Add a DHCP relay
You can configure Sophos Firewall as a DHCP relay agent to relay leased IP addresses and network parameters to clients, such as endpoints, servers, and routers, located on a different subnet from the DHCP server.
The relay agent's interface belongs to the clients' network and must not be the same as the DHCP server's interface.
- Go to Network > DHCP.
- Under Relay, click Add.
- Enter a name.
- Specify the IP version of the addresses you want the agent to relay.
Select the Interface on which Sophos Firewall must listen to DHCP broadcast queries from clients.
The firewall also uses this interface as the source IP address to forward DHCP queries to the server. The DHCP server responds if the IP address lease range it holds matches the subnet of this address. You must create as many relay agents as there are subnets.
Make sure the relay agent's interface you select is in the same subnet as the DHCP clients. Don't specify the DHCP server interface as the relay interface for any relay agent. The agent won't forward client requests.
Don't configure a relay agent for the subnet in which the DHCP server is located. The server leases IP addresses directly to clients within its subnet.
Currently, you can't create a DHCP relay on route-based VPNs. So, XFRM interfaces won't appear on the list.
You can't configure Sophos Firewall as a DHCPv6 server and a DHCPv6 relay agent simultaneously.
You can configure a DHCPv4 server and DHCPv4 relay simultaneously but not on the same interface.
Select the DHCP server IP.
It's the IP address of the DHCP server. You can add up to eight DHCP servers here. Sophos Firewall forwards the client request to all servers and the servers' response to the client. The client responds to the first offer it receives.
To relay DHCP messages through an IPsec VPN connection, select Relay through IPsec.
This allows the relay agent to forward DHCP requests to an IPsec tunnel interface.
If there’s a change in the route to the DHCP server, the DHCP relay is updated automatically. For example, if the DHCP server is available on Port1 and Port2 and Port1 goes down, the DHCP relay automatically starts using Port2.
Configure a static or SD-WAN policy route from the firewall to the DHCP server.
If you selected Relay through IPsec, configure an IPsec route and source NAT on the CLI of the relay agent's firewall. On the web admin consoles, configure site-to-site IPsec connections between the relay agent and the server interfaces. If you're using Sophos Firewall as the DHCP server, go to its CLI and turn on IP address lease over IPsec.