
Send DHCP traffic over route-based IPsec VPN to DHCP servers

Configure Sophos Firewall as the DHCP relay agent to forward DHCP requests from clients to the DHCP server behind the head office firewall. Send DHCP traffic over a route-based IPsec VPN connection.

DHCP server and relay agent: Network diagram

The network details and settings are an example. You must use your network settings.

This example uses existing route-based IPsec VPN connections in which the local and remote subnets are set to Any. It also uses existing routes and firewall rules for the VPN traffic.

Head office: The following are example IP addresses.

  • WAN IP address: 192.0.2.1
  • DHCP server interface: 172.16.16.1

Branch office: The following are example IP addresses.

  • WAN IP address: 203.0.113.1
  • DHCP relay agent interface: 10.10.1.1
  • LAN subnet: 10.10.1.0/24

Network diagram: DHCP server and relay agent.

VPN requirements

Configure the following on the head office and branch office firewalls:

  1. Configure route-based IPsec VPN connections with local and remote subnets set to Any using the firewalls' WAN interfaces.
  2. Configure static, SD-WAN, or dynamic routes on both firewalls to route the VPN traffic.
  3. Allow device access from WAN for IPsec VPN tunnels.
  4. Configure the following firewall rules to allow VPN traffic:

    1. Outbound rule in the branch office firewall.
    2. Inbound rule in the head office firewall.

    See Create a route-based VPN (any to any subnets).

Head office: Firewall rule

Create a firewall rule to allow inbound DHCP traffic in the head office firewall as follows:

  1. Go to Rules and policies > Firewall rules, click Add firewall rule, and click New firewall rule.
  2. Enter a name.
  3. Under Source zones, select VPN.
  4. Under Source networks and devices, select the IP host for the branch office firewall's DHCP relay interface, for example, DHCPRelay_10.10.1.1.
  5. Under Destination zones, select DMZ.
  6. Under Destination networks, select the DHCP server, for example, DHCPServer_172.16.16.17.
  7. Under Services, select DHCP.
  8. Click Save.

    Inbound firewall rule in the head office to allow DHCP relay traffic to the server.

Branch office: DHCP relay agent

Configure the branch office firewall's interface as the DHCP relay agent. It requests IP addresses for the endpoints in its subnet from the DHCP server behind the head office firewall.

  1. Go to Network > DHCP.
  2. Under Relay, click Add.
  3. Enter a name.
  4. Select the Interface to which the DHCP clients belong, for example, Port2 - 10.10.1.1.
  5. Under DHCP server IP, enter the DHCP server's IP address, for example, 172.16.16.17, and click the Plus button.
  6. Click Save.

    Configure a DHCP relay agent.
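The firewall rule above uses the relay interface (10.10.1.1), not the client subnet or a broadcast address, as the source, and the relay configuration binds the relay to the interface the clients sit on. The following added example (written for this article, not Sophos code or the firewall's own implementation) shows why at the packet level: a relay agent takes the client's broadcast DHCPDISCOVER, writes its own interface address into the giaddr field, increments hops, and forwards the message as a unicast UDP datagram from 10.10.1.1 to 172.16.16.17 on port 67. The DHCP server then uses giaddr to pick the 10.10.1.0/24 scope and sends its reply back to giaddr on port 67. The addresses are the article's example values; the port set treated as the "DHCP" service (UDP 67 and 68) and the `Datagram` helper are assumptions for illustration.

```python
import socket
import struct
from dataclasses import dataclass

DHCP_SERVER_PORT = 67          # bootps: relay -> server and server -> relay
DHCP_CLIENT_PORT = 68          # bootpc: client -> (broadcast) server
MAGIC_COOKIE = b"\x63\x82\x53\x63"

# Example addresses taken from the article's diagram.
RELAY_IF_IP = "10.10.1.1"       # branch office relay interface (Port2)
DHCP_SERVER_IP = "172.16.16.17" # head office DHCP server

# Assumption: the firewall's predefined "DHCP" service covers UDP 67 and 68.
DHCP_SERVICE_PORTS = (67, 68)


@dataclass
class Datagram:
    """Minimal stand-in for an IP/UDP datagram (constructed for this example)."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    payload: bytes


def build_discover(client_mac: bytes, xid: int) -> bytes:
    """Build a DHCPDISCOVER as a client broadcasts it (RFC 2131 fixed header + options).

    giaddr is 0.0.0.0 because the client has no idea a relay is involved.
    """
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        1,            # op = BOOTREQUEST
        1, 6,         # htype = Ethernet, hlen = 6
        0,            # hops
        xid,          # transaction id
        0, 0x8000,    # secs, flags (broadcast bit set)
        b"\0" * 4,    # ciaddr
        b"\0" * 4,    # yiaddr
        b"\0" * 4,    # siaddr
        b"\0" * 4,    # giaddr
        client_mac.ljust(16, b"\0"),  # chaddr
        b"\0" * 64,   # sname
        b"\0" * 128,  # file
    )
    options = MAGIC_COOKIE + bytes([53, 1, 1]) + bytes([255])  # option 53 = DISCOVER, end
    return header + options


def parse_header(payload: bytes) -> dict:
    """Extract the fields the head office side cares about from a DHCP message."""
    op, _htype, hlen, hops, xid, _secs, _flags = struct.unpack("!BBBBIHH", payload[:12])
    return {
        "op": op,
        "hops": hops,
        "xid": xid,
        "giaddr": socket.inet_ntoa(payload[24:28]),
        "chaddr": payload[28:28 + hlen].hex(":"),
    }


def relay_to_server(dg: Datagram, relay_if_ip: str, server_ip: str) -> Datagram:
    """Model what a DHCP relay agent does with a client request.

    Per RFC 2131/1542: if giaddr is still 0.0.0.0, set it to the address of the
    interface the request arrived on; increment hops; forward as unicast from
    that interface to the server's port 67.  A second relay on the path leaves
    giaddr untouched so the server still sees the first relay's subnet.
    """
    payload = bytearray(dg.payload)
    if payload[24:28] == b"\0\0\0\0":
        payload[24:28] = socket.inet_aton(relay_if_ip)
    payload[3] += 1  # hops
    return Datagram(relay_if_ip, server_ip, DHCP_SERVER_PORT, DHCP_SERVER_PORT, bytes(payload))


def matches_head_office_rule(dg: Datagram, source_zone: str) -> bool:
    """Mirror of the article's inbound rule: zone VPN, source = relay interface host,
    destination = DHCP server host, service = DHCP."""
    return (
        source_zone == "VPN"
        and dg.src_ip == RELAY_IF_IP
        and dg.dst_ip == DHCP_SERVER_IP
        and dg.dst_port in DHCP_SERVICE_PORTS
    )


def demo():
    """Client broadcast on the branch LAN, then the relayed unicast that crosses the VPN."""
    client_mac = bytes.fromhex("001122334455")  # constructed sample MAC
    broadcast = Datagram("0.0.0.0", "255.255.255.255", DHCP_CLIENT_PORT,
                         DHCP_SERVER_PORT, build_discover(client_mac, 0xDEADBEEF))
    relayed = relay_to_server(broadcast, RELAY_IF_IP, DHCP_SERVER_IP)
    return broadcast, relayed


if __name__ == "__main__":
    before, after = demo()
    print("client sends :", before.src_ip, "->", before.dst_ip, parse_header(before.payload))
    print("relay forwards:", after.src_ip, "->", after.dst_ip, parse_header(after.payload))
    print("head office rule matches relayed packet:", matches_head_office_rule(after, "VPN"))
```

Two practical consequences follow from the model. First, the relayed request is ordinary unicast UDP from 10.10.1.1 to 172.16.16.17, so it follows the any-to-any VPN routes like any other traffic and the head office rule only needs the relay host, the server host and the DHCP service. Second, because the server answers to giaddr on port 67, the reply returns to the relay interface over the same tunnel; a stateful firewall treats it as the reply to the inbound session, so no separate outbound rule is needed for the DHCPOFFER.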

For more information, see Add a DHCP relay.