
DHCP packet broadcast flag

This article describes the possibility of a DHCP offer packet from the DHCP server being sent to a broadcast layer 3 address instead of a unicast layer 3 address.

Scope

FortiOS.

Solution

This article considers an implementation where the DHCP server and the client requesting the IP or PXE Boot information do not reside on the same subnet (a relay is involved) and the communication between the server and the client has to pass through a FortiGate in transparent mode for enhanced security.

The DHCP offer packet carries IP information that a DHCP server assigned to the client (more information about the DHCP IP information assignment process can be found here).

Most times, this offer packet is sent to a unicast address. In some circumstances, it can also be sent to a broadcast address.

Some devices or operating systems are not capable of receiving DHCP information by unicast (this is detailed in RFC 2131; see the screenshot taken from this RFC below). In these cases, the DHCP offer will be sent to a broadcast IP (this is controlled by the broadcast flag).

When these offer packets arrive at the FortiGate (in transparent mode), they will likely be dropped if there is no firewall policy that permits the DHCP service to reach the destination IP 255.255.255.255 through the interface the DHCP client sits behind.

Ensure DHCP offer packets of this nature are permitted through/by the Firewall to avoid issues in situations like this.
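To make the broadcast-flag decision concrete, here is an added Python example (not part of the original article or of FortiOS) that decodes the fixed DHCP header fields, reads the broadcast bit from the flags field, and applies the RFC 2131 section 4.1 and RFC 1542 section 4.1.2 delivery rules to a constructed, relayed DHCPOFFER; the addresses, transaction ID and MAC are sample values.

```python
import struct
from ipaddress import IPv4Address

BROADCAST_FLAG = 0x8000          # RFC 2131 section 2: leftmost bit of the 'flags' field
LIMITED_BROADCAST = IPv4Address("255.255.255.255")
CLIENT_PORT, SERVER_PORT = 68, 67
HEADER = struct.Struct("!BBBBIHH4s4s4s4s16s")   # fixed BOOTP fields up to chaddr

def parse_dhcp_header(packet: bytes) -> dict:
    """Decode the fixed-format DHCP/BOOTP fields (RFC 2131 figure 1)."""
    if len(packet) < HEADER.size:
        raise ValueError("truncated DHCP header")
    op, htype, hlen, hops, xid, secs, flags, ci, yi, si, gi, chaddr = HEADER.unpack_from(packet)
    return {"op": op, "xid": xid, "flags": flags,
            "broadcast": bool(flags & BROADCAST_FLAG),
            "ciaddr": IPv4Address(ci), "yiaddr": IPv4Address(yi),
            "giaddr": IPv4Address(gi), "chaddr": chaddr[:hlen].hex(":")}

def server_reply_destination(h: dict) -> tuple:
    """Where the server sends DHCPOFFER/DHCPACK (RFC 2131 section 4.1)."""
    if int(h["giaddr"]):                   # request came via a relay: reply to the relay
        return h["giaddr"], SERVER_PORT
    if int(h["ciaddr"]):                   # client already has a usable address
        return h["ciaddr"], CLIENT_PORT
    if h["broadcast"]:                     # client cannot receive unicast yet
        return LIMITED_BROADCAST, CLIENT_PORT
    return h["yiaddr"], CLIENT_PORT        # unicast to the offered address

def relay_client_destination(h: dict) -> tuple:
    """Last hop: IP destination the relay agent uses toward the client (RFC 1542 section 4.1.2).
    This is the packet a transparent-mode firewall between relay and client sees."""
    if int(h["ciaddr"]):
        return h["ciaddr"], CLIENT_PORT
    if h["broadcast"]:
        return LIMITED_BROADCAST, CLIENT_PORT
    return h["yiaddr"], CLIENT_PORT

# Constructed DHCPOFFER (sample values): relayed (giaddr set), broadcast flag copied from the client.
SAMPLE_OFFER = HEADER.pack(
    2, 1, 6, 1, 0x3903F326, 0, 0x8000,
    bytes(4), IPv4Address("192.0.2.10").packed, IPv4Address("198.51.100.2").packed,
    IPv4Address("192.0.2.1").packed, bytes.fromhex("001122334455").ljust(16, b"\0"),
) + bytes(64 + 128) + bytes.fromhex("63825363") + bytes([53, 1, 2, 255])

if __name__ == "__main__":
    hdr = parse_dhcp_header(SAMPLE_OFFER)
    print("broadcast flag set:", hdr["broadcast"])
    print("server sends offer to:", server_reply_destination(hdr))
    print("relay delivers offer to:", relay_client_destination(hdr))
```

With the flag set, the relay's last-hop destination is 255.255.255.255 on port 68, which is exactly the flow the firewall policy described above has to permit on the client-facing interface.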

Note: An identical setup with a different ‘DHCP server relay agent’ or ‘BOOTP relay agent’ may behave differently (for example, a Cisco router used as a DHCP relay agent might not behave the same way as a Juniper router used as a DHCP relay agent).