Support Forum
New Contributor

DHCP Discover on VLAN100

Hello everyone - Happy New Year!!! I'm new to Fortinet/Fortigate and I might be doing something wrong, so I'm calling for your help and advice.

I'm trying to replace my Internet FAI BBox with my Fortigate 60F. The Fortigate will be plugged by Ethernet directly into the FAI Fiber GPON. This is feasible with some network and DHCP tweaks and used to work with an OpenWRT. So my issue here is more about how to set these options up on my Fortigate than about improving the tweaks.

The required network and DHCP tweaks are: set 802.1q VLAN 100; the interface MAC address set to the one from the FAI BBox (MAC spoofing); the DHCP client must use Vendor Class identifier (option 60) set to BYGTELIAD; the DHCP Client identifier (option 61) set to the BBox MAC.

Here are my settings (I simplified the code here, removing the next and end...)

I have an interface wan2 plugged to my FAI GPON:

  set macaddr xx:xx:xx:xx:xx:xx

(whatever my BBox MAC is) Then I add a VLAN interface "InetVlan100" with the following options:

  set mode dhcp
  set dhcp-client-identifier "xx:xx:xx:xx:xx:xx"
  config client-options
    edit 1
      set code 60
      set type string
      set value "BYGTELIAD"
  set interface "wan2"
  set vlanid 100

After some failed tries, I even tried to add:

  config client-options
    edit 2
      set code 61
      set type hex
      set value 1xxxxxxxxxxxx (whatever my MAC is, with the prefix x01 for ethernet)

And this doesn't work.

When capturing the packets (using the GUI) I see the DHCP discover packets going out. However, they are NOT tagged 802.1q with the VLAN ID 100 (as seen in Wireshark). How should I make sure that all packets going out that interface are tagged VLAN100 dot1q? Am I doing something wrong in the VLAN definition?
1 Solution
Toshi_Esumi
Esteemed Contributor III

I don't know about DHCP options but at least I can tell about pcap. The GUI pcap wouldn't show vlan header, either stripping off or more likely it's already stripped off when the input is coming into the GUI process.

If you want to see it, you need to use CLI sniffer, like below. My main wan1 is encapsulated in vlan 201 (on a vlan sub-interface in the root vdom [multi-vdom env]), so when I do simple sniffing on wan1, I don't see anything but below:

  fg50e-utm (root) # diag sniffer packet wan1
  interfaces=[wan1]
  filters=[none]
  pcap_lookupnet: wan1: no IPv4 address assigned
  1.275398 802.1Q vlan#201 P0
  1.275494 802.1Q vlan#201 P0
  1.277193 802.1Q vlan#201 P6
  1.281916 802.1Q vlan#201 P0
  1.281966 802.1Q vlan#201 P0
  1.835575 802.1Q vlan#201 P0
  1.881255 802.1Q vlan#201 P0

If you want to see it in Wireshark, you need to run like

  diag sniffer packet <physical_int> none 6

And copy the output into a file, then convert it to a pcap file using fgt2eth.exe (if Windows) described in the KB:

https://kb.fortinet.com/kb/documentLink.do?externalID=11186

 


Thank you for your answer! I now understand that my issue is NOT regarding 802.1q... I'll have to dig further in the DHCP discover / request side. Unfortunately, comparing side by side a network dump from a Linux client that works well and the Fortigate dump, I don't see any difference. Maybe something on the firewall rule set (which is empty - so only the built-in Local In rule set).
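
A way to do the comparison discussed in this thread field by field, as an added example that is not part of the original posts: the Python below takes one raw Ethernet frame (for instance exported from the pcap produced by fgt2eth), extracts the 802.1Q VLAN ID and the DHCP options, and checks them against VLAN 100, option 60 and option 61 as listed in the question. The function names, the all-zero sample MAC and the constructed Discover frame are assumptions made for the illustration.

```python
import struct

def parse_frame(frame: bytes) -> dict:
    """Extract the 802.1Q VLAN ID and DHCP options from a raw Ethernet frame."""
    info = {"vlan": None, "options": {}}
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    off = 14
    if ethertype == 0x8100:                      # 802.1Q TPID: a tag is present
        tci, ethertype = struct.unpack_from("!HH", frame, 14)
        info["vlan"] = tci & 0x0FFF              # VLAN ID = low 12 bits of the TCI
        off = 18
    if ethertype != 0x0800 or len(frame) < off + 28 or frame[off + 9] != 17:
        return info                              # not IPv4 carrying UDP
    off += (frame[off] & 0x0F) * 4               # skip IPv4 header (IHL in words)
    if struct.unpack_from("!HH", frame, off) != (68, 67):
        return info                              # not DHCP client -> server
    bootp = frame[off + 8:]                      # skip the 8-byte UDP header
    if bootp[236:240] != b"\x63\x82\x53\x63":    # DHCP magic cookie
        return info
    i = 240
    while i + 1 < len(bootp) and bootp[i] != 255:   # 255 = end option
        if bootp[i] == 0:                        # pad option has no length byte
            i += 1
            continue
        code, length = bootp[i], bootp[i + 1]
        info["options"][code] = bootp[i + 2:i + 2 + length]
        i += 2 + length
    return info

def build_discover(mac: bytes, vlan, vendor: bytes) -> bytes:
    """Constructed DHCP Discover used as sample input (checksums left at 0)."""
    opts = b"\x35\x01\x01" + bytes([60, len(vendor)]) + vendor + bytes([61, 7, 1]) + mac + b"\xff"
    bootp = (struct.pack("!BBBBIHH", 1, 1, 6, 0, 0x1234, 0, 0x8000)
             + bytes(16) + mac + bytes(10) + bytes(192)
             + b"\x63\x82\x53\x63" + opts)
    udp = struct.pack("!HHHH", 68, 67, 8 + len(bootp), 0) + bootp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(4), b"\xff" * 4) + udp
    tag = b"" if vlan is None else struct.pack("!HH", 0x8100, vlan)
    return b"\xff" * 6 + mac + tag + b"\x08\x00" + ip

def check(frame: bytes, mac: bytes, vlan: int, vendor: bytes) -> list:
    """List every mismatch against the values given in the question."""
    got = parse_frame(frame)
    want = {"VLAN ID": (got["vlan"], vlan),
            "option 60": (got["options"].get(60), vendor),
            "option 61": (got["options"].get(61), b"\x01" + mac)}
    return [f"{k}: got {g!r}, expected {w!r}" for k, (g, w) in want.items() if g != w]

# Constructed untagged frame with an all-zero sample MAC: reports the missing tag.
print(check(build_discover(bytes(6), None, b"BYGTELIAD"), bytes(6), 100, b"BYGTELIAD"))
```

Running `check` on the same Discover captured from both the working Linux client and the FortiGate gives a short list of the fields that differ instead of a visual comparison of two dumps.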