This article describes how to fix DHCP relay setups that stop working after upgrading to FortiOS v7.0.1 or later when local-in policies are in use.
Scope
FortiOS v7.0.1 onwards.
Solution
After a FortiGate configured as a DHCP relay agent is upgraded to v7.0.1 or later, DHCP Discover packets are dropped. The interface configuration, a sniffer capture of the incoming Discover packets, and the flow debug recording the drop are shown below:
config system interface
    edit "port1"
        set vdom "root"
        set dhcp-relay-service enable
        set ip 10.1.1.1 255.255.255.224
        set allowaccess ping
        set description "LAN"
        set snmp-index 119
        set dhcp-relay-ip "10.2.1.1"
    next
end

diag sniffer packet any "port 67" 4 0 a

2023-07-19 08:33:04.987276 port1 in 0.0.0.0.68 -> 255.255.255.255.67: udp 300
2023-07-19 08:33:20.986618 port1 in 0.0.0.0.68 -> 255.255.255.255.67: udp 300
2023-07-19 08:35:03.610983 port1 in 0.0.0.0.68 -> 255.255.255.255.67: udp 300
2023-07-19 08:35:07.605345 port1 in 0.0.0.0.68 -> 255.255.255.255.67: udp 300

2023-07-19 11:50:16 id=20085 trace_id=1045 func=print_pkt_detail line=5844 msg="vd-root:0 received a packet(proto=17, 0.0.0.0:68->255.255.255.255:67) tun_id=0.0.0.0 from port1. "
2023-07-19 11:50:16 id=20085 trace_id=1045 func=init_ip_session_common line=6023 msg="allocate a new session-0060f9a7, tun_id=0.0.0.0"
2023-07-19 11:50:16 id=20085 trace_id=1045 func=vf_ip_route_input_common line=2605 msg="find a route: flag=90000000 gw-255.255.255.255 via root"
2023-07-19 11:50:16 id=20085 trace_id=1045 func=fw_local_in_handler line=500 msg="iprope_in_check() check failed on policy 4, drop"
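The flow debug above is the evidence to look for when triaging this problem: the packet detail line shows a UDP packet to port 67, and the fw_local_in_handler line names the local-in policy that dropped it. The following script is an added example, not part of the Fortinet article, that groups flow-debug lines by trace_id and reports every DHCP (UDP/67) packet dropped by a local-in policy, together with the ingress interface and the policy ID. The sample input is the article's own four debug lines; the field layout it relies on (trace_id=, func=, msg="...") is the one visible in those lines.

```python
import re
from collections import defaultdict

# Sample input: the four flow-debug lines quoted in the article.
FLOW_DEBUG = """\
2023-07-19 11:50:16 id=20085 trace_id=1045 func=print_pkt_detail line=5844 msg="vd-root:0 received a packet(proto=17, 0.0.0.0:68->255.255.255.255:67) tun_id=0.0.0.0 from port1. "
2023-07-19 11:50:16 id=20085 trace_id=1045 func=init_ip_session_common line=6023 msg="allocate a new session-0060f9a7, tun_id=0.0.0.0"
2023-07-19 11:50:16 id=20085 trace_id=1045 func=vf_ip_route_input_common line=2605 msg="find a route: flag=90000000 gw-255.255.255.255 via root"
2023-07-19 11:50:16 id=20085 trace_id=1045 func=fw_local_in_handler line=500 msg="iprope_in_check() check failed on policy 4, drop"
"""

# One trace is a sequence of (func, msg) events sharing a trace_id.
TRACE_RE = re.compile(r'trace_id=(\d+) func=(\S+) .*?msg="(.*)"$')
# Packet summary emitted by print_pkt_detail: proto, src:port->dst:port, ingress interface.
PKT_RE = re.compile(r'received a packet\(proto=(\d+), (\S+):(\d+)->(\S+):(\d+)\) .*from (\S+)\.')
# Verdict emitted by fw_local_in_handler when a local-in policy denies the packet.
DROP_RE = re.compile(r'check failed on policy (\d+), drop')

UDP = 17
DHCP_SERVER_PORT = 67


def group_traces(debug_text):
    """Map trace_id -> ordered list of (func, msg) events."""
    traces = defaultdict(list)
    for line in debug_text.splitlines():
        m = TRACE_RE.search(line)
        if m:
            traces[m.group(1)].append((m.group(2), m.group(3)))
    return traces


def find_local_in_dhcp_drops(debug_text):
    """Return one record per trace in which a UDP/67 packet was dropped by a local-in policy."""
    drops = []
    for trace_id, events in group_traces(debug_text).items():
        pkt = None
        for func, msg in events:
            if func == "print_pkt_detail":
                pm = PKT_RE.search(msg)
                if pm:
                    pkt = {
                        "proto": int(pm.group(1)),
                        "src": pm.group(2), "sport": int(pm.group(3)),
                        "dst": pm.group(4), "dport": int(pm.group(5)),
                        "ingress": pm.group(6),
                    }
            elif func == "fw_local_in_handler" and pkt is not None:
                dm = DROP_RE.search(msg)
                if dm and pkt["proto"] == UDP and pkt["dport"] == DHCP_SERVER_PORT:
                    drops.append({
                        "trace_id": trace_id,
                        "ingress": pkt["ingress"],
                        "src": pkt["src"],
                        "policy": int(dm.group(1)),
                    })
    return drops


if __name__ == "__main__":
    for d in find_local_in_dhcp_drops(FLOW_DEBUG):
        print(f"trace {d['trace_id']}: DHCP from {d['src']} on {d['ingress']} "
              f"dropped by local-in policy {d['policy']}")
```

Feed it the output of a longer diagnose debug flow session and it will point directly at the local-in policy ID that needs an accept rule placed above it.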
This happens because, from v7.0.1 onwards, the DHCP relay daemon listens on a Layer 3 socket, so incoming DHCP Discover packets are checked against the local-in policies. In this setup, policy 4 below denies all traffic (no action is set, and local-in policies deny by default), which is why the Discover is dropped:
config firewall local-in-policy
    . .
    edit 4
        set intf "any"
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL"
        set schedule "always"
    next
end
If a deny-all local-in policy is configured, add a local-in policy above the deny policy that accepts traffic to UDP destination port 67 (the predefined DHCP service) on the relay interface, as below:
config firewall local-in-policy
    . .
    edit 5
        set intf "port1"
        set srcaddr all
        set dstaddr all
        set action accept
        set service "DHCP"
        set schedule "always"
    next
    edit 4
        set intf "any"
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL"
        set schedule "always"
    next
end
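Because local-in policies are evaluated top-down and the first match wins, the fix depends on ordering as much as on the accept rule itself. The script below is an added example, not Fortinet's code or a FortiOS feature: it parses a local-in-policy block in the CLI format shown above, simulates the first-match lookup for a DHCP packet arriving on the relay interface, and reports which policy would handle it. It assumes that a policy with no set action line denies (the FortiOS default) and that a packet matching no local-in policy is allowed; the two sample configurations are the article's "before" and "after" blocks.

```python
import re
from dataclasses import dataclass

# Sample input: the deny-all block from the article (the "before" state).
BROKEN_CONFIG = """\
config firewall local-in-policy
    edit 4
        set intf "any"
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL"
        set schedule "always"
    next
end
"""

# Sample input: the corrected block, with the DHCP accept rule above the deny-all.
FIXED_CONFIG = """\
config firewall local-in-policy
    edit 5
        set intf "port1"
        set srcaddr all
        set dstaddr all
        set action accept
        set service "DHCP"
        set schedule "always"
    next
    edit 4
        set intf "any"
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL"
        set schedule "always"
    next
end
"""


@dataclass
class LocalInPolicy:
    policy_id: int
    intf: str = "any"
    service: str = "ALL"
    action: str = "deny"  # assumption: FortiOS local-in-policy denies when no action is set


def parse_local_in_policies(text):
    """Parse 'config firewall local-in-policy ... end' into policies in evaluation order."""
    policies, current, in_block = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "config firewall local-in-policy":
            in_block = True
            continue
        if not in_block:
            continue
        if line == "end":
            break
        m = re.match(r"^edit (\d+)$", line)
        if m:
            current = LocalInPolicy(int(m.group(1)))
            continue
        if line == "next" and current is not None:
            policies.append(current)
            current = None
            continue
        m = re.match(r"^set (\S+) (.+)$", line)
        if m and current is not None:
            key, value = m.group(1), m.group(2).strip().strip('"')
            if key == "intf":
                current.intf = value
            elif key == "service":
                current.service = value
            elif key == "action":
                current.action = value
    return policies


def first_match(policies, intf, service):
    """Top-down, first-match evaluation on interface and service (addresses are 'all' here)."""
    for p in policies:
        if p.intf in ("any", intf) and p.service in ("ALL", service):
            return p
    return None


def dhcp_relay_allowed(config_text, relay_intf):
    """Return (allowed, policy_id) for a DHCP Discover arriving on relay_intf."""
    p = first_match(parse_local_in_policies(config_text), relay_intf, "DHCP")
    if p is None:
        return True, None  # assumption: no matching local-in policy means the packet is accepted
    return p.action == "accept", p.policy_id


if __name__ == "__main__":
    for name, cfg in (("before", BROKEN_CONFIG), ("after", FIXED_CONFIG)):
        allowed, pid = dhcp_relay_allowed(cfg, "port1")
        print(f"{name}: DHCP on port1 {'accepted' if allowed else 'dropped'} by policy {pid}")
```

Running it against a configuration exported with show firewall local-in-policy gives a quick post-upgrade check that the accept rule for the relay interface actually sits above the deny-all; a rule placed below it parses fine but never matches.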