Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Najmi
New Contributor

VLAN/DHCP relay over Site to site VPN

Currently, we have multiple sites, The basic topology I am using is Hub and spoke IPsec tunnel between the Head office and branch sites. We have multiple branch sites more than 10. 

Currently, we have separate AD/DHCP servers on each site, As we are adding new branches connected to the head office, we are not planning to add separate AD/DHCP servers on small branches. And all the data AD/DHCP manage from the Head office via the IPSec tunnel. 

 

The issue is the DHCP scope is created on the Hub site but the branch site is not able to get DHCP IP. As we have already configured the DHCP relay on the branch site LAN FW . But still not been able to get through and DHCP request at the spoke user end. 

 

adding topology for reference.topology.jpeg

7 REPLIES 7
saneeshpv_FTNT

Hi,

 

First thing you need to enable DHCP relay on your Branch FortiGate LAN interface so it could relay the DHCP packets to your DHCP Server unicast. Attached screenshot for your reference. I think you have already performed this step in your firewall and already have DHCP Scope defined on the DHCP server for each Branch subnet. 

 

Now you need to look into your Firewall policy and confirm that it is allowing DHCP packets across the tunnel interfaces to your HUB Side and vice versa. Also check if you have the proper route in your Branch and HUB firewall so that these traffic is properly entering the IPsec tunnel from each side during the request and response. 

 

A packet capture for capturing DHCP packet can be helpful to identify the communication to and fro

# diag sniffer packet any "udp port 67 or udp port 68" 4

# diag sniffer packet any "relay-Agent-IP" 4

 

 

Please check this and let me know the feedback.

 

Best Regards,

 

asengar
Staff
Staff

Hi @Najmi 

Thanks for posting.

As I can see you mentioned that DHCP relay in configured on the Branch FW, Kindly confirm if the switch is acting as L2.

If not kindly configure the dhcp relay on the L3 switch and check once.

 

Also share the below output from the Branch FW

dia sniffer packet any 'port 67 or port 68' 4 0 a

 

Thanks

@bhishek
Najmi
New Contributor

Hi @asengar ,

 

We have installed a layer 3 switch in the branch site with a different VLAN created and a default route toward Firewall. 

Guide what configuration needs to be done on Layer3 switch Vlan. Currently, the IP helper address configures on the VLAN interface of the branch.

 

Snapshot for the diagnosis, we received a packet to the CHQ. 

 

Diag-Branch.jpgDiag-HQ.jpg

saneeshpv_FTNT

Hi,


What is this IP address 172.28.12.254? If this is your Layer3 switch interface IP address connecting to the Firewall, then I could see as per your diagram it has a different range which is 172.28.20.x. Anyway below are some points to check.

 

For DHCP relay to work, you need to define the IP-helper address(DHCP Server) on the Layer 3 switch on all the VLAN/Interface on which you need DHCP relay service. Once this is done, your Layer3 device (Switch here) will listen for DHCP broadcast on all these interfaces and then forward this packet as unicast to DHCP server IP address (IP-Helper Address defined on the interface). Switch will use its Interface IP address facing Fortigate (Default Gateway) as the Source IP for this unicast traffic (Relay Agent IP).


From the capture you are receiving the DHCP packet on the HQ FGT if got it correct. Now you need to verify if your DHCP server is able to reach back the IP address of your Switch interface (Fortigate facing interface-Relay Agent IP address) via the IPSec tunnel. From the capture we are not able to see this return traffic from Source 172.17.5.1 or .3.

 

So make sure on your HQ you have proper routing in place to forward reply packet back to respective tunnels as you have more than one Branch.

 

Best Regards,

 

 

Najmi

Hi, 

 

172.28.12.254 is the Vlan interface IP of the branch user end. In Diagram, there is a bit mistake. 172.28.10.200 is Firewall IP > 172.28.10.151 is branch L3 switch and then 172.28.0.0/20 subnets within the interface configured. L# switch configuration is added for reference. 

 

Most importantly how to check if the server end is offering DHCP IPs or not. The scope is created of all the branch VLAN with Gateway 172.28.12.254

 

PARAWT01DS151#wr
Building configuration...
[OK]
PARAWT01DS151#sh ru
PARAWT01DS151#sh running-config
Building configuration...

