At first glance, Sophos UTM’s DHCP server capabilities look very simple. However, you can unlock a more robust DHCP feature set if you know where to look and what to set. This article will take you through some of these hidden DHCP features you might want to use.
Features such as:
- Defining custom DHCP options
- Changing the primary DNS server or introducing a secondary NTP server for specific networks.
- Creating static leases
- Configuring a DHCP Relay
Depending on your network, you will have varying requirements for Dynamic Host Configuration Protocol (DHCP). Large companies will almost always have Active Directory Integrated or standalone DHCP servers, whereas smaller networks may only have Sophos UTM as both the router and DHCP server.
As you start to define VPN or WiFi networks, you will find yourself needing to choose between using the UTM as a DHCP server or using it as a DHCP forwarder to pass on to a full DHCP server.
Before you choose to forward DHCP to another server, read this article to make sure you’re aware of the full capabilities of Sophos UTM’s DHCP functionality, as some of it is a little hidden away.
If you are coming from a Windows Server DHCP perspective, the first thing you need to know is that Sophos UTM uses different terminology. The following list defines the Windows term and the Sophos UTM term.
- A DHCP scope is known as a DHCP server.
- Reservations are known as Static Mappings.
- Scope Options are called Server Options.
- Server Options are called Global Options.
Configure the Sophos UTM DHCP server
Before you can define a DHCP scope, you need an interface to connect it to. This interface could be physical or it could be a VPN segment or VLAN. You also can edit an existing server in this step.
In this example, I am going to edit a scope that was created for a RED deployment.
- Browse to Network Services | DHCP | Servers.
- Edit an existing server.
- Interface: Selecting this autofills some fields for you, based on the interface.
- The Range start and end are based on the interface’s address and subnet.
- Domain is the appended Domain suffix setting for DNS queries.
- Lease time (in seconds): The default is 24 hours, which is relatively short. Once stable, I suggest changing it to something longer, perhaps a week (604800).
- Expanding advanced allows you to enable HTTP Proxy Auto Configuration.
Setting the Start range and End range allows you to exclude certain IPs. Here, I excluded the first 10 IP addresses for non-DHCP clients in addition to excluding the last 10 IPs in the range.
Because it is a RED, the DNS server would be itself by default, but if your rules permit, you can specify the DNS servers directly as I have done here.
The default gateway for this network segment is the RED’s own IP. Normally you would not change this but you can if you want to.
A nice touch here is how easy it is to enable HTTP Proxy Auto Configuration. This defines DHCP Option 252 and gives it the value of http://gatewayip:8080/wpad.dat. This is handy for clients set to automatically detect proxy settings.
Defining and assigning additional DHCP options
Having your client devices receive additional configuration through DHCP is useful, especially for tasks such as changing the primary DNS server or introducing a secondary NTP server. These additional configuration settings are called “options” and each consists of a code and a value. The value can be a string, an integer, or hex. Options can then be applied to a specific subnet or globally to all of them.
Sophos UTM makes this possible on the Options tab. Simply define your additional options, then assign the Scope as Server (scope options in Windows) or Global (server options in Windows). When testing, be aware that regardless of which options you define, Sophos UTM will only send the options the client requests.
- Browse to Network Services | DHCP | Options.
- Click + New DHCP Option.
- Select a code.
- Specify a Name.
- Select the type (IP, Text, Hex, Integer).
- Specify the value.
- Specify the scope (Server, Global, Host, Mac Prefix, Vendor ID).
- Click Save.
- Enable the option from the list.
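The option encoding and the “only requested options are sent” behaviour described above, as an added Python example (not Sophos code; the option codes are the standard RFC 2132 ones, the addresses, WPAD URL and the client’s Parameter Request List are constructed):

```python
import ipaddress
import struct

# RFC 2132 option codes; 252 is the de facto WPAD code the UTM's proxy auto-config setting uses
OPT_DNS, OPT_NTP, OPT_PRL, OPT_WPAD, OPT_END = 6, 42, 55, 252, 255


def encode_option(code: int, opt_type: str, value) -> bytes:
    """Encode one option as code/length/value, mirroring the UTM's IP/Text/Hex/Integer types."""
    if opt_type == "IP":                      # one address or a list of them, 4 bytes each
        addrs = value if isinstance(value, list) else [value]
        payload = b"".join(ipaddress.IPv4Address(a).packed for a in addrs)
    elif opt_type == "Text":
        payload = value.encode("ascii")
    elif opt_type == "Hex":
        payload = bytes.fromhex(value)
    elif opt_type == "Integer":               # 32-bit big-endian
        payload = struct.pack("!I", value)
    else:
        raise ValueError(f"unknown option type {opt_type!r}")
    if not 0 < len(payload) < 256:            # the length field is a single byte
        raise ValueError("option value must be 1..255 bytes")
    return bytes([code, len(payload)]) + payload


def decode_options(blob: bytes) -> dict:
    """Parse a code/length/value blob into {code: raw value}, as a client would."""
    out, i = {}, 0
    while i < len(blob) and blob[i] != OPT_END:
        code, length = blob[i], blob[i + 1]
        out[code] = blob[i + 2:i + 2 + length]
        i += 2 + length
    return out


def build_reply_options(defined: dict, client_options: bytes) -> bytes:
    """Emit only the defined options the client listed in its Parameter Request List (55):
    a defined-but-unrequested option never reaches the client, which is what the note above warns."""
    requested = decode_options(client_options).get(OPT_PRL, b"")
    body = b"".join(defined[code] for code in requested if code in defined)
    return body + bytes([OPT_END])


# Constructed sample: options an admin might define on the Options tab (addresses are made up)
DEFINED = {
    OPT_DNS: encode_option(OPT_DNS, "IP", ["192.0.2.10", "192.0.2.11"]),
    OPT_NTP: encode_option(OPT_NTP, "IP", "192.0.2.20"),
    OPT_WPAD: encode_option(OPT_WPAD, "Text", "http://192.0.2.1:8080/wpad.dat"),
}
# Constructed client request carrying a Parameter Request List for 1, 3, 6 and 252 (not 42)
CLIENT_OPTIONS = encode_option(OPT_PRL, "Hex", "010306fc") + bytes([OPT_END])
```

Running `decode_options(build_reply_options(DEFINED, CLIENT_OPTIONS))` returns the DNS and WPAD options but not the NTP option, because the constructed client never asked for code 42.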
Testing the DHCP options
A great way to check which setting you have received from your DHCP server is to simply check the network configuration.
From a Windows machine you can use the following, and it will show you most of the info:
If, however, you are using a non-standard option, such as 252, you can check it on Mac OS X with:
ipconfig getpacket en0
This will show you the options your machine has requested and received.
If you want a client to always retain the same IP address, you can define a reservation or a static mapping for it.
There are two ways to do this.
- Create a network definition:
You can manually create a reservation using the client’s MAC address, then connect the client. This has the advantage that the host will get the predetermined IP address you give it, but there is a fair amount to configure and type.
- Create a static DHCP lease:
The second method relies on the client to come up and take a lease. You then simply convert that lease to a static mapping. This method is much easier, and there is less chance of errors.
Method 1: Create a network definition
- Browse to Definitions & Users | Network Definitions | +New Network Definition.
- Specify an object name.
- Type: Host.
- DHCP Settings: select a server.
- Specify the MAC address.
- DNS Setting: specify the FQDN DNS name for the client.
- Click Save.
Method 2: Create a static DHCP lease
- Browse to Network Services | DHCP | IPv4 Lease Table.
- Locate the device you want to convert and click +Make Static.
- Enter the object name.
- Specify an FQDN DNS name.
- Click Save.
Managing your DHCP reservations
You can list, check and manage your DHCP reservations by:
- Browsing to Definitions & Users | Network Definitions.
- From the drop-down list, select Show hosts with static mappings or Show hosts without static mapping.
- You can also use the Search option in combination with the drop-down selection.
Sophos UTM Unified Host Object
The reservation created with either method contains both DNS and DHCP information. Because of this, Sophos UTM no longer needs explicit DHCP and DNS objects. It is a single unified object that contains the information that can be used in rules. For more on this, check out the Sophos Knowledge base article: How to create a ‘Unified Host Object’ in your Sophos UTM.
Clients with static mappings only
Another advanced DHCP server setting is the Clients with static mappings only option that is available when adding or editing your server in Network Services | DHCP | Servers.
The Clients with static mappings only option prevents the DHCP server from issuing an IP to a client on the network unless you have explicitly defined that client. This is handy in an environment with poor physical security around network points, where someone could simply walk by and plug in.
Someone could, of course, assign a static IP on the device with the correct network and subnet, but at least you are not advertising that information.
If you decide to use Sophos UTM for connectivity but would like to use your existing DHCP server, you can do so by configuring the UTM as a DHCP relay agent. This instructs Sophos UTM to pass the requests on to your DHCP server. You need a DHCP relay to explicitly listen for and forward DHCP DORA requests because DHCP relies on broadcasts, which are not normally routed.
On your existing DHCP server (not the UTM) you need to define a scope with the relevant ranges, exclusions, reservations and options.
On the UTM, make the following changes:
- Browse to Network Services | DHCP | Relay tab.
- Toggle the switch to On.
- Specify your existing DHCP server by defining a new host or selecting it.
- Select the interfaces for relaying requests.
- Click Apply.
- The toggle switch will turn green.
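What the relay actually does to a client’s broadcast, and how the existing server then matches it to the scope you defined in the previous step, as an added Python example (not Sophos code; the interface, server and scope addresses, the MAC and the hop limit of 4, which is RFC 1542’s recommended default, are all assumptions):

```python
import ipaddress
import struct

# Fixed BOOTP/DHCP header up to giaddr (RFC 2131): op, htype, hlen, hops, xid, secs, flags,
# ciaddr, yiaddr, siaddr, giaddr. chaddr, sname, file and the options are passed through untouched.
BOOTP_FMT = "!BBBBIHH4s4s4s4s"
BOOTP_LEN = struct.calcsize(BOOTP_FMT)     # 28 bytes
BOOTREQUEST, ZERO_ADDR = 1, b"\x00" * 4
MAX_HOPS = 4                               # assumed hop limit (RFC 1542's recommended default)


def relay_request(packet: bytes, relay_if_ip: str, server_ip: str):
    """Relay a client's broadcast request as a unicast to the real DHCP server.
    Returns (rewritten packet, (dst_ip, dst_port)), or None when the packet is dropped."""
    f = list(struct.unpack(BOOTP_FMT, packet[:BOOTP_LEN]))
    if f[0] != BOOTREQUEST or f[3] >= MAX_HOPS:   # only client->server traffic, bounded hops
        return None
    if f[10] == ZERO_ADDR:
        # The first relay stamps giaddr with the address of the interface it heard the
        # broadcast on; the server picks the scope from this, not from the packet's source IP.
        f[10] = ipaddress.IPv4Address(relay_if_ip).packed
    f[3] += 1                                      # hops
    return struct.pack(BOOTP_FMT, *f) + packet[BOOTP_LEN:], (server_ip, 67)


def select_scope(packet: bytes, scopes: dict):
    """Server side: pick the scope whose subnet contains giaddr. A request with giaddr 0.0.0.0
    came from a directly attached client and is not handled here (returns None)."""
    giaddr = ipaddress.IPv4Address(struct.unpack(BOOTP_FMT, packet[:BOOTP_LEN])[10])
    for subnet, name in scopes.items():
        if giaddr in ipaddress.IPv4Network(subnet):
            return name
    return None


def sample_discover() -> bytes:
    """Constructed DHCPDISCOVER as a client broadcasts it: hops 0, giaddr 0.0.0.0, broadcast flag set."""
    hdr = struct.pack(BOOTP_FMT, BOOTREQUEST, 1, 6, 0, 0x3903F326, 0, 0x8000,
                      ZERO_ADDR, ZERO_ADDR, ZERO_ADDR, ZERO_ADDR)
    chaddr = bytes.fromhex("001122334455").ljust(16, b"\x00")      # made-up MAC
    magic, opts = bytes([99, 130, 83, 99]), bytes([53, 1, 1, 255])  # message type DISCOVER, end
    return hdr + chaddr + b"\x00" * 192 + magic + opts


# Constructed scopes as they would be defined on the existing (non-UTM) DHCP server
SCOPES = {"192.0.2.0/24": "RED site scope", "198.51.100.0/24": "WiFi scope"}
```

With the relay’s interface at 192.0.2.1, `relay_request(sample_discover(), "192.0.2.1", "203.0.113.5")` yields a unicast to the server whose giaddr lands in the “RED site scope”; the same packet without relaying matches no scope.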
We have seen that the Sophos UTM DHCP functionality is quite full-featured. Now that you know where all the rich functionality hides, you can unlock and use these features.
You can define scope lease times, domain suffixes, DNS servers, time servers, as well as your own options. I prefer to let the Windows AD Integrated DHCP servers handle DHCP for my large network, but for anything attached to the UTM by means of WiFi, RED, or VPN I prefer using the UTM.
The built-in DHCP functionality is capable and sufficient for all but the most complex of DHCP duties.