Hi, I have some trouble with DHCP for the secondary IP on the internal interface. As far as I could read, it seems that the DHCP server only listens for requests on the main IP but not on the secondary.
My device is the FG/60D with v5.2.5.
Is the DHCP scope only for the main IP of the interface, or is it a bug? Normally DHCP makes a broadcast request, so it goes out regardless of which IP is defined for the DHCP listener (in this case the internal interface). The main IP here is 192.168.1.250, the secondary is 10.10.90.250, both with mask 255.255.255.0. The ping on both networks works as expected.
The policy rule allows all services in both networks. When I configure the remote device with a static IP for the 10.10.90.x network it works, but on DHCP it never receives an IP.
When I configure the DHCP with network 192.168.1.x, DHCP works.
I have seen solutions that say to create a new interface which is on the subnet or a VLAN, but I believe that there must be another way to solve this. Have I overlooked something important? Any help is appreciated.
Ok, I further found Cisco's documentation explaining this matter. Option 1 in the previous quote wouldn't work. Only a separate VLAN or smart-relay are the options:
http://www.cisco.com/c/en/us/support/docs/ip/dynamic-address-allocation-resolution/27470-100.html
The core part of this article is below:
"By default, DHCP has a limitation in that the reply packets are sent only if the request is received from the interface configured with the primary IP address. DHCP traffic uses the broadcast address. When the DHCP request is received by the router interface, it forwards it to the DHCP server (when IP helper-address is configured) with a source address of the primary IP configured on the interface to let the DHCP server know which IP pool it must use (for the client) in the DHCP reply packet."
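As an added illustration (not code from the thread, Fortinet or Cisco), a small Python model of the pool selection the quoted Cisco text describes: a DHCP server picks the pool by giaddr when the request was relayed, otherwise by the primary address of the interface it arrived on, so a broadcast on the shared interface can never land in the secondary subnet's pool. The addresses are the ones from this thread; the function and field names are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed to match the thread: both subnets sit on one "internal"
# interface whose primary address is 192.168.1.250 (secondary 10.10.90.250).
POOLS = [
    ipaddress.ip_network("192.168.1.0/24"),
    ipaddress.ip_network("10.10.90.0/24"),
]
NO_RELAY = ipaddress.ip_address("0.0.0.0")


@dataclass
class Discover:
    """DHCPDISCOVER fields that drive pool selection (RFC 2131 section 4.3.1)."""
    giaddr: str              # "0.0.0.0" when the client's broadcast reached the server directly
    receiving_primary: str   # primary address of the interface the packet arrived on


def select_pool(msg: Discover, pools=POOLS) -> Optional[ipaddress.IPv4Network]:
    """Return the pool a server would allocate from, or None if no pool matches."""
    giaddr = ipaddress.ip_address(msg.giaddr)
    # Relayed request: the relay stamped giaddr with its own address, and the
    # server matches the pool containing it. Direct request: the server only
    # knows the receiving interface's primary address, so a pool for the
    # secondary subnet is never considered.
    key = giaddr if giaddr != NO_RELAY else ipaddress.ip_address(msg.receiving_primary)
    for pool in pools:
        if key in pool:
            return pool
    return None


def walk_through() -> dict:
    """The three cases discussed in the thread, keyed by a short label."""
    return {
        # Client on the secondary subnet broadcasts on the shared interface:
        # the 192.168.1.0/24 pool is chosen, never 10.10.90.0/24.
        "shared_interface": select_pool(Discover("0.0.0.0", "192.168.1.250")),
        # A relay agent (smart-relay) stamps giaddr with the secondary address.
        "relay_on_secondary": select_pool(Discover("10.10.90.250", "192.168.1.250")),
        # Separate interface whose primary address is 10.10.90.250 (Chris's fix).
        "own_interface": select_pool(Discover("0.0.0.0", "10.10.90.250")),
    }


if __name__ == "__main__":
    for label, pool in walk_through().items():
        print(f"{label:20s} -> {pool}")
```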
Looks like it's by design. The discussion below is for Cisco devices to overcome this issue. I'm not sure this can apply to FortiGate though.
Hi Toshi, nice to see you again. ;-) I have googled around until now. Sadly it is as I feared and as you said too. I have read your very interesting links, which acknowledge what I already thought. The Wiki also says that a router does not forward DHCP broadcasts (discover). That is also probably the cause why DHCP requests never reach the second subnet IP. It is by design. The solution would be a DHCP relay agent, but this is in my case overkill. So it was easier for me to create a new interface with the subnet and activate DHCP. Now it works. Learning never stops ;-) Thanks for help again. Sincerely, Chris
With "create a new Interface" do you mean a new VLAN interface? If so, do you need to change anything else on your (secondary) network, like tagging the traffic?
Hi Ede, no, I have not created a VLAN. I took a port from the switch and then created a new interface (type hardware switch). I know it also runs with a software switch, but I tried it with a hardware switch. In the next step I created two policy rules for each subnet (no NAT!) to allow all traffic in both subnets. Note that you don't NAT these rules.
And finally create a recursive rule in DNS Servers for the new interface. That's important because DNS requests otherwise won't be answered by the new interface.
This is in my case because I use the DNS database.
If you don't use it, I mean you must select mode "forward to system DNS".
That's all.
I have attached a picture to show what I have done.
Copyright 2024 Fortinet, Inc. All Rights Reserved.