ivan_s
New Contributor

Separating fixed (reserved) and dynamic DHCP addresses

Hello,

We are migrating to FortiGate and I am trying to implement the common DHCP scenario which we use. We want to have reserved IP addresses for known clients, but assign a dedicated sub-range for unknown clients. E.g. on interface 192.168.1.0/24 we have reserved addresses for known clients from the lower half, 192.168.1.2-127. But for unknown clients I need DHCP to assign addresses higher than 128, e.g. 192.168.1.129. I have implemented this using various DHCP servers without problems in the past (even cheap routers).

I tried to set this up the way I used to on other devices, with a restricted DHCP range and reservations outside this range. But the GUI complains that the reserved address is out of the DHCP range. I have been searching the forum and it seems that FortiGate isn't able to fulfil this requirement. But I would like to confirm this before I start thinking about workarounds.

The main reason for this scenario is to preserve the simplicity of DHCP, but give unknown clients slightly more strict policies.

Thanks for any help.

FortiGate 200E fw: v5.6.3 build1547 (GA)  
2 Solutions
rwpatterson
Valued Contributor III

What I believe he is asking is if a DHCP range can be set up where there is an exclusion within where a certain range will not be assigned even if free, as in M$ Windows and 'cheap routers'.

 

For example, DHCP lease range is 192.168.255.1-192.168.255.253.

192.168.255.1-192.168.255.150 is for open lease assignments

192.168.255.151-192.168.255.253 is held back for reserved current and future

 

I am not aware of this feature unless you "pre-stack" the reserved range with bogus MAC addresses so that the server will not give them out.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

ede_pfau
Esteemed Contributor III

I think your work flow needs adjustment. The FGT is well able to fulfill your requirements.

 

You create a (large) range of addresses for DHCP assignment. Any client will get one of these if requesting.

Then, you exclude a (smaller) range for 'known hosts'. Now any client (known or unknown) will get only one of the remaining addresses, none of the excluded ones.

Now if you want to integrate a 'known' host you need to

1- reduce the exclude range by 1 address

2- combine this address with the MAC of the known host (that is, reserve it)

 

You can do this one host after the other (as hosts become 'known') or bulk via script for a whole bunch of known hosts.

Main thing is, both the exclude range and the range of reserved addresses need to lie completely within the DHCP address range, and you need to remove an address from the exclusion before you can reserve it.


Ede

"Kernel panic: Aiee, killing interrupt handler!"

8 Replies
Toshi_Esumi
Esteemed Contributor III

FortiGate DHCP can segregate some devices from others and assign an IP from a sub-range of the entire range by exact match of the MAC address. If you know the MAC address of those devices you can define one IP for each within the reserved-address config. It doesn't seem to take any wildcard to match only the OUI part and allocate an IP from a pool. Likely you have to separate them by VLAN and configure an access port on the switch port terminating each device's cable if they're wired.

 

ericli_FTNT
Staff

Hi ivan_s:

 

Here is a config sample of reserved IPs. For client1 (aa:bb:cc:dd:ee:11) a fixed IP will be assigned, and the same for client2.

config system dhcp server
    edit 1
        set dns-service default
        set default-gateway 10.1.100.81
        set netmask 255.255.255.0
        set interface "port1"
        config ip-range
            edit 1
                set start-ip 10.1.100.1
                set end-ip 10.1.100.80
            next
            edit 2
                set start-ip 10.1.100.82
                set end-ip 10.1.100.254
            next
        end
        set timezone-option default
        config reserved-address
            edit 1
                set ip 10.1.100.171
                set mac aa:bb:cc:dd:ee:11
                set description "client1"
            next
            edit 2
                set ip 10.1.100.172
                set mac aa:bb:cc:dd:ee:12
                set description "client2"
            next
        end
    next
end

 

Toshi_Esumi
Esteemed Contributor III

If that's the case "exclude-range" should work like below:

config system dhcp server
    edit n
        set default-gateway 10.100.0.1
        set netmask 255.255.255.0
        set interface "xxx-interface"
        config ip-range
            edit 1
                set start-ip 10.100.0.2
                set end-ip 10.100.0.254
            next
        end
        config exclude-range
            edit 1
                set start-ip 10.100.0.100
                set end-ip 10.100.0.199
            next
        end
end

rwpatterson
Valued Contributor III

Thank you. I learned a bit.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

ivan_s

Hello, thanks everyone for the help. rwpatterson has understood my requirement well. Unfortunately, the solution with exclusions proposed by Toshi Esumi does not work:

# show system dhcp server
...
    edit 5
        set dns-service default
        set ntp-service default
        set default-gateway 10.5.1.65
        set netmask 255.255.255.224
        set interface "LOC2_WRK3"
        config ip-range
            edit 1
                set start-ip 10.5.1.66
                set end-ip 10.5.1.94
            next
        end
        set timezone-option default
        config exclude-range
            edit 1
                set start-ip 10.5.1.66
                set end-ip 10.5.1.91
            next
        end
    next
...

# config system dhcp server
(server) # edit 5
(5) # config reserved-address
(reserved-address) # edit 0
new entry '0' added
(0) # set ip 10.5.1.66
IP address is excluded
node_check_object fail! for ip 10.5.1.66
value parse error before '10.5.1.66'
Command fail. Return code -8

Pre-stacking the reserved range with bogus MAC addresses as proposed by rwpatterson would work. I will consider this option. The reason for all this is to simplify things while preserving reliability and security, but pre-stacking is not really in line with these requirements.

ivan_s

Thank you for your reply. The problem with this approach is that the dynamic and fixed ranges change with each connected workstation. That would require the administrator to change the firewall policies, because these two groups of workstations have different access restrictions. In the end it would be much easier to completely disable dynamic DHCP. It should be possible to achieve this with "set mac-acl-default-action block", if I understand the hints correctly.
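The two points of the thread worth seeing side by side are ede_pfau's workflow (shrink the exclude-range by one address, then reserve that address for the known MAC) and the rejection ivan_s ran into when he tried to reserve an address that was still inside the exclusion. The script below is an added example, not Fortinet code and not from any poster: it models the two checks the CLI applied (the reserved IP must lie inside an ip-range and outside every exclude-range), performs the carve-out in the right order, and emits the matching "config system dhcp server" block so a batch of known hosts can be scripted, as ede_pfau suggests. The interface, subnet and ranges are ivan_s's LOC2_WRK3 values; the two MAC addresses and the helper names are constructed for the example, and the optional "set mac-acl-default-action block" line is emitted on the assumption, taken from ivan_s's last post, that the running firmware accepts that setting.

```python
"""Added example: model of the FortiGate DHCP reservation constraints seen in the
thread and a generator for the exclude-range carve-out workflow. Not Fortinet code."""
import ipaddress
from dataclasses import dataclass, field


def _addr(ip):
    return ipaddress.ip_address(ip)


def _in_ranges(ip, ranges):
    """True if ip lies inside any (start, end) pair; both ends inclusive."""
    a = _addr(ip)
    return any(_addr(s) <= a <= _addr(e) for s, e in ranges)


@dataclass
class DhcpServer:
    interface: str
    default_gateway: str
    netmask: str
    ip_ranges: list                                 # [(start, end), ...]
    exclude_ranges: list = field(default_factory=list)
    reserved: dict = field(default_factory=dict)    # ip -> (mac, description)
    # "block" = only MACs with a reservation get a lease (assumed supported, per ivan_s)
    mac_acl_default_action: str = "assign"


def reserve(server, ip, mac, description=""):
    """The two checks the CLI applied in the thread: inside an ip-range,
    and not inside an exclude-range. Raises with the CLI's wording."""
    if not _in_ranges(ip, server.ip_ranges):
        raise ValueError(f"{ip}: IP address is out of DHCP range")
    if _in_ranges(ip, server.exclude_ranges):
        raise ValueError(f"{ip}: IP address is excluded")
    server.reserved[ip] = (mac.lower(), description)


def carve_out(ranges, ip):
    """Remove one address from a list of inclusive ranges, splitting a range
    in two when the address falls in its middle (ede_pfau's step 1)."""
    a = _addr(ip)
    out = []
    for s, e in ranges:
        sa, ea = _addr(s), _addr(e)
        if not sa <= a <= ea:
            out.append((s, e))
            continue
        if sa < a:
            out.append((s, str(a - 1)))
        if a < ea:
            out.append((str(a + 1), e))
    return out


def add_known_host(server, ip, mac, description=""):
    """ede_pfau's two steps in the required order: un-exclude, then reserve."""
    server.exclude_ranges = carve_out(server.exclude_ranges, ip)
    reserve(server, ip, mac, description)


def render_cli(server, server_id=1):
    """Emit the 'config system dhcp server' block for this model."""
    o = ["config system dhcp server", f"    edit {server_id}",
         f'        set interface "{server.interface}"',
         f"        set default-gateway {server.default_gateway}",
         f"        set netmask {server.netmask}"]
    if server.mac_acl_default_action != "assign":
        o.append(f"        set mac-acl-default-action {server.mac_acl_default_action}")
    for name, ranges in (("ip-range", server.ip_ranges), ("exclude-range", server.exclude_ranges)):
        if not ranges:
            continue
        o.append(f"        config {name}")
        for i, (s, e) in enumerate(ranges, 1):
            o += [f"            edit {i}", f"                set start-ip {s}",
                  f"                set end-ip {e}", "            next"]
        o.append("        end")
    if server.reserved:
        o.append("        config reserved-address")
        ordered = sorted(server.reserved.items(), key=lambda kv: _addr(kv[0]))
        for i, (ip, (mac, desc)) in enumerate(ordered, 1):
            o += [f"            edit {i}", f"                set ip {ip}",
                  f"                set mac {mac}",
                  f'                set description "{desc}"', "            next"]
        o.append("        end")
    o += ["    next", "end"]
    return "\n".join(o)


def build_example():
    """ivan_s's LOC2_WRK3 subnet with two constructed known hosts."""
    srv = DhcpServer("LOC2_WRK3", "10.5.1.65", "255.255.255.224",
                     ip_ranges=[("10.5.1.66", "10.5.1.94")],
                     exclude_ranges=[("10.5.1.66", "10.5.1.91")])
    try:                                  # direct reservation fails as in the thread
        reserve(srv, "10.5.1.66", "aa:bb:cc:dd:ee:11")
    except ValueError as err:
        assert "excluded" in str(err)
    add_known_host(srv, "10.5.1.66", "aa:bb:cc:dd:ee:11", "client1")  # constructed MAC
    add_known_host(srv, "10.5.1.70", "aa:bb:cc:dd:ee:12", "client2")  # constructed MAC
    return srv


if __name__ == "__main__":
    print(render_cli(build_example(), server_id=5))
```

Running it prints a block with the exclusion split into 10.5.1.67-69 and 10.5.1.71-91 and the two reservations, which is the shape ede_pfau describes; setting mac_acl_default_action="block" on the model adds the line ivan_s mentions so that unknown MACs get no lease at all.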
