ScreenOS Firewalls (NOT SRX)

DMZ does not permit DHCP Relay

‎10-14-2010 06:47 PM

I'm in the process of setting up a new SSG20 for our network, and have spent quite a few hours trying to figure out why the DHCP-relay failed for the DMZ zone, but worked for a Guest zone that was also set up on the firewall. After much poring over debug logs and trawling through the forums, it appears that DHCP-relay does not work from the standard DMZ setup.

I've already demonstrated that setting up an alternative DMZ zone works fine for DHCP-relay, but that made me wonder whether there was a valid reason for the restriction on the "out-of-the-box" DMZ.

Is there some obscure reason why DHCP-relay doesn't work in this situation? Is there any philosophical reason for not creating a custom DMZ that would allow DHCP-relay to work?

Many thanks,

Innes (NZ)

2 REPLIES

Re: DMZ does not permit DHCP Relay

‎10-15-2010 06:38 AM

There is an option within the zone which allows or disallows DHCP relay. I would assume you checked that, right? I do not have any particular opinion as to why DHCP relay would be worse than any other allowed service from the DMZ to the LAN, but as it is a service easily provided for in the firewall (or another DMZ host), I seldom find myself allowing it.

Ron


Re: DMZ does not permit DHCP Relay

‎10-15-2010 06:42 AM

unset zone dmz no-dhcp-relay

Ron