Netgate is offering COVID-19 aid for pfSense software users, learn more.
To alter the behavior of the IPv4 DHCP server, navigate to Services > DHCP Server in the web interface. The behavior of the IPv4 DHCP server is controlled there, along with static IP address mappings and related options such as static ARP.
Choosing an Interface¶
The DHCP configuration page contains a tab for each interface with a static IP address. Each interface has its own separate DHCP server configuration, and they may be enabled or disabled independently of one another. Before making any changes, visit the tab for the correct interface.
The first setting on the tab enables or disables DHCP service for the interface. To turn on DHCP for the interface, check Enable DHCP server on [name] interface. To disable the service, uncheck the box instead.
- Deny unknown clients
Under normal circumstances, the DHCP server will answer requests from any client requesting a lease. In most environments this is normal and acceptable behavior, but in restricted or secure environments this behavior is undesirable. With this option set, only clients with static mappings defined will receive leases. This is a more secure practice but is much less convenient. This option is per-pool, meaning that if unknown clients are denied in the default range, another pool of IP addresses may be defined that does not have the setting checked. The DHCP server will assign clients IP addresses out of that alternate pool instead.
This will protect against low-knowledge users and people who casually plug in devices. Be aware, however, that a user with knowledge of the network could hardcode an IP address, subnet mask, gateway, and DNS which will still give them access. They could also alter/spoof their MAC address to match a valid client and still obtain a lease. Where possible, couple this setting with static ARP entries, access control in a switch that will limit MAC addresses to certain switch ports for increased security, and turn off or disable unused switch ports.
The network address of the interface subnet, for reference purposes.
- Subnet Mask
The subnet mask for the interface subnet, for reference purposes.
- Available Range
The range of available addresses inside the interface subnet, for reference and to help determine the desired range for DHCP clients. The network address and broadcast address are excluded, but interface addresses and Virtual IP addresses are not excluded.
This defines the DHCP address range, also referred to as the Scope or Pool. The two boxes for Range tell the firewall the first and last address for use as a DHCP pool. Addresses between the entered values, inclusive, will be used for clients which request addresses via DHCP. The range must be entered with the lower number first, followed by the higher number. For example, the default LAN DHCP range is based off of the subnet for the default LAN IP address. It is
192.168.1.199. This range can be as large or as small as the network needs, but it must be wholly contained within the subnet for the interface being configured.
The Additional Pools section defines extra pools of addresses inside of the same subnet. These pools can be used to craft sets of IP addresses specifically for certain clients, or for overflow from a smaller original pool, or to split up the main pool into smaller chunks with a GAP of non-DHCP IP addresses in the middle of what used to be the pool. A combination of the MAC Address Control options may be used to guide clients from the same manufacturer into a specific pool, such as VoIP phones.
To add a new pool, click Add Pool and the screen will switch to the pool editing view, which is nearly the same as the normal DHCP options, except a few options that are not currently possible in pools are omitted. The options behave the same as the others discussed in this section. Items left blank will, by default, fall through and use the options from the main DHCP range.
See the MAC Address Control section below for specifics on directing clients into or away from pools.
- WINS Servers
Two WINS Servers (Windows Internet Name Service) may be defined that will be passed on to clients. If one or more WINS servers is required, enter their IP addresses here. The actual servers do not have to be on this subnet, but be sure that the proper routing and firewall rules are in place to let them be reached by client PCs. If this is left blank, no WINS servers will be sent to the client.
- DNS Servers
The DNS Servers may or may not need filled in, depending on the firewall configuration. If the built-in DNS Resolver or DNS Forwarder is used to handle DNS, leave these fields blank and pfSense® will automatically assign itself as the DNS server for client PCs. If the DNS forwarder is disabled and these fields are left blank, pfSense will pass on whichever DNS servers are defined under System > General Setup. To use custom DNS Servers instead of the automatic choices, fill in the IP addresses for up to four DNS servers here. In networks with Windows servers, especially those employing Active Directory, it is recommended to use those servers for client DNS. When using the DNS Resolver or DNS forwarder in combination with CARP, specify the CARP Virtual IP address on this interface here.
