Fortinet black logo

Handbook

DHCP servers and relays

6.0.0
Copy Link
Copy Doc ID 4afb0436-a998-11e9-81a4-00505692583a:709255
Download PDF

DHCP servers and relays

A DHCP server provides an address, from a defined address range, to a client on the network that requests it.

An interface can't provide both a server and a relay for connections of the same type (regular or IPsec). However, you can configure a regular DHCP server on an interface only if the interface is a physical interface with a static IP address. You can configure an IPsec DHCP server on an interface that has either a static or a dynamic IP address.

You can configure one or more DHCP servers on any FortiGate interface. A DHCP server dynamically assigns IP addresses to hosts on the network connected to the interface. The host computers must be configured to obtain their IP addresses using DHCP.

If an interface is connected to multiple networks through routers, you can add a DHCP server for each network. The IP range of each DHCP server must match the network address range. The routers must be configured for DHCP relay.

You can configure a FortiGate interface as a DHCP relay. The interface forwards DHCP requests from DHCP clients to an external DHCP server and returns the responses to the DHCP clients. The DHCP server must have appropriate routing so that its response packets to the DHCP clients arrive at the unit.

DHCP server options aren't available in transparent mode.

Configuring DHCP servers

To add a DHCP server, go to Network > Interfaces. Edit the interface, and select DHCP in the addressing mode.

Field

Description

Address Range

By default, the FortiGate unit assigns an address range based on the address of the interface for the complete scope of the address.

For example, if the interface address is 172.20.120.230, the default range created is 172.20.120.231 to 172.20.120.254.

Select the range and select Edit to adjust the range or select Create New to add a different range.

Netmask

Enter the netmask of the addresses that the DHCP server assigns.

Default Gateway

Select this to use either Same as Interface IP or select Specify and enter the IP address of the default gateway that the DHCP server assigns to DHCP clients.

DNS Server

Select this to use Same as system DNS, Same as Interface IP or select Specify and enter the IP address of the DNS server.

Mode

Select the type of DHCP server FortiGate will be. By default, it is a Server. Select Relay if needed. When Relay is selected, the above configuration is replaced by a field to enter the DHCP Server IP address.

DHCP Server IP

This appears only when Mode is Relay. Enter the IP address of the DHCP server where FortiGate obtains the requested IP address.

Type

Select this to use the DHCP in Regular or IPsec mode.

Additional DHCP Options

Use this to create new DHCP options.

MAC Address + Access Control

Select this to match an IP address from the DHCP server to a specific client or device using its MAC address.

In a typical situation, an IP address is assigned ad hoc to a client, and that assignment times out after a specific time of inactivity from the client, known as the lease time. To ensure a client or device always has the same IP address (there is no lease time), use IP reservation.

Add from DHCP Client List

If the client is currently connected and using an IP address from the DHCP server, you can select this option to select the client from the list.

Configuring the DHCP relay agent option

You can configure the DHCP relay agent option (option 82 in RFC 3046). This option is disabled by default. However, when you enable dhcp-relay-service, dhcp-relay-agent-option is enabled.

To configure the DHCP relay agent option, use the following CLI commands:

config system interface

edit <interface>

set vdom root

set dhcp-relay-service enable

set dhcp-relay-ip <ip>

set dhcp-relay-agent-option enable

set vlanid <id>

next

end

For more information about the DHCP relay option, see RFC 3046 (DHCP Relay Agent Information Option).

Configuring DHCP with IPv6

You can use DHCP with IPv6, using the CLI. To configure DHCP, ensure IPv6 is enabled by going to System > Feature Visibility and enable IPv6 under Basic Features. Use the following CLI command:

config system dhcp6 server

For more information about the configuration options, see the FortiOS CLI Reference.

DHCPv6 prefix delegation

FortiGate supports prefix delegation for DHCP for IPv6 addressing. It’s not practical to manually provision networks on a large scale in IPv6 networking. You can use DHCPv6 prefix delegation to assign a network address prefix, and automate the configuration and provisioning of the public routable addresses for the network.

