Update: v19 and up brings GUI settings for DHCP options via the DHCP servers menu. Use that. For the many of you still stuck in the v17.5 or 18 dark ages, this is for you.
There are no GUI options for adding DHCP options to Sophos Firewall; the firewall supports DHCP options only through its CLI. DHCP options are additional network settings passed down to a client device – often this includes configuration for lightweight network devices such as VoIP handsets, wireless access points, and even network appliances.
To use these commands, log into the device via SSH or console. Select option 4 for Device console.
Commands
List available DHCP Options on Sophos Firewall
system dhcp dhcp-options show
Note: Although the show command lists only options 1 through 76, the firewall supports the full set of options defined in the RFC. Full list below.
Create a DHCP Option
It is unclear from the documentation when a DHCP option must be created; at a guess, an option only needs to be "created" if it is not visible in the show command above. I've never had to use this command, but it is included in the Sophos documentation.
system dhcp dhcp-options add optioncode [optioncode] optionname [optionname] optiontype [optiontype]
- optioncode: this is the DHCP option number (e.g. option 66)
- optionname: an arbitrary name
- optiontype: the type of data stored in the option. Documented values are string and ipaddress; other values are accepted but are not documented. String is the most common in my experience.
Adding/Binding a DHCP Option to a DHCP Server
system dhcp dhcp-options binding add dhcpname [DHCPservername] optionname [Optionname] [value]
- DHCPservername: the name of the DHCP server you are binding to (e.g. Default_DHCP_Server)
- optionname: The optionname, either set when creating the dhcp option, or found in the list of available options. (For example, TFTP_Server_Name)
- value: the value of the DHCP option you are adding. For strings, this must be in single quotes ('google.com'); for IP addresses, it is passed plain (192.168.1.21).
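As an added example (my own code, not from the page or from Sophos), a small Python helper that builds the binding add/delete lines above and enforces the value formatting the page states (single quotes for strings, a bare IPv4 address for ipaddress options) before anything is pasted into the device console. TFTP_Server_Name and Default_DHCP_Server come from the page; the option name Swap_Server and the name-character rule are assumptions.

```python
import ipaddress
import re

# Names safe to paste into the device console as one argument (letters, digits,
# underscore, hyphen, dot). A conservative check of my own, not a Sophos rule.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_.-]+$")

def value_error(optiontype, value):
    """Return what is wrong with value for this optiontype, or None if usable.

    The page gives two formats: string values are single-quoted, IP address
    values are passed bare. Anything else is rejected rather than guessed.
    """
    if optiontype == "string":
        if "'" in value or "\n" in value:
            return "string values must not contain single quotes or newlines"
        return None
    if optiontype == "ipaddress":
        try:
            ipaddress.IPv4Address(value)
        except ValueError:
            return f"{value!r} is not an IPv4 address"
        return None
    return f"unsupported optiontype {optiontype!r}"

def _checked_name(name):
    if not SAFE_NAME.match(name):
        raise ValueError(f"unsafe console argument {name!r}")
    return name

def format_value(optiontype, value):
    err = value_error(optiontype, value)
    if err:
        raise ValueError(err)
    return f"'{value}'" if optiontype == "string" else value

def binding_add(dhcpname, optionname, optiontype, value):
    """Build the page's 'binding add' line with the value quoted per its type."""
    return (f"system dhcp dhcp-options binding add dhcpname {_checked_name(dhcpname)} "
            f"optionname {_checked_name(optionname)} {format_value(optiontype, value)}")

def binding_delete(dhcpname, optionname):
    return (f"system dhcp dhcp-options binding delete dhcpname {_checked_name(dhcpname)} "
            f"optionname {_checked_name(optionname)}")

def provisioning_batch(dhcpname, bindings):
    """One CLI line per (optionname, optiontype, value), e.g. a VoIP handset set."""
    return [binding_add(dhcpname, *b) for b in bindings]
```

The generated lines are pasted into the device console one at a time; how the firewall expects multi-address (array) values to be entered is not covered by the page, so the helper accepts only a single address.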
Unbind a DHCP Option from a DHCP Server
system dhcp dhcp-options binding delete dhcpname [DHCPservername] optionname [optionname]
- DHCPservername: same as previous
- Optionname: same as previous
Delete a DHCP Option
system dhcp dhcp-options delete optioncode [optioncode] optionname [optionname]
Available DHCP Options
These tables are directly from Sophos’ documentation. You can find the original version here.
Sophos Firewall Supported DHCP Options IPv4
Option Number | Name | Description | Data Type |
---|---|---|---|
2 | Time offset | Time offset in seconds from UTC | Four-byte numeric value |
4 | Time servers | N/4 time server addresses | Array of IP addresses |
5 | Name servers | N/4 IEN-116 server addresses | Array of IP addresses |
7 | Log servers | N/4 logging server addresses | Array of IP addresses |
8 | Cookie servers | N/4 quote server addresses | Array of IP addresses |
9 | LPR servers | N/4 printer server addresses | Array of IP addresses |
10 | Impress servers | N/4 impress server addresses | Array of IP addresses |
11 | RLP servers | N/4 RLP server addresses | Array of IP addresses |
12 | Host name | Hostname string | String |
13 | Boot file size | Size of boot file in 512 byte chunks | Two-byte numeric value |
14 | Merit dump file | Client to dump and name of file to dump to | String |
16 | Swap server | Swap server addresses | IP address |
17 | Root path | Path name for root disk | String |
18 | Extension file | Path name for more BOOTP info | String |
19 | IP layer forwarding | Enable or disable IP forwarding | Boolean |
20 | Src route enabler | Enable or disable source routing | Boolean |
22 | Maximum DG reassembly size | Maximum datagram reassembly size | Two-byte numeric value |
23 | Default IP TTL | Default IP time-to-live | One-byte numeric value |
24 | Path MTU aging timeout | Path MTU aging timeout | Four-byte numeric value |
25 | MTU plateau | Path MTU plateau table | Array of two-byte numeric values |
26 | Interface MTU Size | Interface MTU size | Two-byte numeric value |
27 | All subnets are local | All subnets are local | Boolean |
28 | Broadcast address | Broadcast address | IP address |
29 | Perform mask discovery | Perform mask discovery | Boolean |
30 | Provide mask to others | Provide mask to others | Boolean |
31 | Perform router discovery | Perform router discovery | Boolean |
32 | Router solicitation address | Router solicitation address | IP address |
34 | Trailer encapsulation | Trailer encapsulation | Boolean |
35 | ARP cache timeout | ARP cache timeout | Four-byte numeric value |
36 | Ethernet encapsulation | Ethernet encapsulation | Boolean |
37 | Default TCP TTL | Default TCP TTL | One-byte numeric value |
38 | TCP keepalive interval | TCP keepalive interval | Four-byte numeric value |
39 | TCP keepalive garbage | TCP keepalive garbage | Boolean |
40 | NIS domain name | NIS domain name | String |
41 | NIS server addresses | NIS server addresses | Array of IP addresses |
42 | NTP servers addresses | NTP servers addresses | Array of IP addresses |
43 | Vendor specific information | Vendor specific information | String |
45 | NetBIOS datagram distribution | NetBIOS datagram distribution | Array of IP addresses |
46 | NetBIOS node type | NetBIOS node type | One-byte numeric value |
47 | NetBIOS scope | NetBIOS scope | String |
48 | X window font server | X window font server | Array of IP addresses |
49 | X window display manager | X window display manager | Array of IP addresses |
50 | Requested IP address | Requested IP address | IP address |
51 | IP address lease time | IP address lease time | Four-byte numeric value |
52 | Option overload | Overload “sname” or “file” | One-byte numeric value |
53 | DHCP message type | DHCP message type | One-byte numeric value |
55 | Parameter Request List | Parameter request list | Array of one-byte numeric values |
56 | Message | DHCP error message | String |
57 | DHCP maximum message size | DHCP maximum message size | Two-byte numeric value |
58 | Renew time value | DHCP renewal (T1) time | Four-byte numeric value |
59 | Rebinding time value | DHCP rebinding (T2) time | Four-byte numeric value |
60 | Client identifier | Client identifier | String |
61 | Client identifier | Client identifier | String |
62 | Netware/IP domain name | Netware/IP domain name | String |
64 | NIS+ V3 client domain name | NIS+ V3 client domain name | String |
65 | NIS+ V3 server address | NIS+ V3 server address | Array of IP addresses |
66 | TFTP server name | TFTP server name | String |
67 | Boot file name | Boot file name | String |
68 | Home agent addresses | Home agent addresses | Array of IP addresses |
69 | Simple mail server addresses | Simple mail server addresses | Array of IP addresses |
70 | Post office server addresses | Post office server addresses | Array of IP addresses |
71 | Network news server addresses | Network news server addresses | Array of IP addresses |
72 | WWW server addresses | WWW server addresses | Array of IP addresses |
73 | Finger server addresses | Finger server addresses | Array of IP addresses |
74 | Chat server addresses | Chat server addresses | Array of IP addresses |
75 | StreetTalk server addresses | StreetTalk server addresses | Array of IP addresses |
76 | StreetTalk directory assistance addresses | StreetTalk directory assistance addresses | Array of IP addresses |
120 | SIP server | The SIP server DHCP option carries a 32-bit (binary) IPv4 address used by the SIP client to locate a SIP server. | Array of IP addresses |
Sophos Firewall Supported DHCP Options IPv6
Option Number | Name | Description | Data Type |
---|---|---|---|
21 | SIP servers names | The domain names of the SIP outbound proxy servers for the client to use | Alphanumeric text with/without quotes |
22 | SIP servers addresses | Specifies a list of IPv6 addresses indicating SIP outbound proxy servers available to the client | Alphanumeric text with/without quotes |
24 | Domain search | Specifies the domain search list the client is to use when resolving hostnames with DNS | Alphanumeric text with/without quotes |
27 | NIS servers | Provides a list of one or more IPv6 addresses of NIS servers available to the client | Alphanumeric text with/without quotes |
28 | NISP servers | Provides a list of one or more IPv6 addresses of NIS+ servers available to the client | Alphanumeric text with/without quotes |
29 | NIS domain name | Used by the server to convey client’s NIS Domain Name info to the client | Alphanumeric text with/without quotes |
30 | NISP domain name | Used by the server to convey client’s NIS+ Domain Name info to the client | Alphanumeric text with/without quotes |
31 | SNTP servers | Provides a list of one or more IPv6 addresses of SNTP servers available to the client for synchronization | Alphanumeric text with/without quotes |
32 | INFO refresh time | Specifies an upper bound for how long a client should wait before refreshing information retrieved from DHCPv6 | Alphanumeric text with/without quotes |
33 | BCMS server D | Broadcast and Multicast service controller domain name list option for DHCPv6 | Alphanumeric text with/without quotes |
34 | BCM server A | Broadcast and Multicast service controller IPv6 address option for DHCPv6 | Alphanumeric text with/without quotes |
Useful Reference & PDF versions:
https://support.sophos.com/support/s/article/KB-000035918?language=en_US
(Written as of SFOS 18.5.2 MR2/Tested on Sophos Firewall XG 210)