Skip to content
The XG Series hardware appliances will reach end-of-life (EOL) on March 31, 2025. Click here to see the XG to XGS migration documentation.

Add a DHCP relay

You can configure Sophos Firewall as a DHCP relay agent to relay leased IP addresses and network parameters to clients, such as endpoints, servers, and routers, located on a different subnet from the DHCP server.

The relay agent's interface belongs to the clients' network and must not be the same as the DHCP server's interface.

Configure the relay agent

  1. Go to Network > DHCP.
  2. Under Relay, click Add.
  3. Enter a name.
  4. Specify the IP version of the addresses you want the agent to relay.
  5. Select the Interface on which Sophos Firewall must listen to DHCP broadcast queries from clients.

    The firewall also uses this interface as the source IP address to forward DHCP queries to the server. The DHCP server responds if the IP address lease range it holds matches the subnet of this address. You must create as many relay agents as there are subnets.

    Warning

    Make sure the relay agent's interface you select is in the same subnet as the DHCP clients. Don't specify the DHCP server interface as the relay interface for any relay agent. The agent won't forward client requests.

    Don't configure a relay agent for the subnet in which the DHCP server is located. The server leases IP addresses directly to clients within its subnet.

    Note

    You can't configure Sophos Firewall as a DHCPv6 server and a DHCPv6 relay agent simultaneously.

    You can configure a DHCPv4 server and DHCPv4 relay simultaneously but not on the same interface.

  6. Select the DHCP server IP.

    It's the IP address of the DHCP server. You can add up to eight DHCP servers here. Sophos Firewall forwards the client request to all servers and the servers' response to the client. The client responds to the first offer it receives.

  7. To relay DHCP messages through policy-based IPsec VPN, select Relay through IPsec.

    Note

    You don't need to select Relay through IPsec for route-based VPNs carrying DHCP traffic to DHCP servers deployed behind the firewall. See Send DHCP traffic over route-based IPsec VPN to DHCP servers.

    Currently, firewall interfaces configured as DHCP servers don't support route-based VPN tunnels.

  8. Click Save.

DHCP through route-based VPN

To send DHCP traffic through route-based IPsec tunnels, you must complete the following configurations.

Configurations for route-based VPN traffic

  1. Configure route-based IPsec VPN connections with local and remote subnets set to Any using the firewalls' WAN interfaces.
  2. Configure static, SD-WAN, or dynamic routes on both firewalls to route the VPN traffic.
  3. Allow device access from WAN for IPsec VPN tunnels.
  4. Configure the following firewall rules to allow VPN traffic:

    1. Outbound rule in the branch office firewall.
    2. Inbound rule in the head office firewall.

Configurations for DHCP traffic

  1. Configure an inbound firewall rule in the head office firewall to allow DHCP traffic.
  2. Configure the branch office firewall's interface as the DHCP relay agent.

    Note

    DHCP relay traffic is system-generated. It doesn't need a firewall rule in the branch office firewall.

More resources