Adding a flow rule to support DHCP relay
The FortiGate-6000 default flow rules may not handle DHCP relay traffic correctly.
The default configuration includes the following flow rules for DHCP traffic:
config load-balance flow-rule
edit 7
set status enable
set vlan 0
set ether-type ipv4
set src-addr-ipv4 0.0.0.0 0.0.0.0
set dst-addr-ipv4 0.0.0.0 0.0.0.0
set protocol udp
set src-l4port 67-67
set dst-l4port 68-68
set action forward
set forward-slot master
set priority 5
set comment "dhcpv4 server to client"
next
edit 8
set status enable
set vlan 0
set ether-type ipv4
set src-addr-ipv4 0.0.0.0 0.0.0.0
set dst-addr-ipv4 0.0.0.0 0.0.0.0
set protocol udp
set src-l4port 68-68
set dst-l4port 67-67
set action forward
set forward-slot master
set priority 5
set comment "dhcpv4 client to server"
end
These flow rules handle traffic when the DHCP client sends requests to a DHCP server using port 68 and the DHCP server responds using port 67. However, if DHCP relay is involved, requests from the DHCP relay to the DHCP server and replies from the DHCP server to the DHCP relay both use port 67. If this DHCP relay traffic passes through the FortiGate-6000 you must add a flow rule similar to the following to support port 67 DHCP traffic in both directions:
config load-balance flow-rule
edit 8
set status enable
set vlan 0
set ether-type ipv4
set src-addr-ipv4 0.0.0.0 0.0.0.0
set dst-addr-ipv4 0.0.0.0 0.0.0.0
set protocol udp
set src-l4port 67-67
set dst-l4port 67-67
set action forward
set forward-slot master
set priority 5
set comment "dhcpv4 relay"
next