At our branch sites we have guest networks with security policy configured to only allow access to open internet and deny to all private IP ranges. As an extra precaution we do not even advertise the routes for these subnets since there is no need for them to communicate with any corporate devices. Previously we had run DHCP services off of our Check Point gateways but have migrated to more fully-featured DHCP servers and have configured DHCP Relay on our gateways. This has been working for all subnets except for the guest network since the routers used by the DHCP server don't have a route back to the guest network gateway IP.
I had thought I could set the primary IP for the relay to that of a routed interface but I haven't yet been able to get it to work the way I want. I suspect that I'm not understanding the protocol and/or terminology correctly and we may need to advertise the routes but I wanted to check if I'm missing anything. Here is the setup (actual addresses substituted):
Gateway model: 3600
Interface eth1: 10.0.0.1/24 (route is advertised)
Interface eth1.222: 192.168.1.1/24 (Guest subnet, route is not advertised)
DHCP server: 10.1.100.20
Relay base configuration:
set bootp interface eth1 on
set bootp interface eth1 relay-to 10.1.100.20 on
set bootp interface eth1 wait-time 0
set bootp interface eth1.222 on
set bootp interface eth1.222 relay-to 10.1.100.20 on
set bootp interface eth1.222 wait-time 0
Security policy is configured as per the SK for new services.
By default the relay agent IP address in Guest network discovery packets is that of the Guest network gateway IP, 192.168.1.1. These discovery packets are issued an offer by the DHCP server but are not received by the branch gateway since that 192.168.1.0/24 subnet is not an advertised route.
I had tried setting the primary IP on eth1.222 to that of its base eth1 interface with
set bootp interface eth1.222 primary 10.0.0.1
but 'show bootp interfaces' then displays the error 'Error: the configured Primary Address is associated with a different interface', so it's my understanding that for this purpose a VLAN interface is considered to be entirely separate from its host physical interface. I then removed this configuration and tried applying the same setting to the eth1 interface, which eliminated the error, but the relay agent IP address remains that of the Guest network, presumably for the same reason.
I also tried setting the circuit ID and remote ID in the bootp settings for interface eth1.222 but those only affect the Option 82 field and do not change the relay agent IP address in the Discover packet's bootp flags.
I have a directive from management to avoid advertising the Guest network subnets. Is there something I'm missing that would enable me to change the relay agent IP address for DHCP requests sent via the eth1.222 interface? I had considered NAT and it may be worth testing, but from inspecting the traffic it appears that the DHCP server sends its lease offers based off that relay agent IP in the DHCP parameters rather than responding to the packet source address.
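The behaviour described in the post (offers go to the giaddr field, not to the packet source, and Option 82 leaves giaddr untouched) follows directly from RFC 2131 section 4.1. The script below is an added illustration, not code from the post or from Check Point: it builds a relayed DHCPDISCOVER the way a relay agent would, parses it back, applies the server's RFC 2131 reply rule, and checks the reply destination against a constructed route table. The route table (10.0.0.0/24 and the server's 10.1.100.0/24, with 192.168.1.0/24 absent and no default route), the client MAC, the Option 82 values and the 3600 relay behaviour are all assumptions for the example; a real server may add vendor-specific handling on top of the RFC rule.

```python
"""Minimal DHCP relay/server model (constructed example, not Check Point code)."""
import ipaddress
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"      # RFC 2131 magic cookie, start of the options field
DISCOVER = 1                          # option 53 message-type value for DHCPDISCOVER

# Constructed route table: only the routes this branch advertises. 192.168.1.0/24
# (the guest subnet) is deliberately absent, as in the post, and no default route exists.
ADVERTISED_ROUTES = ["10.0.0.0/24", "10.1.100.0/24"]


def build_relayed_discover(client_mac, giaddr, circuit_id=None, remote_id=None):
    """Build a DHCPDISCOVER as a relay agent would forward it to the server.

    giaddr is the relay's own address on the receiving interface (RFC 2131 s4.1);
    circuit_id / remote_id, if given, go into Option 82 sub-options 1 and 2 only.
    """
    fixed = struct.pack("!BBBB", 1, 1, 6, 1)             # op=BOOTREQUEST, htype=ether, hlen=6, hops=1
    fixed += struct.pack("!IHH", 0x3903F326, 0, 0x8000)  # xid, secs, flags (broadcast bit set)
    fixed += b"\x00" * 12                                # ciaddr, yiaddr, siaddr all zero
    fixed += ipaddress.IPv4Address(giaddr).packed        # giaddr: the field the server replies to
    fixed += client_mac.ljust(16, b"\x00")               # chaddr (16 bytes)
    fixed += b"\x00" * (64 + 128)                        # sname, file
    options = DHCP_MAGIC + bytes([53, 1, DISCOVER])
    sub = b""
    if circuit_id is not None:
        sub += bytes([1, len(circuit_id)]) + circuit_id
    if remote_id is not None:
        sub += bytes([2, len(remote_id)]) + remote_id
    if sub:
        options += bytes([82, len(sub)]) + sub
    return fixed + options + b"\xff"


def parse_dhcp(pkt):
    """Return the fields a relay or server cares about, plus raw options keyed by code."""
    op, _htype, hlen, hops = struct.unpack_from("!BBBB", pkt, 0)
    if pkt[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message (magic cookie missing)")
    options = {}
    i = 240
    while i < len(pkt) and pkt[i] != 255:                # 255 = end option
        if pkt[i] == 0:                                  # 0 = pad, carries no length byte
            i += 1
            continue
        code, length = pkt[i], pkt[i + 1]
        options[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return {
        "op": op,
        "hops": hops,
        "giaddr": str(ipaddress.IPv4Address(pkt[24:28])),
        "chaddr": pkt[28:28 + hlen],
        "options": options,
    }


def parse_option82(raw):
    """Split an Option 82 value into its circuit-id (1) and remote-id (2) sub-options."""
    subs, i = {}, 0
    while i < len(raw):
        subtype, length = raw[i], raw[i + 1]
        subs[subtype] = raw[i + 2:i + 2 + length]
        i += 2 + length
    return {"circuit_id": subs.get(1), "remote_id": subs.get(2)}


def server_reply_destination(msg):
    """Where a conforming server sends its DHCPOFFER (RFC 2131 s4.1).

    With a non-zero giaddr the server unicasts to the relay at giaddr, port 67;
    it does not consult the IP source address of the relayed Discover.
    """
    if msg["giaddr"] != "0.0.0.0":
        return (msg["giaddr"], 67)
    return ("255.255.255.255", 68)                       # un-relayed client on the local segment


def has_route(dest_ip, route_table=ADVERTISED_ROUTES):
    """True if the server-side routers hold a route covering dest_ip (constructed table)."""
    addr = ipaddress.IPv4Address(dest_ip)
    return any(addr in ipaddress.IPv4Network(net) for net in route_table)


def offer_deliverable(giaddr, route_table=ADVERTISED_ROUTES, circuit_id=None):
    """End-to-end check: relay with this giaddr, then ask whether the offer can get back."""
    pkt = build_relayed_discover(b"\x00\x11\x22\x33\x44\x55", giaddr, circuit_id=circuit_id)
    dest_ip, _port = server_reply_destination(parse_dhcp(pkt))
    return has_route(dest_ip, route_table)


if __name__ == "__main__":
    # Guest relay: giaddr stays 192.168.1.1 even with Option 82 naming eth1.222 -> offer unroutable.
    print("guest giaddr deliverable:", offer_deliverable("192.168.1.1", circuit_id=b"eth1.222"))
    # Same request relayed with an advertised address -> the offer has a path back.
    print("routed giaddr deliverable:", offer_deliverable("10.0.0.1"))
```

Running it shows the two outcomes side by side: with giaddr 192.168.1.1 the offer is addressed to a subnet the server side cannot route, regardless of what Option 82 says, while with an advertised address as giaddr the same request gets a deliverable offer. That is the same conclusion the post reaches from packet captures, which is why NAT of the source address alone would not change where the server sends the offer.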