DHCP Option 43 on FortiGate for 3rd Party Vendor Details?

Author
tanr
Platinum Member
  • Total Posts : 804
  • Scores: 36
  • Reward points: 0
  • Joined: 2016/05/09 17:09:43
  • Status: offline
2018/10/01 11:55:05 (permalink) 5.6
0

DHCP Option 43 on FortiGate for 3rd Party Vendor Details?

Anybody successfully set up Additional DHCP Option 43 (config sys dhcp server > config options) to map a url to IP for a third party vendor?
 
I'm trying to make setting up some Ubiquiti (UniFi) devices behind a FortiGate somewhat simpler, by providing info in DHCP Option 43 to point the UniFi devices to the UniFi controller (which is not on the same subnet).
 
Per the UniFi docs, I could do this by having DHCP Option 43 look like the following Linux example pulled from their docs:
 
# ... (ISC dhcpd.conf excerpt)
option space ubnt;
option ubnt.unifi-address code 1 = ip-address;
class "ubnt" {
    # match clients whose vendor class identifier starts with "ubnt"
    match if substring (option vendor-class-identifier, 0, 4) = "ubnt";
    option vendor-class-identifier "ubnt";
    vendor-option-space ubnt;
}
subnet 10.10.10.0 netmask 255.255.255.0 {
    range 10.10.10.100 10.10.10.160;
    option ubnt.unifi-address 201.10.7.31; ### UniFi Controller IP ###
    option routers 10.10.10.2;
    option broadcast-address 10.10.10.255;
    option domain-name-servers 168.95.1.1, 8.8.8.8;
}
 
From what I've been able to see of the DHCP Option the FortiGate exposes, I probably can't do this without a separate DNS server.  Thought I'd check, though, since otherwise I'll have to SSH to each device and point it manually.
 
Another option is to map the hostname "unifi" through DNS, but I don't believe I can do that with the FortiGate either, as it requires a domain to be specified and the UniFi gear needs it without a domain.
#1
Dave Hall
Expert Member
  • Total Posts : 1724
  • Scores: 178
  • Reward points: 0
  • Joined: 2012/05/11 07:55:58
  • Location: Canada
  • Status: offline
Re: DHCP Option 43 on FortiGate for 3rd Party Vendor Details? 2018/10/01 14:35:17 (permalink)
0
See KB#FD40183, which is a similar option 43 setup for FortiWLC AP devices, but I am assuming should work similarly. 

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
#2
tanr
Platinum Member
  • Total Posts : 804
  • Scores: 36
  • Reward points: 0
  • Joined: 2016/05/09 17:09:43
  • Status: offline
Re: DHCP Option 43 on FortiGate for 3rd Party Vendor Details? 2018/10/01 15:51:51 (permalink)
0
Thanks Dave.  Looks like UniFi devices want sub-option 1, so specifying a hex value of:
 
01040A0B0C0D where 01 specifies the sub-option, 04 specifies number of bytes for the data, and 0A0B0C0D is the IP in hex might do it.  Hope to test it Wednesday.
 
There's still the catch that the FortiGate can't reply with this Option 43 data based on vendor ID, so it will be sending this out to anything asking for DHCP on this interface.  Luckily it's separate from the hosts, so should be fine.
 
Will let people know if it works.
#3
tanr
Platinum Member
  • Total Posts : 804
  • Scores: 36
  • Reward points: 0
  • Joined: 2016/05/09 17:09:43
  • Status: offline
Re: DHCP Option 43 on FortiGate for 3rd Party Vendor Details? 2018/10/01 18:37:18 (permalink)
0
And... this is actually trickier, if http://blog.schertz.name/2012/05/understanding-dhcp-option-43/ is correct, since the KB article uses a non-standard way to specify IPs.
 
Hex value as transmitted should be something like 2B0601040A0B0C0D (2B specifies option 43, 06 is total number of bytes in the following data) but that depends on if the FortiGate adds more of its own values to this which would change the length.  Time for packet traces and wireshark.  Tomorrow.
 
#4
xBytez
New Member
  • Total Posts : 2
  • Scores: 0
  • Reward points: 0
  • Joined: 2018/10/03 05:55:12
  • Status: offline
Re: DHCP Option 43 on FortiGate for 3rd Party Vendor Details? 2018/10/03 05:59:09 (permalink) ☄ Helpful by tanr 2018/10/03 07:33:23
3 (1)
Hiya,
 
I ran into the same issue as you and I just got this working using the following settings with a UniFi AP AC Pro:

 
The hex value is built this way:
01: suboption
04: length of the payload (4 bytes)
c0a80001: 192.168.0.1 in hex


You can convert your IP-address to hex with this tool: http://www.ipaddresslocation.org/convertip.php
 
I found this on the UBNT forums: https://community.ubnt.com/t5/UniFi-Wireless/Mikrotik-DHCP-option-43-How-to/m-p/259954#M13526
 
Hope this was any help. :)
post edited by xBytez - 2018/10/03 08:05:33
#5
tanr
Platinum Member
  • Total Posts : 804
  • Scores: 36
  • Reward points: 0
  • Joined: 2016/05/09 17:09:43
  • Status: offline
Re: DHCP Option 43 on FortiGate for 3rd Party Vendor Details? 2018/10/03 07:35:12 (permalink)
0
Thanks @xBytez!  That matches what I'm planning to test today.  Odd thing is that it's totally different than Fortinet's KB on using Option 43, which shows setting the hex value from the CLI to include 2B (43 decimal) as the first byte.
#6
Toshi Esumi
Expert Member
  • Total Posts : 2741
  • Scores: 273
  • Reward points: 0
  • Joined: 2014/11/06 09:56:42
  • Status: offline
Re: DHCP Option 43 on FortiGate for 3rd Party Vendor Details? 2018/10/03 08:33:20 (permalink)
0
That's true. With older versions, we couldn't configure IP or ASCII, and the only option for those was HEX. In those cases, we never needed to configure the option code itself in the hex value, like option 66, 150, etc.
#7
tanr
Platinum Member
  • Total Posts : 804
  • Scores: 36
  • Reward points: 0
  • Joined: 2016/05/09 17:09:43
  • Status: offline
Re: DHCP Option 43 on FortiGate for 3rd Party Vendor Details? 2018/10/04 07:47:03 (permalink)
0
Was able to test this, and it does work setting the hex value to 0104IPIPIPIP as @xBytez specified.  The UniFi devices pick up the IP and properly connect to the UniFi controller in the other subnet.
 
Still wish that the FortiGate supported setting the vendor for Option 43, as this is supposed to be a value just for a specific vendor.
#8
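The sub-option encoding worked out across posts #3, #4, #5 and #8, as an added example (not code from the thread, Fortinet or Ubiquiti): it builds the bare 0104IPIPIPIP string that goes into the FortiGate CLI, shows the 2B/length-prefixed form a packet capture would display, and decodes either form back into sub-options so a captured value can be checked. The 0x2B-header detection is a heuristic of this example, not a FortiGate behaviour.

```python
"""Encode/decode the DHCP Option 43 value UniFi devices read (sub-option 1)."""
import ipaddress

UNIFI_CONTROLLER_SUBOPTION = 1  # sub-option code carrying the controller IPv4


def unifi_option43_hex(controller_ip: str) -> str:
    """Hex to paste into the FortiGate option entry: code 01, length 04, IP.

    '192.168.0.1' -> '0104c0a80001' (no leading 2B/length; the DHCP server adds it).
    """
    addr = ipaddress.IPv4Address(controller_ip)  # raises ValueError on bad input
    return (bytes([UNIFI_CONTROLLER_SUBOPTION, 4]) + addr.packed).hex()


def option43_on_wire(suboptions_hex: str) -> str:
    """Prepend option code 0x2B and total length, as a capture would show it."""
    body = bytes.fromhex(suboptions_hex)
    if len(body) > 255:
        raise ValueError("option 43 payload exceeds a one-byte length field")
    return (bytes([0x2B, len(body)]) + body).hex()


def decode_option43(value_hex: str) -> dict:
    """Parse code/length/value sub-options (RFC 2132 s.8.4) from an option 43 value.

    Accepts the bare CLI form or the on-wire form; the latter is detected (heuristic)
    when the first byte is 0x2B and the second byte matches the remaining length.
    Returns {code: data}; sub-option 1 with 4 bytes is rendered as dotted IPv4.
    """
    data = bytes.fromhex(value_hex)
    if len(data) >= 2 and data[0] == 0x2B and data[1] == len(data) - 2:
        data = data[2:]  # strip option code + length header
    out, i = {}, 0
    while i < len(data):
        if data[i] == 0x00:  # pad
            i += 1
            continue
        if data[i] == 0xFF:  # end of encapsulated sub-options
            break
        if i + 1 >= len(data):
            raise ValueError("truncated sub-option header")
        code, length = data[i], data[i + 1]
        chunk = data[i + 2:i + 2 + length]
        if len(chunk) != length:
            raise ValueError(f"sub-option {code} claims {length} bytes, got {len(chunk)}")
        out[code] = str(ipaddress.IPv4Address(chunk)) if code == 1 and length == 4 else chunk
        i += 2 + length
    return out
```

Because the FortiGate hands this option to every client on the interface rather than only to the "ubnt" vendor class, decoding the value from a capture on a non-UniFi host is a quick way to confirm what is actually being sent.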
ddskier
Gold Member
  • Total Posts : 402
  • Scores: 16
  • Reward points: 0
  • Joined: 2007/04/10 08:18:06
  • Location: Chicago, IL
  • Status: offline
Re: DHCP Option 43 on FortiGate for 3rd Party Vendor Details? 2018/10/04 09:15:31 (permalink)
0
Alternatively you could also set a "DNS" record of "Unifi" to point to your controller server.    

-DDSkier

FCNSA, FCNSP
FortiGate 400D, (2) 200D, (12) 100D, (2) 60D
#9
tanr
Platinum Member
  • Total Posts : 804
  • Scores: 36
  • Reward points: 0
  • Joined: 2016/05/09 17:09:43
  • Status: offline
Re: DHCP Option 43 on FortiGate for 3rd Party Vendor Details? 2018/10/04 11:02:16 (permalink)
0
Since this is a small installation the FortiGate is the DNS server.  As far as I know it only allows me to set names with a specific domain, and it requires a domain name.  So I get unifi.mycompany.local or similar, and the nslookup won't resolve just unifi by itself.  If you're aware of a way to map a local name without the domain let me know.
#10
© 2021 APG vNext Commercial Version 5.5