To enable the prefix delegation - CLI:

config system interface

edit "wan1"

config ipv6

set ip6-mode dhcp

set ip6-allowaccess ping

set dhcp6-prefix-delegation enable

next

next

end

Range for DHCPv6 prefix delegation

You can configure a range for DHCPv6 server prefix delegation. You can add a prefix range (starting and ending prefixes) and a prefix length. The prefix length determines the length of the prefix that the FortiGate sends downstream.

To configure a range for DHCPv6 prefix delegation – CLI:

config system dhcp6 server

edit <id>

config prefix-range

edit <id>

set start-prefix <prefix>

set end-prefix <prefix>

set prefix-length <length>

next

next

next

end

DHCPv6 prefix hint

This feature is used to "hint" to upstream DCHPv6 servers a desired prefix length for their subnet to be assigned in response to its request.

There is a possibility of duplicate prefixes being sent by ISP when using a /64 bit subnet because the first 64 bits of the address are derived from the MAC address of the interface. This could cause an issue if the system administrator wishes to divide the host networks into 2 /64 bit subnets.

By receiving a /60 bit (for example) network address, the administrator can then divide the internal host works without the danger of creating duplicate subnets.

Also included in the new feature, are preferred times for the life and valid life of the DHCP lease.

DHCPv6 hint for the prefix length:

set dhcp6-prefix-hint <DHCPv6 prefix that will be used as a hint to the upstream DHCPv6 server>

DHCPv6 hint for the preferred life time:

set dhcp6-prefix-hint-plt <integer> 1 ~ 4294967295 seconds or "0" for unlimited lease time

DHCPv6 hint for the valid life time:

set dhcp6-prefix-hint-vlt <integer> 1 ~ 4294967295 seconds or "0" for unlimited lease time

Service

On low-end FortiGate units, a DHCP server is configured on the internal interface, by default, with the following values:

Field

Value

Address Range

192.168.1.110 to 192.168.1.210

Netmask

255.255.255.0

Default Gateway

192.168.1.99

Lease Time

7 days

DNS Server 1

192.168.1.99

These settings are appropriate for the default internal interface IP address of 192.168.1.99. If you change this address to a different network, you need to change the DHCP server settings to match.

Alternatively, after the FortiGate unit assigns an address, you can go to Monitor > DHCP Monitor and locate the specific user. Right-click and select Create/Edit IP Reservation.

Configuring the lease time

The lease time determines the length of time an IP address remains assigned to a client. Once the lease expires, the address is released for allocation to the next client that requests an IP address.

To configure the lease time, use the following CLI commands:

config system dhcp server

edit <server_entry_number>

set lease-time <seconds>

next

end

The default lease time is seven days. To have an unlimited lease time, set the value to zero.

Configuring TFTP servers

You can configure multiple Trivial File Transfer Protocol (TFTP) servers for a Dynamic Host Configuration Protocol (DHCP) server. For example, you may want to configure a main TFTP server and a backup TFTP server.

The tftp-server command allows you to configure the TFTP servers, using either their hostnames or IP addresses. Separate multiple server entries with spaces.

To configure TFTP servers - CLI:

config system dhcp server

edit <server ID>

set tftp-server <hostname/IP address> <hostname/IP address>

next

end

Configuring the DHCP renew time

You can set a minimum DHCP renew time. This option is available only when mode is set to dhcp.

To set the DHCP renew time - CLI:

config system interface

edit <name>

set mode dhcp

set dhcp-renew-time <seconds>

next

end

The possible values for dhcp-renew-time are 300 to 605800 seconds (five minutes to seven days). To use the renew time that the server provides, set this entry to 0.

DHCP options

When you add a DHCP server, you can include DHCP codes and options. The DHCP options are BOOTP vendor information fields that provide additional vendor‑independent configuration parameters to manage the DHCP server. For example, you may need to configure a FortiGate DHCP server that gives out a separate option, as well as an IP address, such as an environment that needs to support PXE boot with Windows images.

The option numbers and codes are specific to a particular application. The documentation for the application should provide the values you should use. Option codes are represented in option value and HEX value pairs. The option is a value between 1 and 255.

