Tuesday, August 09, 2005

Q: I'm replacing a Cisco router with a Checkpoint firewall. How do I duplicate the "ip helper" feature for DHCP?

A:
There are two places this needs to be configured. The Nokia needs to be set up, via Voyager, to help with the DHCP process, and the Checkpoint rules need to be added to permit the DHCP traffic.

Nokia: Go into Voyager, click "config", and click "BOOTP Relay". Turn the relay "on" on the interface that will be hearing the DHCP broadcasts from the clients. Apply, then under "new server" put in the IP address you will be forwarding the DHCP requests to. You can add multiple servers.

Checkpoint: When a DHCP request happens, here's the mechanism. All ports are UDP:

1. The client sends a broadcast from no_ip:68 -> 255.255.255.255:67.
2. The Nokia hears this and sends a unicast from client-side_interface_ip:67 -> each DHCP server:67.
3. The DHCP server pings the prospective IP address to make sure it is unused.
4. The DHCP server sends the DHCP reply from DHCP_server:67 -> prospective_IP:68.

Later on, the DHCP client will also periodically send a request directly to the server to renew the lease: DHCP_client:68 -> DHCP_server:67.

So you need the following rules. I set up a node object for IP 255.255.255.255 and a group containing the DHCP server node objects. We also use the network object for the network the clients are on.

1. src any; dst all-ones; srv DHCP-udp-67; accept/log. Comment: "Allow host broadcasts for DHCP to reach firewall"
2. src the firewall object and the client networks; dst DHCP servers; srv DHCP-udp-67; accept/log. Comment: "Allow firewall to send DHCP requests to DHCP servers to obtain lease for clients, and allow clients to renew lease directly with DHCP servers"
3. src DHCP servers and the firewall object; dst the network(s) on which the clients are; srv DHCP-udp-68 and icmp-echo-request; accept/log. Comment: "Allow DHCP servers to ping prospective IP addresses and to send DHCP replies to hosts on protected segments"
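To sanity-check that the three rules really cover every packet in the relay exchange described above (and nothing more), here is an added example that models the rulebase and walks each step of the exchange through a first-match evaluator. This is illustrative code written for this page, not Checkpoint's own rule engine; the topology (client network 10.1.0.0/24, firewall client-side interface 10.1.0.1, DHCP servers 10.9.0.10 and 10.9.0.11, prospective client IP 10.1.0.50) is a constructed assumption.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# --- Network objects, modelled the way the post describes them ---------------
IPMatcher = Callable[[ipaddress.IPv4Address], bool]


def node(ip: str) -> IPMatcher:
    """A single host object (the post's 'node object')."""
    addr = ipaddress.ip_address(ip)
    return lambda a: a == addr


def network(cidr: str) -> IPMatcher:
    """A network object for a whole client segment."""
    net = ipaddress.ip_network(cidr)
    return lambda a: a in net


def group(*members: IPMatcher) -> IPMatcher:
    """A group object: matches if any member matches."""
    return lambda a: any(m(a) for m in members)


def any_host() -> IPMatcher:
    return lambda a: True


# --- Packets and services ------------------------------------------------------
@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str           # "udp" or "icmp"
    dport: int = 0       # UDP destination port (unused for ICMP)
    icmp_type: int = -1  # ICMP type; 8 is echo request


ServiceMatcher = Callable[[Packet], bool]


def udp(port: int) -> ServiceMatcher:
    return lambda p: p.proto == "udp" and p.dport == port


def icmp_echo_request() -> ServiceMatcher:
    return lambda p: p.proto == "icmp" and p.icmp_type == 8


def services(*svcs: ServiceMatcher) -> ServiceMatcher:
    return lambda p: any(s(p) for s in svcs)


@dataclass(frozen=True)
class Rule:
    name: str
    src: IPMatcher
    dst: IPMatcher
    srv: ServiceMatcher


def first_match(rules: List[Rule], pkt: Packet) -> str:
    """Return the name of the first accepting rule, else the implicit drop."""
    s = ipaddress.ip_address(pkt.src)
    d = ipaddress.ip_address(pkt.dst)
    for r in rules:
        if r.src(s) and r.dst(d) and r.srv(pkt):
            return r.name
    return "implicit-drop"


# --- Constructed topology (assumption, not from the post) ---------------------
FIREWALL = node("10.1.0.1")                 # Nokia's client-side interface
CLIENTS = network("10.1.0.0/24")            # segment the DHCP clients live on
DHCP_SERVERS = group(node("10.9.0.10"), node("10.9.0.11"))
ALL_ONES = node("255.255.255.255")

# The three rules from the post, in order.
RULEBASE = [
    Rule("1 host broadcasts to firewall", any_host(), ALL_ONES, udp(67)),
    Rule("2 relay and renew to servers", group(FIREWALL, CLIENTS), DHCP_SERVERS, udp(67)),
    Rule("3 server pings and replies", group(DHCP_SERVERS, FIREWALL), CLIENTS,
         services(udp(68), icmp_echo_request())),
]

# The exchange as the post describes it; the client has no address yet, so
# its broadcast is sourced from 0.0.0.0.
DHCP_EXCHANGE: List[Tuple[str, Packet]] = [
    ("client broadcast",          Packet("0.0.0.0", "255.255.255.255", "udp", dport=67)),
    ("relay unicast to server 1", Packet("10.1.0.1", "10.9.0.10", "udp", dport=67)),
    ("relay unicast to server 2", Packet("10.1.0.1", "10.9.0.11", "udp", dport=67)),
    ("server pings prospective IP", Packet("10.9.0.10", "10.1.0.50", "icmp", icmp_type=8)),
    ("server reply to client",    Packet("10.9.0.10", "10.1.0.50", "udp", dport=68)),
    ("client renews directly",    Packet("10.1.0.50", "10.9.0.10", "udp", dport=67)),
]


def check_exchange(rules: List[Rule] = RULEBASE,
                   exchange: List[Tuple[str, Packet]] = DHCP_EXCHANGE) -> Dict[str, str]:
    """Map each step of the exchange to the rule that accepts it."""
    return {label: first_match(rules, pkt) for label, pkt in exchange}


if __name__ == "__main__":
    for label, verdict in check_exchange().items():
        print(f"{label:28s} -> {verdict}")
    # A reply from a server that is not in the group is dropped: the group
    # object is what keeps unauthorised DHCP servers from reaching clients.
    print(first_match(RULEBASE, Packet("10.9.0.99", "10.1.0.50", "udp", dport=68)))
```

Running it shows every legitimate step landing on exactly one of the three rules, while a port-68 reply from an address outside the DHCP server group falls through to the implicit drop, which is the reason to use a tight group object rather than "any" as the source of rule 3.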
