HO firewall as DHCP server and BO firewall as relay agent
Configure the head office Sophos Firewall as the DHCP server and the branch office Sophos Firewall as the DHCP relay agent.
Introduction
The DHCP server configuration on the head office firewall leases IP addresses to clients in the branch office. The DHCP relay configuration on the branch office firewall forwards DHCP communication between DHCP clients and the server. In this example, we configure DHCP communication over a site-to-site IPsec connection.
DHCP server and relay agent: Network diagram
The network details are as follows:
Head office:
- WAN IP address:
192.0.2.1
- DHCP server interface:
172.16.16.1
Branch office:
- WAN IP address:
203.0.113.1
- DHCP relay agent interface:
10.10.1.1
- LAN subnet:
10.10.1.0/24
Head office: Specify the DHCP server settings
Configure Sophos Firewall at the head office as the DHCP server to lease dynamic IP addresses to DHCP clients at the branch office.
- Go to Network > DHCP.
- Under Server, click Add.
-
The following settings are an example. You must specify your network's settings:
Name Setting Interface Port3 - 172.16.16.1
Interface on which Sophos Firewall listens to DHCP requests.Accept client request via relay Accepts relay requests. Dynamic IP lease 10.10.1.10
to10.10.1.30
Gateway 10.10.1.1
Use device's DNS settings DNS server details to share with DHCP clients. -
Click Save.
Here's an example:
Head office: Lease IP addresses over an IPsec connection
On the head office firewall, turn on IP address lease over IPsec.
- On the head office CLI, enter 4 for Device console.
-
Enter the following:
system dhcp lease-over-IPSec enable
Head office: Configure a site-to-site IPsec connection
On the head office firewall, configure a site-to-site IPsec connection to the branch office.
- On the web admin console, go to Site-to-site VPN > IPsec > IPsec connections and click Add.
-
The following settings are an example. You must specify your network's settings:
Name Setting Connection type Site-to-site
Gateway type Respond only
Create firewall rule Clear the checkbox.
Firewall rules don't control system-generated traffic.Authentication type Preshared key
Listening interface Port3 - 192.0.2.1
Gateway address 203.0.113.1
Local subnet 172.16.16.1
Remote subnet 10.10.1.0
Here's an example:
Branch office: Configure a DHCP relay agent
Configure the branch office Sophos Firewall as the DHCP relay agent. In this example, it relays the IP addresses leased by the DHCP server on the head office firewall.
- Go to Network > DHCP. Under Relay, click Add.
-
Select the Interface from the drop-down list.
Example:
Port2 - 10.10.1.1
-
Enter the IP address for DHCP server IP.
Example:
172.16.16.1
-
Select Relay through IPsec.
Here's an example:
Branch office: Configure an IPsec connection
On the branch office firewall, configure a site-to-site IPsec connection to the head office.
- On the web admin console, go to Site-to-site VPN > IPsec > IPsec connections and click Add.
-
The following settings are an example. You must specify your network's settings:
Name Setting Connection type Site-to-site
Gateway type Initiate the connection
Create firewall rule Clear the checkbox.
Firewall rules don't control system-generated traffic.Authentication type Preshared key
Enter the key you specified in the head office firewall.Listening interface Port3 - 203.0.113.1
Gateway address 192.0.2.1
Local subnet 10.10.1.0
Remote subnet 172.16.16.1
Here's an example:
Branch office: Add an IPsec route
On the branch office firewall, add an IPsec route for system-generated traffic to the DHCP server at the head office. Apply source NAT on the system-generated traffic to translate the internal source IP address at the branch office to the destination IP address (DHCP server at the head office).
- On the CLI, enter 4 for Device console.
-
Add a static route from the branch office to the DHCP server in the head office. Enter the following:
system ipsec_route add host <IP address of host> tunnelname <tunnel>
Example:
system ipsec_route add host 172.16.16.1 tunnelname PolicyBasedVPN
-
Translate the LAN port's (DHCP relay interface) IP address on the branch office firewall to the DHCP server's IP address at the head office. You must use this command to translate system-generated traffic. Enter the following:
set advanced-firewall sys-traffic-nat add destination <Destination IP address or network> snatip <Source IP address to translate>
set advanced-firewall sys-traffic-nat add destination 172.16.16.1 snatip 10.10.1.1