Use the CLI command config system dhcp reserved-address to reserve an IP address for a particular client, identified by its device MAC address and type of connection. The DHCP server then always assigns the reserved IP address to that client. The number of reserved addresses you can define ranges from 10 to 200 depending on the FortiGate model. Keep in mind that a reservation is keyed on the client's MAC address, which any host can change, so it gives you predictable addressing, not access control.
Use the following syntax to always assign 192.168.1.1 to the device with MAC address 00:04:f1:11:11:11:
config system dhcp reserved-address
    edit "ip_phone"
        set ip 192.168.1.1
        set mac 00:04:f1:11:11:11
    next
end
In FortiOS 5.x the reservation is configured under the DHCP server entry instead. Use the following syntax, where 1 is the ID of the DHCP server entry (list the entries with show system dhcp server); the reserved address must be within the pool that server hands out:
config system dhcp server
    edit 1
        config reserved-address
            edit 1
                set ip 192.168.1.1
                set mac 00:11:22:33:44:55
            next
        end
    next
end
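Typing these blocks by hand for more than a handful of hosts is error-prone, and the most common failure reported in the comments below is a reservation that lies outside the server's pool and is silently ignored. The following script is an added example, not Fortinet code: it validates a host list (well-formed unicast MAC, IP inside the pool, no duplicate IPs or MACs) and renders the FortiOS 5.x nested config shown above. The server ID, pool bounds and host list are constructed sample values.

```python
"""Validate DHCP reservations and render the FortiOS 5.x CLI for them.

Added example, not Fortinet code. Server ID 1, the pool bounds and the host
list in SAMPLE_* are constructed sample values.
"""
import ipaddress
import re

_HEX12 = re.compile(r"[0-9a-f]{12}")


def normalize_mac(raw: str) -> str:
    """Accept 00:11:22:33:44:55, 00-11-22-33-44-55, 0011.2233.4455 or
    001122334455 and return the lower-case colon form FortiOS expects."""
    hexonly = re.sub(r"[:\-.\s]", "", raw).lower()
    if not _HEX12.fullmatch(hexonly):
        raise ValueError(f"malformed MAC address: {raw!r}")
    if int(hexonly[:2], 16) & 0x01:
        # I/G bit set: a multicast or broadcast address, never a client NIC
        raise ValueError(f"multicast/broadcast MAC cannot be reserved: {raw!r}")
    return ":".join(hexonly[i:i + 2] for i in range(0, 12, 2))


def check_reservations(scope_start, scope_end, entries):
    """entries: iterable of (ip, mac). Returns (accepted, errors) where
    accepted is a list of (ip, normalized_mac) and errors is a list of str."""
    lo = ipaddress.IPv4Address(scope_start)
    hi = ipaddress.IPv4Address(scope_end)
    accepted, errors = [], []
    seen_ip, seen_mac = set(), set()
    for raw_ip, raw_mac in entries:
        try:
            ip = ipaddress.IPv4Address(raw_ip)
            mac = normalize_mac(raw_mac)
        except ValueError as exc:
            errors.append(str(exc))
            continue
        if not lo <= ip <= hi:
            # The gotcha from the comment thread: a reservation outside the
            # pool is ignored and the client just gets a regular pool lease.
            errors.append(f"{ip} for {mac} is outside the pool {lo}-{hi}")
            continue
        if ip in seen_ip:
            errors.append(f"duplicate IP {ip}")
            continue
        if mac in seen_mac:
            errors.append(f"duplicate MAC {mac}")
            continue
        seen_ip.add(ip)
        seen_mac.add(mac)
        accepted.append((str(ip), mac))
    return accepted, errors


def render_cli(server_id, reservations):
    """Emit the nested config block for FortiOS 5.x, one edit per host."""
    lines = ["config system dhcp server",
             f"    edit {server_id}",
             "        config reserved-address"]
    for idx, (ip, mac) in enumerate(reservations, start=1):
        lines += [f"            edit {idx}",
                  f"                set ip {ip}",
                  f"                set mac {mac}",
                  "            next"]
    lines += ["        end", "    next", "end"]
    return "\n".join(lines)


# Constructed sample input: pool 192.168.1.100-192.168.1.200 on server entry 1
SAMPLE_SCOPE = ("192.168.1.100", "192.168.1.200")
SAMPLE_HOSTS = [
    ("192.168.1.150", "00:11:22:33:44:55"),  # accepted
    ("192.168.1.1",   "00-04-F1-11-11-11"),  # outside the pool: rejected
    ("192.168.1.151", "0011.2233.4455"),     # same MAC as the first: rejected
    ("192.168.1.152", "01:00:5e:00:00:fb"),  # multicast MAC: rejected
]

if __name__ == "__main__":
    good, bad = check_reservations(*SAMPLE_SCOPE, SAMPLE_HOSTS)
    for err in bad:
        print("SKIPPED:", err)
    print(render_cli(1, good))
```

Paste the printed block into the CLI and confirm with show system dhcp server. If your firmware accepts reservations anywhere in the server's subnet rather than only inside ip-range, widen the bounds you pass to check_reservations accordingly.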
Thanks, great job.
Saves searching the KBs on Fortinet support. This came up first on Google. Thanks.
What about the other parameters such as default gateway, DNS and netmask?
Or does the address reservation just reserve addresses and the rest of the parameters are passed by the DHCP server?
DNS, default gateway, etc. are part of the global parameters passed to every client. The DHCP reservation allows you to assign the same IP address to the same MAC address every time. This is helpful for printers, for example. You always know which IP address the printer will have even if it is using DHCP and you have the reservation configured.
After making this reservation by CLI, I do not see this reservation in the GUI anymore.
Is this normal behaviour?
Thanks,
David
I have never seen a reservation in the GUI.
Does anyone know how to remove a DHCP reservation made in this manner?
How would I go about removing a reservation that was put in?
From the CLI:
config system dhcp reserved-address
    delete
So using the example above, would I just have to enter the following to delete it:
config system dhcp reserved-address
    delete "ip_phone"
end
That's great, thanks Sebastian.
Hi all.
I have a question about checking the list of client names with their bound IPs. Let's say that I've added a lot of clients and now I don't remember the names of the entries that I used for each of them. How do I check these names?
Thanks in advance.
Hey guys,
I'm trying to use the DHCP reservation option but it doesn't work.
The MAC address is correct but it simply ignores the reservation list.
I ran the "exe dhcp lease-clear" command and tried again, nothing. /release /renew, same.
When I run the debug on DHCP I see that it receives the correct MAC address but provides the client with a plain pool IP.
any idea?
One of the common problems I run into is that the address reservation is outside of the scope of the DHCP server. Check to make sure it's actually in the range of available IP addresses.
Thank you, that worked! :)
Looking through blogs is much easier than reading the entire CLI manual.
BTW, I love the background image. I lived in Hamburg for a year and I loved it. So when I was reading your post I suddenly recognised the picture and got super happy! Hahaha, viel Spass!
One of the best places in the world to be from. Glad you enjoyed it :)
Excellent post. I looked through the Fortinet docs and couldn't find a reference to this anywhere. You rock!
Tell me one other thing: do you know if there is a way to restrict it so that a specific MAC address does not get an IP assigned to it at all, i.e. blacklist it from the network?
Interesting question :)
Not that I know of, since the point of DHCP is typically to provide an IP address to anyone who asks for it.
You could assign a specific MAC address to get an address out of a pool that doesn't route anywhere or is limited by firewall policies.
I was thinking the same thing, in that I could simply assign a particular MAC address a different, unrelated IP. But that would also require that I set a firewall policy matching that IP to deny access, since in the Fortinet DHCP setup you can only have one DHCP server per interface, and DHCP will always give out the gateway info, thereby allowing even the problem IPs access to the outside world.
Basically what I would like to do is to have an open network of both wired and wireless connections in the office, where if the machine is known it has full access to the internet, NAS, etc.
But if the machine is unknown it has little to no access. That way we could have our drop-in customers use the network without any security or performance issues.
Supporting this, maybe I could turn the configuration on its ear and do something like this.
Have the DHCP server use a pool of 192.168.1.100 to 192.168.1.200 but with a gateway of 10.0.0.1. That way default connections can see the outside world, but the inside is not accessible.
Then register my known set of machines, each with a reserved IP in the 10.0.0.100 to 10.0.0.200 range. This way they will work fine with each other and the gateway.
Next, put a policy in place that denies access, or better still uses traffic shaping and QoS to limit access, for any IP in 192.168.1.x.
This way my known machines get true access to each other and the internet with a 10.0.0.x IP and the 10.0.0.1 gateway and no policy limitations,
while any unknown machines would get an IP of 192.168.1.x and have no access to the 10.0.0.x set of machines, and a policy limiting their internet access via the gateway.
This puts the onus on the machine owner to register the machine if they want full access, while supporting our drop-ins with some internet access.
What do you think?
Hey,
looking for an answer.
I have a FortiGate router.
I assigned an IP address to a specific MAC address. Now I just want to remove that. Is that possible?
Hi,
We have a problem with the IP reservation. We set the address and everything worked normally for at least 6 months. Then the FortiGate started to forget user MAC addresses and give them different IP addresses. Why is this happening? Any idea?
Thanks
With FortiOS 5, released in November 2012, the MAC address reservation has now been made available in the GUI.
The command for this has been updated in newer firmware releases. I don't know what version initiated the change, but in version 5.0.6 the command would be:
config system dhcp server
    edit 1
        config reserved-address
            edit 1
                set ip 192.168.1.1
                set mac 00:11:22:33:44:55
            next
        end
    next
end