Which scope the DHCP server uses to assign addresses to incoming requests is up to the server, but most often it assigns them based on the interface the request came in on, or, in the case of unicast requests, based on the source address.
You would need to also enable "Use proxy ARP" and "Restrict ranges" in the same screen you sent the screenshot of, and define the range matching the scope behind both of the two buttons on the right. "Use local relay" should not be necessary. It forces unicast requests to be used even with a directly connected DHCP server.
The DHCP relay subpolicy is no longer necessary with 5.8; the same is done with automatic rules.
In the access rule you have, put the address range matching the scope also in the source field, and in the "source VPN" field on the far right, put the client VPN element involved. This is the most explicit way to configure an mVPN rule.
Please use the log browser to check for any related errors when the client connection is attempted.
Thanks for your answer. As far as I know, the DHCP Server on Windows 2k3 and 2k8 uses the Relay Agent IP Address information to find which scope is used. So in this VPN Client case, there's no way to assign an IP address that is outside 10.0.2.0/24 to the VPN Client, right? In the real world, when the gateway uses a public IP address, the DHCP Request from the VPN Client will hit the outside interface (that uses the public IP address) and Relay Agent IP Address = outside interface's IP address --> we have to assign an IP address that belongs to the outside interface's subnet, which is impossible and nonsense.
By the way, I didn't see any DHCP policy in the automatic rules in my NGFW:
Thanks and Regards!
The VPN Client does not use DHCP-over-IPsec, so there is no DHCP Request from the client. The client requests the virtual IP from the gateway through IKE mode-cfg. The gateway then requests the DHCP lease from the DHCP server for the client. You can select the interface for DHCP relay in the engine properties, VPN > VPN Client section. That selection defines the source IP (and relay agent IP) used when sending the DHCP Request to the DHCP Server (if unicast is used). The DHCP packets themselves sent by the firewall are routed to the DHCP server based on the routing table (not through the interface you selected in the VPN Client settings).
You can also select an interface that is not directly facing the DHCP Server for relay, as long as the server is able to route its answer back to the firewall. So, for example, in this case if you select 10.0.2.51 as the "interface for DHCP Relay", and the DHCP Server has a 10.0.2.0 scope and routes packets directed at 10.0.2.51 back to the firewall (e.g. the firewall is the default gateway for the server), then there should be no problem and the VPN Client receives a virtual IP from the 10.0.2.0 scope.
This means you can even create a dummy VLAN or tunnel interface that has IP from the scope that you want to use, and select that as the "interface for DHCP Relay".
>By the way, I didn't see any DHCP policy in the automatic rules in my NGFW:
The rules are still created even though they are not listed there; this issue (i.e. missing DHCP Relay in the automatic rule summary) should be fixed in a future release.
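To make the scope-selection behaviour discussed in this thread concrete (the server keys on the relay agent IP, giaddr, of a relayed request, and on the receiving interface when giaddr is zero), here is an added example that is not part of the original posts or of any vendor's code. It builds a minimal BOOTP/DHCP header with a chosen giaddr, as the firewall's relay would, and shows which scope a server configured like the one in this thread would pick; the scope list, the 203.0.113.10 "outside" address and the MAC are constructed sample values.

```python
import ipaddress
import struct

# Scopes the DHCP server is configured with (constructed sample; 10.0.2.0/24 is the one from the thread)
SCOPES = [ipaddress.ip_network("10.0.2.0/24"), ipaddress.ip_network("192.168.50.0/24")]


def build_dhcp_request(xid: int, giaddr: str, chaddr: bytes) -> bytes:
    """Minimal BOOTP/DHCP fixed header (RFC 2131 layout, no options) with the given giaddr.
    This is what the firewall's relay sends on the client's behalf: giaddr is set to the
    address of the interface selected as "interface for DHCP Relay"."""
    op, htype, hlen, hops = 1, 1, 6, 1  # BOOTREQUEST, Ethernet hardware address, one relay hop
    secs, flags = 0, 0
    zero4 = b"\x00" * 4
    header = struct.pack("!BBBBIHH", op, htype, hlen, hops, xid, secs, flags)
    return (header
            + zero4 + zero4 + zero4              # ciaddr, yiaddr, siaddr
            + ipaddress.ip_address(giaddr).packed  # giaddr at offset 24
            + chaddr.ljust(16, b"\x00")          # chaddr
            + b"\x00" * 64 + b"\x00" * 128       # sname, file
            + b"\x63\x82\x53\x63")               # DHCP magic cookie


def relay_agent_ip(packet: bytes) -> str:
    """Extract giaddr (bytes 24..28 of the BOOTP header)."""
    return str(ipaddress.ip_address(packet[24:28]))


def select_scope(packet: bytes, receiving_interface_ip: str):
    """Server-side selection as described in the thread: a relayed request (giaddr != 0)
    is matched to the scope containing giaddr; a directly received one to the scope
    containing the interface it arrived on. Returns None when no scope matches,
    which is the "public outside interface as relay" failure the poster ran into."""
    gi = ipaddress.ip_address(relay_agent_ip(packet))
    key = gi if int(gi) != 0 else ipaddress.ip_address(receiving_interface_ip)
    for scope in SCOPES:
        if key in scope:
            return scope
    return None


if __name__ == "__main__":
    mac = bytes.fromhex("001122334455")  # constructed client MAC
    for gi in ("10.0.2.51", "203.0.113.10", "0.0.0.0"):
        pkt = build_dhcp_request(0x1234, gi, mac)
        print(f"giaddr={relay_agent_ip(pkt):<13} -> scope {select_scope(pkt, '10.0.2.1')}")
```

Selecting 10.0.2.51 as the relay interface yields the 10.0.2.0/24 scope, while the public outside address matches nothing, which is exactly why the dummy VLAN or tunnel interface trick above works.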
You're absolutely right!!
Thank you guys!