Support Support Downloads Knowledge Base Case Manager My Juniper Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

[ScreenOS] How do I set up a DHCP relay through a VPN?



Article ID: KB7120 KB Last Updated: 19 Dec 2017Version: 9.0
This article provides information on how to obtain a DHCP address from a server on the other side of a VPN by using the DHCP Relay Agent.
  • Site-to-Site VPN works fine

  • DHCP Server configured on the other side of a VPN

Note: This article is applicable to ScreenOS 5.0 or later.

The ScreenOS device can be configured as a DHCP relay agent, which receives information from a DHCP server and relays that information to hosts on the trusted network. This example assumes that a Site to Site VPN has already been configured.


  • PC: DHCP enabled

  • Firewall A acting as a DHCP Relay Agent
    Trust IP address:
    Untrust IP address:
    Untrust Gateway:

  • Firewall B Acting or Connecting DHCP server
    Trust IP address:
    Untrust IP address:
    Untrust Gateway:
  • DHCP server:
    IP range: ~
    Subnet mask:
    Router (default gateway):

The DHCP Server can be Firewall B itself or any DHCP Server that is connected to its LAN. If using Firewall B as the DHCP Server, then it should not be a ScreenOS based device, as the architecture of ScreenOS does not allow the device to be used as a DHCP server in a DHCP relay environment.

For more information, refer to the following articles:

KB3390 - Can a NetScreen firewall be used as a DHCP server in a DHCP relay environment?
KB19962 - ScreenOS DHCP Server not responding to DHCP request sent by a DHCP Relay Agent

To set up a DHCP relay through a VPN, perform the following procedure:


  1. Go to Network > DHCP (List).
  2. On the DHCP list, click Edit for the interface for the trust zone:
  3. Click to select DHCP Relay Agent. In the Relay Agent Server IP or Domain Name: text box, enter
    You can configure up to four DHCP servers for the DHCP relay agent. The relay agent unicasts an address request from a DHCP client to all the configured DHCP servers. The relay agent then forwards all responses from the DHCP server. 
  4. Click to select Use Trust Zone Interface as Source IP for VPN
    This option will protect the relayed requests and responses between the security device and the DHCP server by encrypting and then transmitting them through a VPN tunnel.
  5. Click OK.


The CLI commands to do the same are as follows:
set interface (name) dhcp relay server-name ""
set interface (name) dhcp relay vpn
set interface (name) dhcp relay service
Modification History:
‚Äč2017-12-07: Article reviewed for accuracy. Removed end of life devices from category list. Article is correct and complete.
Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search