
Administration Guide

DHCP servers and relays

A DHCP server dynamically assigns IP addresses to hosts on the network connected to the interface. The host computers must be configured to obtain their IP addresses using DHCP. You can configure one or more DHCP servers on any FortiGate interface.

A DHCP server can be in server or relay mode. In server mode, you can define one or more address ranges it assigns addresses from, and options such as the default gateway, DNS server, lease time, and other advanced options. In relay mode, the interface forwards DHCP requests from DHCP clients to an external DHCP server and returns the responses to the DHCP clients. The DHCP server must have appropriate routing so that its response packets to the DHCP clients arrive at the unit.

If an interface is connected to multiple networks through routers, you can add a DHCP server for each network. The IP range of each DHCP server must match the network address range. The routers must be configured for DHCP relay.

Note

DHCP server options are not available in transparent mode.

Configure a DHCP server on an interface

A DHCP server can be configured on an interface in the GUI from Network > Interfaces.

To configure a DHCP server in the GUI:
  1. Go to Network > Interfaces.
  2. Edit an interface.
  3. Enable the DHCP Server option and configure the settings.
  4. Click OK.

Field           Description

Address Range
    By default, the FortiGate unit assigns an address range based on the address of the interface, covering the remaining host addresses in the interface's subnet.

    For example, if the interface address is 172.20.120.230, the default range created is 172.20.120.231 to 172.20.120.254.

    Select the range and select Edit to adjust the range, or select Create New to add a different range.

Netmask
    Enter the netmask of the addresses that the DHCP server assigns.

Default Gateway
    Select Same as Interface IP, or select Specify and enter the IP address of the default gateway that the DHCP server assigns to DHCP clients.

DNS Server
    Select Same as system DNS or Same as Interface IP, or select Specify and enter the IP address of the DNS server.

Mode
    Select the type of DHCP server the FortiGate will be. By default, it is a Server. Select Relay if needed. When Relay is selected, the above configuration is replaced by a field to enter the DHCP Server IP address.

DHCP Server IP
    This appears only when Mode is Relay. Enter the IP address of the DHCP server from which the FortiGate obtains the requested IP address.

Type
    Select whether the DHCP server operates in Regular or IPsec mode.

Additional DHCP Options
    Use this to create new DHCP options.

Add from DHCP Client List
    If the client is currently connected and using an IP address from the DHCP server, you can select this option to select the client from the list.

To configure a DHCP server in the CLI:
config system dhcp server
    edit 1
        set dns-service default
        set default-gateway 192.168.1.2
        set netmask 255.255.255.0
        set interface "port1"
        config ip-range
            edit 1
                set start-ip 192.168.1.1
                set end-ip 192.168.1.1
            next
            edit 2
                set start-ip 192.168.1.3
                set end-ip 192.168.1.254
            next
        end
        set timezone-option default
        set tftp-server "172.16.1.2"
    next
end
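
To audit a block like the one above before it is committed, here is an added Python example (not Fortinet code): it parses the nested config/edit/set/next/end syntax into dictionaries and checks the rules stated earlier in this topic, namely that the pool and the default gateway lie inside the interface's network and that ip-range entries do not overlap. The interface address 192.168.1.2/24 handed to the check is an assumption, since the block above does not show it; the function names are the example's own.

```python
import ipaddress
import shlex

# Constructed copy of the "config system dhcp server" block shown above.
SAMPLE_CONFIG = """\
config system dhcp server
    edit 1
        set dns-service default
        set default-gateway 192.168.1.2
        set netmask 255.255.255.0
        set interface "port1"
        config ip-range
            edit 1
                set start-ip 192.168.1.1
                set end-ip 192.168.1.1
            next
            edit 2
                set start-ip 192.168.1.3
                set end-ip 192.168.1.254
            next
        end
        set timezone-option default
        set tftp-server "172.16.1.2"
    next
end
"""


def parse_fortios(text):
    """Parse config/edit/set/next/end lines into nested dicts.

    'config X' becomes a dict stored under key X, each 'edit N' inside it a
    dict under key N, and 'set k v...' a string (one value) or list of strings.
    """
    root = {}
    stack = [root]                      # innermost open container is last
    for raw in text.splitlines():
        tokens = shlex.split(raw)       # honours the quoted "port1" style values
        if not tokens:
            continue
        keyword, args = tokens[0], tokens[1:]
        if keyword == "config":
            block = {}
            stack[-1][" ".join(args)] = block
            stack.append(block)
        elif keyword == "edit":
            entry = {}
            stack[-1][args[0]] = entry
            stack.append(entry)
        elif keyword == "set":
            stack[-1][args[0]] = args[1] if len(args) == 2 else args[1:]
        elif keyword in ("next", "end"):
            stack.pop()
        else:
            raise ValueError(f"unexpected keyword {keyword!r} in {raw!r}")
    return root


def check_dhcp_server(entry, interface_cidr):
    """Return a list of problems found in one dhcp server entry.

    interface_cidr (e.g. "192.168.1.2/24") is the address of the interface the
    server is bound to; the text requires the pool to match that network.
    """
    problems = []
    net = ipaddress.ip_interface(interface_cidr).network
    if entry.get("netmask") != str(net.netmask):
        problems.append(f"netmask {entry.get('netmask')} differs from interface netmask {net.netmask}")
    gateway = entry.get("default-gateway")
    if gateway and ipaddress.ip_address(gateway) not in net:
        problems.append(f"default gateway {gateway} is outside {net}")
    seen = []                           # (range id, start, end) already checked
    for rid, r in entry.get("ip-range", {}).items():
        start, end = ipaddress.ip_address(r["start-ip"]), ipaddress.ip_address(r["end-ip"])
        if start > end:
            problems.append(f"ip-range {rid}: start {start} is after end {end}")
        if start not in net or end not in net:
            problems.append(f"ip-range {rid}: {start}-{end} is outside {net}")
        for oid, ostart, oend in seen:
            if start <= oend and ostart <= end:
                problems.append(f"ip-range {rid} overlaps ip-range {oid}")
        seen.append((rid, start, end))
    return problems


if __name__ == "__main__":
    server = parse_fortios(SAMPLE_CONFIG)["system dhcp server"]["1"]
    print(check_dhcp_server(server, "192.168.1.2/24") or "no problems found")
```

The parser is deliberately strict: an unknown keyword raises rather than being skipped, so a truncated or hand-edited block is noticed instead of silently producing an empty entry that passes every check.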

Configure a DHCP relay on an interface

To configure a DHCP relay in the GUI:
  1. Go to Network > Interfaces.
  2. Edit an interface.
  3. Expand the Advanced section and set Mode to Relay.
  4. Enter the DHCP Server IP.
  5. Click OK.
To configure a DHCP relay in the CLI:
  1. Configure the interface, making sure to set dhcp-relay-ip:

    config system interface
        edit "port2"
            set vdom "root"
            set dhcp-relay-service enable
            set ip 10.1.1.5 255.255.255.0
            set allowaccess ping https ssh fabric
            set type physical
            set snmp-index 4
            set dhcp-relay-ip "192.168.20.10"
        next
    end
    

Configure a DHCP server and relay on an interface

A FortiGate interface can be configured to work in DHCP server mode to lease out addresses, and at the same time relay the DHCP packets to another device, such as a FortiNAC to perform device profiling.

The DHCP message is forwarded to the relay server under the following conditions:

  • dhcp-relay-request-all-server is enabled

  • Message type is either DHCPDISCOVER or DHCPINFORM

  • Client IP address in client message is 0

  • Server ID is NULL in the client message

  • Server address is a broadcast address (255.255.255.255)

  • Server address is 0
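
The conditions above, as an added Python example that is not Fortinet code: a minimal parser for the DHCP/BOOTP wire format pulls out ciaddr, siaddr, the message type (option 53) and the server identifier (option 54), and should_relay applies the list. Two readings are assumptions: "Server address" is taken to be the siaddr field, and the last two bullets are treated as alternatives, since a field cannot be both 0 and 255.255.255.255 at once. The client messages are constructed for the example, not captured traffic.

```python
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
DHCPDISCOVER, DHCPREQUEST, DHCPINFORM = 1, 3, 8
OPT_PAD, OPT_MESSAGE_TYPE, OPT_SERVER_ID, OPT_END = 0, 53, 54, 255
ZERO_ADDR, BROADCAST_ADDR = b"\x00" * 4, b"\xff" * 4


def parse_dhcp(packet):
    """Parse the BOOTP fixed header and DHCP options of one message.

    Only the fields the relay decision needs are returned: ciaddr, siaddr,
    the message type (option 53) and the server identifier (option 54).
    """
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    # ciaddr, yiaddr, siaddr and giaddr sit at offsets 12..27 of the header
    ciaddr, _yiaddr, siaddr, _giaddr = struct.unpack("!4s4s4s4s", packet[12:28])
    options = {}
    i = 240                                    # options start after the cookie
    while i < len(packet):
        code = packet[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:                    # single-byte pad, no length
            i += 1
            continue
        length = packet[i + 1]
        options[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return {
        "ciaddr": ciaddr,
        "siaddr": siaddr,
        "message_type": options.get(OPT_MESSAGE_TYPE, b"\x00")[0],
        "server_id": options.get(OPT_SERVER_ID),   # None when the option is absent
    }


def should_relay(msg, relay_request_all_server):
    """Return True only when every condition listed in the text holds."""
    if not relay_request_all_server:           # dhcp-relay-request-all-server disabled
        return False
    if msg["message_type"] not in (DHCPDISCOVER, DHCPINFORM):
        return False
    if msg["ciaddr"] != ZERO_ADDR:             # client IP address must be 0
        return False
    if msg["server_id"] is not None:           # server ID must be absent (NULL)
        return False
    # assumption: "server address" is siaddr, and broadcast or 0 both qualify
    return msg["siaddr"] in (ZERO_ADDR, BROADCAST_ADDR)


def build_client_message(msg_type, ciaddr=ZERO_ADDR, server_id=None):
    """Constructed client message (not a captured packet) to exercise the parser."""
    chaddr = bytes.fromhex("001122334455") + b"\x00" * 10    # made-up MAC, padded to 16
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        1, 1, 6, 0,                 # op=BOOTREQUEST, htype=Ethernet, hlen=6, hops=0
        0x3903F326, 0, 0x8000,      # xid, secs, flags with the broadcast bit set
        ciaddr, ZERO_ADDR, ZERO_ADDR, ZERO_ADDR,
        chaddr, b"\x00" * 64, b"\x00" * 128,
    )
    options = bytes([OPT_MESSAGE_TYPE, 1, msg_type])
    if server_id is not None:
        options += bytes([OPT_SERVER_ID, 4]) + server_id
    return header + MAGIC_COOKIE + options + bytes([OPT_END])


if __name__ == "__main__":
    discover = parse_dhcp(build_client_message(DHCPDISCOVER))
    request = parse_dhcp(build_client_message(DHCPREQUEST, server_id=bytes([192, 168, 20, 10])))
    print("DISCOVER relayed:", should_relay(discover, True))   # True
    print("REQUEST relayed:", should_relay(request, True))     # False
```

Running the function over a packet capture from the interface is a quick way to confirm which client messages the relay is expected to pass on to the profiling device and which it is expected to answer locally.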

Note

Configuring a DHCP server and relay on the same interface is currently only supported in the CLI.

To configure a DHCP server and relay in the CLI:
  1. Configure the interface:

    config system interface
        edit "port2"
            set vdom "root"
            set dhcp-relay-service enable
            set ip 10.1.1.5 255.255.255.0
            set allowaccess ping https ssh fabric
            set type physical
            set snmp-index 4
            set dhcp-relay-ip "192.168.20.10"
            set dhcp-relay-request-all-server enable
        next
    end
  2. Configure the DHCP server settings:

    config system dhcp server
        edit 17
            set status enable
            set dns-service default
            set default-gateway 10.1.1.5
            set netmask 255.255.255.0
            set interface "port2"
            config ip-range
                edit 1
                    set start-ip 10.1.1.6
                    set end-ip 10.1.1.254
                next
            end
        next
    end

Default DHCP server for low-end FortiGates

On low-end FortiGate units, a DHCP server is configured on the internal interface, by default, with the following values:

Field             Value

Address Range     192.168.1.110 to 192.168.1.210
Netmask           255.255.255.0
Default Gateway   192.168.1.99
Lease Time        7 days
DNS Server 1      192.168.1.99

These settings are appropriate for the default internal interface IP address of 192.168.1.99. If you change this address to a different network, you need to change the DHCP server settings to match.

Configuring the lease time

The lease time determines the length of time an IP address remains assigned to a client. Once the lease expires, the address is released for allocation to the next client that requests an IP address.

To configure the lease time:
config system dhcp server
    edit <server_entry_number>
        set interface <interface>
        set netmask <netmask>
        set lease-time <seconds>
    next
end

The default lease time is seven days. To have an unlimited lease time, set the value to zero.

The lease time can also be configured in the GUI in the Lease time field within the DHCP server section of the Edit Interface dialog.

Configuring TFTP servers

You can configure multiple TFTP servers for a DHCP server. For example, you may want to configure a main TFTP server and a backup TFTP server.

The tftp-server command allows you to configure the TFTP servers, using either their hostnames or IP addresses. Separate multiple server entries with spaces.

To configure TFTP servers:
config system dhcp server
    edit <server ID>
        set interface <interface>
        set netmask <netmask>
        set tftp-server <hostname/IP address> <hostname/IP address>
    next
end

TFTP servers can also be configured in the GUI in the TFTP server(s) field within the DHCP server > Advanced section of the Edit Interface dialog.

Configuring the DHCP renew time

You can set a minimum DHCP renew time for an interface acting as a DHCP client. This option is available only when mode is set to DHCP.

To set the DHCP renew time:
config system interface
    edit <name>
        set vdom <vdom>
        set interface <interface>
        set mode dhcp
        set dhcp-renew-time <seconds>
    next
end

The possible values for dhcp-renew-time are 300 to 605800 seconds (five minutes to seven days). To use the renew time that the server provides, set this entry to 0.

FortiGate DHCP works with DDNS to allow FQDN connectivity to leased IP addresses

As clients are assigned IP addresses, they send back the information that would be found in an A record to the FortiGate DHCP server, which can pass it on to a corporate DNS server so that even devices using leased IP addresses can be reached by FQDN. You can configure the settings for this feature using the ddns-update CLI command and other DDNS related options. Refer to DDNS update override in the DDNS topic for further details.

Breaking an address lease

If you need to end an IP address lease, you can break the lease. This is useful when addresses are limited and lease times are long but some leases are no longer needed, for example, those of corporate visitors.

To break a lease:
# execute dhcp lease-clear <ip_address>
To break a lease for all IP addresses for the DHCP servers in the current VDOM:
# execute dhcp lease-clear all
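
The lease lifecycle described under "Configuring the lease time" and the two lease-clear forms above, modelled as an added Python example that is not FortiOS code: an expired lease is released to the next client that asks, a lease-time of 0 never expires, and lease-clear all only touches leases belonging to the VDOM it is run from. The LeaseTable class, its method names and the sample MAC addresses are the example's own.

```python
from dataclasses import dataclass


@dataclass
class Lease:
    ip: str
    mac: str
    vdom: str
    start: float        # time the lease was granted (seconds)
    lease_time: int     # seconds; 0 means unlimited, as with "set lease-time 0"

    def expired(self, now):
        return self.lease_time != 0 and now >= self.start + self.lease_time


class LeaseTable:
    DEFAULT_LEASE = 7 * 24 * 3600       # seven days, the FortiOS default

    def __init__(self):
        self._leases = {}               # ip -> Lease

    def active(self, now):
        """Release expired leases, then return the ones still held."""
        self._leases = {ip: l for ip, l in self._leases.items() if not l.expired(now)}
        return dict(self._leases)

    def assign(self, pool, mac, vdom, now, lease_time=DEFAULT_LEASE):
        """Grant the first free address in pool, or None when the pool is exhausted."""
        held = self.active(now)         # expired leases become free here
        for ip in pool:
            if ip not in held:
                self._leases[ip] = Lease(ip, mac, vdom, now, lease_time)
                return ip
        return None

    def lease_clear(self, target, vdom):
        """Model 'execute dhcp lease-clear <ip>' and 'lease-clear all'.

        'all' only clears leases of servers in the current VDOM, so the caller
        passes the VDOM the command is run from; returns the addresses cleared.
        """
        if target == "all":
            removed = [ip for ip, l in self._leases.items() if l.vdom == vdom]
        elif target in self._leases and self._leases[target].vdom == vdom:
            removed = [target]
        else:
            removed = []
        for ip in removed:
            del self._leases[ip]
        return removed


if __name__ == "__main__":
    table = LeaseTable()
    pool = ["10.1.1.6", "10.1.1.7"]
    table.assign(pool, "aa:bb:cc:00:00:01", "root", now=0, lease_time=3600)
    table.assign(pool, "aa:bb:cc:00:00:02", "root", now=0, lease_time=0)
    print("free at t=10:", table.assign(pool, "aa:bb:cc:00:00:03", "root", now=10))      # None
    print("free at t=3600:", table.assign(pool, "aa:bb:cc:00:00:03", "root", now=3600))  # 10.1.1.6
    print("cleared:", table.lease_clear("all", "root"))
```

The model makes the security trade-off in the text concrete: with lease-time 0 an address is never returned to the pool on its own, so a visitor's device keeps its reservation until someone runs lease-clear, whereas a short lease frees it without operator action.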

Excluding addresses in DHCP

If you have a large address range for the DHCP server, you can use the config exclude-range subcommand to block a range of addresses so that they are never offered to connecting clients.

To exclude addresses in DHCP:
config system dhcp server
    edit <server_entry_number>
        config exclude-range
            edit <sequence_number>
                set start-ip <address>
                set end-ip <address>
            next
        end
    next
end
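
An added Python example (not Fortinet code) that computes what a pool actually offers: default_range derives the default Address Range from the interface address in the way the 172.20.120.230 example earlier in this topic describes, and assignable_addresses subtracts exclude-range entries from ip-range entries. Range values are passed as (start-ip, end-ip) string pairs; the function names and the sample ranges are the example's own.

```python
import ipaddress


def default_range(interface_cidr):
    """Default pool derived from the interface address (see the Address Range
    field): the address after the interface IP up to the last host in the
    subnet. interface_cidr is e.g. "172.20.120.230/24"."""
    iface = ipaddress.ip_interface(interface_cidr)
    start = iface.ip + 1
    end = iface.network.broadcast_address - 1
    if start > end:
        raise ValueError(f"no host addresses above {iface.ip} in {iface.network}")
    return str(start), str(end)


def expand_ranges(ranges):
    """Turn (start-ip, end-ip) pairs into a set of IPv4Address objects."""
    addresses = set()
    for start, end in ranges:
        a, b = ipaddress.ip_address(start), ipaddress.ip_address(end)
        if a > b:
            raise ValueError(f"range {start}-{end}: start is after end")
        addresses.update(ipaddress.ip_address(n) for n in range(int(a), int(b) + 1))
    return addresses


def assignable_addresses(ip_ranges, exclude_ranges=()):
    """Addresses the server may lease: ip-range entries minus exclude-range entries."""
    return expand_ranges(ip_ranges) - expand_ranges(exclude_ranges)


def pool_report(ip_ranges, exclude_ranges=()):
    """Counts worth checking before committing a large pool: how many addresses
    remain assignable and how many the exclusions actually removed (an
    exclude-range outside every ip-range removes nothing)."""
    pool = assignable_addresses(ip_ranges, exclude_ranges)
    excluded = expand_ranges(ip_ranges) & expand_ranges(exclude_ranges)
    return {"assignable": len(pool), "excluded": len(excluded)}


if __name__ == "__main__":
    print(default_range("172.20.120.230/24"))           # ('172.20.120.231', '172.20.120.254')
    # constructed ranges: the low-end default pool with ten addresses carved out
    print(pool_report([("192.168.1.110", "192.168.1.210")],
                      [("192.168.1.150", "192.168.1.159")]))   # 91 assignable, 10 excluded
```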

Viewing information about DHCP server connections

To view information about DHCP server connections, go to Dashboard > Network and expand the DHCP monitor widget. On this page, you can also add IP addresses to the reserved IP address list.