You can add up to three DHCP code/option pairs per DHCP server.

To configure option 252 with value http://192.168.1.1/wpad.dat - CLI:

config system dhcp server

edit <server_entry_number>

set option1 252 687474703a2f2f3139322e3136382e312e312f777061642e646174

next

end

For more information about DHCP options, see RFC 2132 (DHCP Options and BOOTP Vendor Extensions).

FortiGate DHCP works with DDNS to allow FQDN connectivity to leased IP addresses

As clients are assigned IP addresses, they send back information that would be found in an A record to the FortiGate DHCP server, which can take this information and pass it back to a corporate DNS server so that even devices using leased IP address can be reached using FQDNs. You can configure the settings for this feature using the ddns-update CLI command and some other ddns related options.

DHCP server option fields

In place of specific fields, the DHCP server maintains a table for the potential options. The FortiOS DHCP server supports up to a maximum of 30 custom options.These optional fields are set in the CLI.

To get to the DHCP server - CLI:

config system dhcp server

edit <integer - ID of the specific DHCP server>

To configure the options, use the following CLI command:

config options

Once you are in the options context, create an ID for the table entry, using the following CLI commands:

edit <integer>

set code <integer between 0 - 4294967295 to determine the DHCP option>

set type [ hex | string | ip ]

set value <option content for DHCP option types hex and string>

set ip <option content for DHCP option type ip>

end

Excluding addresses in DHCP

If you have a large address range for the DHCP server, you can block a range of addresses that won't be included in the available addresses for the connecting users.

To exclude addresses in DHCP - CLI:

config system dhcp server

edit <server_entry_number>

config exclude-range

edit <sequence_number>

set start-ip <address>

set end-ip <address>

next

next

next

end

Viewing information about DHCP server connections

To view information about DHCP server connections, go to Monitor > DHCP Monitor. On this page, you can also add IP addresses to the reserved IP address list.

Breaking an address lease

If you need to end an IP address lease, you can break the lease. This is useful if you have limited addresses and longer lease times when some leases are no longer necessary, for example, with corporate visitors.

To break a lease - CLI:

execute dhcp lease-clear <ip_address>

DHCP servers and relays

A DHCP server provides an address, from a defined address range, to a client on the network that requests it.

An interface can't provide both a server and a relay for connections of the same type (regular or IPsec). However, you can configure a regular DHCP server on an interface only if the interface is a physical interface with a static IP address. You can configure an IPsec DHCP server on an interface that has either a static or a dynamic IP address.

You can configure one or more DHCP servers on any FortiGate interface. A DHCP server dynamically assigns IP addresses to hosts on the network connected to the interface. The host computers must be configured to obtain their IP addresses using DHCP.

If an interface is connected to multiple networks through routers, you can add a DHCP server for each network. The IP range of each DHCP server must match the network address range. The routers must be configured for DHCP relay.

You can configure a FortiGate interface as a DHCP relay. The interface forwards DHCP requests from DHCP clients to an external DHCP server and returns the responses to the DHCP clients. The DHCP server must have appropriate routing so that its response packets to the DHCP clients arrive at the unit.

DHCP server options aren't available in transparent mode.

Configuring DHCP servers

To add a DHCP server, go to Network > Interfaces. Edit the interface, and select DHCP in the addressing mode.

Field

Description

Address Range

By default, the FortiGate unit assigns an address range based on the address of the interface for the complete scope of the address.

For example, if the interface address is 172.20.120.230, the default range created is 172.20.120.231 to 172.20.120.254.

Select the range and select Edit to adjust the range or select Create New to add a different range.

Netmask

Enter the netmask of the addresses that the DHCP server assigns.

Default Gateway

Select this to use either Same as Interface IP or select Specify and enter the IP address of the default gateway that the DHCP server assigns to DHCP clients.

DNS Server

Select this to use Same as system DNS, Same as Interface IP or select Specify and enter the IP address of the DNS server.

Mode

Select the type of DHCP server FortiGate will be. By default, it is a Server. Select Relay if needed. When Relay is selected, the above configuration is replaced by a field to enter the DHCP Server IP address.

