Skip to content

DHCP

You can configure Sophos Firewall as a DHCP server and a relay agent to provide IP addresses and network parameters to clients.

Network parameters include the default gateway, subnet mask, domain name, DNS servers, and WINS servers. You can send additional parameters to clients using DHCP options on the CLI.

On the web admin console, you can also view lease records for IP addresses leased to clients.

Note

For DHCP communication over VPN, Sophos Firewall only supports DHCP relays on IPsec site-to-site connections. Currently, you can't create DHCP relays on route-based VPNs.

Note

You can configure DHCP servers and relay agents on physical and virtual interfaces, such as VLANs, wireless networks, and bridge interfaces, but not on an interface alias.

Benefits of DHCP:

  • Simplifies the configuration of endpoint devices, including mobile devices, servers, and routers.
  • Allows mobile devices to move seamlessly between networks.
  • Allows you to use address space effectively, redistributing IP addresses that aren't in use.
  • Allows you to locate and troubleshoot IP address-related issues faster.

Overview

DHCP server: As a DHCP server, Sophos Firewall assigns IP addresses and network parameters to DHCP clients. When clients leave the network, the server releases the assigned IP addresses and reuses these.

For Sophos Firewall to lease IP addresses directly to clients within the server's network, the DHCP interface must belong to the client network.

For Sophos Firewall to lease IP addresses to clients in other networks, you must configure a DHCP relay agent. Since clients in each network require different sets of network parameters (example: default gateway), you must configure the DHCP server as many times as the networks for which you want to lease IP addresses. For these server configurations, you can use the same DHCP interface on which the server listens for DHCP queries. The server leases IP addresses that belong to the same subnet as the relay agent's source address.

You can also configure the server to assign static IP addresses mapped to clients' MAC addresses.

  • To configure Sophos Firewall as the DHCP server, go to the Server section and click Add.

DHCP relay agent: You can configure Sophos Firewall as a DHCP relay agent. It then forwards DHCP communication between clients in the relay agent's network and DHCP servers in other networks. You can also configure agents to relay DHCP packets through IPsec VPN tunnels.

Warning

Make sure the relay agent's interface you select is in the same subnet as the DHCP clients. Don't specify the DHCP server interface as the relay interface for any relay agent. The agent won't forward client requests.

Don't configure a relay agent for the subnet in which the DHCP server is located. The server leases IP addresses directly to clients within its subnet.

Note

You can't configure Sophos Firewall as a DHCPv6 server and a DHCPv6 relay agent simultaneously.

If you're using an external DHCP server instead of using Sophos Firewall as the server, you must configure the external server to route DHCP packets through the relay agent's interface.

  • To create a DHCP relay, go to the Relay section and click Add.

DHCP clients: These are hosts, such as endpoints, servers, and routers, that receive dynamic IP addresses from the DHCP server. You must configure the clients to get IP addresses through DHCP.

Note

DHCP clients send DHCP requests using the source IP address 0.0.0.0. The firewall drops these requests if no DHCP server is configured and creates the following log entry: Policy rule denied.

DHCP options: Using the CLI and the UI, you can configure DHCP options to send additional parameters to specific clients or all clients. For example, you can change the LAN interface that access points must contact for registration, change the primary DNS server, set another NTP server, or direct PXE clients to a server hosting a file with boot options. You can also use the default options or create custom options. For the complete list of DHCP options, see DHCP options.

Use case: Sophos Firewall as DHCP server (HO) and as relay agent (BO)

In this scenario, we used an IPsec connection for DHCP communication.

On the head office firewall, do as follows:

  1. Configure the DHCP server.
  2. Add a site-to-site IPsec connection.
  3. On the CLI, turn on DHCP lease over IPsec.

On the branch office firewall, do as follows:

  1. Configure the DHCP relay agent. Select Relay through IPsec in the configuration.
  2. Add a site-to-site IPsec connection.
  3. On the CLI, add an IPsec route.
  4. Also, add an SNAT command to translate the LAN port's (DHCP relay interface) IP address to the DHCP server's IP address.

Use case: Third-party DHCP server (HO) and Sophos Firewall as relay agent (BO)

You can configure a third-party server, such as a Windows server, as the DHCP server. In this scenario, we use an IPsec connection for DHCP communication.

On the third-party server, configure the server to route DHCP packets through the relay agent's interface.

On the head office firewall, do as follows:

  1. Add a site-to-site IPsec connection.
  2. Add an outbound firewall rule to allow DHCP traffic from the server to the client network.
  3. Add a corresponding inbound firewall rule.

On the branch office firewall, do as follows:

  1. Configure the DHCP relay agent. Select Relay through IPsec in the configuration.
  2. Add a site-to-site IPsec connection.
  3. On the CLI, add an IPsec route.
  4. Also, add an SNAT command to translate the LAN port's (DHCP relay interface) IP address to the DHCP server's IP address.

Use case: Sophos Firewall as a DHCP server and relay agent

For IPv6 addresses, you can configure Sophos Firewall only as a DHCP server or a relay agent.

To configure Sophos Firewall as the DHCPv4 server, do as follows:

  1. Specify the interface to use for listening to DHCP queries.
  2. Select the checkbox to accept client requests to relay.
  3. Specify the IP address lease range of the client network.
  4. Specify the client network's subnet mask and gateway.
  5. Specify the DNS server.

To configure the same Sophos Firewall as a DHCPv4 relay agent, do as follows for each client network:

  1. Specify the client-side interface.
  2. Specify the DHCP server's IP address.

Use case: Sophos Firewall as a DHCP server and DHCP clients within the server's subnet

To lease IP addresses to clients in the DHCP server's subnet, don't configure a relay agent. The server leases IP addresses directly to these clients.

To configure Sophos Firewall as the DHCP server, do as follows:

  1. Specify the interface to listen to DHCP queries.
  2. Enter the IP lease range. The range must belong to the subnet of the interface you specified.
  3. Specify the network parameters, such as the subnet mask and the gateway of the client network.
  4. Specify the DNS server.

RED DHCP server: Update of RED interface

When you change the IP address of an existing RED interface to an address outside the dynamic lease range of the RED DHCP server, Sophos Firewall turns the RED DHCP server off.

For the RED DHCP to work again, you can do one of the following:

  • Update the existing DHCP server settings, such as Dynamic IP lease, Static IP MAC mapping, and DNS.
  • Create a new DHCP server for the new IP address range.

More resources