Current configuration : 8767 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname PARAWT01DS151
!
!

no aaa new-model
system mtu routing 1500
vtp domain ourvlan
vtp mode transparent
ip subnet-zero
ip routing
ip domain-name ****
!
!
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
vlan 2
name Time-Machine
!
vlan 4
name VOIP
!
vlan 5
name Server
!
vlan 6
name Server-Management-ILO
!
vlan 8
name CCTV-Security
!
vlan 9
name CCTV-DC
!
vlan 10
name Network-Management
!
vlan 11
name Wireless-LAN
!
vlan 12
name User-LAN
!
vlan 13
name AccessControl-FireAlarm
!
vlan 15
name Video-Conference
!
vlan 412
name Testing
!
interface GigabitEthernet0/1
description AWT-AP
switchport access vlan 10
switchport mode access
!
interface GigabitEthernet0/2
description AWT-AP
switchport access vlan 10
switchport mode access
!
interface GigabitEthernet0/3
description AWT-AP
switchport access vlan 10
switchport mode access
!
interface GigabitEthernet0/4
description AWT-AP
switchport access vlan 10
switchport mode access
!
interface GigabitEthernet0/5
description AWT-AP
switchport access vlan 10
switchport mode access
!
interface GigabitEthernet0/6
description AWT-AP
switchport access vlan 10
switchport mode access
!
interface GigabitEthernet0/7
description VC-Device
switchport access vlan 15
switchport mode access
!
interface GigabitEthernet0/8
description AWT-User-End-Points
switchport access vlan 412
switchport mode access
!
interface GigabitEthernet0/9
description AWT-User-End-Points
switchport access vlan 412
switchport mode access
!
interface GigabitEthernet0/10
description AWT-User-End-Points
switchport access vlan 412
switchport mode access
!
interface GigabitEthernet0/11
description AWT-User-End-Points
switchport access vlan 412
switchport mode access
!
interface GigabitEthernet0/12
description AWT-User-End-Points
switchport access vlan 412
switchport mode access
!
interface GigabitEthernet0/13
description AWT-User-End-Points
switchport access vlan 412
switchport mode access
!
interface GigabitEthernet0/14
description AWT-User-End-Points
switchport access vlan 412
switchport mode access
!
interface GigabitEthernet0/15
description AWT-User-End-Points
switchport access vlan 412
switchport mode access
!
interface GigabitEthernet0/16
description AWT-User-End-Points
switchport access vlan 412
switchport mode access
!
interface GigabitEthernet0/17
description AWT-User-End-Points
switchport access vlan 412
switchport mode access
!
interface GigabitEthernet0/18
description AWT-User-End-Points
switchport access vlan 412
switchport mode access
!
interface GigabitEthernet0/19
description AWT-User-End-Points
switchport access vlan 412
switchport mode access
!
interface GigabitEthernet0/20
description AWT-User-End-Points
switchport access vlan 412
switchport mode access
!
interface GigabitEthernet0/21
description AWT-User-End-Points
switchport access vlan 412
switchport mode access
!
interface GigabitEthernet0/22
description AWT-User-End-Points
switchport access vlan 412
switchport mode access
!
interface GigabitEthernet0/23
description AWT-User-End-Points
switchport access vlan 412
switchport mode access
!
interface GigabitEthernet0/24
description AWT-User-End-Points
switchport access vlan 412
switchport mode access
!
interface GigabitEthernet0/25
description AWT-User-End-Points
switchport access vlan 412
switchport mode access
!
interface GigabitEthernet0/26
description AWT-User-End-Points
switchport access vlan 412
switchport mode access
!
interface GigabitEthernet0/27
description AWT-User-End-Points
switchport access vlan 412
switchport mode access
!
interface GigabitEthernet0/28
description AWT-User-End-Points
switchport access vlan 412
switchport mode access
!
interface GigabitEthernet0/29
description AWT-User-End-Points
switchport access vlan 412
switchport mode access
!
interface GigabitEthernet0/30
description AWT-User-End-Points
switchport access vlan 412
switchport mode access
!
interface GigabitEthernet0/31
description AWT-User-End-Points
switchport access vlan 412
switchport mode access
!
interface GigabitEthernet0/32
description AWT-User-End-Points
switchport access vlan 412
switchport mode access
!
interface GigabitEthernet0/33
description AWT-User-End-Points
switchport access vlan 412
switchport mode access
!
interface GigabitEthernet0/34
description AWT-User-End-Points
switchport access vlan 412
switchport mode access
!
interface GigabitEthernet0/35
description AWT-User-End-Points
switchport access vlan 412
switchport mode access
!
interface GigabitEthernet0/36
description AWT-User-End-Points
switchport access vlan 412
switchport mode access
!
interface GigabitEthernet0/37
description AWT-User-End-Points
switchport access vlan 412
switchport mode access
!
interface GigabitEthernet0/38
description AWT-User-End-Points
switchport access vlan 412
switchport mode access
!
interface GigabitEthernet0/39
description AWT-User-End-Points
switchport access vlan 412
switchport mode access
!
interface GigabitEthernet0/40
description AWT-User-End-Points
switchport access vlan 412
switchport mode access
!
interface GigabitEthernet0/41
description AWT-User-End-Points
switchport access vlan 412
switchport mode access
!
interface GigabitEthernet0/42
description AWT-User-End-Points
switchport access vlan 412
switchport mode access
!
interface GigabitEthernet0/43
description AWT-User-End-Points
switchport access vlan 412
switchport mode access
!
interface GigabitEthernet0/44
description AWT-User-End-Points
switchport access vlan 412
switchport mode access
!
interface GigabitEthernet0/45
description Towards-Access-Switches
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet0/46
description Towards-Access-Switches
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet0/47
description Towards-Access-Switches
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet0/48
description Towards-AWT-Firewall
switchport access vlan 10
switchport mode access
!
interface GigabitEthernet0/49
!
interface GigabitEthernet0/50
!
interface GigabitEthernet0/51
!
interface GigabitEthernet0/52
!
interface Vlan1
no ip address
shutdown
!
interface Vlan2
ip address 172.28.2.254 255.255.255.0
ip helper-address 172.17.5.3
ip helper-address 172.17.5.1
!
interface Vlan4
ip address 172.28.4.254 255.255.255.0
ip helper-address 172.17.5.1
ip helper-address 172.17.5.3
!
interface Vlan5
ip address 172.28.5.254 255.255.255.0
ip helper-address 172.17.5.1
ip helper-address 172.17.5.3
!
interface Vlan6
ip address 172.28.6.254 255.255.255.0
ip helper-address 172.17.5.1
ip helper-address 172.17.5.3
!
interface Vlan8
ip address 172.28.8.254 255.255.255.0
ip helper-address 172.17.5.1
ip helper-address 172.17.5.3
!
interface Vlan9
ip address 172.28.9.254 255.255.255.0
ip helper-address 172.17.5.1
ip helper-address 172.17.5.3
!
interface Vlan10
ip address 172.28.10.151 255.255.255.0
!
interface Vlan11
ip address 172.28.11.254 255.255.255.0
ip helper-address 172.17.5.3
ip helper-address 172.17.5.1
!
interface Vlan12
no ip address
ip helper-address 172.17.5.1
ip helper-address 172.17.5.3
shutdown
!
interface Vlan13
ip address 172.28.13.254 255.255.255.0
ip helper-address 172.17.5.1
ip helper-address 172.17.5.3
!
interface Vlan15
ip address 172.28.15.254 255.255.255.0
!
interface Vlan25
no ip address
shutdown
!
interface Vlan412
ip address 172.28.12.254 255.255.255.0
ip helper-address 172.17.5.3
!
ip default-gateway 172.28.10.200
ip classless
ip route 0.0.0.0 0.0.0.0 172.28.10.200
no ip http server
!
snmp-server view Nms9ocwrv internet included
snmp-server view Nms9ocwrv system included
snmp-server view Nms9ocwrv interfaces included
snmp-server location STOWER-DC
snmp-server contact Hassaan <hassaan.**
!
control-plane
!
!
line con 0
exec-timeout 9 0
logging synchronous
login local
stopbits 1
line vty 0 4
exec-timeout 9 0
login local
transport input all
line vty 5 15
exec-timeout 9 0
login local
transport input all
!
end

