The DHCP relay service allows you to pass DHCP broadcast messages to network segments that a client computer is not directly attached to. DHCP relaying can be used to share a single DHCP server across logical network segments that are separated by a firewall. The DHCP relay service does not assign IP addresses itself; it converts the client's broadcast messages into unicast messages addressed to the configured DHCP servers.
A client in need of a DHCP-assigned IP address sends its request as a broadcast message to the network attached to the corresponding interface. The DHCP relay service on the firewall receives the request on an interface attached to the same network, e.g., eth2, 192.168.0.0/24. The DHCP relay service sends a unicast request to all configured DHCP servers in the LAN and receives a DHCP IP address offer from a DHCP server (e.g., 10.0.0.254) that has an IP address range configured for the network segment of the requesting client (e.g., 192.168.0.0/24). This offer is forwarded to the requesting client. If the client accepts the offer, the DHCP address is acknowledged by the client and immediately assigned to its attached interface.
DHCP Relay Agent Between Two LANs:
Before You Begin
If you are using both a DHCP and a DHCP relay service on the same firewall, verify that both services are not using the same physical interface.
Configure the DHCP Relay Agent for IPv4
Go to CONFIGURATION > Configuration Tree > Box > Assigned Services > DHCP-Relay.
Click Lock.
Select Enable Relay for IPv4.
Enter the UDP Port the relay agent is listening on (default: 67).
In the Relay Interfaces section, click + and add the network interfaces that are used by the DHCP relay agent to connect to the DHCP server and client networks.
In the DHCP Server IPs field, enter the IP addresses of the DHCP servers.
Enable Add Agent ID (AID) if you want the DHCP relay agent to add an Agent ID (AID) to the transmitted packets. An AID indicates that the data has been relayed.
Enter the maximum DHCP Packet Size in bytes (default: 1400).
From the AID Relay Policy list, select how your DHCP relay agent handles DHCP packets that are already flagged by an AID from another agent:
Append (default) – Attaches your AID to the existing AID.
Replace – Replaces the existing AID with your AID.
Forward – Passes DHCP packets without any modification.
Discard – Discards DHCP packets that are already flagged by an AID.
From the Reply AID Mismatch Policy list, select how your DHCP relay agent handles DHCP server replies that do not contain its AID:
Discard – Default. Discards the DHCP packet.
Forward – Forwards the DHCP packet to the DHCP client.
Specify the maximum Packet Hop Count to avoid infinite packet loops (default: 10).
Select Forward unicast packets if Bootstrap Protocol (BOOTP) unicast messages should be forwarded by the DHCP relay.
Click OK.
Click Send Changes and Activate.
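The following Python model is an added example, not Barracuda's code, that walks through the exchange described in the overview and the relay settings configured above: the client's broadcast is rewritten with giaddr and an incremented hop count and handed on as a unicast packet, the Packet Hop Count limit drops looping packets, the AID Relay Policy (append, replace, forward, discard) decides what happens to a request that already carries another agent's AID, and the Reply AID Mismatch Policy decides whether a server reply without this relay's AID is discarded. Assumptions: the AID is modelled as the DHCP Relay Agent Information option (option 82, RFC 3046) with the relay's name in the Circuit ID sub-option, since the page does not say which option the firewall uses; the interface names, addresses and transaction ID are constructed sample values.

```python
import ipaddress
import struct

BOOTREQUEST, BOOTREPLY = 1, 2
OPT_MSG_TYPE, OPT_RELAY_AGENT, OPT_END = 53, 82, 255   # option 82 = assumed AID carrier
SUBOPT_CIRCUIT_ID = 1
MAGIC_COOKIE = b"\x63\x82\x53\x63"
HDR_LEN = 236                       # fixed BOOTP header; hops at byte 3, giaddr at bytes 24..27


def rebuild(packet, options, hops=None, giaddr=None):
    """Copy the header (optionally patching hops/giaddr) and re-encode the options."""
    hdr = bytearray(packet[:HDR_LEN])
    if hops is not None:
        hdr[3] = hops
    if giaddr is not None:
        hdr[24:28] = ipaddress.IPv4Address(giaddr).packed
    body = b"".join(bytes([c, len(v)]) + v for c, v in options) + bytes([OPT_END])
    return bytes(hdr) + MAGIC_COOKIE + body


def build_packet(op, xid, hops=0, giaddr="0.0.0.0", options=()):
    """Build a minimal BOOTP/DHCP packet; options is a list of (code, value)."""
    hdr = struct.pack("!BBBBIHH", op, 1, 6, hops, xid, 0, 0x8000)   # broadcast flag set
    hdr += b"\x00" * 12 + ipaddress.IPv4Address(giaddr).packed        # ciaddr yiaddr siaddr giaddr
    hdr += b"\x00" * (16 + 64 + 128)                                   # chaddr sname file
    return rebuild(hdr, options)


def parse_options(packet):
    """Return the options field as an ordered list of (code, value)."""
    body, i, opts = packet[HDR_LEN + 4:], 0, []
    while i < len(body) and body[i] != OPT_END:
        if body[i] == 0:                # pad option
            i += 1
            continue
        code, length = body[i], body[i + 1]
        opts.append((code, body[i + 2:i + 2 + length]))
        i += 2 + length
    return opts


def giaddr_of(packet):
    return str(ipaddress.IPv4Address(packet[24:28]))


def own_aid(agent_id):
    """This relay's AID: a Circuit ID sub-option inside option 82 (assumed encoding)."""
    return bytes([SUBOPT_CIRCUIT_ID, len(agent_id)]) + agent_id


def relay_request(packet, agent_id, relay_ip, add_aid=True, policy="append", max_hops=10):
    """Client -> server direction. Returns the packet to unicast to each server, or None."""
    if packet[0] != BOOTREQUEST or packet[3] >= max_hops:
        return None                                     # Packet Hop Count: stops relay loops
    opts = parse_options(packet)
    foreign = next((v for c, v in opts if c == OPT_RELAY_AGENT), None)
    others = [(c, v) for c, v in opts if c != OPT_RELAY_AGENT]
    mine = own_aid(agent_id) if add_aid else b""
    if foreign is None:
        aid = mine
    elif policy == "discard":                           # AID Relay Policy
        return None
    elif policy == "forward":
        aid = foreign                                   # leave the other agent's AID untouched
    elif policy == "replace":
        aid = mine
    else:                                               # append (default)
        aid = foreign + mine
    if aid:
        others.append((OPT_RELAY_AGENT, aid))
    # RFC 2131: only the first relay fills giaddr; every relay increments hops
    giaddr = relay_ip if giaddr_of(packet) == "0.0.0.0" else None
    return rebuild(packet, others, hops=packet[3] + 1, giaddr=giaddr)


def relay_reply(packet, agent_id, mismatch_policy="discard"):
    """Server -> client direction. Returns the packet for the client, or None."""
    if packet[0] != BOOTREPLY:
        return None
    opts = parse_options(packet)
    aid = next((v for c, v in opts if c == OPT_RELAY_AGENT), None)
    if mismatch_policy == "discard" and (aid is None or own_aid(agent_id) not in aid):
        return None                                     # Reply AID Mismatch Policy
    # RFC 3046: the relay strips option 82 before the reply reaches the client
    return rebuild(packet, [(c, v) for c, v in opts if c != OPT_RELAY_AGENT])


def demo_exchange():
    """Constructed exchange: client on eth2 (192.168.0.0/24), relay 192.168.0.1, server 10.0.0.254."""
    discover = build_packet(BOOTREQUEST, 0x3903F326, options=[(OPT_MSG_TYPE, b"\x01")])
    to_server = relay_request(discover, b"eth2", "192.168.0.1")       # sent unicast to 10.0.0.254
    echoed = next(v for c, v in parse_options(to_server) if c == OPT_RELAY_AGENT)
    offer = build_packet(BOOTREPLY, 0x3903F326, giaddr=giaddr_of(to_server),
                         options=[(OPT_MSG_TYPE, b"\x02"), (OPT_RELAY_AGENT, echoed)])
    return to_server, relay_reply(offer, b"eth2")


if __name__ == "__main__":
    fwd, back = demo_exchange()
    print("hops", fwd[3], "giaddr", giaddr_of(fwd), "options", parse_options(fwd))
    print("client receives", parse_options(back))
```

Running the script shows the forwarded DISCOVER with hops 1, giaddr 192.168.0.1 and the relay's AID, and the OFFER handed back to the client with the AID removed. Chaining two relays with the default append policy yields an option 82 value containing both agents' Circuit IDs, which is why the mismatch check tests for containment rather than equality.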
Create an Access Rule to Allow DHCP Requests
The relay agent must forward the request from the client to the DHCP server.
Go to CONFIGURATION > Configuration Tree > Box > Assigned Services > Firewall > Forwarding Rules.
Click Lock.
Either click the plus icon (+) at the top right of the ruleset or right-click the ruleset and select New > Rule.
Select Pass as the action.
Enter a name for the rule, for example DHCPrequest. Specify the following settings that must be matched by the traffic to be handled by the access rule:
Source – The network address of the segment to which the client is attached, e.g., 192.168.0.0/24.
Destination – The network address of the segment to which the DHCP server is attached, e.g., 10.0.0.0/24.
Service – Either configure an explicit service for UDP and ports 67 and 68 to let DHCP requests pass, or create a service object. For more information, see How to Create Service Objects.
Connection Method – Original Source IP.
Click OK.
Drag and drop the access rule so that it is the first rule that matches the traffic that you want it to forward. Ensure that the rule is located above the BLOCKALL rule; rules located below the BLOCKALL rule are never executed.
Click Send Changes and Activate.
The DHCP Server Must Be Able to Reach the Client Network
The DHCP server must return DHCP offers to the requesting client.
(option #1) If your DHCP server runs on a dedicated Barracuda firewall, create a gateway route to the client network. For more information, see How to Configure Gateway Routes.
(option #2) On any other appliance, configure the DHCP server so that it can reach the client network.
Configure the DHCP Relay Agent for IPv6
Go to CONFIGURATION > Configuration Tree > Box > Assigned Services > DHCP-Relay > DHCP-Relay Settings.
In the left menu, select DHCP Relay IPv6.
Click Lock.
Select Enable Relay for IPv6.
Enter the UDP Port the relay agent is listening on (default: 547).
Specify the maximum Packet Hop Count to avoid infinite packet loops (default: 10).
Select Interface ID to force the use of the DHCPv6 Interface-ID option. This option is automatically sent when there are two or more downstream interfaces in use, to disambiguate between them.
For Lower Network Interfaces, click '+' to specify the network interface and link address on which queries will be received from clients or other relay agents. If no link address is specified, the first non-link local address is used.
The Lower Network Interfaces window is displayed to enter the name for the interface.
Enter the name for the lower interface.
Click OK….
The Lower Network Interfaces window is displayed to configure the interface.
Click '+' to select the lower interface.
For IPv6 Address, enter the IP address.
Click OK.
For Upper Network Interfaces, click '+' to specify the network interface and destination unicast or multicast address to which queries will be forwarded. If no destination address is specified, requests are forwarded to the FF02::1:2 multicast address (All_DHCP_Relay_Agents_and_Servers).
The Upper Network Interfaces window is displayed to enter the name for the interface.
Enter the name for the upper interface.
Click OK….
The Upper Network Interfaces window is displayed to configure the interface.
Click '+' to select the upper interface.
For IPv6 Address, enter the IP address.
Click OK.
Click Send Changes and Activate.
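To show what the IPv6 settings above control on the wire, here is an added Python example that is not Barracuda's code. It models a DHCPv6 relay as defined in RFC 8415: a client message received on a lower interface is wrapped in a Relay-forward message whose link-address is the configured link address or, if none is set, the first non-link-local address on that interface; a Relay-forward arriving from another relay has its hop count incremented and is dropped once it reaches the Packet Hop Count limit; the Interface-ID option (18) is included when forced or when two or more lower interfaces exist; the upper interface destination defaults to FF02::1:2; and a Relay-reply is unwrapped back to the right lower interface and client. The interface names and addresses are constructed sample values, and setting link-address to :: when relaying another relay's message is one of the choices RFC 8415 permits, not something the page states.

```python
import ipaddress

SOLICIT, RELAY_FORW, RELAY_REPL = 1, 12, 13          # DHCPv6 message types (RFC 8415)
OPT_RELAY_MSG, OPT_INTERFACE_ID = 9, 18               # option codes (RFC 8415)
ALL_DHCP_RELAY_AGENTS_AND_SERVERS = "ff02::1:2"


def encode_options(opts):
    """DHCPv6 options: 2-byte code, 2-byte length, value."""
    return b"".join(c.to_bytes(2, "big") + len(v).to_bytes(2, "big") + v for c, v in opts)


def decode_options(data):
    opts, i = [], 0
    while i + 4 <= len(data):
        code = int.from_bytes(data[i:i + 2], "big")
        length = int.from_bytes(data[i + 2:i + 4], "big")
        opts.append((code, data[i + 4:i + 4 + length]))
        i += 4 + length
    return opts


def parse_relay_message(msg):
    """Split a Relay-forward/Relay-reply into (type, hop_count, link, peer, options)."""
    link = ipaddress.IPv6Address(msg[2:18])
    peer = ipaddress.IPv6Address(msg[18:34])
    return msg[0], msg[1], link, peer, decode_options(msg[34:])


class DHCPv6Relay:
    def __init__(self, lower, upper, max_hops=10, force_interface_id=False):
        # lower: {ifname: (configured link address or None, [addresses on the interface])}
        # upper: {ifname: configured destination or None}
        self.lower, self.upper = lower, upper
        self.max_hops = max_hops                      # Packet Hop Count
        self.force_interface_id = force_interface_id  # the "Interface ID" checkbox

    def link_address(self, ifname):
        configured, addrs = self.lower[ifname]
        if configured:
            return ipaddress.IPv6Address(configured)
        for a in map(ipaddress.IPv6Address, addrs):  # first non-link-local address
            if not a.is_link_local:
                return a
        raise ValueError(f"{ifname}: no usable link address")

    def destination(self, ifname):
        return ipaddress.IPv6Address(self.upper[ifname] or ALL_DHCP_RELAY_AGENTS_AND_SERVERS)

    def relay_upstream(self, msg, peer, ifname):
        """Wrap a message received on a lower interface; returns bytes or None when dropped."""
        if msg[0] == RELAY_FORW:                      # came from another relay agent
            if msg[1] >= self.max_hops:
                return None                           # hop limit reached: drop the loop
            hops, link = msg[1] + 1, ipaddress.IPv6Address("::")
        else:                                         # came directly from a client
            hops, link = 0, self.link_address(ifname)
        opts = [(OPT_RELAY_MSG, msg)]
        if self.force_interface_id or len(self.lower) >= 2:
            opts.append((OPT_INTERFACE_ID, ifname.encode()))
        return (bytes([RELAY_FORW, hops]) + link.packed
                + ipaddress.IPv6Address(peer).packed + encode_options(opts))

    def relay_downstream(self, msg):
        """Unwrap a Relay-reply; returns (lower interface, peer address, inner message)."""
        mtype, _, _, peer, opts = parse_relay_message(msg)
        if mtype != RELAY_REPL:
            return None
        inner = next(v for c, v in opts if c == OPT_RELAY_MSG)
        iface = next((v.decode() for c, v in opts if c == OPT_INTERFACE_ID), None)
        if iface is None:                             # unambiguous only with one lower interface
            iface = next(iter(self.lower))
        return iface, str(peer), inner


if __name__ == "__main__":
    # Constructed topology: clients on eth2 (2001:db8:2::/64), server reached via eth0.
    relay = DHCPv6Relay(lower={"eth2": (None, ["fe80::1", "2001:db8:2::1"])}, upper={"eth0": None})
    solicit = bytes([SOLICIT, 0x12, 0x34, 0x56])      # msg-type + transaction-id, no options
    fwd = relay.relay_upstream(solicit, "fe80::abcd", "eth2")
    print(parse_relay_message(fwd), "->", relay.destination("eth0"))
```

The script prints the Relay-forward built for a SOLICIT: hop count 0, link-address 2001:db8:2::1 (the first non-link-local address on eth2), peer-address fe80::abcd, and the multicast destination ff02::1:2 because no upper destination was configured.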