Fortinet black logo

FortiGate-7000E Handbook

Adding a flow rule to support DHCP relay

Adding a flow rule to support DHCP relay

The FortiGate-7000 default flow rules may not handle DHCP relay traffic correctly.

The default configuration includes the following flow rules for DHCP traffic:

config load-balance flow-rule

edit 7

set status enable

set vlan 0

set ether-type ipv4

set src-addr-ipv4 0.0.0.0 0.0.0.0

set dst-addr-ipv4 0.0.0.0 0.0.0.0

set protocol udp

set src-l4port 67-67

set dst-l4port 68-68

set action forward

set forward-slot master

set priority 5

set comment "dhcpv4 server to client"

next

edit 8

set status enable

set vlan 0

set ether-type ipv4

set src-addr-ipv4 0.0.0.0 0.0.0.0

set dst-addr-ipv4 0.0.0.0 0.0.0.0

set protocol udp

set src-l4port 68-68

set dst-l4port 67-67

set action forward

set forward-slot master

set priority 5

set comment "dhcpv4 client to server"

end

These flow rules handle traffic when the DHCP client sends requests to a DHCP server using port 68 and the DHCP server responds using port 67. However, if DHCP relay is involved, requests from the DHCP relay to the DHCP server and replies from the DHCP server to the DHCP relay both use port 67. If this DHCP relay traffic passes through the FortiGate-7000 you must add a flow rule similar to the following to support port 67 DHCP traffic in both directions:

config load-balance flow-rule

edit 8

set status enable

set vlan 0

set ether-type ipv4

set src-addr-ipv4 0.0.0.0 0.0.0.0

set dst-addr-ipv4 0.0.0.0 0.0.0.0

set protocol udp

set src-l4port 67-67

set dst-l4port 67-67

set action forward

set forward-slot master

set priority 5

set comment "dhcpv4 relay"

next

Adding a flow rule to support DHCP relay

The FortiGate-7000 default flow rules may not handle DHCP relay traffic correctly.

The default configuration includes the following flow rules for DHCP traffic:

config load-balance flow-rule

edit 7

set status enable

set vlan 0

set ether-type ipv4

set src-addr-ipv4 0.0.0.0 0.0.0.0

set dst-addr-ipv4 0.0.0.0 0.0.0.0

set protocol udp

set src-l4port 67-67

set dst-l4port 68-68

set action forward

set forward-slot master

set priority 5

set comment "dhcpv4 server to client"

next

edit 8

set status enable

set vlan 0

set ether-type ipv4

set src-addr-ipv4 0.0.0.0 0.0.0.0

set dst-addr-ipv4 0.0.0.0 0.0.0.0

set protocol udp

set src-l4port 68-68

set dst-l4port 67-67

set action forward

set forward-slot master

set priority 5

set comment "dhcpv4 client to server"

end

These flow rules handle traffic when the DHCP client sends requests to a DHCP server using port 68 and the DHCP server responds using port 67. However, if DHCP relay is involved, requests from the DHCP relay to the DHCP server and replies from the DHCP server to the DHCP relay both use port 67. If this DHCP relay traffic passes through the FortiGate-7000 you must add a flow rule similar to the following to support port 67 DHCP traffic in both directions:

config load-balance flow-rule

edit 8

set status enable

set vlan 0

set ether-type ipv4

set src-addr-ipv4 0.0.0.0 0.0.0.0

set dst-addr-ipv4 0.0.0.0 0.0.0.0

set protocol udp

set src-l4port 67-67

set dst-l4port 67-67

set action forward

set forward-slot master

set priority 5

set comment "dhcpv4 relay"

next