Set Up a DHCP Server

FortiGate can hand out IPs to clients on any LAN interface — replacing or supplementing a separate DHCP server. Common on small/mid-size deployments where the FortiGate is the only network device.

Before You Start

  • The interface is configured with an IP that will be the clients' default gateway.
  • The IP range you want to hand out is decided (typically the upper half of the subnet, leaving room for static IPs).
  • DNS servers and other options (NTP, domain name) are decided.

Steps

Enable DHCP on the interface

  1. Network → Interfaces → (e.g. click internal).
  2. Scroll to the DHCP Server section.
  3. Toggle Enabled.
  4. Fill in:
    • Address Range — e.g. 10.0.0.100 to 10.0.0.200 (the IPs you'll hand out).
    • Netmask — auto-filled from the interface.
    • Default Gateway — Same as Interface IP (default, correct in most cases).
    • DNS Server — pick:
      • Same as System DNS (uses what's set in Network → DNS)
      • Same as Interface IP (the FortiGate itself acts as DNS)
      • Specify (manually pick, e.g. 1.1.1.1 and 8.8.8.8)
    • Lease Time — default 7 days is fine for most networks. Drop to 1 day for guest networks (faster IP recovery).
    • Advanced Options — domain name, NTP, WINS, custom DHCP options.
  5. Click OK.

Reserve IPs for specific MACs (static DHCP)

For devices that should always get the same IP (printers, servers, certain workstations):

  1. Under the DHCP Server section on the interface, expand IP Reservation.
  2. + Create New.
  3. Enter the MAC address of the device and the IP to assign.
  4. OK.

CLI Equivalent

config system dhcp server
edit 1
    set status enable
    set interface "internal"
    set default-gateway 10.0.0.1
    set netmask 255.255.255.0
    set dns-service specify
    set dns-server1 1.1.1.1
    set dns-server2 8.8.8.8
    # 7 days in seconds
    set lease-time 604800
    config ip-range
        edit 1
            set start-ip 10.0.0.100
            set end-ip 10.0.0.200
        next
    end
next
end

Verify

# Show active leases:
execute dhcp lease-list internal

# Or in GUI: Monitor → DHCP Monitor.

From a client on the network, release/renew its DHCP lease:

  • Windows: ipconfig /release && ipconfig /renew
  • Mac: System Preferences → Network → Renew DHCP Lease.
  • Linux: sudo dhclient -r && sudo dhclient

The client should pick up an IP from the configured range.

Common Issues

  • Clients get APIPA (169.254.x.x). DHCP is not actually reaching them. Check that the DHCP server is enabled on the right interface and that the client is physically on that interface (not on a separate VLAN that doesn't have DHCP).
  • Two DHCP servers on the same broadcast domain. Both the FortiGate and another router/switch hand out IPs. The two will fight for leases and clients get random results. Disable one.
  • Reserved IP isn't honored. Wrong MAC (typo or wrong format). MACs in FortiOS use colon format aa:bb:cc:dd:ee:ff.
  • Lease range too small. The pool runs out of IPs as devices join. Expand the range.
  • Need DHCP relay (not server). If clients are on a separate subnet from the FortiGate (e.g. they reach a remote DHCP server), use set dhcp-relay-service enable instead — see Fortinet docs for relay.
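
Several of the issues above (range too small, MAC in the wrong format, addresses outside the interface subnet) can be caught before the scope is applied. The Python check below is an added example, not Fortinet tooling or part of the original page; the function name check_dhcp_plan, the expected_clients figure and the sample reservations are assumptions made for illustration.

```python
import ipaddress
import re

# FortiOS expects colon-separated MACs (aa:bb:cc:dd:ee:ff), as noted above.
MAC_RE = re.compile(r"[0-9a-fA-F]{2}(:[0-9a-fA-F]{2}){5}")

def check_dhcp_plan(gateway, netmask, start_ip, end_ip, reservations, expected_clients):
    """Return a list of problems in a planned DHCP scope (empty list = OK)."""
    problems = []
    net = ipaddress.ip_network(f"{gateway}/{netmask}", strict=False)
    gw = ipaddress.ip_address(gateway)
    start, end = ipaddress.ip_address(start_ip), ipaddress.ip_address(end_ip)

    if start > end:
        problems.append("start-ip is above end-ip")
    for name, ip in (("start-ip", start), ("end-ip", end)):
        if ip not in net or ip in (net.network_address, net.broadcast_address):
            problems.append(f"{name} {ip} is not a usable host address in {net}")
    if start <= gw <= end:
        problems.append(f"gateway {gw} falls inside the lease range")

    pool_size = int(end) - int(start) + 1 if start <= end else 0
    if pool_size < expected_clients:
        problems.append(f"range holds {pool_size} leases, {expected_clients} clients expected")

    seen_ips, seen_macs = set(), set()
    for mac, ip_text in reservations:
        ip = ipaddress.ip_address(ip_text)
        if not MAC_RE.fullmatch(mac):
            problems.append(f"reservation MAC {mac!r} is not in aa:bb:cc:dd:ee:ff format")
        if ip not in net or ip == gw:
            problems.append(f"reserved IP {ip} is outside {net} or equals the gateway")
        if ip in seen_ips or mac.lower() in seen_macs:
            problems.append(f"duplicate reservation for {mac} / {ip}")
        seen_ips.add(ip)
        seen_macs.add(mac.lower())
    return problems

# Constructed sample input: the scope from the CLI section plus made-up reservations.
GOOD = check_dhcp_plan("10.0.0.1", "255.255.255.0", "10.0.0.100", "10.0.0.200",
                       [("aa:bb:cc:dd:ee:01", "10.0.0.50")], expected_clients=80)
BAD = check_dhcp_plan("10.0.0.1", "255.255.255.0", "10.0.0.100", "10.0.0.120",
                      [("AA-BB-CC-DD-EE-02", "10.0.1.50")], expected_clients=80)

if __name__ == "__main__":
    print("good plan:", GOOD or "no problems")
    for p in BAD:
        print("bad plan:", p)
```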