
FortiGate-7000E Handbook

Adding flow rules to support DHCP relay

The FortiGate 7000E default flow rules may not handle DHCP relay traffic correctly.

The default configuration includes the following flow rules for IPv4 DHCP traffic:

config load-balance flow-rule
    edit 7
        set status enable
        set vlan 0
        set ether-type ipv4
        set src-addr-ipv4 0.0.0.0 0.0.0.0
        set dst-addr-ipv4 0.0.0.0 0.0.0.0
        set protocol udp
        set src-l4port 67-67
        set dst-l4port 68-68
        set action forward
        set forward-slot master
        set priority 5
        set comment "dhcpv4 server to client"
    next
    edit 8
        set status enable
        set vlan 0
        set ether-type ipv4
        set src-addr-ipv4 0.0.0.0 0.0.0.0
        set dst-addr-ipv4 0.0.0.0 0.0.0.0
        set protocol udp
        set src-l4port 68-68
        set dst-l4port 67-67
        set action forward
        set forward-slot master
        set priority 5
        set comment "dhcpv4 client to server"
    next
end

These flow rules handle traffic when the DHCP client sends requests to a DHCP server from port 68 to port 67 and the DHCP server responds from port 67 to port 68. However, if DHCP relay is involved, requests from the DHCP relay to the DHCP server and replies from the DHCP server to the DHCP relay both use port 67 as source and destination. If this DHCP relay traffic passes through the FortiGate 7000E, you must add a flow rule similar to the following to support port 67 to port 67 DHCP traffic in both directions (the following example uses edit 0 to add the DHCP relay flow rule using the next available flow rule index number):

config load-balance flow-rule
    edit 0
        set status enable
        set vlan 0
        set ether-type ipv4
        set src-addr-ipv4 0.0.0.0 0.0.0.0
        set dst-addr-ipv4 0.0.0.0 0.0.0.0
        set protocol udp
        set src-l4port 67-67
        set dst-l4port 67-67
        set action forward
        set forward-slot master
        set priority 5
        set comment "dhcpv4 relay"
    next
end

The default configuration also includes the following flow rules for IPv6 DHCP traffic:

config load-balance flow-rule
    edit 13
        set status enable
        set vlan 0
        set ether-type ipv6
        set src-addr-ipv6 ::/0
        set dst-addr-ipv6 ::/0
        set protocol udp
        set src-l4port 547-547
        set dst-l4port 546-546
        set action forward
        set forward-slot master
        set priority 5
        set comment "dhcpv6 server to client"
    next
    edit 14
        set status enable
        set vlan 0
        set ether-type ipv6
        set src-addr-ipv6 ::/0
        set dst-addr-ipv6 ::/0
        set protocol udp
        set src-l4port 546-546
        set dst-l4port 547-547
        set action forward
        set forward-slot master
        set priority 5
        set comment "dhcpv6 client to server"
    next
end

These flow rules handle traffic when the IPv6 DHCP client sends requests to a DHCP server from port 546 to port 547 and the DHCP server responds from port 547 to port 546. However, if DHCP relay is involved, requests from the DHCP relay to the DHCP server and replies from the DHCP server to the DHCP relay both use port 547 as source and destination. If this DHCP relay traffic passes through the FortiGate 7000E, you must add a flow rule similar to the following to support port 547 to port 547 DHCP traffic in both directions (the following example uses edit 0 to add the DHCP relay flow rule using the next available flow rule index number):

config load-balance flow-rule
    edit 0
        set status enable
        set vlan 0
        set ether-type ipv6
        set src-addr-ipv6 ::/0
        set dst-addr-ipv6 ::/0
        set protocol udp
        set src-l4port 547-547
        set dst-l4port 547-547
        set action forward
        set forward-slot master
        set priority 5
        set comment "dhcpv6 relay"
    next
end
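The following Python model, added here as an illustration and not Fortinet's code, shows why the default IPv4 and IPv6 DHCP rules above miss relay traffic. It parses the flow-rule CLI syntax used on this page, then checks each hop of a DHCP exchange (client, relay and server legs, constructed sample packets) against the rule set, first with only the default rules and then with the two relay rules added. The matching semantics it uses (first rule whose ether type, protocol and L4 port ranges all cover the packet; `edit 0` takes the next free index) are assumptions for illustration, not the appliance's actual dispatch algorithm.

```python
"""Model of FortiGate 7000E flow-rule matching for DHCP and DHCPv6 traffic.

Added example, not Fortinet code. Matching semantics (first rule whose
ether type, protocol and L4 port ranges all cover the packet) are an
assumption for illustration, not the appliance's actual dispatch logic.
"""
import re
from collections import namedtuple

FlowRule = namedtuple("FlowRule", "index ether_type protocol src_ports dst_ports")
Packet = namedtuple("Packet", "label ether_type protocol src_port dst_port")


def parse_flow_rules(cli_text):
    """Parse 'config load-balance flow-rule' CLI text into FlowRule objects.

    Only the fields this model needs are kept. 'edit 0' is treated as on the
    page: the entry receives the next free index number.
    """
    rules, cur = [], None
    for raw in cli_text.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"edit (\d+)", line)
        if m:
            index = int(m.group(1)) or max((r.index for r in rules), default=0) + 1
            cur = {"index": index, "ether-type": "ipv4", "protocol": "any",
                   "src-l4port": (0, 65535), "dst-l4port": (0, 65535)}
        elif line == "next" and cur is not None:
            rules.append(FlowRule(cur["index"], cur["ether-type"], cur["protocol"],
                                  cur["src-l4port"], cur["dst-l4port"]))
            cur = None
        elif cur is not None and line.startswith("set "):
            _, key, value = line.split(" ", 2)
            if key.endswith("-l4port"):  # 'low-high', inclusive on both ends
                value = tuple(int(p) for p in value.split("-"))
            cur[key] = value
    return rules


def first_match(rules, pkt):
    """Return the first rule covering pkt, or None if no rule matches."""
    for r in rules:
        if (r.ether_type == pkt.ether_type and r.protocol in ("any", pkt.protocol)
                and r.src_ports[0] <= pkt.src_port <= r.src_ports[1]
                and r.dst_ports[0] <= pkt.dst_port <= r.dst_ports[1]):
            return r
    return None


def unmatched(rules, packets):
    """Labels of the packets that no rule in 'rules' covers."""
    return [p.label for p in packets if first_match(rules, p) is None]


def rule_cli(index, ether_type, src_port, dst_port):
    """Render one UDP flow-rule entry in the CLI syntax shown on this page."""
    return (f"    edit {index}\n        set ether-type {ether_type}\n"
            f"        set protocol udp\n        set src-l4port {src_port}-{src_port}\n"
            f"        set dst-l4port {dst_port}-{dst_port}\n    next\n")


# Default DHCP rules from this page (edits 7, 8, 13, 14), reduced to the
# fields the model uses; the 'config' and 'end' lines are parsed and ignored.
DEFAULT_RULES_CLI = ("config load-balance flow-rule\n" + rule_cli(7, "ipv4", 67, 68)
                     + rule_cli(8, "ipv4", 68, 67) + rule_cli(13, "ipv6", 547, 546)
                     + rule_cli(14, "ipv6", 546, 547) + "end\n")
# The two relay rules this page adds, each entered with 'edit 0'.
RELAY_RULES_CLI = ("config load-balance flow-rule\n" + rule_cli(0, "ipv4", 67, 67)
                   + rule_cli(0, "ipv6", 547, 547) + "end\n")

# Constructed sample packets: one per DHCP/DHCPv6 hop, including the relay legs.
DHCP_PACKETS = [
    Packet("dhcpv4 client -> server", "ipv4", "udp", 68, 67),
    Packet("dhcpv4 server -> client", "ipv4", "udp", 67, 68),
    Packet("dhcpv4 relay -> server", "ipv4", "udp", 67, 67),
    Packet("dhcpv4 server -> relay", "ipv4", "udp", 67, 67),
    Packet("dhcpv6 client -> server", "ipv6", "udp", 546, 547),
    Packet("dhcpv6 server -> client", "ipv6", "udp", 547, 546),
    Packet("dhcpv6 relay -> server", "ipv6", "udp", 547, 547),
    Packet("dhcpv6 server -> relay", "ipv6", "udp", 547, 547),
]

if __name__ == "__main__":
    print("unmatched by defaults:", unmatched(parse_flow_rules(DEFAULT_RULES_CLI), DHCP_PACKETS))
    print("unmatched with relay rules:",
          unmatched(parse_flow_rules(DEFAULT_RULES_CLI + RELAY_RULES_CLI), DHCP_PACKETS))
```

With only the default rules, the four relay legs (67 to 67 and 547 to 547) are reported as unmatched, which is the traffic this page's two added rules cover; with the relay rules appended they receive indexes 15 and 16 and every sample packet matches. Useful as a pre-change check: list the port pairs your DHCP topology actually produces and confirm each one has a rule before relying on the defaults.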
