FortiGate
welnaggar
Staff
Article Id 196557

Description


This article describes how to push static routes from a FortiGate DHCP server using DHCP Option 121 (RFC 3442).

Solution


The DHCP Option 121 value is entered as the hexadecimal representation of decimal values.
It is compatible with all Windows machines except XP and Server 2003.
Linux also accepts routes learned through DHCP Option 121.

The format is a concatenation of three sections, with no delimiting characters:

 

<mask> <destination subnet> <next hop IP>

 

Note that the destination subnet is condensed: only the octets covered by the CIDR mask are written, rounded up to the nearest whole octet.

For example, here is the formatting for three different routes; spaces are added for clarity:

 

08 0A C0A80201      10.0.0.0/8

10 0A00 C0A80201    10.0.0.0/16

14 0A0000 C0A80201  10.0.0.0/20

 

Note the additional zeroes in the destination subnet section. Although the added octets are only zeroes, the output length differs because the destination subnet is extended up to and including the octet that contains the CIDR mask boundary.

 

The route statements are then concatenated into a single hexadecimal string.

 

As an example:

1st route.

10.0.0.0/8 with gateway 192.168.2.1
Hex value has to be: /8=08, 10.0.0.0=0A, 192.168.2.1=C0A80201                       

Output value: 080AC0A80201

 

2nd route.

172.16.0.0/16  with gateway 192.168.2.1
Hex value has to be: /16=10, 172.16.0.0=AC10, 192.168.2.1=C0A80201         

Output value: 10AC10C0A80201


3rd route.

192.168.15.0/24  with gateway 192.168.2.1
Hex value has to be: /24=18, 192.168.15.0=C0A80F, 192.168.2.1=C0A80201     

Output value: 18C0A80FC0A80201

 

The final concatenated result then would be:

080AC0A8020110AC10C0A8020118C0A80FC0A80201
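
The encoding steps above, as an added Python example (not part of the original article and not Fortinet tooling): it builds the Option 121 hex value from a list of routes and decodes a configured value back into routes, so the string can be checked before it is pushed to clients. The function names are chosen here for illustration; the routes are the ones from the article.

```python
import ipaddress

# Routes taken from the article's worked example.
PAGE_ROUTES = [
    ("10.0.0.0/8", "192.168.2.1"),
    ("172.16.0.0/16", "192.168.2.1"),
    ("192.168.15.0/24", "192.168.2.1"),
]

def encode_option121(routes):
    """Encode [(destination CIDR, next hop), ...] as an Option 121 hex string."""
    out = bytearray()
    for cidr, gateway in routes:
        net = ipaddress.IPv4Network(cidr)        # raises if host bits are set
        significant = (net.prefixlen + 7) // 8   # octets kept, rounded up
        out.append(net.prefixlen)                # mask width, one byte
        out += net.network_address.packed[:significant]
        out += ipaddress.IPv4Address(gateway).packed
    return out.hex().upper()

def decode_option121(hex_value):
    """Decode an Option 121 hex string into [(CIDR, next hop), ...]."""
    data = bytes.fromhex(hex_value)
    routes, i = [], 0
    while i < len(data):
        prefixlen = data[i]
        if prefixlen > 32:
            raise ValueError(f"invalid mask width {prefixlen} at byte {i}")
        significant = (prefixlen + 7) // 8
        end = i + 1 + significant + 4            # mask + subnet octets + next hop
        if end > len(data):
            raise ValueError(f"truncated route starting at byte {i}")
        dest = ipaddress.IPv4Address(data[i + 1:end - 4].ljust(4, b"\x00"))
        net = ipaddress.IPv4Network(f"{dest}/{prefixlen}")
        routes.append((str(net), str(ipaddress.IPv4Address(data[end - 4:end]))))
        i = end
    return routes

if __name__ == "__main__":
    value = encode_option121(PAGE_ROUTES)
    print(value)
    for net, gw in decode_option121(value):
        print(f"{net} via {gw}")
```

Decoding a value copied from an existing DHCP server configuration lists exactly which routes that server hands to clients; a malformed or truncated string raises ValueError instead of being silently misread.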


On FortiGate, DHCP Options can be configured from the GUI or CLI.

From the GUI.


Go to Network -> Interfaces -> Edit Interface -> Advanced -> Create new "Additional DHCP Options" and enter:

- Option Code: Specify

- Code: 121

- Value Type: Hexadecimal

- Value: 080AC0A8020110AC10C0A8020118C0A80FC0A80201

 
 

 

 
 
From the CLI.

config system dhcp server
    edit 1
        config options
            edit 1
                set code 121
                set type hex
                set value "080AC0A8020110AC10C0A8020118C0A80FC0A80201"
            next
        end
    next
end

Finally, after the IP configuration on the Windows machine is renewed with the following command, the three routes appear in its routing table:

C:\users\fortinet>ipconfig/renew

Here is the final result when listing the routing table using the route print command:

C:\users\fortinet>route print