DHCP Server IP

This appears only when Mode is Relay. Enter the IP address of the DHCP server where FortiGate obtains the requested IP address.

Type

Select this to use the DHCP in Regular or IPsec mode.

Additional DHCP Options

Use this to create new DHCP options.

MAC Address + Access Control

Select this to match an IP address from the DHCP server to a specific client or device using its MAC address.

In a typical situation, an IP address is assigned ad hoc to a client, and that assignment times out after a specific time of inactivity from the client, known as the lease time. To ensure a client or device always has the same IP address (there is no lease time), use IP reservation.

Add from DHCP Client List

If the client is currently connected and using an IP address from the DHCP server, you can select this option to select the client from the list.

Configuring the DHCP relay agent option

You can configure the DHCP relay agent option (option 82 in RFC 3046). This option is disabled by default. However, when you enable dhcp-relay-service, dhcp-relay-agent-option is enabled.

To configure the DHCP relay agent option, use the following CLI commands:

config system interface

edit <interface>

set vdom root

set dhcp-relay-service enable

set dhcp-relay-ip <ip>

set dhcp-relay-agent-option enable

set vlanid <id>

next

end

For more information about the DHCP relay option, see RFC 3046 (DHCP Relay Agent Information Option).

Configuring DHCP with IPv6

You can use DHCP with IPv6, using the CLI. To configure DHCP, ensure IPv6 is enabled by going to System > Feature Visibility and enable IPv6 under Basic Features. Use the following CLI command:

config system dhcp6 server

For more information about the configuration options, see the FortiOS CLI Reference.

DHCPv6 prefix delegation

FortiGate supports prefix delegation for DHCP for IPv6 addressing. It’s not practical to manually provision networks on a large scale in IPv6 networking. You can use DHCPv6 prefix delegation to assign a network address prefix, and automate the configuration and provisioning of the public routable addresses for the network.

To enable the prefix delegation - CLI:

config system interface

edit "wan1"

config ipv6

set ip6-mode dhcp

set ip6-allowaccess ping

set dhcp6-prefix-delegation enable

next

next

end

Range for DHCPv6 prefix delegation

You can configure a range for DHCPv6 server prefix delegation. You can add a prefix range (starting and ending prefixes) and a prefix length. The prefix length determines the length of the prefix that the FortiGate sends downstream.

To configure a range for DHCPv6 prefix delegation – CLI:

config system dhcp6 server

edit <id>

config prefix-range

edit <id>

set start-prefix <prefix>

set end-prefix <prefix>

set prefix-length <length>

next

next

next

end

DHCPv6 prefix hint

This feature is used to "hint" to upstream DCHPv6 servers a desired prefix length for their subnet to be assigned in response to its request.

There is a possibility of duplicate prefixes being sent by ISP when using a /64 bit subnet because the first 64 bits of the address are derived from the MAC address of the interface. This could cause an issue if the system administrator wishes to divide the host networks into 2 /64 bit subnets.

By receiving a /60 bit (for example) network address, the administrator can then divide the internal host works without the danger of creating duplicate subnets.

Also included in the new feature, are preferred times for the life and valid life of the DHCP lease.

DHCPv6 hint for the prefix length:

set dhcp6-prefix-hint <DHCPv6 prefix that will be used as a hint to the upstream DHCPv6 server>

DHCPv6 hint for the preferred life time:

set dhcp6-prefix-hint-plt <integer> 1 ~ 4294967295 seconds or "0" for unlimited lease time

DHCPv6 hint for the valid life time:

set dhcp6-prefix-hint-vlt <integer> 1 ~ 4294967295 seconds or "0" for unlimited lease time

Service

On low-end FortiGate units, a DHCP server is configured on the internal interface, by default, with the following values:

Field

Value

Address Range

192.168.1.110 to 192.168.1.210

Netmask

255.255.255.0

Default Gateway

192.168.1.99

Lease Time

7 days

DNS Server 1

192.168.1.99

These settings are appropriate for the default internal interface IP address of 192.168.1.99. If you change this address to a different network, you need to change the DHCP server settings to match.

