Reconfig of dhcp.conf
carnold at electrichendrix.com
Thu Nov 26 12:43:33 UTC 2009
On 11/26/09 4:00 AM, "Simon Hobson" <dhcp1 at thehobsons.co.uk> wrote:
> Chris Arnold wrote:
>> So I know it is listening/sending on 192.168.124. Therefore, will
>> need a trust to dmz policy and a dmz to trust policy? I did that and
>> made no difference.
> You will need the firewall to allow the relevant packets, AND act as
> a relay - it's not a simple matter of just forwarding packets, the
> relay agent modifies them as it goes. There may be a requirement for
> untrust->firewall, firewall->untrust, trust->firewall, and
> firewall->untrust permit rules - as well as untrust->trust and
> trust->untrust to allow unicast traffic between clients and server
> when it comes to renewal time.
>> Would it be better to have dhcp on the trust network, 192.168.123.0?
> Since the server is already physically connected, it would seem the
> simplest way round it. Just turn off the relay agent in the firewall
> and configure the DHCP server to serve that subnet/segment directly.
All this would be fine, but even the clients on the dmz (which is where the
dhcp server is; there should be no need of a policy for this) are not
getting IPs. So, I am back at square 1, not sure if this is a dhcp issue or
a firewall issue.