DHCP

The DHCP module is set out in a single screen, unless IPv6 support has been enabled. If this is the case, the DHCP module will consist of two separate tabs and its settings will be located in the DHCPv4 tab.

General


This button makes it possible to enable or disable the use of the DHCP protocol on the firewall (server or relay).
DHCP server: Sends various network parameters to DHCP clients.
DHCP Relay: The DHCP relay mode is to be used when client requests are to be redirected to an external DHCP server.

“DHCP server” service

The “DHCP server” service presents 4 configuration zones:

  • Default settings. This menu is reserved for the configuration of DNS parameters (domain name, primary and secondary DNS servers) and the default gateway sent to DHCP clients.
  • Address range. For each range, specify a group of addresses to be allocated to users. The address will be allocated for the duration determined in the advanced configuration.
  • Reservation. The address allocated by the service stays the same for hosts listed in the column Reservation.
  • Advanced properties. This menu allows enabling or disabling the automatic sending of the proxy configuration files for client hosts (WPAD: Web Proxy Autodiscovery Protocol). Additional servers can also be defined (WINS, SMTP, POP3, etc.) and the duration of the assignment of IP addresses distributed by the DHCP service can be customized.

Default settings

If the DHCP server option has been selected, global parameters can be configured here, such as the domain name, DNS servers, etc. that client hosts will use.

Domain name: Domain name used by DHCP client hosts for DNS resolution.
Gateway: The default gateway is the host that indicates the routes to use if the client does not know the destination address.
Primary DNS: Select the primary DNS server that will be sent to DHCP clients. This is a host object. If no objects are specified, the firewall’s primary DNS server will be sent to them.
Secondary DNS: Select the secondary DNS server that will be sent to DHCP clients. This is a host object. If no objects are specified, the firewall’s secondary DNS server will be sent to them.

Address range

In order for a DHCP server to provide IP addresses, an address pool from which the server can pick addresses has to be configured.

Action buttons

To add or delete address ranges, click on Add or Delete.

Add: Allows adding an address range. Select or create an IPv4 address range (IP address range network object).
Delete: Allows deleting one or several address ranges simultaneously.

The table shows the address ranges used by the DHCP server for distributing addresses to clients:

Address range: Select an IP address range network object from the drop-down list. The server will pick from this pool to distribute addresses to clients.
If none of the firewall’s protected interfaces has an IP address in the network hosting this range, a warning message will appear: “No protected interfaces match this address range”.
Gateway: This field allows assigning a specific default gateway for DHCP clients.
Select a host network object from the drop-down list. If no objects are selected, the value “default” will be displayed in this column. The host selected in the Default gateway field in the Default settings section will then be used as the gateway for DHCP clients.
Primary DNS: This field allows assigning a specific main DNS server to DHCP clients.
Select a host network object from the drop-down list. If no objects are selected, the value “default” will be displayed in this column. The host selected in the Primary DNS field in the Default settings section will then be used as the DNS server for the client.
Secondary DNS: This field allows assigning a specific secondary DNS server to DHCP clients.
Select a host network object from the drop-down list. If no objects are selected, the value “default” will be displayed in this column. The host selected in the Secondary DNS field in the Default settings section will then be used as the DNS server for the client.
Domain name: This field allows indicating a specific domain name that will be used by the DHCP client for its DNS resolution.
If no name is specified, the value “Default domain” will be displayed in this column. The domain name indicated in the Domain name field in the Default settings section will then be used for the client.

WARNING
Address ranges must not overlap. An address range belongs to a single bridge / interface.
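
The two constraints above (ranges must not overlap, and each range must sit in the network of a protected interface) can be checked offline before the ranges are entered. The following is an added example, not code from the product: the interface names, range names and addresses are constructed sample data, and the interface match is approximated as "the whole range lies inside the interface's network".

```python
import ipaddress
from itertools import combinations

# Constructed sample data (assumption): names and addresses are illustrative only.
PROTECTED_INTERFACES = {
    "in": ipaddress.ip_interface("192.168.10.254/24"),
    "dmz1": ipaddress.ip_interface("172.16.0.254/24"),
}
RANGES = {
    "dhcp_users": ("192.168.10.10", "192.168.10.100"),
    "dhcp_voip": ("192.168.10.90", "192.168.10.150"),  # overlaps dhcp_users
    "dhcp_guests": ("10.50.0.10", "10.50.0.200"),      # no matching interface
    "dhcp_dmz": ("172.16.0.20", "172.16.0.40"),
}

def parse_range(bounds):
    """Turn a (first, last) pair of strings into IPv4Address objects."""
    first, last = (ipaddress.IPv4Address(a) for a in bounds)
    if first > last:
        raise ValueError(f"range start {first} is after range end {last}")
    return first, last

def find_overlaps(ranges):
    """Return sorted pairs of range names that share at least one address."""
    parsed = {name: parse_range(b) for name, b in ranges.items()}
    return sorted(
        (a, b) for a, b in combinations(sorted(parsed), 2)
        if parsed[a][0] <= parsed[b][1] and parsed[b][0] <= parsed[a][1]
    )

def matching_interfaces(bounds, interfaces):
    """Names of interfaces whose network contains the whole range."""
    first, last = parse_range(bounds)
    return sorted(
        name for name, iface in interfaces.items()
        if first in iface.network and last in iface.network
    )

def audit(ranges, interfaces):
    """List every violation of the overlap and interface-match rules."""
    findings = [f"overlap: {a} / {b}" for a, b in find_overlaps(ranges)]
    for name, bounds in sorted(ranges.items()):
        hits = matching_interfaces(bounds, interfaces)
        if not hits:
            findings.append(f"{name}: No protected interfaces match this address range")
        elif len(hits) > 1:
            findings.append(f"{name}: matches several interfaces {hits}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(RANGES, PROTECTED_INTERFACES)))
```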

Reservation

Even when a server that dynamically distributes IP addresses to clients is used, a specific IP address can be reserved for certain hosts. This configuration resembles static addressing, but nothing is configured on client workstations, thereby simplifying their network configuration.

Action buttons

To add or delete reserved addresses, click on Add or Delete.

Add: Allows adding a reserved IP address for a specific host network object.
Delete: Allows deleting an IP address reservation. If a reservation is cancelled, the host concerned will be assigned a new random address when it is renewed.

The table displays the host objects for which addresses have been reserved: these objects must always be defined using an IPv4 address and their MAC address. Indeed, the MAC address will be used as the client’s unique ID for obtaining or renewing its reserved IP address.

Reservation: This field contains the name of the network object (host) that has a reserved IPv4 address.
Gateway: This field allows assigning a specific default gateway for each DHCP client that has reserved addresses.
Select a host network object from the drop-down list. If no objects are selected, the value “default” will be displayed in this column. The host selected in the Default gateway field in the Default settings section will then be used as the gateway for the client.
Primary DNS: This field allows assigning a specific main DNS server to each DHCP client using address reservation.
Select a host network object from the drop-down list. If no objects are selected, the value “default” will be displayed in this column. The host selected in the Primary DNS field in the Default settings section will then be used as the DNS server for the client.
Secondary DNS: This field allows assigning a specific secondary DNS server to each DHCP client using address reservation.
Select a host network object from the drop-down list. If no objects are selected, the value “default” will be displayed in this column. The host selected in the Secondary DNS field in the Default settings section will then be used as the DNS server for the client.
Domain name: This field allows indicating a specific domain name that will be used by the DHCP client for its DNS resolution.
If no name is specified, the value “Default domain” will be displayed in this column. The domain name indicated in the Domain name field in the Default settings section will then be used for the client.

Advanced properties

Other types of servers to be used can be sent to client workstations through the DHCP service.

File name: Name of the boot and configuration file that the client workstation can retrieve at startup.
SMTP Server: The SMTP server is used for sending e-mails. A drop-down list allows selecting the host object that corresponds to this server.
POP3 server: The POP3 server is used for receiving e-mails. A drop-down list allows selecting the host object that corresponds to this server.
Next server: Address of the server that hosts the boot and configuration file for the client workstations specified in the File name field.
News Server (NNTP): This field allows sending the news server’s address to DHCP clients. This server provides the NNTP service, which allows clients to read Usenet news.
TFTP Server: The TFTP server is used for booting hosts remotely.
This field (option 150: TFTP server address) can be used for starting up network devices such as routers, X-terminals or workstations without hard disks.
Distribute the Web proxy autodiscovery (WPAD) file: If this option has been selected, the DHCP server will distribute the Internet access configuration to DHCP clients through a PAC file (Proxy Auto Configuration). This file must be entered in the authentication settings (Captive portal tab in the menu Configuration>Users>Authentication). It can be made accessible from internal and/or external interfaces (Internal interfaces and External interfaces tabs in the menu Configuration>Users>Authentication).
Update DNS server entries: If this option has been selected, DNS servers will be dynamically updated when information contained in the DHCP server is modified.

Assigned lease time

Default (hour): For the purpose of optimizing network resources, IP addresses are assigned for a limited period. You therefore need to indicate here the default duration for which hosts will keep the same IP address.
Minimum (hour): Minimum duration for which hosts will keep the same IP address.
Maximum (hour): Maximum duration for which hosts will keep the same IP address.

“DHCP relay” service

The “DHCP relay” service contains 2 configuration zones:

  • Settings: this menu allows configuring the DHCP server(s) to which the firewall will relay DHCP requests from client hosts,
  • Listening interfaces on the DHCP relay service: the network interface(s) on which the firewall listens for DHCP client requests.

Settings

DHCP server(s): The drop-down list allows selecting a host object or group object containing hosts. The firewall will relay client requests to this or these DHCP server(s).
IP address used to relay DHCP queries: The IP address entered in this field will be used as the source address of relayed queries.
For example, this option would allow local users to benefit from the automatic configuration of the IP parameters of a remote DHCP server through an IPsec tunnel.
This address has to belong to the local traffic endpoint in order to be recognized by the tunnel. This option is only available for a DHCPv4 service and via a VPN tunnel whose traffic endpoints have been configured in IPv4.

NOTE
This operating mode is only possible with an external DHCPv4 server; the firewall’s DHCP service cannot be used.

NOTE
The tunnel’s traffic endpoints have to be configured in IPv4 and the tunnel endpoints can be defined in either IPv4 or IPv6.


If nothing is entered, the address will be selected automatically (the IP address of the interface that routing selects).
Relay DHCP queries for all interfaces: If this option has been selected, the firewall will listen for DHCP client requests on all its network interfaces. In this case, the table Listening interfaces on the DHCP relay service will be grayed out.

Listening interfaces on the DHCP relay service

In this section, indicate:

  • The network interfaces through which the firewall will receive DHCP client requests,
  • The network interfaces through which the firewall will contact the external DHCP server(s).

The DHCP relay service on the firewall can also listen on the interface used by the IPsec VPN in order to relay DHCP queries through these tunnels.

Listening interfaces must include the interfaces for listening to the client-side query as well as the interfaces for listening to the server-side response.

The DHCP server has to be configured in such a way that it can distribute IP addresses to clients that pass through the relay.

Action buttons

In order to add or delete listening interfaces, click on Add or Delete.

Add: Adds a row to the table and opens a drop-down list of the firewall’s interfaces in order to select an interface.
Delete: Allows deleting one or several listening or outgoing interfaces.