papapuff
New Contributor II

DHCP not work

Hi there, need help please. We use FG 100D. I have set interface 1 as a DHCP server (ticked) and declared an IP range for DHCP. Here is a summary of the setup:

IP for Interface 1 = 192.168.1.1
Secondary IP address = 192.168.100.1
DHCP range: 192.168.100.2 - 192.168.100.5

Then I save. I try from a client, but the client can't get an IP automatically. Need help. Thanks.
papapuff
New Contributor II

Hello there, need help here please
neonbit
Valued Contributor

Hi papapuff, I'm not sure if what you want to do is possible. When you configure the address range of the DHCP server it needs to be in the same subnet as the interface, not the secondary IP address. When I try this out in my lab I can see the FortiGate warning me about this.
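
The subnet rule described in the reply above, as an added example that is not part of any post and is not Fortinet code. The /24 masks are an assumption (the thread gives no netmask), and `check_dhcp_pool` is a hypothetical helper name.

```python
import ipaddress

def check_dhcp_pool(primary, secondaries, start, end):
    """Return a list of findings for one interface's DHCP pool (empty = OK)."""
    prim = ipaddress.ip_interface(primary)
    secs = [ipaddress.ip_interface(s) for s in secondaries]
    lo, hi = ipaddress.ip_address(start), ipaddress.ip_address(end)
    if lo > hi:
        return ["start address is above end address"]
    findings = []
    in_primary = lo in prim.network and hi in prim.network
    if not in_primary:
        # Distinguish the thread's case (pool sits in a secondary subnet)
        # from a pool that matches no address on the interface at all.
        hit = [s for s in secs if lo in s.network and hi in s.network]
        if hit:
            findings.append(
                f"pool is in secondary subnet {hit[0].network}, "
                f"not primary {prim.network}")
        else:
            findings.append(f"pool is outside primary subnet {prim.network}")
    if lo <= prim.ip <= hi:
        findings.append(f"pool contains the interface address {prim.ip}")
    if in_primary and (lo == prim.network.network_address
                       or hi == prim.network.broadcast_address):
        findings.append("pool includes network or broadcast address")
    return findings

if __name__ == "__main__":
    # Values from the first post; /24 masks are assumed.
    print(check_dhcp_pool("192.168.1.1/24", ["192.168.100.1/24"],
                          "192.168.100.2", "192.168.100.5"))
    # Same pool size moved into the primary subnet (constructed values).
    print(check_dhcp_pool("192.168.1.1/24", ["192.168.100.1/24"],
                          "192.168.1.2", "192.168.1.5"))
```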
Dave_Hall
Honored Contributor

I agree with Neonbit -- not sure what papapuff is trying to accomplish with trying to create a dhcp pool on a different subnet to the Interface, unless he is trying to set up some sort of NAT loopback or NAT hairpinning.

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
papapuff
New Contributor II

Hi, thanks for the reply. Why don't I see any warning on my FG? It can be saved. FW version is 5.02. Thanks.
neonbit
Valued Contributor

I'm guessing that the check feature was added on the newer versions. I'm running 5.2.1 (the latest version). I'm not sure if your 5.02 means 5.2.0 or 5.0.2; if it's 5.0.2 I would recommend upgrading at least to 5.0.7 (preferably to 5.0.9) since it fixes the Heartbleed vulnerability. Or live life in the fast lane and go to 5.2.1 :)
papapuff
New Contributor II

Hi, the version is: FG100D-5.00-build252. Thank you.
papapuff
New Contributor II

I think DHCP works only on the main IP, as you told me before. :D

For security reasons, which one is better?

Option 1: I use 2 interfaces, with 1 interface for DHCP so guests/public devices can access the internet over DHCP without interrupting the internal network.

Option 2: use 1 interface, where the main IP is for DHCP (so public devices will use this IP segment) and the secondary IP is for the internal network.

Thank you.
neonbit
Valued Contributor

Since we haven't got a network diagram and the network requirement it's a little hard to confirm the best approach, but if it's possible to put the guest/public users on a different interface I would definitely recommend that. Separate them physically and logically from your internal network whenever possible. This way you would have a policy from guest > wan, and a policy from trust > wan. It will make it much easier to track usage and control policies.

Also you're currently running 5.0.5, this is vulnerable to Heartbleed. I would recommend you look into upgrading the device to 5.0.7 at a minimum (with 5.0.9 more ideal). You can upgrade the device to 5.0.7 directly, but will require it to be 5.0.7 before going to 5.0.9. The 5.0.9 release notes can be found here: http://docs.fortinet.com/d/fortios-5.0.9-release-notes
papapuff
New Contributor II

Hi, suddenly DHCP not work. Clients can get IP from DHCP. Now I set some ports into LAN (not as interface), and enable DHCP on that interface (LAN). Is the FG auto-updated? If I do the upgrade, do I need to re-setup again? VPN, policy and so on? Thanks.