NDC Logical Firewall - Configuring a DHCP Server

WARNING: You should only start DHCP service on your firewall if:
  1. You are authorized to provide it to your entire subnet AND your subnet doesn't already have DHCP
  2. You are using a physical (2-NIC in-line) firewall and you explicitly restrict your DHCP service to the network physically wired behind your firewall.

Please confirm with the NOC there is no central DHCP service for your subnet before proceeding.

DHCP is a UDP-broadcast-based protocol which can be used to configure the initial network settings of other computers on the network. Because DHCP client hosts do not yet have an IP address when they boot, they must broadcast a DHCP request to get one and the server will broadcast a reply. These broadcasts will go everywhere on your subnet (and possibly be relayed to the central DHCP server) unless they're blocked by a physical (2-NIC in-line) firewall. Accidentally having more than one DHCP server responding on a network is a frequent cause of network trouble. Be careful. You've been warned.

Good Reasons to Run a DHCP Server on Your Firewall

Running DHCP service on your firewall allows you to:

  1. Configure hosts to be behind a Logical Firewall (LFW) without touching them.
  2. Assign addresses dynamically to firewall clients from a pool of 10. addresses.
  3. Assign known and unknown hosts to different private networks (requires registering known MAC addresses).
  4. Assign both public and private addresses with DHCP (requires registering some MAC addresses).

There are basically two ways of assigning IP addresses with DHCP: randomly from a pool and statically (by manually pairing MAC addresses with fixed IP addresses). One could, for example, use LFW variation #e10 and cause unknown clients to get an IP address from a pool on an isolated 10.0 network while known LFW clients (whose MAC addresses are listed in the DHCP configuration file) would get an address on the normal 10.x network.

How to Configure DHCP3 on Recent Versions of Gibraltar

The following steps will configure DHCP service on a Gibraltar-based LFW:
  1. Edit "/etc/dhcp3/dhcpd.conf" to contain something similar to the example below (with the values shown in color suitably modified for your network). If you don't want to do MAC registration, you can omit the entire "subnet" section with the blue text or if you don't want to assign addresses from a pool, you can delete the "subnet" section with pink text.

    You can also add additional "subnet" sections if necessary and/or combine pool and host declarations in a single subnet (as long as any fixed IP addresses are not also in a pool).

    The syntax of the "dhcpd.conf" file is documented in the online manpage: "man dhcpd.conf" and also somewhat in: "man dhcpd3", but hopefully the one example below will cover most situations. If not, there are more examples in the manpages you can consult.

  2. At the shell prompt, type:

  3. If (and probably only if) you're using LFW variation #sNIC you probably want to restrict DHCP service to the interface on the network behind the firewall. To do that, edit "/etc/default/dhcp3-server" to say:
  4. To start, stop or restart the DHCP server daemon, type one of:
        /etc/init.d/dhcp3-server start
        /etc/init.d/dhcp3-server stop
        /etc/init.d/dhcp3-server restart

    For debugging, you may initially prefer to start DHCP manually like this:

        dhcpd3 -f -d eth0
        dhcpd3 -f -d eth1

  5. To cause DHCP service to start automatically when the firewall is rebooted, uncomment the "dhcp3-server" line in "/etc/runlevel.conf".

  6. When everything is configured to your satisfaction, remember to run "save-config" to save your work.

Example "/etc/dhcp3/dhcpd.conf" file contents

The following "dhcpd.conf" file will cause the DHCP server to assign IP addresses with a 3600 second (1 hour) lease from a pool of IP addresses in the 10.0.y.0/24 network to clients whose MAC addresses are NOT listed in the "dhcpd.conf" file. Clients whose MAC addresses ARE listed will get their corresponding fixed IP in the 10.x.y.0/24 network.

ddns-update-style none;

option domain-name "xxx.washington.edu";
option domain-name-servers,;

default-lease-time 3600;
max-lease-time 3600;

log-facility local7;
lease-file-name "/etc/dhcp3/dhcpd.leases";

shared-network MyLAN {

  subnet 10.0.y.0 netmask {
    option routers 10.0.y.25;		# LFW's 10.0.y IP address
    server-identifier 10.0.y.25;	# LFW's 10.0.y IP address

    pool {
      range 10.0.y.1 10.0.y.24;
      deny known clients;
    pool {
      range 10.0.y.26 10.0.y.254;
      deny known clients;


  subnet 10.x.y.0 netmask {
    option routers 10.x.y.25;		# LFW's 10.x.y IP address
    server-identifier 10.x.y.25;	# LFW's 10.x.y IP address

    host h115 {
        hardware ethernet 10:11:7b:a9:9b:50;
        fixed-address 10.x.y.115;
    host h116 {
        hardware ethernet 01:90:5a:a0:b9:25;
        fixed-address 10.x.y.116;



Corey Satten
Email -- corey @ u.washington.edu
Web -- http://staff.washington.edu/corey/
Date -- Mon Jan 28 12:25:17 PST 2008