This may also be left blank if this firewall is acting as the gateway for the network on this interface. If that is not the case, fill in the IP address for the gateway to be used by clients on this interface. When using CARP, fill in the CARP Virtual IP address on this interface here.
- Domain Name
Specifies the domain name passed to the client to form its fully qualified hostname. If the Domain Name is left blank, then the domain name of the firewall it sent to the client. Otherwise, the client is sent this value.
- Domain Search List
Controls the DNS search domains that are provided to the client via DHCP. If multiple domains are present and short hostnames are desired, provide a list of domain names here, separated by a semicolon. Clients will attempt to resolve hostnames by adding the domains, in turn, from this list before trying to find them externally. If left blank, the Domain Name option is used.
The Domain Search List is provided via DHCP option 119. As of this writing, no Windows DHCP client of any version supports DHCP option 119. Other operating systems such as BSD, Linux, and OS X do support obtaining the Domain Search List via DHCP option 119.
- Default lease time
Controls how long a lease will last when a client does not request a specific lease length. Specified in seconds, default value is
7200seconds (2 hours)
- Maximum lease time
Limits a requested lease length to a stated maximum amount of time. Specified in seconds, default value is 86400 seconds (1 day).
- Failover Peer IP
If this system is part of a High Availability failover cluster, enter the real IP address of the other system in this subnet here. Do not enter a CARP Virtual IP address.
- Static ARP
This checkbox works similar to denying unknown MAC addresses from obtaining leases, but takes it a step further in that it also restricts any unknown MAC address from communicating with this firewall. This stops would- be abusers from hardcoding an unused address on this subnet, circumventing DHCP restrictions.
When using static ARP, all systems that need to communicate with the firewall must be listed in static mappings before activating this option, especially the system being used to connect to the pfSense GUI. Also be aware that this option may prevent people from hardcoding an IP address and talking to the firewall, but it does not prevent them from reaching each other on the local network segment.
- Time Format Change
By default, the ISC DHCP daemon maintains lease times in UTC. When this option is checked, the times on the DHCP Leases status page are converted to the local time zone defined on the firewall.
- Statistics Graphs
This option, disabled by default, activates RRD graphing for monitoring the DHCP pool utilization.
For Dynamic DNS settings, click Display Advanced to the right of that field, which displays the following options:
Check the box to enable registration of DHCP client names in DNS using an external (non-pfSense) DNS server.
- DDNS Domain
The domain name used for registering clients in DNS
- Primary DDNS Address
The DNS server used for registering clients in DNS
- DNS Domain Key
The encryption key used for DNS registration
- DNS Domain Key Secret
The secret for the key used for DNS registration
MAC Address Control¶
For MAC Address Control, click Display Advanced to show the lists of allowed
and denied client MAC addresses. Each list is comma-separated and contains
portions of MAC addresses. For example, a group of VoIP phones from the same
manufacturer may all start with the MAC address
aa:bb:cc. This can be
leveraged to give groups of devices or users separate DHCP options.
A list of MAC Addresses to allow in this pool. If a MAC address is in the allow box, then all others will be denied except the MAC address specified in the allow box.
A list of MAC Addresses to deny from this pool. If a MAC address is in the deny list, then all others are allowed.
It is best to use a combination of allow and deny to get the desired result,
such as: In the main pool, leave allow blank and deny
aa:bb:cc. Then in the
VoIP pool, allow
aa:bb:cc. If that extra step is not taken to allow the MAC
prefix in the additional pool, then other non-VoIP phone clients could receive
IP addresses from that pool, which may lead to undesired behavior.
This behavior may also be used to blacklist certain devices from receiving a
DHCP response. For example to prevent Example brand printers from receiving a
DHCP address, if MAC addresses all start with
ee:ee:ee, then place that in
the deny list of each pool.
To specify NTP Servers (Network Time Protocol Servers), click the Display Advanced button to the right of that field, and enter IP addresses for up to two NTP servers.
click the Display Advanced button next to TFTP to display the TFTP server option. The value in the TFTP Server box, if desired, must be an IP address or hostname of a TFTP server. This is most often used for VoIP phones, and may also be referred to as “option 66” in other documentation for VoIP and DHCP.
click the Display Advanced button next to LDAP to display the LDAP
Server URI option. LDAP Server URI will send an LDAP server URI to the
client if requested. This may also be referred to as DHCP option 95. It takes
the form of a fully qualified LDAP URI, such as
ldap://ldap.example.com/dc=example,dc=com. This option can help clients
using certain kinds of systems, such as OpenDirectory, to find their server.
