Hi, I have some trouble with DHCP for the secondary IP on the internal Interface. So far as I could read it seems that the DHCP-Server only listen for request at the main IP but not on the secondary.
My Device is the FG/60D with V5.2.5
Does the scope of DHCP only for the main ip of the Interface or is it a bug? Normaly DHCP makes a broadcast request so it goes regardless which IP is defined to the DHCP listener (in this case the internal interface). The main ip here is 192.168.1.250 the secondary is 10.10.90.250 both with mask 255.255.255.0 The ping on both networks works as expected.
The policy rule allow all services in both networks. When I configure the remote device with static Ip for the 10.10.90.x Network
it works but on DHCP it will never receives an IP.
When I configure the DHCP with Network 192.168.1.x DHCP works.
I have seen solutions who says to create a new interface which was on the subnet
or VLAN but I belive that there must be give another way to solve this. Do I have overlook something important? Any help is appreciated.
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Ok, I further found Cisco's documentation explaining this matter Option1 in the previous quote wouldn't work. Only separate vlan or smart-relay are the options:
http://www.cisco.com/c/en/us/support/docs/ip/dynamic-address-allocation-resolution/27470-100.html
The core part of this article is below:
"By default, DHCP has a limitation in that the reply packets are sent only if the request is received from the interface configured with the primary IP address. DHCP traffic uses the broadcast address. When the DHCP request is received by the router interface, it forwards it to the DHCP server (when IP helper-address is configured) with a source address of the primary IP configured on the interface to let the DHCP server know which IP pool it must use (for the client) in the DHCP reply packet."
Looks like it's by design. Below discussion is for cisco devices to overcome this issue. I'm not sure this can apply to FortiGate though.
Ok, I further found Cisco's documentation explaining this matter Option1 in the previous quote wouldn't work. Only separate vlan or smart-relay are the options:
http://www.cisco.com/c/en/us/support/docs/ip/dynamic-address-allocation-resolution/27470-100.html
The core part of this article is below:
"By default, DHCP has a limitation in that the reply packets are sent only if the request is received from the interface configured with the primary IP address. DHCP traffic uses the broadcast address. When the DHCP request is received by the router interface, it forwards it to the DHCP server (when IP helper-address is configured) with a source address of the primary IP configured on the interface to let the DHCP server know which IP pool it must use (for the client) in the DHCP reply packet."
Hi Toshi, nice to see you again. ;-) I have google around until now. Sadly it is as I feared and you said it too. I have read your very interesting links which acknowledge what I already thought. The Wiki says also that a Router do not forwards DHCP broadcasting (discover). That is also probably the cause why DHCP requests never reaches the second Subnet-Ip. It is by design. The solution would be a DHCP-Relay Agent but this is in my case overkill. So it was easier for me to create a new Interface with the subnet and activate the DHCP. Now it works. Learning never stops ;-) Thanks for help again. sincerely Chris
With "create a new Interface" do you mean a new VLAN interface? If so, do you need to change anything else on your (secondary) network, like tagging the traffic?
Hi Ede, no, I have not created a vlan. I took a port from the switch and then create a new Interface (type hardware Switch). I know it also runs with a software-switch but I tried it with hardware switch. In the next step I created two policy-rules for each subnet (no NAT !)
to allow all traffic in both subnets. Note that you don't NAT these rules.
And finally create a recursive rule in DNS-Servers for the new interface. Thats important because dns request otherwise not be answered by the new interface.
This is in my case because i use the DNS Database.
If you not use them i mean you must select Mode "forward to system DNS"
Thats all.
I have attached a picture to show what i have done.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1662 | |
1077 | |
752 | |
443 | |
220 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.