kulas
New Contributor

FortiGate DHCP

Hi Everyone! Good day! I was trying to work with this scenario; could anyone help me with whether this is possible? See attached test.jpg. I have a FortiGate, a core switch, a distribution switch and a client PC. The goal is that the FortiGate must act as the DHCP server for all the VLANs (10, 20, 30). I've already tried to create VLANs on the FortiGate (the same VLANs as on the core switch) and enabled DHCP. I already tried to allow all VLANs from the core switch (trunk) going to the firewall. The result: the test client in VLAN 30 can obtain an IP from the firewall, but cannot access the internet even though a firewall policy was already configured on the firewall (virtual interface (vlan30) to WAN). Best Regards, Kulas

1 Solution
Toshi_Esumi
Esteemed Contributor III

My personal preference is to make the core switch an L2 switch for those three VLANs, which eliminates one hop and DHCP relays to maintain. I don't see any benefit in "routing" through the switch instead of "switching", while the FGT still takes care of most of the necessary work. For management, the core switch still has vlan1 to get in.


8 REPLIES
Toshi_Esumi
Esteemed Contributor III

The problem seems to be that the GWs for all clients in the three VLANs are on the L3 core switch, while the FGT has a direct L2 connection to all clients (that's how they get DHCP IPs). This means outgoing packets come in on the vlan1 interface at the FGT, while returning/incoming packets go out to each vlan10, 20, 30 interface from the FGT: asymmetric route -> drop. You need to move the GWs to the FGT on each VLAN interface.

kulas

Thank you toshiesumi. If I do so, would IP routing on the core switch still work? Or do I need to add inter-VLAN policies on the FortiGate?

ShawnZA
Contributor II

If you move the SVIs to the Fortigate then the core will not be doing any routing anymore.

AdiMizil
New Contributor III

Hi Kulas,

This configuration should work. I'm using a similar config, but not with a Cisco switch, but with a Pfsense router.

Caveats: Fortigate doesn't support multiple DHCP scopes on 1 interface from the GUI. You enable the first DHCP scope on the Fortigate PHYSICAL interface, e.g. 192.168.1.1, then the rest of the DHCP scopes are configured from the CLI.

The Cisco switch must have DHCP Helper enabled on each SVI pointing to your Fortigate interface, e.g. 192.168.1.254.

    Switch(config)# interface vlan 10
    Switch(config-if)# ip address 192.168.10.1 255.255.255.0
    Switch(config-if)# ip helper-address 192.168.1.254
    Switch(config-if)# exit

Yes, you need to add static routing to the Fortigate so it will know how to reach the VLANs - via 192.168.1.1.

I really like this setup as I have to configure only one DHCP server and I have 2 locations with a single internet breakout.

Please paste your Fortigate interface config here or see my example:

CLI on the Fortigate, and type:

    config system dhcp server
    show

Then you will see the list of DHCP servers configured; see which number is the one on the trunk interface.

e.g. - if it's on port 2 - you will have something like

    (server) # show
    config system dhcp server
        edit 1
            set dns-service default
            set default-gateway 192.168.1.254
            set netmask 255.255.255.0
            set interface "port2"
            config ip-range
                edit 1
                    set start-ip 192.168.1.2
                    set end-ip 192.168.1.250
                next
            end
            set timezone-option default
        next
        edit 2
            set dns-service default
            set default-gateway 10.0.10.1
            set netmask 255.255.255.0
            set interface "port2"
            config ip-range
                edit 1
                    set start-ip 10.0.10.10
                    set end-ip 10.0.10.100
                next
            end
        next
    end

Regards,

Adi


AdiMizil
New Contributor III

Hi Kulas,

Let's assume you connect the HP L3 switch port1 to the Fortigate on port1.

On the Fortigate port1 interface - you configure it as LAN, enable DHCP from the GUI and configure the scope as you need: 192.168.1.0/24, Fortigate 192.168.1.254 and DNS.

On L3 switch port1 - this one will be an ACCESS port, NO VLANs on this interconnect port.

Search in the HP admin manual for how to enable DHCP relay on each VLAN interface - this should point to the Fortigate port1 IP address.

Don't forget to add static routes on the Fortigate to learn the path to the VLANs via the HP L3 switch IP address: 192.168.1.1 on the port1 interface.

Fortinet KB: https://kb.fortinet.com/kb/documentLink.do?externalID=FD33842

Adi

AdiMizil
New Contributor III

@Toshi

I also prefer the small network design as you have mentioned - all the VLANs connected on the Fortigate - but in larger networks you can have bottlenecks when you send user traffic, wifi traffic, server traffic, iSCSI traffic etc. over a single 1Gb link.

I came up with this solution as I had to connect a remote site using a LoS radio link and that remote location also had a couple of subnets - corporate LAN, guest wifi, DMZ - and I wanted easier DHCP and DNS management from one console - a Fortigate 80E.

Kind regards, Adi

kulas
New Contributor

Hi Adi,

I am currently using an HP Procurve as the L3 switch. Just to clarify, I still need to configure VLANs on the FortiGate and I will just configure 2 separate DHCP pools from the CLI with the commands you've provided. Is that right? I will try your configuration in my lab environment and will give you feedback afterwards.

Regards,

Kulas
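The two designs discussed in this thread, written out as FortiGate CLI. This is an added example, not configuration posted by any of the participants. Interface names (port1, port2, wan1), the VLAN sub-interface name, the DHCP entry numbers and all addresses are assumptions; only VLAN 10 is shown, and VLANs 20 and 30 repeat the same pattern with their own subnet. Lines starting with # are comments for the reader.

```text
# ---- Design A (Toshi_Esumi's suggestion): core switch is L2 only ----
# port2 is the trunk to the core switch; one VLAN sub-interface per VLAN,
# and the FortiGate owns the gateway address of each VLAN.
config system interface
    edit "vlan10"
        set vdom "root"
        set interface "port2"
        set vlanid 10
        set ip 192.168.10.254 255.255.255.0
        set allowaccess ping
    next
end

# DHCP scope bound to the VLAN sub-interface; default gateway is the FortiGate.
config system dhcp server
    edit 10
        set interface "vlan10"
        set default-gateway 192.168.10.254
        set netmask 255.255.255.0
        set dns-service default
        config ip-range
            edit 1
                set start-ip 192.168.10.10
                set end-ip 192.168.10.200
            next
        end
    next
end

# Outgoing and returning traffic use the same vlan10 interface, so a plain
# vlan10 -> wan1 policy with NAT is enough and there is no asymmetric path.
config firewall policy
    edit 0
        set name "vlan10-to-internet"
        set srcintf "vlan10"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end

# ---- Design B (AdiMizil's suggestion): core switch stays L3 ----
# The switch keeps the SVIs and relays DHCP (ip helper-address) to the
# FortiGate, which is 192.168.1.254 on port1; the switch is 192.168.1.1.
# A second scope on the SAME physical interface is handed out to relayed
# requests for 192.168.10.0/24; its gateway is the switch SVI, not the FortiGate.
config system dhcp server
    edit 20
        set interface "port1"
        set default-gateway 192.168.10.1
        set netmask 255.255.255.0
        set dns-service default
        config ip-range
            edit 1
                set start-ip 192.168.10.10
                set end-ip 192.168.10.200
            next
        end
    next
end

# Return traffic needs a route back to each VLAN through the switch.
config router static
    edit 0
        set dst 192.168.10.0 255.255.255.0
        set gateway 192.168.1.1
        set device "port1"
    next
end

# In design B every VLAN reaches the FortiGate on port1, so the Internet
# policy is port1 -> wan1 (srcaddr can be narrowed to the VLAN subnets), and
# inter-VLAN traffic is routed by the switch without passing a FortiGate policy.
```

In design A each VLAN has its own interface, so inter-VLAN traffic crosses the FortiGate and can be filtered per policy; in design B that traffic stays on the switch, which is what the replies above mean by the core "not doing any routing anymore" once the SVIs move to the FortiGate.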
