
Send DHCP traffic over route-based VPN to DHCP servers

Configure Sophos Firewall as the DHCP relay agent to forward DHCP requests from clients to the DHCP server behind the head office firewall. Send DHCP traffic over a route-based IPsec VPN connection.

DHCP server and relay agent: Network diagram

The network details and settings are an example. You must use your network settings.

This example uses existing route-based IPsec VPN connections in which the local and remote subnets are set to Any. It also uses existing routes and firewall rules for the VPN traffic.

Head office: The following are example IP addresses.

  • WAN IP address: 192.0.2.1
  • DHCP server interface: 172.16.16.1

Branch office: The following are example IP addresses.

  • WAN IP address: 203.0.113.1
  • DHCP relay agent interface: 10.10.1.1
  • LAN subnet: 10.10.1.0/24

Network diagram: DHCP server and relay agent.

VPN requirements

Configure the following on the head office and branch office firewalls:

  1. Configure route-based IPsec VPN connections with local and remote subnets set to Any using the firewalls' WAN interfaces.
  2. Assign an IP address to the XFRM interface.
  3. Add a gateway IP address for the XFRM interface.
  4. Configure static, SD-WAN, or dynamic routes on both firewalls to route the VPN traffic.
  5. Allow device access from WAN for IPsec VPN tunnels.
  6. Configure the following firewall rules to allow VPN traffic:

    1. Outbound rule in the branch office firewall.
    2. Inbound rule in the head office firewall.

    See Create a route-based VPN (any to any subnets).

Head office

In the head office firewall, configure a route and an inbound firewall rule.

Add a route

You can configure a static, SD-WAN, or dynamic route to route the DHCP server's reply traffic from the head office to the branch office using a route-based VPN tunnel.

This example shows how to configure an SD-WAN route.

  1. Go to Routing > SD-WAN routes.
  2. Select IPv4 and click Add.
  3. Enter a name.
  4. Under Source networks, select the DHCP server, for example, DHCPServer_172.16.16.17.
  5. Under Destination networks, select the IP host you create for the DHCP relay agent, for example, DHCPRelay_10.10.1.1.
  6. Under Services, select DHCP.

    SD-WAN settings for DHCP server's reply traffic in head office.

  7. Under Link selection settings, select Primary and backup gateways.

  8. Under Primary gateway, select the XFRM gateway, for example, xfrm1_3.3.3.4.

    Branch office XFRM interface as the SD-WAN route's primary gateway.

  9. (Optional) To drop traffic if the XFRM gateway is unavailable, select Route only through specified gateways.

  10. Click Save.

Add a firewall rule

Create a firewall rule in the head office firewall to allow inbound DHCP traffic from the relay agent through the VPN as follows:

  1. Go to Rules and policies > Firewall rules, click Add firewall rule, and click New firewall rule.
  2. Enter a name.
  3. Under Source zones, select VPN.
  4. Under Source networks and devices, select the IP host for the branch office firewall's DHCP relay interface, for example, DHCPRelay_10.10.1.1.
  5. Under Destination zones, select DMZ.
  6. Under Destination networks, select the DHCP server, for example, DHCPServer_172.16.16.17.
  7. Under Services, select DHCP.
  8. Click Save.

    Inbound firewall rule in the head office to allow DHCP relay traffic to the server.

Branch office

In the branch office firewall, configure a DHCP relay agent and a route.

Add a DHCP relay agent

Configure the branch office firewall's interface as the DHCP relay agent. The interface forwards DHCP requests from endpoints in its subnet to the DHCP server behind the head office firewall.

  1. Go to Network > DHCP.
  2. Under Relay, click Add.
  3. Enter a name.
  4. Select an Interface, for example, Port2 - 10.10.1.1.

    The DHCP clients belong to the same subnet as the interface.

  5. Under DHCP server IP, enter the DHCP server's IP address, for example, 172.16.16.17, and click the plus button.

  6. Click Save.

    Configure a DHCP relay agent.
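The following added Python example (not Sophos Firewall code) shows what the relay agent changes in a DHCPDISCOVER and derives the two unicast flows the firewalls must handle: the relay sets giaddr to its own interface IP, and the server answers to that address, which is why the head office rule and both SD-WAN routes key on the relay interface and the server IP rather than on any broadcast. The MAC, transaction ID and addresses are constructed from the page's example network.

```python
import ipaddress
import struct

# Constructed values taken from the page's example network
RELAY_IP = "10.10.1.1"            # branch office DHCP relay agent interface
DHCP_SERVER_IP = "172.16.16.17"   # DHCP server behind the head office firewall
DHCP_SERVER_PORT = 67             # UDP port used by relay <-> server exchanges
MAGIC_COOKIE = b"\x63\x82\x53\x63"


def build_relayed_discover(client_mac: bytes, xid: int, giaddr: str, hops: int = 1) -> bytes:
    """Build a DHCPDISCOVER in RFC 2131 BOOTP layout as it leaves the relay agent.
    A relay increments hops and writes its interface IP into giaddr; a packet
    straight from a client has hops=0 and giaddr=0.0.0.0."""
    fixed = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        1, 1, 6, hops,                          # op=BOOTREQUEST, htype=Ethernet, hlen, hops
        xid, 0, 0x8000,                         # xid, secs, flags (broadcast bit)
        b"\0" * 4, b"\0" * 4, b"\0" * 4,        # ciaddr, yiaddr, siaddr
        ipaddress.IPv4Address(giaddr).packed,   # giaddr: relay interface IP
        client_mac.ljust(16, b"\0"),            # chaddr
        b"\0" * 64, b"\0" * 128,                # sname, file
    )
    options = MAGIC_COOKIE + bytes([53, 1, 1]) + bytes([255])  # message type DISCOVER, end
    return fixed + options


def parse_relay_fields(pkt: bytes) -> dict:
    """Pull out the fields the DHCP server uses to decide where its reply goes."""
    op, _htype, _hlen, hops, xid = struct.unpack("!BBBBI", pkt[:8])
    giaddr = str(ipaddress.IPv4Address(pkt[24:28]))   # giaddr sits at offset 24
    return {"op": op, "hops": hops, "xid": xid, "giaddr": giaddr,
            "relayed": hops > 0 and giaddr != "0.0.0.0"}


def required_flows(pkt: bytes) -> list:
    """Return the (direction, src, dst, udp_port) flows that the branch office route,
    the head office inbound rule and the head office reply route must cover."""
    f = parse_relay_fields(pkt)
    if not f["relayed"]:
        raise ValueError("not a relayed packet: the server would only see a LAN broadcast")
    return [
        ("request", f["giaddr"], DHCP_SERVER_IP, DHCP_SERVER_PORT),  # branch SD-WAN route, head office rule
        ("reply", DHCP_SERVER_IP, f["giaddr"], DHCP_SERVER_PORT),    # head office SD-WAN route back to relay
    ]


if __name__ == "__main__":
    pkt = build_relayed_discover(b"\x00\x11\x22\x33\x44\x55", 0x1234, RELAY_IP)
    for flow in required_flows(pkt):
        print(flow)
```

If the reply route in the head office is missing, the second flow is the one that silently fails: the request reaches the server but its offer never finds the tunnel back to 10.10.1.1.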

Add a route

You can configure a static, SD-WAN, or dynamic route to route the branch office interface's DHCP request traffic to the DHCP server in the head office using a route-based VPN tunnel.

This example shows how to configure an SD-WAN route.

  1. Go to Routing > SD-WAN routes.
  2. Select IPv4 and click Add.
  3. Enter a Name.
  4. Under Source networks, select Any.
  5. Under Destination networks, select the IP host you create for the DHCP server, for example, DHCP_Server_172.16.16.17.
  6. Under Services, select DHCP.

    SD-WAN settings for DHCP request traffic in branch office.

  7. Under Link selection settings, select Primary and backup gateways.

  8. Under Primary gateway, select the XFRM gateway, for example, xfrm1_3.3.3.3.

    Branch office XFRM interface as the SD-WAN route's primary gateway.

  9. (Optional) To drop traffic if the XFRM gateway is unavailable, select Route only through specified gateways.

  10. Click Save.

More resources