How do I allow DHCP relay from a non-Checkpoint host to pass the firewall?

Question asked by Chris Williams on Aug 23, 2017
Latest reply on Mar 22, 2018 by Sami Hänninen



I am having issues getting DHCP relay to work through my R77.30 security management and gateway cluster.


I have a half dozen subnets that have the firewall as their default gateway, and the firewall acts as the DHCP relay for them, with the DHCP Server being located in a DMZ zone. This is working fine.


The problem is I have a new 3rd party VPN application. The VPN server acts as the DHCP relay for its clients and uses the same DMZ DHCP server to service its clients. I am unable to receive DHCP offers from the DHCP Server.


Wireshark packet captures on the DHCP server show the request coming in and a proper response going back out. The capture on the VPN server shows the DHCP offer coming from an incorrect IP - it's coming from the public internet IP of my firewall instead of the DHCP server address. I have a NAT rule in place to keep the packets at their original addresses, but it seems to come out as the public IP, which is the final NAT rule. It kind of looks like the NAT rule is being ignored when it's DHCP.


I've gone through SK104114 - Configuration of IPv4 BOOTP/DHCP Relay using new services and configured everything as instructed.


My rulebase is using the new dhcp-request and dhcp-reply services as per the above document.


I don't see a lot of this traffic in the tracker either, but I can see it in FW MONITOR and zdebug.


Any ideas?
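The symptom in the question is easiest to pin down at the packet level: per RFC 2131, a server answering a relayed DISCOVER sends the OFFER to the relay's giaddr on UDP port 67, with the IP source being the server itself and the Server Identifier option (54) carrying the same server address. If the capture on the relay shows a different IP source than option 54, something between server and relay rewrote the source (the NAT behaviour described above). The following is an added example, not code from the original post or from Check Point: a small Python decoder that builds a relayed DHCPOFFER, parses the BOOTP header and options, and checks what a capture on the relay should look like. All addresses (DMZ DHCP server 10.1.1.10, VPN relay 10.2.2.1, offered client address 10.3.3.50, firewall public IP 203.0.113.1) are constructed for the example.

```python
import struct
from ipaddress import IPv4Address

# BOOTP/DHCP fixed header (RFC 2131 section 2): 236 bytes before the options.
BOOTP_HDR = "!BBBBIHH4s4s4s4s16s64s128s"
BOOTP_HDR_LEN = struct.calcsize(BOOTP_HDR)  # 236
MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTREQUEST, BOOTREPLY = 1, 2
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}
DHCP_SERVER_PORT = 67  # server -> relay replies go to this port on the relay


def build_dhcp(op, xid, mac, giaddr, yiaddr, msg_type, server_id=None):
    """Build a minimal BOOTP/DHCP message (constructed test data, not a capture)."""
    hops = 1 if giaddr != "0.0.0.0" else 0  # a relay increments hops
    hdr = struct.pack(
        BOOTP_HDR, op, 1, 6, hops, xid, 0, 0x8000,
        b"\0" * 4, IPv4Address(yiaddr).packed, b"\0" * 4, IPv4Address(giaddr).packed,
        mac + b"\0" * 10, b"\0" * 64, b"\0" * 128,
    )
    opts = MAGIC_COOKIE + bytes([53, 1, msg_type])  # option 53: DHCP message type
    if server_id:
        opts += bytes([54, 4]) + IPv4Address(server_id).packed  # option 54: Server Identifier
    return hdr + opts + b"\xff"


def parse_dhcp(payload):
    """Decode the fields a relay and a troubleshooter care about."""
    (op, _htype, hlen, hops, xid, _secs, _flags, _ciaddr, yiaddr, _siaddr,
     giaddr, chaddr, _sname, _file) = struct.unpack(BOOTP_HDR, payload[:BOOTP_HDR_LEN])
    msg = {"op": op, "hops": hops, "xid": xid, "yiaddr": str(IPv4Address(yiaddr)),
           "giaddr": str(IPv4Address(giaddr)), "chaddr": chaddr[:hlen].hex(":")}
    opts = payload[BOOTP_HDR_LEN:]
    if opts[:4] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    i = 4
    while i < len(opts):
        code = opts[i]
        if code == 255:  # End option
            break
        if code == 0:    # Pad option has no length byte
            i += 1
            continue
        length = opts[i + 1]
        value = opts[i + 2:i + 2 + length]
        if code == 53:
            msg["type"] = MSG_TYPES.get(value[0], value[0])
        elif code == 54:
            msg["server_id"] = str(IPv4Address(value))
        i += 2 + length
    return msg


def check_relayed_reply(datagram, relay_ip, expected_server):
    """Validate a server->relay reply as seen on the relay; return (decoded, problems).

    datagram is a dict with the IP/UDP envelope and the DHCP payload, as read off a capture.
    """
    msg = parse_dhcp(datagram["payload"])
    problems = []
    if msg["op"] != BOOTREPLY:
        problems.append("not a BOOTREPLY")
    if msg["giaddr"] != relay_ip or datagram["dst_ip"] != relay_ip:
        problems.append("reply is not addressed to this relay (giaddr/destination mismatch)")
    if datagram["dport"] != DHCP_SERVER_PORT:
        problems.append("relayed replies must arrive on UDP 67 at the relay")
    if datagram["src_ip"] != expected_server:
        problems.append(f"IP source {datagram['src_ip']} is not the DHCP server "
                        f"{expected_server}: the source was rewritten in transit (NAT?)")
    if "server_id" in msg and msg["server_id"] != datagram["src_ip"]:
        problems.append(f"Server Identifier {msg['server_id']} disagrees with IP source "
                        f"{datagram['src_ip']}")
    return msg, problems


if __name__ == "__main__":
    offer = build_dhcp(BOOTREPLY, 0x1234, b"\x00\x11\x22\x33\x44\x55",
                       "10.2.2.1", "10.3.3.50", 2, "10.1.1.10")
    # As the server sends it (constructed): source is the DMZ DHCP server.
    good = {"src_ip": "10.1.1.10", "dst_ip": "10.2.2.1", "sport": 67, "dport": 67, "payload": offer}
    # As the VPN relay sees it when the source was NATed to the firewall's public IP (constructed).
    bad = dict(good, src_ip="203.0.113.1")
    for name, dg in (("server side", good), ("relay side", bad)):
        msg, problems = check_relayed_reply(dg, "10.2.2.1", "10.1.1.10")
        print(name, msg["type"], msg["yiaddr"], problems or "OK")
```

Run against the two constructed datagrams, the server-side copy passes and the relay-side copy reports both the rewritten IP source and the mismatch between that source and the Server Identifier option, which is the same distinction the two Wireshark captures in the question show.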