Send DHCP traffic over route-based IPsec VPN to DHCP servers
Configure Sophos Firewall as the DHCP relay agent to forward DHCP requests from clients to the DHCP server behind the head office firewall. Send DHCP traffic over a route-based IPsec VPN connection.
DHCP server and relay agent: Network diagram
The network details and settings are an example. You must use your network settings.
This example uses existing route-based IPsec VPN connections in which the local and remote subnets are set to Any. It also uses existing routes and firewall rules for the VPN traffic.
Head office: The following are example IP addresses.
- WAN IP address: 192.0.2.1
- DHCP server interface: 172.16.16.1
Branch office: The following are example IP addresses.
- WAN IP address: 203.0.113.1
- DHCP relay agent interface: 10.10.1.1
- LAN subnet: 10.10.1.0/24
VPN requirements
Configure the following on the head office and branch office firewalls:
- Configure route-based IPsec VPN connections with local and remote subnets set to Any, using the firewalls' WAN interfaces.
- Configure static, SD-WAN, or dynamic routes on both firewalls to route the VPN traffic.
- Allow device access from WAN for IPsec VPN tunnels.
- Configure the following firewall rules to allow VPN traffic:
  - Outbound rule in the branch office firewall.
  - Inbound rule in the head office firewall.
Head office: Firewall rule
Create a firewall rule to allow inbound DHCP traffic in the head office firewall as follows:
- Go to Rules and policies > Firewall rules, click Add firewall rule, and click New firewall rule.
- Enter a name.
- Under Source zones, select VPN.
- Under Source networks and devices, select the IP host for the branch office firewall's DHCP relay interface, for example, DHCPRelay_10.10.1.1.
- Under Destination zones, select DMZ.
- Under Destination networks, select the DHCP server, for example, DHCPServer_172.16.16.17.
- Under Services, select DHCP.
- Click Save.
Branch office: DHCP relay agent
Configure the branch office firewall's interface as the DHCP relay agent. It requests IP addresses for the endpoints in its subnet from the DHCP server behind the head office firewall.
- Go to Network > DHCP.
- Under Relay, click Add.
- Enter a name.
- Select the Interface to which the DHCP clients belong, for example, Port2 - 10.10.1.1.
- Under DHCP server IP, enter the DHCP server's IP address, for example, 172.16.16.17, and click .
- Click Save.
For more information, see Add a DHCP relay.
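The relay step on the branch office firewall and the inbound rule on the head office firewall fit together: the relay agent forwards the client's broadcast DISCOVER as a unicast from its own interface IP (placed in the giaddr field), which is why the head office rule's source host is the relay interface (DHCPRelay_10.10.1.1) and not the LAN subnet. The following Python model is an added example, not Sophos code; the DHCP message, the relay logic and the rule dictionary are constructed here from the page's example addresses.

```python
import struct

RELAY_IF_IP = "10.10.1.1"        # branch office Port2, the DHCP relay agent interface
DHCP_SERVER_IP = "172.16.16.17"  # DHCP server behind the head office firewall
FIXED_HDR = "!BBBBIHH4s4s4s4s"   # op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr

def build_discover(xid: int, chaddr: bytes) -> bytes:
    """Constructed client DHCPDISCOVER: RFC 2131 fixed fields, magic cookie, option 53, end."""
    zero_ip = bytes(4)
    hdr = struct.pack(FIXED_HDR + "16s", 1, 1, 6, 0, xid, 0, 0x8000,
                      zero_ip, zero_ip, zero_ip, zero_ip, chaddr.ljust(16, b"\x00"))
    hdr += bytes(64) + bytes(128)                            # sname and file, unused here
    return hdr + b"\x63\x82\x53\x63" + b"\x35\x01\x01\xff"   # cookie, DHCPDISCOVER, end

def relay(packet: bytes, relay_ip: str):
    """Relay agent behaviour: increment hops, set giaddr if still 0.0.0.0, unicast to the server.
    Returns the rewritten packet and the 5-tuple-style flow the head office firewall will see."""
    fields = list(struct.unpack(FIXED_HDR, packet[:28]))
    fields[3] += 1                                           # hops
    if fields[10] == bytes(4):                               # giaddr unset: we are the first relay
        fields[10] = bytes(int(o) for o in relay_ip.split("."))
    out = struct.pack(FIXED_HDR, *fields) + packet[28:]
    flow = {"src_zone": "VPN", "src": relay_ip, "dst_zone": "DMZ",
            "dst": DHCP_SERVER_IP, "proto": "udp", "dport": 67}  # arrives over the route-based tunnel
    return out, flow

def giaddr_of(packet: bytes) -> str:
    return ".".join(str(b) for b in packet[24:28])

# Mirrors the page's head office rule: VPN -> DMZ, relay host -> DHCP server, service DHCP (UDP 67/68).
HEAD_OFFICE_RULE = {"src_zone": "VPN", "src": RELAY_IF_IP, "dst_zone": "DMZ",
                    "dst": DHCP_SERVER_IP, "proto": "udp", "dports": {67, 68}}

def rule_allows(rule: dict, flow: dict) -> bool:
    """True when the flow matches every field of the rule (simplified policy match)."""
    return (flow["src_zone"] == rule["src_zone"] and flow["src"] == rule["src"]
            and flow["dst_zone"] == rule["dst_zone"] and flow["dst"] == rule["dst"]
            and flow["proto"] == rule["proto"] and flow["dport"] in rule["dports"])

if __name__ == "__main__":
    pkt = build_discover(0x1234, bytes.fromhex("001122334455"))  # constructed client MAC
    relayed, flow = relay(pkt, RELAY_IF_IP)
    print("giaddr:", giaddr_of(relayed), "hops:", relayed[3], "allowed:", rule_allows(HEAD_OFFICE_RULE, flow))
```

A flow sourced from a LAN client address (for example 10.10.1.50) would not match the rule, which is the expected outcome: only the relay interface talks to the server across the tunnel.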