Skip to content
The XG Series hardware appliances will reach end-of-life (EOL) on March 31, 2025. Click here to see the XG to XGS migration documentation.

HO firewall as DHCP server and BO firewall as relay agent

Configure the head office Sophos Firewall as the DHCP server and the branch office Sophos Firewall as the DHCP relay agent.

Introduction

The DHCP server configuration on the head office firewall leases IP addresses to clients in the branch office. The DHCP relay configuration on the branch office firewall forwards DHCP communication between DHCP clients and the server. In this example, we configure DHCP communication over a site-to-site IPsec connection.

DHCP server and relay agent: Network diagram

The network details are as follows:

Head office:

  • WAN IP address: 192.0.2.1
  • DHCP server interface: 172.16.16.1

Branch office:

  • WAN IP address: 203.0.113.1
  • DHCP relay agent interface: 10.10.1.1
  • LAN subnet: 10.10.1.0/24

Network diagram: DHCP server and relay agent.

Head office: Specify the DHCP server settings

Configure Sophos Firewall at the head office as the DHCP server to lease dynamic IP addresses to DHCP clients at the branch office.

  1. Go to Network > DHCP.
  2. Under Server, click Add.
  3. The following settings are an example. You must specify your network's settings:

    Name Setting
    Interface Port3 - 172.16.16.1

    Interface on which Sophos Firewall listens to DHCP requests.
    Accept client request via relay Accepts relay requests.
    Dynamic IP lease 10.10.1.10 to 10.10.1.30
    Gateway 10.10.1.1
    Use device's DNS settings DNS server details to share with DHCP clients.
  4. Click Save.

    Here's an example:

    Configure Sophos Firewall as DHCP server at the head office.

Head office: Lease IP addresses over an IPsec connection

On the head office firewall, turn on IP address lease over IPsec.

  1. On the head office CLI, enter 4 for Device console.
  2. Enter the following:

    system dhcp lease-over-IPSec enable

Head office: Configure a site-to-site IPsec connection

On the head office firewall, configure a site-to-site IPsec connection to the branch office.

  1. On the web admin console, go to Site-to-site VPN > IPsec > IPsec connections and click Add.
  2. The following settings are an example. You must specify your network's settings:

    Name Setting
    Connection type Site-to-site
    Gateway type Respond only
    Create firewall rule Clear the checkbox.

    Firewall rules don't control system-generated traffic.
    Authentication type Preshared key
    Listening interface Port3 - 192.0.2.1
    Gateway address 203.0.113.1
    Local subnet 172.16.16.1
    Remote subnet 10.10.1.0

    Here's an example:

    IPsec connection from head office for DHCP lease.

Branch office: Configure a DHCP relay agent

Configure the branch office Sophos Firewall as the DHCP relay agent. In this example, it relays the IP addresses leased by the DHCP server on the head office firewall.

  1. Go to Network > DHCP. Under Relay, click Add.
  2. Select the Interface from the drop-down list.

    Example: Port2 - 10.10.1.1

  3. Enter the IP address for DHCP server IP.

    Example: 172.16.16.1

  4. Select Relay through IPsec.

    Here's an example:

    Configure a DHCP relay agent.

Branch office: Configure an IPsec connection

On the branch office firewall, configure a site-to-site IPsec connection to the head office.

  1. On the web admin console, go to Site-to-site VPN > IPsec > IPsec connections and click Add.
  2. The following settings are an example. You must specify your network's settings:

    Name Setting
    Connection type Site-to-site
    Gateway type Initiate the connection
    Create firewall rule Clear the checkbox.

    Firewall rules don't control system-generated traffic.
    Authentication type Preshared key

    Enter the key you specified in the head office firewall.
    Listening interface Port3 - 203.0.113.1
    Gateway address 192.0.2.1
    Local subnet 10.10.1.0
    Remote subnet 172.16.16.1

    Here's an example:

    IPsec connection at branch office for DHCP relay.

Branch office: Add an IPsec route

On the branch office firewall, add an IPsec route for system-generated traffic to the DHCP server at the head office. Apply source NAT on the system-generated traffic to translate the internal source IP address at the branch office to the destination IP address (DHCP server at the head office).

  1. On the CLI, enter 4 for Device console.
  2. Add a static route from the branch office to the DHCP server in the head office. Enter the following:

    system ipsec_route add host <IP address of host> tunnelname <tunnel>

    Example: system ipsec_route add host 172.16.16.1 tunnelname PolicyBasedVPN

  3. Translate the LAN port's (DHCP relay interface) IP address on the branch office firewall to the DHCP server's IP address at the head office. You must use this command to translate system-generated traffic. Enter the following:

    set advanced-firewall sys-traffic-nat add destination <Destination IP address or network> snatip <Source IP address to translate>

    set advanced-firewall sys-traffic-nat add destination 172.16.16.1 snatip 10.10.1.1