On the Network Services > DHCP > Servers tab you can configure DHCP servers. Sophos UTM on AWS can provide the DHCP service for the network attached to an interface as well as for other networks reached via a DHCP relay agent. The DHCP server assigns basic network parameters (address, netmask, gateway, DNS servers, domain) to your clients. You can run the DHCP service on multiple interfaces; each interface and each network to be served has its own configuration set.
Note – On the Options tab you can define additional or different DHCP options to be sent to the clients. A DHCP option defined on the Options tab overrides a setting made on the Servers tab if its scope is not set to global. For example, by defining DHCP options for selected hosts only, you can assign those hosts a DNS server or lease time that differs from what is defined for the DHCP server.
To configure a DHCP server, proceed as follows:
On the Servers tab, click New DHCP Server.
The Add DHCP Server dialog box opens.
Make the following settings:
Interface: The interface from which the IP addresses should be assigned to the clients. You can only select an already configured interface.
Address type: This option is only available when IPv6 is globally enabled. Select the IP version of the DHCP server.
Note – For IPv6, prefix advertisements with stateful autoconfiguration (managed flag set) are required, either from Sophos UTM on AWS or from another router on the link; otherwise clients will not send DHCPv6 requests. You can configure prefix advertisements on the Interfaces & Routing > IPv6 > Prefix Advertisements tab.
Range start/end: The IP range to be used as the address pool on that interface. By default, the text boxes are pre-filled with the address range of the network attached to the selected interface. If the clients are in the same network as the interface, the range must lie inside that network. If the clients are in another network (served via a DHCP relay agent), the range must lie inside the network from which the relayed DHCP requests are forwarded.
Note – The larger the defined DHCP IP range, the more memory Sophos UTM on AWS reserves for it. Keep the range no larger than you actually need. The maximum allowed range is a /9 network.
DNS server 1/2: The IP addresses of the DNS servers.
Default gateway (only with IPv4): The IP address of the default gateway.
Note – Both wireless access points and RED appliances need the default gateway to be within the same subnet as the interface they are connected to.
Domain (optional): Enter the domain name that will be transmitted to the clients (e.g., intranet.example.com).
Lease time (only with IPv4): The DHCP client automatically tries to renew its lease. If the lease is not renewed during its lease time, the IP address lease expires. Here you can define this time interval in seconds. The default is 86,400 seconds (one day). The minimum is 600 seconds (10 minutes) and the maximum is 2,592,000 seconds (one month).
Valid lifetime (only with IPv6): The DHCP client automatically tries to renew its lease. If the lease is not renewed within its valid lifetime, the address becomes invalid: it is removed from the client's interface and may be assigned to another client. You can select an interval between five minutes and infinity; the valid lifetime must be equal to or greater than the preferred lifetime.
Preferred lifetime (only with IPv6): The DHCP client automatically tries to renew its lease. If the lease is not renewed within its preferred lifetime, the address becomes deprecated, i.e., it is still valid but is no longer used for new connections. You can select an interval between five minutes and infinity.
Comment (optional): Add a description or other information.
Optionally, make the following advanced settings:
WINS node type (only with IPv4): Windows Internet Naming Service (WINS) is Microsoft's implementation of NetBIOS Name Server (NBNS) on Windows, a name server and service for NetBIOS computer names. A WINS server acts as a database that matches computer names with IP addresses, thus allowing computers using NetBIOS to take advantage of the TCP/IP network. The following WINS node types are available:
- Do not set: The WINS node type is not set and will be chosen by the client.
- B-node (no WINS): B-node systems use broadcasts only.
- P-node (WINS only): P-node systems use only point-to-point name queries to a Windows name server (WINS).
- M-node (Broadcast, then WINS): M-node systems broadcast first, then query the name server.
- H-node (WINS, then Broadcast): H-node systems query the name server first, then broadcast.
WINS server: This text box appears when the selected WINS node type uses a WINS server (P-node, M-node, or H-node). Enter the IP address of the WINS server.
Clients with static mappings only (optional): Select this option to have the DHCP server assign IP addresses only to clients that have a static DHCP mapping (see Definition & Users > Network Definitions > Network Definitions).
Enable HTTP proxy auto configuration: Select this option if you want to provide a PAC file for automatic proxy configuration of browsers. For more information, see chapter Web Protection > Filtering Options > Misc, section Proxy Auto Configuration.
Note – Microsoft Windows currently does not support HTTP proxy auto configuration delivered via DHCP over IPv6.
Clients via DHCP relay agent (only with IPv4): If selected, the DHCP server assigns IP addresses to clients that are not in the network of the attached interface but forward their requests through a DHCP relay agent. In this case, the address range defined above must lie inside the network from which the relayed DHCP requests are forwarded, and not inside the network of the attached interface.
Netmask: Select the netmask of the network from which the relayed DHCP requests are forwarded.
The new DHCP server definition appears on the DHCP server list and is immediately active.
To either edit or delete a DHCP server definition, click the corresponding buttons.
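The constraints the settings above impose on one another (pool inside the interface network or, for relayed clients, inside the relay network and outside the interface network; IPv4 lease time between 600 and 2,592,000 seconds; IPv6 valid lifetime not shorter than the preferred lifetime; pool no larger than a /9; gateway inside the interface subnet where wireless access points or RED appliances are served) are easy to get wrong when several interfaces are configured. The following validator is an added example, not code from Sophos or from the UTM product; the `DhcpServerDef` class, its field names and the sample definitions are assumptions chosen for illustration. It adds one check the page does not state but that practitioners usually want: the default gateway must not lie inside the pool, or the server may hand the gateway's address to a client.

```python
"""Consistency checks for a Sophos UTM DHCP server definition (added example).

Encodes the rules the Servers tab states, plus one extra check (gateway not
inside the pool) that is a common practice rather than a rule from the page.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

LEASE_MIN = 600          # 10 minutes, minimum IPv4 lease time
LEASE_MAX = 2_592_000    # 30 days, maximum IPv4 lease time
MAX_POOL_PREFIX = 9      # the UI accepts at most a /9 sized pool


@dataclass
class DhcpServerDef:
    """Hypothetical representation of one 'Add DHCP Server' dialog (assumption)."""
    interface_network: str                    # network attached to the interface, e.g. "10.0.1.0/24"
    range_start: str
    range_end: str
    default_gateway: Optional[str] = None     # IPv4 only
    lease_time: Optional[int] = None          # IPv4 only, seconds
    valid_lifetime: Optional[int] = None      # IPv6 only, seconds
    preferred_lifetime: Optional[int] = None  # IPv6 only, seconds
    via_relay: bool = False                   # "Clients via DHCP relay agent"
    relay_network: Optional[str] = None       # relayed network with its netmask, e.g. "10.0.2.0/24"
    gateway_must_be_local: bool = False       # True when wireless APs or RED appliances are served


def validate(d: DhcpServerDef) -> List[str]:
    """Return a list of problems; an empty list means the definition is consistent."""
    problems: List[str] = []
    start = ipaddress.ip_address(d.range_start)
    end = ipaddress.ip_address(d.range_end)
    iface_net = ipaddress.ip_network(d.interface_network, strict=False)

    if not (start.version == end.version == iface_net.version):
        return ["range and interface network must use the same IP version"]
    if start > end:
        problems.append("range start is above range end")

    # The pool must lie inside the interface network, or, for relayed clients,
    # inside the relayed network and outside the interface network.
    pool_net = iface_net
    if d.via_relay:
        if d.relay_network is None:
            problems.append("relay mode needs the netmask of the relayed network")
        else:
            pool_net = ipaddress.ip_network(d.relay_network, strict=False)
            if start in iface_net or end in iface_net:
                problems.append("relayed pool must not lie inside the interface network")
    if start not in pool_net or end not in pool_net:
        problems.append(f"range {start}-{end} is not inside {pool_net}")

    # Pool size: no more addresses than a /9 of this address family holds.
    max_size = 2 ** (iface_net.max_prefixlen - MAX_POOL_PREFIX)
    if int(end) - int(start) + 1 > max_size:
        problems.append("pool is larger than a /9")

    if start.version == 4:
        if d.lease_time is not None and not LEASE_MIN <= d.lease_time <= LEASE_MAX:
            problems.append(f"lease time must be between {LEASE_MIN} and {LEASE_MAX} seconds")
        if d.default_gateway is not None:
            gw = ipaddress.ip_address(d.default_gateway)
            if start <= gw <= end:
                problems.append("default gateway lies inside the pool and could be handed out")
            if d.gateway_must_be_local and gw not in iface_net:
                problems.append("wireless APs and RED appliances need the gateway in the interface subnet")
    else:
        if (d.valid_lifetime is not None and d.preferred_lifetime is not None
                and d.valid_lifetime < d.preferred_lifetime):
            problems.append("valid lifetime must be equal to or greater than the preferred lifetime")
    return problems


if __name__ == "__main__":
    # Constructed sample: a relayed pool whose netmask was entered as the interface's own network.
    sample = DhcpServerDef("10.0.1.0/24", "10.0.2.100", "10.0.2.200",
                           default_gateway="10.0.2.1", lease_time=86400,
                           via_relay=True, relay_network="10.0.1.0/24")
    for p in validate(sample):
        print("problem:", p)
```

Run the checks before committing a definition; the server is active as soon as it is saved, so a pool outside the interface network or a lease time outside the allowed bounds is caught here rather than by clients failing to obtain addresses.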