DHCP relay behind a NAT device

  • 1
  • Question
  • Updated 5 years ago
  • Answered
Hi all,

I have a special question of configuration.

My client have a DHCP server on subnet behind a Firewall. Between them, we have switchs that route only the default vlan with the subnet He want to add HiveAP with static ip and DHCP for the wifi client.

The AP will get address on and they are directly connected to the Firewall on a specific interface. Wifi terminals will get address on The client want to use his actual DHCP server without adding any vlan on the switchs between the FW and the DHCP server.

On which terminal should i configure DHCP relay? The Firewall can route and make NAT. Should i make a policy on the firewall that NAT DHCPDiscover Frame from client to DHCP server?

Thank you all
Photo of Zakaria


  • 3 Posts
  • 0 Reply Likes

Posted 5 years ago

  • 1
Photo of Mike Kouri

Mike Kouri, Official Rep

  • 1027 Posts
  • 269 Reply Likes
I'm not following this. Could you post a sketch of the proposed network layout?
Photo of Andrew Garcia

Andrew Garcia, Official Rep

  • 368 Posts
  • 119 Reply Likes
I see some issues with your design, before we can talk about the DHCP relay.

Your AP will get an address from the native VLAN with address range You want to put your clients in another network ( To do this, you either need to put them in another VLAN, and configure that VLAN on any switches between the firewall and the AP. Or you can configure the SSID to put clients in a wireless NAT zone, so clients would be in a NAT subnet behind the AP's IP address. We support either scenario.

The DHCP server being in a different zone on the firewall presents additional complications. If you choose the VLAN approach, you may be able to configure a DHCP relay on the firewall, if it supports that feature. But if you choose the NAT approach, I believe you could configure a DHCP relay on each AP, and each AP will need to be able to route to the DHCP server in the other firewall zone.