your test shown, you can have only one option, server or relay.
https://docs.fortinet.com/document/fortigate/6.0.0/handbook/709255/dhcp-servers-and-relays
"An interface can't provide both a server and a relay for connections of the same type (regular or IPsec)."
Moderator note/edit: This is no longer the case as of FortiGate v7.0.5. FortiGate v7.0.5 and higher versions now support having both a server and a relay for connections of the same type. See this document.
Adrian
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey Mike,
perhaps if you elaborate a bit as to what you're trying to achieve?
A DHCP relay makes sense if you want the DHCP requests to be relayed from the FortiGate interface to a different DHCP server which handles the actual IP assignment. A DHCP server on the FortiGate interface makes sense if you want the FortiGate to assign an IP.
Having two DHCP servers assign IPs to the same client (the FortiGate plus whatever DHCP server is reached through relay) would cause significant issues in my eyes.
Do you want FortiGate to forward its DHCP information to another server for monitoring/profiling information?
-> I'm not certain that's possible
Or do you want the NAC to act as DHCP server, and just have FortiGate forward DHCP requests to the NAC?
-> in this case, create DCHP server configuration on your NAC solution, scrap the DHCP server on the FortiGate interface, and just set up a relay
+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The FortiGate will be the DHCP server.
The NAC solution will use the DHCP relay information to profile/classify an endpoint. The NAC server would never reply with an address assignment. It would just profile the device as an Apple Smartphone, Windows endpoint or Kali Linux laptop or something like that.
The only solution, for now, is to have a separate DHCP server and then create two DHCP relays on the FortiGate, one to the NAC, and one to the actual DHCP server.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
On Fortigate 7.0.5, you can set an interface as both DHCP server and relay.
https://docs.fortinet.com/document/fortigate/7.0.5/administration-guide/783526/dhcp-server
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
and it looks like it's added to help in this particular type of setup :)
A FortiGate interface can be configured to work in DHCP server mode to lease out addresses, and at the same time relay the DHCP packets to another device, such as a FortiNAC to perform device profiling.
- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
If you have found a solution, please like and accept it to make it easily accessible for others.
Related Posts
- TLS 1.2 and 1.3 query at... 188 Views
- Port forward fail 54 Views
- Virtual server and SSL inspection 86 Views
- IPSec VPN with Azure/Entra mfa 112 Views
- TLS server supports deprecated protocols: TLSv1.1... 65 Views
Labels
-
FortiGate
6,746 -
FortiClient
1,341 -
5.2
801 -
5.4
639 -
FortiManager
580 -
FortiAnalyzer
425 -
6.0
416 -
5.6
362 -
FortiSwitch
345 -
FortiAP
344 -
FortiClient EMS
274 -
FortiMail
262 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
160 -
6.4
128 -
FortiNAC
110 -
FortiGuard
108 -
FortiSIEM
92 -
FortiGateCloud
88 -
FortiCloud Products
85 -
IPsec
83 -
FortiToken
73 -
Customer Service
70 -
SSL-VPN
69 -
4.0MR3
64 -
Wireless Controller
62 -
FortiProxy
47 -
FortiADC
44 -
FortiEDR
41 -
Fortivoice
41 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
33 -
FortiSandbox
32 -
SD-WAN
31 -
FortiSwitch v6.4
30 -
Firewall policy
30 -
High Availability
24 -
FortiConnect
24 -
FortiAuthenticator
22 -
VLAN
22 -
FortiWAN
22 -
FortiConverter
21 -
ZTNA
20 -
FortiPortal
18 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
Certificate
16 -
FortiMonitor
14 -
SAML
14 -
Interface
14 -
Logging
14 -
BGP
13 -
DNS
13 -
FortiGate v5.0
13 -
FortiDDoS
13 -
LDAP
12 -
Routing
12 -
FortiCASB
12 -
VDOM
12 -
fortilink
11 -
RADIUS
10 -
Virtual IP
10 -
FortiRecorder
10 -
FortiWeb v5.0
9 -
Authentication
9 -
SSL SSH inspection
9 -
Traffic shaping
9 -
FortiManager v5.0
9 -
NAT
9 -
4.0MR2
9 -
SSID
8 -
SSO
8 -
Application control
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
FortiAnalyzer v5.0
7 -
Fortigate Cloud
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
IP address management - IPAM
7 -
Security profile
6 -
FortiBridge
6 -
SNMP
6 -
Web profile
6 -
Proxy policy
5 -
Traffic shaping policy
5 -
FortiAP profile
5 -
Web application firewall profile
5 -
FortiTester
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
IPS signature
4 -
Packet capture
4 -
Antivirus profile
4 -
Automation
4 -
WAN optimization
4 -
DNS Filter
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Port policy
4 -
FortiToken Cloud
3 -
DoS policy
3 -
Email filter profile
3 -
Web rating
3 -
Intrusion prevention
3 -
FortiDB
3 -
trunk
3 -
FortiDeceptor
2 -
System settings
2 -
FortiInsight
2 -
NAC policy
2 -
Fortinet Engage Partner Program
2 -
Users
2 -
Traffic shaping profile
2 -
FortiPAM
2 -
VoIP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
Protocol option
2 -
4.0MR1
1 -
TACACS
1 -
Replacement messages
1 -
Subscription Renewal Policy
1 -
Schedule
1 -
FortiCWP
1 -
FortiNDR
1 -
SDN connector
1 -
Application signature
1 -
Authentication rule and scheme
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
Fabric connector
1 -
Multicast routing
1 -
Explicit proxy
1 -
Zone
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.