CLI:Example for Configuring the Device as a DHCP Client

Networking Requirements

Figure 1 shows that a FW functions as an egress gateway and connect PCs in an intranet to the Internet. The network plan is as follows:

An administrator manually specifies an IPv4 address for each PC on the network segment 10.3.0.0/24.
An interface with a static IPv4 address connects the FW to the intranet.
Another interface on the FW that functions as a DHCP client applies for a client IPv4 address and a DNS server IP address from a DHCP server and connects the intranet to the Internet.

Figure 1 Networking diagram for accessing the Internet using DHCP

Configuration Roadmap

The configuration roadmap is as follows:

Enable the DHCP client function on GigabitEthernet 0/0/1 of the FW to obtain a client IPv4 address and a DNS server address from a DHCP server.
Specify a static IPv4 address on GigabitEthernet 0/0/3 that connects the FW to the intranet.
Configure a security policy and a NAT policy (easy-IP) on the FW.
Set the IP addresses of the PCs' gateway and a DNS server to 10.3.0.1. This example provides the configuration procedure on the FW. The configuration procedure for the PCs is not provided.

After the FW obtains an IPv4 address from a DHCP server, the DHCP server issues a default route to the FW that function as a DHCP client. The next hop of the default route is a carrier's device. Therefore, there is no need to configure a default route.

To configure a specific route, you can configure a static route and specify GigabitEthernet 0/0/1 (a DHCP client has been configured on the interface) as the outbound interface. You do not need to specify the next-hop address. The device uses the gateway address obtained by the outbound interface from the DHCP server as the next-hop address. You can run the display dataplane-fib command to view the next-hop address in the routing table.

Procedure

Configure the IP address of the interface and assign the interfaces to the security zones.

<FW> system-view
[FW] interface GigabitEthernet 0/0/3
[FW-GigabitEthernet0/0/3] ip address 10.3.0.1 24
[FW-GigabitEthernet0/0/3] quit
[FW] firewall zone trust
[FW-zone-trust] add interface GigabitEthernet 0/0/3
[FW] firewall zone untrust
[FW-zone-untrust] add interface GigabitEthernet 0/0/1
[FW-zone-untrust] quit

Configure the DNS proxy function.

[FW] dns proxy enable
[FW] dns resolve
[FW] dns server unnumbered interface GigabitEthernet 0/0/1

Configure GigabitEthernet 0/0/1 as a DHCP client.

[FW] interface GigabitEthernet 0/0/1
[FW-GigabitEthernet0/0/1] ip address dhcp-alloc
[FW-GigabitEthernet0/0/1] quit

Configure a security policy to allow the PCs to access the Internet.

[FW] security-policy
[FW-policy-security] rule name policy_sec_1
[FW-policy-security-rule-policy_sec_1] source-zone trust
[FW-policy-security-rule-policy_sec_1] source-address 10.3.0.0 24
[FW-policy-security-rule-policy_sec_1] action permit
[FW-policy-security-rule-policy_sec_1] quit
[FW-policy-security] quit

Configure a NAT policy to translate private network IP addresses into public network IP addresses before PCs access the Internet.

[FW] nat-policy
[FW-policy-nat] rule name policy_nat_1
[FW-policy-nat-rule-policy_nat_1] source-zone trust
[FW-policy-nat-rule-policy_nat_1] destination-zone untrust
[FW-policy-nat-rule-policy_nat_1] egress-interface GigabitEthernet 0/0/1
[FW-policy-nat-rule-policy_nat_1] source-address 10.3.0.0 24
[FW-policy-nat-rule-policy_nat_1] action source-nat easy-ip

Configuration Verification

Check the status of GigabitEthernet 0/0/1 (uplink).
1. Choose Network > Interface.
2. Verify that the physical status and IPv4 status of GigabitEthernet 0/0/1 are Up, the connection type is DHCP, and the interface obtained an IPv4 address.
Check whether the PC on the intranet can use domain names to access the Internet. If the PC can access the Internet, the configuration is successful. If the PC fails to access the Internet, modify the configuration and try again.

Configuration Script

#
 dns resolve                                                                    
 dns server unnumbered interface GigabitEthernet0/0/1
#                                                                               
 dns proxy enable                                                               
#                                                                               
interface GigabitEthernet0/0/1                 
 ip address dhcp-alloc                                                          
#                                                                               
interface GigabitEthernet0/0/3                 
 ip address 10.3.0.1 255.255.255.0                                              
#                                                                               
firewall zone trust                                                             
 set priority 85                                                                
 add interface GigabitEthernet0/0/3            
#                                                                               
firewall zone untrust                                                           
 set priority 5                                                                 
 add interface GigabitEthernet0/0/1            
#
security-policy                                                                 
  rule name policy_sec_1                                                        
    source-zone trust                                                           
    source-address 10.3.0.0 mask 255.255.255.0                                  
    action permit                                                               
#                                                                               
nat-policy                                                                      
  rule name policy_nat_1                                                        
    source-zone trust                                                           
    destination-zone untrust                                                    
    egress-interface GigabitEthernet0/0/1      
    source-address 10.3.0.0 mask 255.255.255.0                                  
    action source-nat easy-ip                                                          
#                                                                               
return