MacquoijSteven
New Contributor II

VLAN/DHCP over Site to site VPN

Currently we have 2 sites that we connect through a site-to-site VPN; this is already up and running. All of our servers are on Site1. We would like to have our printers and access controllers on Site2 get an IP address from (and communicate with) the server on Site1, without address translation or a static route. Is this possible? And what should I do for this, and/or what am I doing wrong, because it is not working?


My apologies if this is a stupid question; if anyone feels like taking a look at this dummy problem with us, we are immensely grateful.

[attached screenshots: SiteToSitVPN.png, SiteToSitVPN2.png, SiteToSitVPN3.png]

1 Solution
sw2090
Honored Contributor

I think there is a logical problem in your diagram.

You could do DHCP if you enabled a DHCP relay on the VLAN 60 and also on the VLAN 204 interface on the FGT on Site2 and have it relay DNS requests to the corresponding server on Site1. That will work because DHCP is basically UDP broadcasting.

However, you will not be able to route traffic because you have the same subnets on both sides, at least in VLAN 204.

This works between switches but not over a VPN.

So I would recommend having the DHCP servers on Site1 have a pool for Site2 with a different subnet (VLAN 60 seems to be class B anyway already; 204 on Site1 might need a secondary IP on the VLAN interface on the Site1 FGT) and also configuring them to hand out the FGT on Site1 as gateway. Then the FGT on Site2 needs the DHCP relays and a route back to those new subnets over the S2S tunnel.

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
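The relay-plus-routes layout from the solution above, written out as an added FortiOS CLI example; this is not configuration from the thread or from Fortinet. Only VLAN 204 is shown (VLAN 60 is done the same way), and the interface names, the Site1 tunnel address 10.41.1.2, the DHCP server 10.1.10.5 and the 10.1.0.0/16 and 10.2.204.0/24 subnets are assumptions; the DHCP scope for 10.2.204.0/24 itself is created on the Site1 DHCP server and is not shown.

```fortios
# --- Site2 FortiGate (assumed names and addresses): relay DHCP to the Site1 server ---
config system interface
    edit "to-site1"
        # The tunnel interface needs its own address; relayed DHCP is sourced from it
        set ip 10.41.1.1 255.255.255.255
        set remote-ip 10.41.1.2 255.255.255.255
    next
    edit "vlan204"
        set vdom "root"
        set interface "internal"
        set vlanid 204
        # Subnet differs from Site1's VLAN 204 so the tunnel can route to it
        set ip 10.2.204.1 255.255.255.0
        set dhcp-relay-service enable
        set dhcp-relay-ip "10.1.10.5"
    next
end
config router static
    edit 10
        # Site1 server networks (assumed 10.1.0.0/16) reachable over the tunnel
        set dst 10.1.0.0 255.255.0.0
        set device "to-site1"
    next
end

# --- Site1 FortiGate: route the new Site2 subnet back over the tunnel ---
config system interface
    edit "to-site2"
        set ip 10.41.1.2 255.255.255.255
        set remote-ip 10.41.1.1 255.255.255.255
    next
end
config router static
    edit 10
        # Return path for DHCP offers and for client traffic to 10.2.204.0/24
        set dst 10.2.204.0 255.255.255.0
        set device "to-site2"
    next
end
```

The phase 2 selectors on both ends must also cover 10.2.204.0/24 and 10.1.0.0/16, and firewall policies between the tunnel and VLAN interfaces are still needed for the client traffic; both are omitted here.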

aahmadzada
Staff

Well, when it comes to getting an IP address from a remote DHCP server, you can configure the DHCP relay:
https://docs.fortinet.com/document/fortiswitch/7.2.3/administration-guide/559601/configuring-a-dhcp-...

While configuring it, make sure to configure IP addresses on the IPsec tunnels, as it is mandatory for the DHCP relay to work.

When it comes to the absence of static routes, try to use any dynamic routing protocol, so it will take care of distributing the routing information between sites.

Ahmad
MacquoijSteven

Thanks a lot!!! There's no way around it, but I think we're almost there ;)

(but not quite there yet)

DHCP relay on Site2 interface: [screenshot SiteToSitVPN7.png]

IP on VPN interface on Site1 (Site2 is 10.41.1.1): [screenshot SiteToSitVPN5.png]

Static route from Site2 to Site1: [screenshot SiteToSitVPN6.png]

Static route from Site1 to Site2: [screenshot SiteToSitVPN9.png]

IPsec monitor on Site1: [screenshot SiteToSitVPN10.png]

MacquoijSteven

@aahmadzada Ok, I replaced the static routes with a policy route, which allows me to ping perfectly from the server to the remote VPN IP (10.41.1.1) and vice versa. Unfortunately, I can't ping the remote interface of the same VLAN (204) on Site2. [screenshot SMIK.png]

FredPaul
New Contributor III

What you're looking for is called VXLAN, if I understand your question correctly:

https://docs.fortinet.com/document/fortigate/7.2.4/administration-guide/38079/vxlan


This requires some configuration, of course.

-Fredrik