Author
kulas
2020/01/15 21:56:06 (permalink)

FortiGate DHCP

Hi Everyone!

Good day!
I was trying to work with this scenario; could anyone help me find out if this is possible? See attached test.jpg. I have a FortiGate, a core switch, a distribution switch and a client PC. The goal is that the FortiGate must act as the DHCP server for all the VLANs (10, 20, 30). I've already tried to create VLANs on the FortiGate (the same VLANs as on the core switch) and enabled DHCP. I also tried to allow all VLANs from the core switch (trunk) going to the firewall. The result: the test client in VLAN 30 can obtain an IP from the firewall, but cannot access the internet even though a firewall policy was already configured on the firewall (virtual interface (vlan30) to WAN).

Best Regards,
Kulas

Attached Image(s)

#1

    Toshi Esumi
    Re: FortiGate DHCP 2020/01/15 22:38:54 (permalink)
    The problem seems to be that the GW for all clients in the three VLANs is on the L3 core switch, while the FGT has a direct L2 connection to all clients (that's how they get DHCP IPs). This means outgoing packets come in on the vlan1 interface at the FGT, while returning/incoming packets go out each of the vlan10, 20, 30 interfaces from the FGT: asymmetric route -> drop. You need to move the GWs to the FGT, on each VLAN interface.
    #2
    kulas
    Re: FortiGate DHCP 2020/01/15 23:05:13 (permalink)
    Thank you toshiesumi. If I do so, would IP routing on the core switch still work? Or do I need to add inter-VLAN policies on the FortiGate?
    #3
    ShawnZA
    Re: FortiGate DHCP 2020/01/16 00:05:38 (permalink)
    If you move the SVIs to the Fortigate then the core will not be doing any routing anymore.
    #4
    AdiMizil
    Re: FortiGate DHCP 2020/01/16 01:38:59 (permalink)
    Hi Kulas,
     
    This configuration should work. I'm using a similar config, not with a Cisco switch but with a pfSense router.
     
    Caveats: Fortigate doesn't support multiple DHCP scopes on one interface from the GUI. You enable the first DHCP scope on the Fortigate PHYSICAL interface, e.g. 192.168.1.1, then the rest of the DHCP scopes are configured from the CLI.
     
    The Cisco switch must have a DHCP helper enabled on each SVI, pointing to your Fortigate interface, e.g. 192.168.1.254.
     
    Switch(config)# interface vlan 10
    Switch(config-if)# ip address 192.168.10.1 255.255.255.0
    Switch(config-if)# ip helper-address 192.168.1.254
    Switch(config-if)# exit
     
    Yes, you need to add static routes on the Fortigate so it will know how to reach the VLANs - via 192.168.1.1.
     
    I really like this setup as I have to configure only one DHCP server and I have 2 locations with a single internet breakout.
     
    Please paste your Fortigate interface config here or see my example:
     
    Open the CLI on the Fortigate and type:
     
    config system dhcp server
    show
     
    Then you will see the list of DHCP servers configured; see which number the one on the trunk interface has.
     
    e.g. - if it's on port2 - you will have something like
     
    (server) # show
    config system dhcp server
        edit 1
            set dns-service default
            set default-gateway 192.168.1.254
            set netmask 255.255.255.0
            set interface "port2"
            config ip-range
                edit 1
                    set start-ip 192.168.1.2
                    set end-ip 192.168.1.250
                next
            end
            set timezone-option default
        next
        edit 2
            set dns-service default
            set default-gateway 10.0.10.1
            set netmask 255.255.255.0
            set interface "port2"
            config ip-range
                edit 1
                    set start-ip 10.0.10.10
                    set end-ip 10.0.10.100
                next
            end
        next
    end
     
    Regards,
    Adi
     
    #5
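As an added example (not code from the post, from the thread, or from Fortinet), the following Python script parses a `config system dhcp server` dump like the one above and checks the two things the relay design depends on: that each scope's default gateway, netmask and ip-range agree on one subnet, and that every scope which is not on the serving interface's own subnet (a scope reached through the L3 switch's DHCP relay) has a static route back to it whose next hop sits on that interface. The interface address table and static route table are assumed values constructed for the example, not from the thread.

```python
"""Audit a FortiOS `config system dhcp server` dump for the DHCP-relay design.

Checks, per scope:
  * default-gateway, netmask and ip-range agree on one subnet;
  * a scope that is not on the serving interface's own subnet (i.e. it is
    reached through the L3 switch's DHCP relay) has a static route back to it
    with a next hop on that interface, otherwise replies cannot return.
"""
import ipaddress

# Constructed sample: the two scopes shown in the post.
DHCP_CONFIG = """\
config system dhcp server
    edit 1
        set dns-service default
        set default-gateway 192.168.1.254
        set netmask 255.255.255.0
        set interface "port2"
        config ip-range
            edit 1
                set start-ip 192.168.1.2
                set end-ip 192.168.1.250
            next
        end
        set timezone-option default
    next
    edit 2
        set dns-service default
        set default-gateway 10.0.10.1
        set netmask 255.255.255.0
        set interface "port2"
        config ip-range
            edit 1
                set start-ip 10.0.10.10
                set end-ip 10.0.10.100
            next
        end
    next
end
"""

# Assumed (hypothetical) FortiGate addressing and static routes for the audit.
INTERFACE_ADDRS = {"port2": "192.168.1.254/24"}
STATIC_ROUTES = {"10.0.10.0/24": "192.168.1.1"}  # VLAN 10 via the core switch SVI


def parse_dhcp_servers(text):
    """Parse `show` output into a list of scope dicts, each with nested ip-ranges."""
    servers, current, in_range = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config ip-range"):
            in_range = True
        elif line == "end":
            in_range = False  # closes an ip-range block (or the whole dump)
        elif line.startswith("edit "):
            if in_range:
                current["ranges"].append({})
            else:
                current = {"id": int(line.split()[1]), "ranges": []}
                servers.append(current)
        elif line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            target = current["ranges"][-1] if in_range else current
            target[key] = value.strip().strip('"')
    return servers


def audit(servers, interface_addrs, static_routes):
    """Return (scope-id, message) findings; an empty list means the config is consistent."""
    findings = []
    for s in servers:
        gw = ipaddress.ip_address(s["default-gateway"])
        net = ipaddress.ip_network(f"{gw}/{s['netmask']}", strict=False)
        for r in s["ranges"]:
            start = ipaddress.ip_address(r["start-ip"])
            end = ipaddress.ip_address(r["end-ip"])
            if start > end:
                findings.append((s["id"], f"ip-range {start}-{end} is reversed"))
            for label, ip in (("start-ip", start), ("end-ip", end)):
                if ip not in net:
                    findings.append((s["id"], f"{label} {ip} is outside {net}"))
        iface_net = ipaddress.ip_interface(interface_addrs[s["interface"]]).network
        if net == iface_net:
            continue  # directly connected scope: served without relay, no route needed
        next_hop = static_routes.get(str(net))
        if next_hop is None:
            findings.append((s["id"], f"no static route for relayed subnet {net}"))
        elif ipaddress.ip_address(next_hop) not in iface_net:
            findings.append((s["id"], f"next hop {next_hop} for {net} is not on {s['interface']}"))
    return findings


if __name__ == "__main__":
    scopes = parse_dhcp_servers(DHCP_CONFIG)
    for scope_id, msg in audit(scopes, INTERFACE_ADDRS, STATIC_ROUTES) or [(None, "no findings")]:
        print(scope_id, msg)
```

Run it against a real `show` dump by replacing `DHCP_CONFIG` and filling `INTERFACE_ADDRS` and `STATIC_ROUTES` from `config system interface` and `config router static`; a finding on a relayed scope is exactly the "client gets a lease but nothing returns" symptom described at the top of the thread.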
    Toshi Esumi
    Re: FortiGate DHCP 2020/01/16 08:34:04 (permalink)
    My personal preference is to make the core switch an L2 switch for those three VLANs, which eliminates one hop and the DHCP relays to maintain. I don't see any benefit in "routing" through the switch instead of "switching", while the FGT still takes care of most of the necessary work. For management, the core switch still has vlan1 to get in.
    #6
    kulas
    Re: FortiGate DHCP 2020/01/16 17:56:51 (permalink)
    Hi Adi,
     
    I am currently using an HP ProCurve as the L3 switch. Just to clarify, I still need to configure VLANs on the FortiGate, and I will just configure 2 separate DHCP pools from the CLI with the commands you've provided. Is that right? I will try your configuration in my lab environment and will give you feedback afterwards.
     
    Regards,
    Kulas
    #7
    AdiMizil
    Re: FortiGate DHCP 2020/01/17 01:51:51 (permalink)
    Hi Kulas,
     
    Let's assume you connect port1 of the HP L3 switch to port1 on the Fortigate.
     
    On the Fortigate port1 interface - configure it as LAN, enable DHCP from the GUI and configure the scope as you need: 192.168.1.0/24, Fortigate 192.168.1.254, and DNS.
     
    On L3 switch port1 - this one will be an ACCESS port, NO VLANs on this interconnect port.
     
    Search the HP admin manual for how to enable DHCP relay on each VLAN interface - this should point to the Fortigate port1 IP address.
     
    Don't forget to add static routes on the Fortigate so it learns the path to the VLANs via the HP L3 switch IP address: 192.168.1.1 on the port1 interface.
     
    Fortinet KB: https://kb.fortinet.com/kb/documentLink.do?externalID=FD33842
     
    Adi
    #8
    AdiMizil
    Re: FortiGate DHCP 2020/01/17 01:57:28 (permalink)
    @ Toshi
     
    I also prefer to design small networks as you have mentioned - all the VLANs connected on the Fortigate - but in larger networks you can have bottlenecks when you send user traffic, wifi traffic, server traffic, iSCSI traffic etc. over a single 1Gb link.
     
    I came up with this solution as I had to connect a remote site using a LoS radio link, and that remote location also had a couple of subnets - corporate LAN, guest wifi, DMZ - and I wanted easier DHCP and DNS management from one console - a Fortigate 80E.
     
    Kind regards,
    Adi
    post edited by AdiMizil - 2020/01/17 01:59:05
    #9