Matt Sherif

DHCP Relay on FortiGate

The FortiGate is a mighty firewall: it has many features and can do many jobs. In many small environments it's not uncommon to see it act not only as the firewall but also as the DHCP server, DNS server, NTP server, etc.





In larger environments it's not uncommon for more specialized teams to handle these roles, with more centralized servers for managing them. Given that DHCP relies on broadcast traffic by default, and broadcasts do not cross subnet boundaries, does that mean our DHCP servers must have an interface listening on every DHCP-enabled network? No: this is where DHCP relay comes into play.



In a topology like this it would be very hard for the DHCP-enabled network to get an IP address without a relay.



DHCP Relay - known by some manufacturers as IP Helper - was developed as a way for a network device to turn these broadcasts into unicast packets addressed to a configured DHCP server, so they can cross subnet boundaries without resorting to the scenario above. Enabling this on your FortiGate is simple: enable it on the network interfaces of your DHCP-enabled subnets, point it at the DHCP server, and you're in business! We'll take a brief look at how.


Assumptions


  1. You have preconfigured a DHCP scope on your choice of DHCP server

  2. It is activated and ready to use


Configuration


First you need to create or configure an interface on your FortiGate; you can do that by going to Network > Interfaces. For this example I will create a VLAN we intend to use later for a desktop network:



All fairly standard configuration; your settings may vary.

Keep in mind that when you intend to use an interface for DHCP relay, you must assign it a static IP address. Make sure the FortiGate's own DHCP server is also disabled on that interface. Once your interface is created, you will need to enable the dhcp-relay-service in the CLI:




Once you've configured the interface to perform DHCP relay, you are all set! To test this I will assign a switch port to VLAN 109 and validate that I get an IP address. Your verification methods may vary depending on your environment.
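The interface, relay and verification steps above in CLI form, as an added example and not the post's own configuration or screenshots. It assumes VLAN 109 on physical port2, the FortiGate at 10.109.0.1/24 on that VLAN, and a central DHCP server at 10.0.0.5 holding a 10.109.0.0/24 scope (all constructed values).

```fortios
# Added example, not the post's own configuration. Assumed values: the
# desktop VLAN is 109 on physical port2, the FortiGate holds 10.109.0.1/24
# on it, and the central DHCP server (scope 10.109.0.0/24) is 10.0.0.5.
config system interface
    edit "VLAN109-Desktops"
        set vdom "root"
        # Relay interfaces must have a static address: the relay places it
        # in giaddr, which is how the server picks the 10.109.0.0/24 scope
        # and where it sends its replies.
        set ip 10.109.0.1 255.255.255.0
        set allowaccess ping
        set role lan
        set interface "port2"
        set vlanid 109
        # Forward this VLAN's DHCP broadcasts as unicast to the server.
        set dhcp-relay-service enable
        set dhcp-relay-ip "10.0.0.5"
    next
end

# Confirm the FortiGate's own DHCP server is not also serving this VLAN:
# "VLAN109-Desktops" must not appear as the interface of any entry.
show system dhcp server

# Verification: plug a host into a VLAN 109 port and watch the exchange.
# Expected: broadcast DISCOVER/REQUEST arriving on VLAN109-Desktops, and
# unicast packets between 10.109.0.1 and 10.0.0.5 on udp/67.
diagnose sniffer packet any 'port 67 or port 68' 4 10
```

The DHCP server must have a route back to 10.109.0.1, the giaddr it replies to; if the sniffer shows the relayed request leaving but no offer returning, check that route and the server's scope before anything on the FortiGate.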