Tuesday, March 25, 2008

DHCP Address Reservations

If you use the DHCP server on the Fortigate you can configure DHCP address reservations to always assign specific IP addresses to a computer, based on its MAC address.
Use the CLI command config system dhcp reserved-address to reserve an IP address for a particular client identified by its device MAC address and type of connection. The DHCP server then always assigns the reserved IP address to the client. The number of reserved addresses that you can define ranges from 10 to 200 depending on the FortiGate model.
Use the following syntax to always assign 192.168.1.1 to the device with MAC address 00:04:f1:11:11:11.

config system dhcp reserved-address
    edit "ip_phone"
        set ip 192.168.1.1
        set mac 00:04:f1:11:11:11
    next
end

In FortiOS 5.x the reservations live inside the DHCP server entry, so use the following syntax, where 1 is the ID of the existing DHCP server entry (use another number if appropriate; "show system dhcp server" lists the entries). Each "edit" is closed with "next" and each nested "config" table with "end":

config system dhcp server
    edit 1
        config reserved-address
            edit 1
                set ip 192.168.1.1
                set mac 00:11:22:33:44:55
            next
        end
    next
end
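As an added example (not from the original post), a small Python helper that takes a list of reservations, checks them for the mistakes that commonly break them in practice (malformed MAC, an IP outside the DHCP server's pool, duplicate MACs or IPs) and then renders the FortiOS 5.x block shown above. The sample reservations and the pool range are constructed for the example.

```python
import ipaddress
import re

# Constructed sample reservations: name -> (MAC, IP). Not from the original post.
RESERVATIONS = {
    "ip_phone": ("00:04:f1:11:11:11", "192.168.1.1"),
    "printer": ("00:11:22:33:44:55", "192.168.1.150"),
}

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


def validate(reservations, pool_start, pool_end):
    """Return a list of problems; an empty list means the set is consistent.

    A reservation whose IP is outside the server's ip-range is the classic
    failure: the client then simply receives an ordinary pool address.
    """
    lo, hi = ipaddress.IPv4Address(pool_start), ipaddress.IPv4Address(pool_end)
    problems, seen_mac, seen_ip = [], {}, {}
    for name, (mac, ip) in reservations.items():
        mac = mac.lower()
        if not MAC_RE.match(mac):
            problems.append(f"{name}: malformed MAC {mac!r}")
        try:
            addr = ipaddress.IPv4Address(ip)
        except ValueError:
            problems.append(f"{name}: malformed IP {ip!r}")
            continue
        if not lo <= addr <= hi:
            problems.append(f"{name}: {ip} is outside pool {pool_start}-{pool_end}")
        if mac in seen_mac:
            problems.append(f"{name}: MAC {mac} already used by {seen_mac[mac]}")
        if addr in seen_ip:
            problems.append(f"{name}: IP {ip} already used by {seen_ip[addr]}")
        seen_mac.setdefault(mac, name)
        seen_ip.setdefault(addr, name)
    return problems


def render_fortios5(reservations, server_id=1):
    """Emit the FortiOS 5.x reserved-address block; entry IDs are sequential."""
    lines = ["config system dhcp server", f"    edit {server_id}",
             "        config reserved-address"]
    for idx, (name, (mac, ip)) in enumerate(reservations.items(), start=1):
        lines += [f"            edit {idx}", f"                set ip {ip}",
                  f"                set mac {mac.lower()}", "            next"]
    lines += ["        end", "    next", "end"]
    return "\n".join(lines)


if __name__ == "__main__":
    issues = validate(RESERVATIONS, "192.168.1.100", "192.168.1.200")
    print("\n".join(issues) if issues else render_fortios5(RESERVATIONS))
```

With the constructed pool of 192.168.1.100 to 192.168.1.200, the "ip_phone" entry at 192.168.1.1 is reported as outside the pool rather than rendered.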

23 comments:

Anonymous said...

Thanks, great job.

Sarcosis said...

Saves searching the KBs on Fortinet support. This came up first on Google. Thanks.

Icaro said...

What about the other parameters, such as default gateway, DNS and netmask?

Or does address reservation just reserve addresses, and the rest of the parameters are passed by the DHCP server?

Sebastian said...

DNS, default gateway, etc. are part of the global parameters passed to every client. The DHCP reservation allows you to assign the same IP address to the same MAC address every time. This is helpful for printers, for example. You always know which IP address the printer will have, even if it is using DHCP, when you have the reservation configured.

Anonymous said...

After making this reservation by CLI, I do not see this reservation in the GUI anymore.
Is this normal behaviour?

Thanks,

David

Sebastian said...

I have never seen a reservation in the GUI.

Unknown said...

Does anyone know how to remove a DHCP reservation made in this manner?

Unknown said...

How would I go about removing a reservation that was put in?

Sebastian said...

From the CLI:

config system dhcp reserved-address
    delete "ip_phone"
end

Unknown said...

So using the example above, would I just have to enter the following to delete it:

config system dhcp reserved-address
    delete "ip_phone"
end

Anonymous said...

That's great, thanks Sebastian.

jcknowak said...

Hi all.

I have a question about checking the list of client names with their bound IPs. Let's say that I've added a lot of clients and now I don't remember the names of the entries I used for each of them. So how do I check these names?

Thanks in advance.

Corenium said...

Hey guys,

I'm trying to use the DHCP reservation option but it doesn't work.
The MAC address is correct but it simply ignores the reservation list.

I ran the "exe dhcp lease-clear" command and tried again, nothing. /release /renew, same.

When I run the debug on DHCP I see that it receives the correct MAC address but provides the client with a plain pool IP.

Any idea?

Sebastian said...

One of the common problems I run into is that the address reservation is outside of the scope of the DHCP server. Check to make sure it's actually in the range of available IP addresses.

k8 said...

Thank you, that worked! :)
Looking through blogs is much easier than reading the entire CLI manual.

BTW, I loooove the background image. I lived in Hamburg for a year and I loved it. So, when I was reading your post I suddenly recognized the picture and I got super happy! hahhaha Viel Spass!

Sebastian said...

One of the best places in the world to be from. Glad you enjoyed it :)

Anonymous said...

Excellent post, I looked through the Fortinet docs and couldn't find a reference to this anywhere.... You rock!

Tell me one other thing: do you know if there is a way to restrict it so that a specific MAC address does not get an IP assigned to it at all, i.e. blacklist it from the network?

Sebastian said...

Interesting question :)
Not that I know of since the point of DHCP is typically to provide an IP address to anyone who asks for it.

You could assign a specific MAC address to get an address out of a pool that doesn't route anywhere or is limited by firewall policies.

Anonymous said...

I was thinking the same thing, in that I could simply assign a particular MAC address a different, unrelated IP. But that would also require that I set a firewall policy matching that IP to deny access, since in the Fortinet DHCP setup you can only have 1 DHCP server per interface, and the DHCP will always give out the gateway info, thereby allowing even the problem IPs access to the outside world.


Basically what I would like to do is to have an open network of both wired and wireless connections in the office, where if the machine is known it has full access to the internet, NAS, etc.,
but if the machine is unknown it has little to no access. That way we could have our drop-in customers use the network, and not have any security or performance issues with it.

Supporting this, maybe I could turn the configuration on its ear and do something like this.

Have the DHCP server use a pool of 192.168.1.100 to 192.168.1.200 but with a gateway of 10.0.0.1. That way default connections can see the outside world, but inside is not accessible.

Then register my known set of machines each with a reserved IP in the 10.0.0.100 to 10.0.0.200 range. This way they will work fine with each other and the gateway.

Next, put a policy in place that denies access or, better still, uses traffic shaping and QoS to limit access for any IP in 192.168.1.X.

This way my known machines get true access to each other and the internet with the 10.0.0.X IP and 10.0.0.1 gateway and no policy limitations,

while any unknown machines would get an IP of 192.168.1.X and have no access to the 10.0.0.X set of machines and a policy limiting their internet access via the gateway.

This puts the onus on the machine owner to register the machine if they want full access, while supporting our drop-ins with some internet access.

What do you think?

niel said...

Hey,
looking for an answer.
I have a FortiGate router.
I assigned an IP address to a specific MAC address.... Now I just wanna remove that. Is that possible?

Emrah said...

Hi,
We have a problem with the IP reservation. We set the address and everything worked normally for at least 6 months. Then the FortiGate started to forget user MAC addresses and started giving them different IP addresses. Why is this happening? Any idea?
Thanks

TechEnthusiast said...

With FortiOS 5, released in November 2012, MAC address reservation has now been made available in the GUI.

Anonymous said...

The command for this has been updated in newer firmware releases. I don't know what version initiated the change but in version 5.0.6 the command would be:

config system dhcp server
    # 1 is the DHCP server entry ID; use another number as appropriate
    edit 1
        config reserved-address
            edit 1
                set ip 192.168.1.1
                set mac 00:11:22:33:44:55
            next
        end
    next
end