
Send DHCP traffic over policy-based IPsec VPN to servers

Configure Sophos Firewall as the DHCP relay agent to forward DHCP packets between clients and the DHCP server behind the head office firewall.

Introduction

When you configure Sophos Firewall as a DHCP relay agent, it enables the DHCP server to lease IP addresses to clients in a different subnet from the server.

DHCP relay: Network diagram

In this example, we use a Windows Server that's configured as the DHCP server. The network details are as follows:

Head office:

  • WAN IP address: 192.0.2.1
  • DHCP server IP address: 172.16.16.17
  • LAN subnet: 172.16.16.0/24

Branch office:

  • WAN IP address: 203.0.113.1
  • DHCP relay agent's interface: 10.10.1.1
  • LAN subnet: 10.10.1.0/24

Network diagram: DHCP server and relay agent.

Branch office: Configure a DHCP relay agent

Configure the branch office Sophos Firewall as the DHCP relay agent. In this example, it relays the IP addresses leased by the DHCP server to branch office clients. The DHCP server is deployed at the head office.

  1. Go to Network > DHCP.
  2. Under Relay, click Add.
  3. For Interface, select the client-side interface. The server responds only if it holds a lease range (scope) that belongs to the subnet of this interface.

    Example: Port2 - 10.10.1.1

  4. Enter the IP address for DHCP server IP.

    Example: 172.16.16.17

  5. Select Relay through IPsec.

    Here's an example:

    Configure a DHCP relay agent.

Branch office: Configure an IPsec connection

On the branch office firewall, configure a site-to-site IPsec connection to the head office.

  1. On the web admin console, go to Site-to-site VPN > IPsec > IPsec connections and click Add.
  2. The following settings are an example. You must specify your network's settings:

    Name                   Setting
    Connection type        Site-to-site
    Gateway type           Initiate the connection
    Create firewall rule   Clear the checkbox. Firewall rules don't control system-generated traffic.
    Authentication type    Preshared key. Enter the key you specified in the head office firewall.
    Listening interface    Port3 - 203.0.113.1
    Gateway address        192.0.2.1
    Local subnet           10.10.1.0
    Remote subnet          172.16.16.0

    Here's an example:

    IPsec at branch office firewall for DHCP.

Branch office: Add an IPsec route

On the branch office firewall, add an IPsec route so that system-generated traffic to the DHCP server at the head office is sent through the tunnel. Then apply source NAT to that system-generated traffic so that packets destined for the DHCP server at the head office use the branch office's internal (DHCP relay interface) IP address as their source address.

  1. On the CLI, enter 4 for Device console.
  2. Add an IPsec route from the branch office firewall to the DHCP server in the head office. Enter the following:

    system ipsec_route add host <IP address of host> tunnelname <tunnel>

    Example

    system ipsec_route add host 172.16.16.17 tunnelname BO_to_HO

  3. Set the source IP address of traffic that the branch office firewall generates towards the DHCP server at the head office to the IP address of its LAN port (DHCP relay interface). You must use this command to translate traffic generated by Sophos Firewall, because firewall rules don't control system-generated traffic. Enter the following:

    set advanced-firewall sys-traffic-nat add destination <Destination IP address or network> snatip <Source IP address to translate>

    Example

    set advanced-firewall sys-traffic-nat add destination 172.16.16.17 snatip 10.10.1.1
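As an added illustration (not from the Sophos documentation or from the product), the Python below models the path a branch client's DHCPDISCOVER takes through the relay, IPsec route and sys-traffic-nat steps above: the relay stamps giaddr with the Port2 address, the policy-based tunnel only selects packets whose source lies in the configured local subnet, and the server picks a scope by giaddr rather than by its own subnet. The addresses are the article's; the server scopes, the message fields, and the assumption that an un-translated system-generated packet would leave with the WAN address as its source are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, replace
# Constructed values mirroring this article's example network.
RELAY_IF_IP = ipaddress.ip_address("10.10.1.1")      # Port2, client-side relay interface
BRANCH_WAN_IP = ipaddress.ip_address("203.0.113.1")  # Port3, branch office WAN
DHCP_SERVER_IP = ipaddress.ip_address("172.16.16.17")
BRANCH_LAN = ipaddress.ip_network("10.10.1.0/24")    # IPsec "Local subnet" at the branch
HO_LAN = ipaddress.ip_network("172.16.16.0/24")      # IPsec "Remote subnet" at the branch
UNSPEC = ipaddress.ip_address("0.0.0.0")

# Server scopes (constructed); the server picks the scope whose subnet contains giaddr.
SCOPES = {HO_LAN: ("172.16.16.100", "172.16.16.200"),
          BRANCH_LAN: ("10.10.1.100", "10.10.1.200")}

@dataclass(frozen=True)
class DhcpMsg:
    msg_type: str                  # DISCOVER, OFFER, REQUEST, ACK
    hops: int
    giaddr: ipaddress.IPv4Address  # relay agent address; 0.0.0.0 as sent by a client

def relay(client_msg, relay_if_ip=RELAY_IF_IP, snat_ip=None):
    """Relay agent: stamp giaddr with the receiving interface, bump hops and unicast
    to the server. Returns (source IP, relayed message). snat_ip models the
    sys-traffic-nat rule; without it (assumed) the packet leaves with the WAN address."""
    giaddr = relay_if_ip if client_msg.giaddr == UNSPEC else client_msg.giaddr
    relayed = replace(client_msg, hops=client_msg.hops + 1, giaddr=giaddr)
    return (snat_ip if snat_ip is not None else BRANCH_WAN_IP), relayed

def ipsec_selects(src_ip, dst_ip):
    """A policy-based tunnel only carries traffic between its configured subnets."""
    return src_ip in BRANCH_LAN and dst_ip in HO_LAN

def server_pick_scope(msg):
    """Server side: select the scope by giaddr (RFC 2131 section 4.3.1); with
    giaddr unset the request is treated as local to the server's own subnet."""
    key = msg.giaddr if msg.giaddr != UNSPEC else DHCP_SERVER_IP
    for net, (first, _last) in SCOPES.items():
        if key in net:
            return net, first
    return None

def lease_for(client_msg, snat_ip=None):
    """Relay -> tunnel selector check -> server scope selection. Returns the first
    address of the chosen scope, or None if the server is never reached."""
    src, relayed = relay(client_msg, snat_ip=snat_ip)
    if not ipsec_selects(src, DHCP_SERVER_IP):
        return None  # not matched by the tunnel policy, so the server never sees it
    scope = server_pick_scope(relayed)
    return scope[1] if scope else None
```

Running `lease_for` with and without `snat_ip=RELAY_IF_IP` shows why step 3 is required: only the translated packet is selected by the tunnel, and the server then offers from the branch scope because giaddr is 10.10.1.1.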

Head office: Configure a site-to-site IPsec connection

On the head office firewall, configure a site-to-site IPsec connection to the branch office.

  1. On the web admin console, go to Site-to-site VPN > IPsec > IPsec connections and click Add.
  2. The following settings are an example. You must specify your network's settings:

    Name                   Setting
    Connection type        Site-to-site
    Gateway type           Respond only
    Create firewall rule   Select the checkbox.
    Authentication type    Preshared key. Enter the key you specified in the branch office firewall.
    Listening interface    Port3 - 192.0.2.1
    Gateway address        203.0.113.1
    Local subnet           172.16.16.17
    Remote subnet          10.10.1.0

    Here's an example:

    IPsec configuration at head office for DHCP traffic.

Head office: Outbound firewall rule

Edit the automatically created firewall rule on the head office firewall to allow outbound DHCP communication from the DHCP server to the branch office's DHCP relay agent.

Select the following:

  1. Source zones: LAN
  2. Source networks and devices: DHCPServer-172.16.16.17
  3. Destination zones: VPN
  4. Destination networks: BO_DHCP_Relay-10.10.1.0
  5. Services: DHCP

    Here's an example:

    Outbound firewall rule for DHCP server in head office.

Head office: Inbound firewall rule

Configure a firewall rule on the head office firewall to allow inbound DHCP communication to the DHCP server from the branch office's DHCP relay agent.

Select the following:

  1. Source zones: VPN
  2. Source networks and devices: BO_DHCP_Relay-10.10.1.0
  3. Destination zones: LAN
  4. Destination networks: DHCPServer-172.16.16.17
  5. Services: DHCP

    Here's an example:

    Inbound firewall rule for DHCP server in head office.