
HO firewall as DHCP server and BO firewall as relay agent

Learn how to configure Sophos Firewall at the head office as a DHCP server, and Sophos Firewall at the branch office as a DHCP relay agent with IP addresses leased over a policy-based IPsec VPN.

The DHCP relay agent forwards DHCP traffic between the clients making the requests and the server leasing IP addresses to the clients.

Network diagram

The network details are as follows:

Head office:

  • WAN IP address: 192.0.2.1
  • DHCP server interface: 172.16.16.1

Branch office:

  • WAN IP address: 203.0.113.1
  • DHCP relay agent interface: 10.10.1.1
  • LAN subnet: 10.10.1.0/24

Network diagram: DHCP server and relay agent.

Head office

Configure the DHCP server, a policy-based IPsec connection, and lease IP addresses through the connection.

Configure the DHCP server

Configure Sophos Firewall at the head office as the DHCP server to lease dynamic IP addresses to DHCP clients at the branch office.

  1. Go to Network > DHCP.
  2. Under Server, click Add.
  3. The following settings are an example. You must specify your network's settings:

    Setting                              Value
    Interface                            Port3 - 172.16.16.1
    Accept client request via relay      Select the checkbox. The server then accepts requests forwarded by the relay agent and selects the lease range from the relay agent's interface address (the giaddr field), not from its own interface subnet.
    Dynamic IP lease                     10.10.1.10 to 10.10.1.30
    Gateway                              10.10.1.1
    Use device's DNS settings            Select the checkbox to share the firewall's DNS server settings with the DHCP clients.
  4. Click Save.

    Here's an example:

    Configure Sophos Firewall as DHCP server at the head office.

Lease IP addresses over an IPsec connection

Turn on IP address lease over IPsec tunnels in the head office firewall.

  1. On the head office CLI, enter 4 for Device console.
  2. Run the following command:

    system dhcp lease-over-IPSec enable

Configure a policy-based IPsec connection

Configure a policy-based IPsec connection as follows:

  1. On the web admin console, go to Site-to-site VPN > IPsec > IPsec connections and click Add.
  2. The following settings are an example. You must specify your network's settings:

    Setting                Value
    Connection type        Policy-based
    Gateway type           Respond only. To allow the branch office firewall to reach the IPsec service over the WAN, go to Administration > Device access and select WAN under IPsec.
    Create firewall rule   Clear the checkbox. Firewall rules don't control system-generated traffic.
    Authentication type    Preshared key
    Listening interface    Port3 - 192.0.2.1
    Gateway address        203.0.113.1
    Local subnet           172.16.16.1
    Remote subnet          10.10.1.0/24
  3. Click Save.

    Here's an example:

    IPsec connection from head office for DHCP lease.

Branch office

Configure the DHCP relay agent and a policy-based IPsec connection, and translate the LAN interface.

Configure a DHCP relay agent

Configure the branch office Sophos Firewall as the DHCP relay agent. In this example, it relays the IP addresses leased by the DHCP server on the head office firewall.

  1. Go to Network > DHCP.
  2. Under Relay, click Add.
  3. Select the Interface, for example, Port2 - 10.10.1.1.
  4. Under DHCP server IP, enter the server's IP address, for example, 172.16.16.1, and click Add.
  5. Click Save.

    Here's an example:

    Configure a DHCP relay agent.
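The two settings above that matter most, "Accept client request via relay" on the head office server and the relay interface on the branch office firewall, are tied together by the giaddr field of the DHCP message. The example below is added here to make that visible; it is not Sophos code. It builds a client's DHCPDISCOVER, applies what a relay agent does to it (set giaddr to the receiving interface, increment hops, forward as unicast to the configured server), then shows the server choosing the lease pool from giaddr and addressing the DHCPOFFER back to the relay. The addresses are the page's topology; the pool table, the client MAC and the transaction ID are constructed for the demonstration, and the 172.16.16.0/24 pool is an assumption included only to show that a relayed request is not served from the server's own interface subnet.

```python
"""Added example (not Sophos code): giaddr-driven pool selection when a
firewall relays DHCP to a server at another site. Addresses follow the page's
topology; pools, client MAC and xid are constructed for this illustration."""
import ipaddress
import struct
from typing import Dict, Optional

DHCP_MAGIC = b"\x63\x82\x53\x63"
BOOTREQUEST, BOOTREPLY = 1, 2
DISCOVER, OFFER = 1, 2
SERVER_IF_IP = "172.16.16.1"   # head office DHCP server interface
RELAY_IF_IP = "10.10.1.1"      # branch office DHCP relay interface

# Constructed pools on the head office server. 10.10.1.0/24 matches the page;
# 172.16.16.0/24 is assumed, to contrast a directly attached client.
POOLS = {
    ipaddress.ip_network("172.16.16.0/24"): {"first": "172.16.16.100", "gateway": "172.16.16.1"},
    ipaddress.ip_network("10.10.1.0/24"):   {"first": "10.10.1.10",    "gateway": "10.10.1.1"},
}

def build_discover(client_mac: bytes, xid: int) -> bytes:
    """Client's broadcast DHCPDISCOVER: giaddr is 0.0.0.0 and hops is 0."""
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
        BOOTREQUEST, 1, 6, 0, xid, 0, 0x8000,
        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
        client_mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    return fixed + DHCP_MAGIC + bytes([53, 1, DISCOVER, 255])

def giaddr_of(packet: bytes) -> ipaddress.IPv4Address:
    return ipaddress.IPv4Address(packet[24:28])

def relay_request(packet: bytes, relay_if_ip: str) -> bytes:
    """Relay agent: set giaddr to the receiving interface unless an upstream
    relay already set it, increment hops, then unicast to the server."""
    hops = packet[3] + 1
    giaddr = packet[24:28]
    if giaddr == b"\0" * 4:
        giaddr = ipaddress.IPv4Address(relay_if_ip).packed
    return packet[:3] + bytes([hops]) + packet[4:24] + giaddr + packet[28:]

def options_of(packet: bytes) -> Dict[int, bytes]:
    """Parse the TLV options after the magic cookie (stops at END = 255)."""
    opts, i = {}, 240
    while i < len(packet) and packet[i] != 255:
        if packet[i] == 0:          # PAD
            i += 1
            continue
        code, length = packet[i], packet[i + 1]
        opts[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def select_pool(packet: bytes, accept_relay: bool) -> Optional[dict]:
    """Server: pick the pool from giaddr for a relayed request, otherwise from
    the receiving interface. Relayed requests are dropped unless
    'Accept client request via relay' is enabled."""
    giaddr = giaddr_of(packet)
    if giaddr == ipaddress.IPv4Address("0.0.0.0"):
        key = ipaddress.IPv4Address(SERVER_IF_IP)
    elif not accept_relay:
        return None
    else:
        key = giaddr
    for subnet, pool in POOLS.items():
        if key in subnet:
            return pool
    return None

def build_offer(request: bytes, pool: dict) -> bytes:
    """DHCPOFFER: copy xid, flags, giaddr and chaddr; set yiaddr, server id
    (54) and router (3). The server unicasts it to giaddr, so the reply also
    has to cross the tunnel."""
    xid = struct.unpack("!I", request[4:8])[0]
    flags = struct.unpack("!H", request[10:12])[0]
    server = ipaddress.IPv4Address(SERVER_IF_IP).packed
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
        BOOTREPLY, 1, 6, 0, xid, 0, flags,
        b"\0" * 4, ipaddress.IPv4Address(pool["first"]).packed, server,
        request[24:28], request[28:44], b"\0" * 64, b"\0" * 128)
    opts = (bytes([53, 1, OFFER, 54, 4]) + server
            + bytes([3, 4]) + ipaddress.IPv4Address(pool["gateway"]).packed
            + bytes([255]))
    return fixed + DHCP_MAGIC + opts

def relayed_offer_target(offer: bytes) -> str:
    """Where the server sends the reply: giaddr, i.e. the relay's interface."""
    return str(giaddr_of(offer))

if __name__ == "__main__":
    discover = build_discover(bytes.fromhex("0011223344aa"), 0x3903F326)  # constructed
    relayed = relay_request(discover, RELAY_IF_IP)
    pool = select_pool(relayed, accept_relay=True)
    offer = build_offer(relayed, pool)
    print("giaddr:", giaddr_of(relayed), "pool:", pool, "reply to:", relayed_offer_target(offer))
```

Two things to take from it when troubleshooting: with "Accept client request via relay" cleared the relayed request is simply dropped (no error on the client, only timeouts), and the offer is sent to giaddr, so the return path from 172.16.16.1 to 10.10.1.1 must also be covered by the IPsec selectors.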

Configure a policy-based IPsec connection

Configure a policy-based IPsec connection in the branch office firewall.

  1. On the web admin console, go to Site-to-site VPN > IPsec > IPsec connections and click Add.
  2. The following settings are an example. You must specify your network's settings:

    Setting                Value
    Connection type        Policy-based
    Gateway type           Initiate the connection
    Create firewall rule   Clear the checkbox. Firewall rules don't control system-generated traffic.
    Authentication type    Preshared key. Enter the key you specified in the head office firewall.
    Listening interface    Port3 - 203.0.113.1
    Gateway address        192.0.2.1
    Local subnet           10.10.1.0/24
    Remote subnet          172.16.16.1
  3. Click Save.

    Here's an example:

    IPsec connection at branch office for DHCP relay.

Translate the LAN interface

You must configure Source Network Address Translation (SNAT) for system-generated traffic, such as the DHCP requests the relay agent forwards, using the CLI. Firewall and NAT rules don't control the firewall's own traffic, so without this setting the relayed request leaves with the address of the interface that routes to the head office rather than the relay interface's address, and it doesn't fall within the local subnet of the IPsec connection.

To translate the source address of system-generated traffic destined for the DHCP server at the head office to the branch office firewall's LAN port (DHCP relay interface) IP address, do as follows:

  1. Sign in to the CLI and enter 4 for Device console.
  2. Run the following command:

    set advanced-firewall sys-traffic-nat add destination <destination IP or network address> snatip <IP address to use as the translated source>
    

    Example

    set advanced-firewall sys-traffic-nat add destination 172.16.16.1 snatip 10.10.1.1

    In this example, the firewall sends its relayed DHCP traffic to 172.16.16.1 with the source address 10.10.1.1, which is in the local subnet 10.10.1.0/24 of the branch office IPsec connection.
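The reason the sys-traffic-nat entry is needed is easiest to see by checking the relayed request against the policy-based tunnel's selectors before and after the translation. The example below is added for that purpose and is not Sophos code: it models the branch office connection (local 10.10.1.0/24, remote 172.16.16.1) and its head office mirror, a simplified version of the sys-traffic-nat table, and the rule that a policy-based tunnel encrypts a packet only when its source and destination fall inside a selector pair. The addresses are the page's topology. The assumption that untranslated system traffic to the head office is sourced from the WAN address 203.0.113.1 is mine, made because the head office is reached over the WAN route; the function names are hypothetical.

```python
"""Added example (not Sophos code): does the branch firewall's own DHCP relay
traffic fall inside the policy-based tunnel's selectors, before and after the
sys-traffic-nat entry? Addresses follow the page; the selector and NAT models
are simplifications written for this illustration."""
import ipaddress
from typing import Dict, List, Tuple

IPv4Net = ipaddress.IPv4Network
Selector = Tuple[IPv4Net, IPv4Net]     # (local subnet, remote subnet)
NatRule = Tuple[IPv4Net, str]          # (destination, translated source IP)

BRANCH_WAN_IP = "203.0.113.1"          # assumed egress address without SNAT
RELAY_IF_IP = "10.10.1.1"              # branch LAN / DHCP relay interface
DHCP_SERVER_IP = "172.16.16.1"         # head office DHCP server interface

# Branch office connection as configured on the page, and its head office mirror.
BRANCH_TUNNEL: List[Selector] = [
    (ipaddress.ip_network("10.10.1.0/24"), ipaddress.ip_network("172.16.16.1/32")),
]
HEAD_OFFICE_TUNNEL: List[Selector] = [(remote, local) for local, remote in BRANCH_TUNNEL]

def sys_traffic_nat_rule(destination: str, snatip: str) -> NatRule:
    """Model of: set advanced-firewall sys-traffic-nat add destination <dst> snatip <ip>"""
    return (ipaddress.ip_network(destination, strict=False), snatip)

def system_traffic_source(dst: str, egress_ip: str, nat_rules: List[NatRule]) -> str:
    """Source address the firewall puts on its own packets to dst: the first
    matching sys-traffic-nat rule wins, otherwise the egress interface address."""
    d = ipaddress.ip_address(dst)
    for net, snatip in nat_rules:
        if d in net:
            return snatip
    return egress_ip

def in_tunnel(src: str, dst: str, selectors: List[Selector]) -> bool:
    """A policy-based tunnel encrypts a packet only when (src, dst) lies within
    one of its local/remote selector pairs; anything else bypasses the tunnel."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in local and d in remote for local, remote in selectors)

def trace_dhcp_relay(nat_rules: List[NatRule]) -> Dict[str, object]:
    """Follow the relayed DHCPDISCOVER to the server and the DHCPOFFER back."""
    src = system_traffic_source(DHCP_SERVER_IP, BRANCH_WAN_IP, nat_rules)
    return {
        "request_src": src,
        "request_in_tunnel": in_tunnel(src, DHCP_SERVER_IP, BRANCH_TUNNEL),
        # The server replies to giaddr (the relay interface), which the head
        # office selector already covers, so the reply needs no NAT.
        "reply_in_tunnel": in_tunnel(DHCP_SERVER_IP, RELAY_IF_IP, HEAD_OFFICE_TUNNEL),
    }

if __name__ == "__main__":
    print("without SNAT:", trace_dhcp_relay([]))
    print("with SNAT:   ", trace_dhcp_relay([sys_traffic_nat_rule("172.16.16.1", "10.10.1.1")]))
```

Without the entry the request is sourced from an address outside 10.10.1.0/24 and never enters the tunnel, which shows up as DHCP timeouts at the branch with nothing logged on the head office server; with it, both directions of the exchange match a selector.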