Alternatively, after the FortiGate unit assigns an address, you can go to Monitor > DHCP Monitor and locate the specific user. Right-click and select Create/Edit IP Reservation.

Configuring the lease time

The lease time determines the length of time an IP address remains assigned to a client. Once the lease expires, the address is released for allocation to the next client that requests an IP address.

To configure the lease time, use the following CLI commands:

config system dhcp server

edit <server_entry_number>

set lease-time <seconds>

next

end

The default lease time is seven days. To have an unlimited lease time, set the value to zero.

Configuring TFTP servers

You can configure multiple Trivial File Transfer Protocol (TFTP) servers for a Dynamic Host Configuration Protocol (DHCP) server. For example, you may want to configure a main TFTP server and a backup TFTP server.

The tftp-server command allows you to configure the TFTP servers, using either their hostnames or IP addresses. Separate multiple server entries with spaces.

To configure TFTP servers - CLI:

config system dhcp server

edit <server ID>

set tftp-server <hostname/IP address> <hostname/IP address>

next

end

Configuring the DHCP renew time

You can set a minimum DHCP renew time. This option is available only when mode is set to dhcp.

To set the DHCP renew time - CLI:

config system interface

edit <name>

set mode dhcp

set dhcp-renew-time <seconds>

next

end

The possible values for dhcp-renew-time are 300 to 605800 seconds (five minutes to seven days). To use the renew time that the server provides, set this entry to 0.

DHCP options

When you add a DHCP server, you can include DHCP codes and options. The DHCP options are BOOTP vendor information fields that provide additional vendor‑independent configuration parameters to manage the DHCP server. For example, you may need to configure a FortiGate DHCP server that gives out a separate option, as well as an IP address, such as an environment that needs to support PXE boot with Windows images.

The option numbers and codes are specific to a particular application. The documentation for the application should provide the values you should use. Option codes are represented in option value and HEX value pairs. The option is a value between 1 and 255.

You can add up to three DHCP code/option pairs per DHCP server.

To configure option 252 with value http://192.168.1.1/wpad.dat - CLI:

config system dhcp server

edit <server_entry_number>

set option1 252 687474703a2f2f3139322e3136382e312e312f777061642e646174

next

end

For more information about DHCP options, see RFC 2132 (DHCP Options and BOOTP Vendor Extensions).

FortiGate DHCP works with DDNS to allow FQDN connectivity to leased IP addresses

As clients are assigned IP addresses, they send back information that would be found in an A record to the FortiGate DHCP server, which can take this information and pass it back to a corporate DNS server so that even devices using leased IP address can be reached using FQDNs. You can configure the settings for this feature using the ddns-update CLI command and some other ddns related options.

DHCP server option fields

In place of specific fields, the DHCP server maintains a table for the potential options. The FortiOS DHCP server supports up to a maximum of 30 custom options.These optional fields are set in the CLI.

To get to the DHCP server - CLI:

config system dhcp server

edit <integer - ID of the specific DHCP server>

To configure the options, use the following CLI command:

config options

Once you are in the options context, create an ID for the table entry, using the following CLI commands:

edit <integer>

set code <integer between 0 - 4294967295 to determine the DHCP option>

set type [ hex | string | ip ]

set value <option content for DHCP option types hex and string>

set ip <option content for DHCP option type ip>

end

Excluding addresses in DHCP

If you have a large address range for the DHCP server, you can block a range of addresses that won't be included in the available addresses for the connecting users.

To exclude addresses in DHCP - CLI:

config system dhcp server

edit <server_entry_number>

config exclude-range

edit <sequence_number>

set start-ip <address>

set end-ip <address>

next

next

next

end

Viewing information about DHCP server connections

To view information about DHCP server connections, go to Monitor > DHCP Monitor. On this page, you can also add IP addresses to the reserved IP address list.

Breaking an address lease

If you need to end an IP address lease, you can break the lease. This is useful if you have limited addresses and longer lease times when some leases are no longer necessary, for example, with corporate visitors.

To break a lease - CLI:

execute dhcp lease-clear <ip_address>