Why aren't DHCP addresses allowed to the Trust side?
This article applies to ScreenOS 4.0 and higher.
If the NetScreen is in transparent mode and configured for DHCP relay, the DHCP server's broadcast reply is received directly by the DHCP client without the NetScreen relay agent's involvement. In that case the client receives a reply with a src-port of 67 and a dst-port of 67. The packet is dropped because the client expects src-port 67 and dst-port 68 in a reply packet.
In a typical DHCP relay environment, the DHCP server responds to the DHCP relay agent IP that is sent in the initial boot request, not a broadcast address.
To allow DHCP addresses to be passed to the Trust side, use one of the following options:
- Configure the DHCP server so it is aware that DHCP requests are being relayed from a relay agent. This could be the case if the NetScreen is sitting behind a cable modem or DSL router. Configuring this option may not be possible on all DHCP servers; check with your DHCP server vendor.
- Disable the DHCP relay option so that the NetScreen operates at layer two and forwards these broadcasts between the DHCP server and client without involvement. There is no need for DHCP relay when the server is on the same IP subnet and in the same broadcast domain as the client.
A DHCP relay agent should not be configured for NetScreen devices that are in transparent mode.
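The port mismatch described above, modelled as an added example (not ScreenOS code and not from Juniper): a minimal UDP/BOOTP parser, a server that answers per RFC 2131 (to the relay address in giaddr on port 67 when a relay inserted itself, otherwise to the client on port 68), and a client that only accepts replies on port 68. The relay address 10.0.0.1 and the packet bytes are constructed for the demonstration.

```python
import struct
import socket

DHCP_SERVER_PORT, DHCP_CLIENT_PORT = 67, 68
BOOTREQUEST, BOOTREPLY = 1, 2
# BOOTP fixed header (RFC 2131 figure 1) up to and including giaddr (28 bytes)
_FIXED = "!BBBBIHH4s4s4s4s"

def build_udp_dhcp(src_port, dst_port, op, giaddr="0.0.0.0"):
    """Constructed sample packet: UDP header + BOOTP fixed header, no options."""
    bootp = struct.pack(_FIXED, op, 1, 6, 0, 0x3903F326, 0, 0x8000,
                        b"\0" * 4, b"\0" * 4, b"\0" * 4, socket.inet_aton(giaddr))
    bootp += b"\0" * (16 + 64 + 128)  # chaddr, sname, file (all zero here)
    udp = struct.pack("!HHHH", src_port, dst_port, 8 + len(bootp), 0)  # checksum left at 0
    return udp + bootp

def parse_udp_dhcp(packet):
    """Return the fields this example cares about: UDP ports, BOOTP op and giaddr."""
    src_port, dst_port, _, _ = struct.unpack("!HHHH", packet[:8])
    op, *_, giaddr = struct.unpack(_FIXED, packet[8:8 + 28])
    return {"src_port": src_port, "dst_port": dst_port, "op": op,
            "giaddr": socket.inet_ntoa(giaddr)}

def server_reply_for(request):
    """RFC 2131 section 4.1: a request carrying a relay IP in giaddr is answered to the
    relay on port 67; otherwise the reply goes to the client on port 68."""
    req = parse_udp_dhcp(request)
    if req["giaddr"] != "0.0.0.0":
        return build_udp_dhcp(DHCP_SERVER_PORT, DHCP_SERVER_PORT, BOOTREPLY, req["giaddr"])
    return build_udp_dhcp(DHCP_SERVER_PORT, DHCP_CLIENT_PORT, BOOTREPLY)

def client_accepts(reply):
    """A DHCP client listens only on UDP 68 and takes only BOOTREPLY from port 67."""
    r = parse_udp_dhcp(reply)
    return (r["op"] == BOOTREPLY and r["src_port"] == DHCP_SERVER_PORT
            and r["dst_port"] == DHCP_CLIENT_PORT)

def transparent_mode_outcome(relay_enabled, relay_ip="10.0.0.1"):
    """In transparent mode the server's reply reaches the client directly, whether or
    not the relay agent wrote its address into the request. Returns (ports, accepted)."""
    giaddr = relay_ip if relay_enabled else "0.0.0.0"  # relay_ip is a constructed value
    request = build_udp_dhcp(DHCP_CLIENT_PORT, DHCP_SERVER_PORT, BOOTREQUEST, giaddr)
    reply = server_reply_for(request)
    r = parse_udp_dhcp(reply)
    return (r["src_port"], r["dst_port"]), client_accepts(reply)

if __name__ == "__main__":
    print("relay on :", transparent_mode_outcome(True))   # ((67, 67), False): dropped by client
    print("relay off:", transparent_mode_outcome(False))  # ((67, 68), True): accepted
```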
To disable the DHCP relay agent, perform the following steps:
1. Open the WebUI. For an example of how to access the WebUI, consult: KB4060 - Accessing Your NetScreen, SSG, or ISG Firewall Using the WebUI
2. From the NetScreen options menu, click Network, and then click DHCP.
3. From the trust interface, click Edit.
4. From Interface: trust, click to select None.
5. Click OK.