Additional BOOTP/DHCP Options¶
Other numeric DHCP options can be sent to clients using the Additional BOOTP/DHCP Options controls. To view these options, click Display Advanced in this section. To add a new option, click Add.
The DHCP option code number. IANA maintains a list of all valid DHCP options.
The choices and formats for each type may be a little counter-intuitive, but the labels are used directly from the DHCP daemon. The proper uses and formats are:
Free-form text to be sent in reply, such as
A string of hexadecimal digits separated by a colon, such as
- Unsigned 8, 16, or 32-bit Integer
A positive Integer that will fit within the given data size, such as
- Signed 8, 16, or 32-bit Integer
A positive or negative Integer that will fit within the given data size, such as
- IP address or host
An IP address such as
192.168.1.1or a hostname such as
The value associated with this numeric option and type.
For more information on which options take a specific type or format, see the linked list above from the IANA.
When using numbered custom options, be careful of the type. Some will be OK on text/string but others are not.
For example, DHCP options for code 132 (and presumably 133) for VLAN ID must be set for a type of unsigned integer 32.
To view the Network boot settings, click in the Network Booting section header bar.
Check to enable network booting options in DHCP
- Next Server
The IP address from which boot images are available
- Default BIOS file name
File name for the boot image (Non-UEFI)
- UEFI 32 bit file name
File for 32-bit UEFI booting
- UEFI 64 bit file name
File for 64-bit UEFI booting
- Root Path
String to target a specific device as the client’s root filesystem device, such as
After making changes, click Save before attempting to create static mappings. Changes to settings will be lost if the browser leaves this page without saving.
Static DHCP mappings express a preference for which IP address will be assigned to a given client based on its MAC address. In a network where unknown clients are denied, this also serves as a list of “known” clients which are allowed to receive leases or have static ARP entries. Static mappings can be added in one of two ways:
From this screen, click Add.
Add them from the DHCP leases view, which is covered later in this chapter.
On this screen, only the MAC address is necessary.
- MAC Address
The client MAC address which identifies the host to deliver options on this page, or by entering only the MAC address, it will be added to the list of known clients for use when the Deny unknown clients option is set.
Client MAC address can be obtained from a command prompt on most platforms. On UNIX-based or UNIX-work-alike operating systems including Mac OS X, typing
ifconfig -awill show the MAC address for each interface. On Windows-based platforms,
ipconfig /allwill show the MAC address. The MAC address may also sometimes be found upon a sticker on the network card, or near the network jack for integrated adapters. For hosts on the same subnet, the MAC can be determined by pinging the IP address of the host and then running
arp - a.
- Client Identifier
An ID sent by the client to identify itself.
- IP Address
The IP address field is needed if this will be a static IP address mapping instead of only informing the DHCP server that the client is valid. This IP address is a preference, not a reservation. Assigning an IP address here will not prevent someone else from using the same IP address. If this IP address is in use when this client requests a lease, it will instead receive an address from the general pool. For this reason, the pfSense WebGUI does not allow assigning static IP mappings inside of the DHCP pool.
The hostname of the client. This does not have to match the actual hostname set on the client. The hostname set here will be used when registering DHCP addresses in the DNS forwarder.
Cosmetic only, and available for use to help track any additional information about this entry. It could be the name of the person who uses the PC, its function, the reason it needed a static address, or the administrator who added the entry. It may also be left blank.
- ARP Table Static Entry
If checked, this entry will receive a static ARP entry in the OS tying this IP address to this MAC address.
If this option is used rather than using the global static ARP option, it does not prevent that MAC address from using other IP addresses, it only prevents other MAC addresses from using this IP address. In other words, it prevents another machine from using that IP to reach the firewall, but it doesn’t stop the user from changing their own IP address to something different.
The remaining options available to set for this client are the same in behavior to the ones found earlier in this section for the main DHCP settings.
Click Save to finish editing the static mapping and return to the DHCP Server configuration page.