Reconfig of dhcp.conf

Simon Hobson dhcp1 at
Thu Nov 26 09:00:08 UTC 2009

Chris Arnold wrote:

>So I know it is listening/sending on 192.168.124. Therefore, will I
>need a trust to dmz policy and a dmz to trust policy? I did that and
>it made no difference.

You will need the firewall to allow the relevant packets, AND act as 
a relay - it's not a simple matter of just forwarding packets, the 
relay agent modifies them as it goes. There may be a requirement for 
untrust->firewall, firewall->untrust, trust->firewall, and 
firewall->untrust permit rules - as well as untrust->trust and 
trust->untrust to allow unicast traffic between clients and server 
when it comes to renewal time.

>Would it be better to have dhcp on the trust network,

Since the server is already physically connected, it would seem the 
simplest way round it. Just turn off the relay agent in the firewall 
and configure the DHCP server to serve that subnet/segment directly.

Simon Hobson

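What "the relay agent modifies them as it goes" looks like at the packet level, as an added example that is not part of the original post: RFC 1542 relay handling of a client request, in Python. The function names, the sample MAC address and the 192.0.2.1 relay address are constructed for illustration.

```python
import socket
import struct

# Fixed 236-byte BOOTP header (RFC 951): op, htype, hlen, hops, xid, secs,
# flags, ciaddr, yiaddr, siaddr, giaddr, chaddr, sname, file
BOOTP_FMT = "!BBBBIHH4s4s4s4s16s64s128s"
BOOTP_LEN = struct.calcsize(BOOTP_FMT)
MAGIC = bytes([99, 130, 83, 99])   # DHCP magic cookie (RFC 2131)
MAX_HOPS = 16                      # RFC 1542: discard if hops exceeds 16
ZERO = b"\x00" * 4

def build_discover(mac: bytes, xid: int) -> bytes:
    """Constructed sample: the payload of a client's broadcast DHCPDISCOVER."""
    hdr = struct.pack(BOOTP_FMT, 1, 1, 6, 0, xid, 0, 0x8000,
                      ZERO, ZERO, ZERO, ZERO, mac, b"", b"")
    return hdr + MAGIC + bytes([53, 1, 1, 255])  # option 53 = DISCOVER, end

def relay_request(pkt: bytes, relay_ip: str):
    """Return the request as a relay would forward it, or None if dropped."""
    if len(pkt) < BOOTP_LEN:
        return None
    f = list(struct.unpack(BOOTP_FMT, pkt[:BOOTP_LEN]))
    op, hops, giaddr = f[0], f[3], f[10]
    if op != 1 or hops > MAX_HOPS:   # only BOOTREQUEST, and not looping
        return None
    f[3] = hops + 1                  # every relay increments hops
    if giaddr == ZERO:               # only the first relay stamps giaddr
        f[10] = socket.inet_aton(relay_ip)
    # Options after the fixed header are passed through unchanged here.
    return struct.pack(BOOTP_FMT, *f) + pkt[BOOTP_LEN:]

def giaddr_of(pkt: bytes) -> str:
    return socket.inet_ntoa(struct.unpack(BOOTP_FMT, pkt[:BOOTP_LEN])[10])

def hops_of(pkt: bytes) -> int:
    return pkt[3]

if __name__ == "__main__":
    discover = build_discover(bytes.fromhex("020000000001"), 0x1234)
    relayed = relay_request(discover, "192.0.2.1")
    print("before:", giaddr_of(discover), "hops", hops_of(discover))
    print("after: ", giaddr_of(relayed), "hops", hops_of(relayed))
```

The server selects the subnet from giaddr and unicasts its reply to that address, so the firewall's own interface is an endpoint of the exchange and needs permit rules of its own.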

More information about the dhcp-users mailing list