PARAWT01DS151#

Najmi

Hi, 

 

172.28.12.254 is the Vlan interface IP of the branch user end. In Diagram, there is a bit mistake. 172.28.10.200 is Firewall IP > 172.28.10.151 is branch L3 switch and then 172.28.0.0/20 subnets within the interface configured. L# switch configuration is added for reference. 

 

Most importantly how to check if the server end is offering DHCP IPs or not. The scope is created of all the branch VLAN with Gateway 172.28.12.254

vlan config.png

saneeshpv_FTNT

Hi Najm,

 

I could see you have multiple VLAN's and each are assigned with /24 IP subnet in the L3 switch. So if that is the case how you can give a a single Gateway (172.28.12.254) for all these VLAN's? this is not correct. On the server you need to split the scope for each VLAN subnet and each should have its own gateway which is the VLAN interface IP on the switch for each VLAN (ie 11.254, 12.254, 13.254 respectively for VLAN 11, 12 & 13). Now when the DHCP packet are relayed from the Layer 3 switch it should exit out of the VLAN 10 which is your Interface connecting to Firewall and source IP of this Unicast DHCP packet should be 172.28.10.151 (Switch IP) and Destination (DHCP Server 5.1 and 5.3). 

 

You can capture the traffic from FortiGate GUI or from the Server itself and analyze it using Wireshark to confirm if there are DHCP response with a lease. 

 

Best Regards,

 

Top Kudoed Authors