A DHCP server provides IP addresses and other network configuration to computers and devices on your network.

When first connecting to the network, a client devices tries to discover a DHCP server. The assigned IP address can be taken from a defined range (a 'dynamic' pool) or can be statically assigned according to the client's unique MAC address.

Note: Make sure that any IP used for a static fixed lease does not come from the 'dynamic' pool of IP addresses.

DHCP usually provides much more configuration than just an IP address. It can include information such as a gateway IP, DNS and NTP servers.

Example configuration

In this example we will configure a standard IPFire installation to serve an internal network for the Green Interface.

Blue Interface Enabled

If the Blue Interface has been enabled ensure that the MAC Filtering has been configured on the Blue Access page.

Start Address / End Address

The first two fields are the start address and end address of the dynamic IP address range. With the current implementation this range must fit into a /24 net (netmask 255.255.255.0).

In this example the DHCP server provides IP addresses 192.168.26.50 to 192.168.26.150. This means clients will be randomly assigned an IP in this range if they use DHCP.

Deny known clients:

Enable this if you want to prevent any defined and enabled fixed lease clients from getting a dynamic lease from the selected interface. When you enable this box you must have a defined dynamic range for that interface otherwise you will get an error message.

In this example this means that any fixed lease in Green or Blue will be denied a dynamic lease from the Green range.

If the Deny known clients box is checked on Blue then this means that any fixed lease in Green or Blue will be denied a dynamic lease from the Blue range.

If both are checked then any fixed lease in Green or Blue will be denied a dynamic lease from both the Green and Blue range.

Default lease time

Next the lease duration is set. The lease duration is the amount of time, in minutes, that IPFire waits before releasing a previously assigned IP address which is no longer in use. An active DHCP client will attempt to refresh its connection in half of this time.

Domain Name suffix

The Domain Name Suffix is simply the name of the network workgroup or domain. IPFire will pre-fill this with the domain name that was entered during the setup phase. This can be a valid domain name obtained from a Dynamic DNS provider for instance or if you have paid for a domain name that can be used, or localdomain can be used.
The domain name suffix to be applied can be modified on this page so that a different one is used from that specified for IPFire and/or a different domain name suffix can be used for the Green subnet compared to the Blue subnet.

Primary DNS / Secondary DNS

Primary DNS. Specifies what the DHCP server should tell its clients to use for their Primary DNS server. As ipfire runs a DNS proxy you will usually want the Primary DNS server set to IPFire's Green IP address. Otherwise, if you have your own DNS server then specify it here.

Secondary DNS (optional). You can optionally specify a second DNS server which will be used if the primary is unavailable. This could be another DNS server on your network or that of your ISP.
A list of free non-compromised DNS server can be found here.

Primary NTP server / Secondary NTP server

The DHCP server can optionally specify up to two NTP server addresses for time synchronization.

Primary NTP Server (optional). If you are using IPFire as an NTP Server, or want to pass the address of another NTP Server to devices on your network, you can put its IP address in this field. The DHCP server will pass this address to all clients when they get their network parameters.

Secondary NTP Server (optional). If you have a second NTP Server address, put it in this field. The DHCP server will pass this address to all clients when they get their network parameters.

Note - Did you see a WARNING DHCP on BLUE Local NTP server specified but not enabled error? Go to NTP Configuration WebGUI and enable Provide time to local network.

Primary WINS server address / Secondary WINS server address

WINS is a historic name resolution service for Microsoft's NetBIOS network protocol. If it is still in use in your network you can optionally configure up to two addresses for WINS servers.

next-server / filename

The fields next-server and filename are used to allow un-configured systems, or diskless workstations, to boot an Operating System from the network using bootp or PXE (see RFC2131).

DNS Update in IPFire

DNS Update in IPFire is a feature that permits DHCP clients to update their own DNS entries, adhering to the RFC2136 standard. When a DHCP client's IP address changes, this functionality allows it to notify the name server of the alteration. This ensures that host name resolution of the local network remains consistent and functional without manual intervention, which is particularly beneficial for networks where IP addresses are dynamic.

It's essential to note that Unbound itself does not directly support RFC2136. As such, DNS registration is managed behind the scenes by the bridge script using a different method. Activating the DNS Update feature without redirecting updates to a different name server that supports RFC2136 will disable this capability.

  1. Provide a Secure Key:
    A key component of the DNS Update is the requirement of a secret key for security reasons. This key ensures the integrity and authenticity of DNS updates. A secure random string of characters needs to be provided in IPFire's Web User Interface (WUI). To generate such a key using OpenSSL, run:
    openssl rand -base64 32
    The generated string will serve as your secret key.

  2. Navigate to DNS Update Configuration in WUI:
    After logging into the IPFire WUI, proceed to the 'Services' menu and select 'DNS Update'.

  3. Fill in the Required Details:
    - Enable DNS Update (RFC2136): This option needs to be checked to activate the feature.
    - Local Domain: Specify the domain for which the DNS record will be updated.
    - Key Name: Assign a name for your key. This is merely for identification purposes.
    - Secret: Insert the secret key produced in the first step.
    - Algorithm: From the available options in the dropdown, select "HMAC-MD5", determining the algorithm used for the DNS updates.

  4. Finalize the Configuration:
    To apply your configurations, click on the 'Save' button.

Additional DHCP options

This section allows additional options for DHCP to be configured.

  • DHCP can be set to listen on a specific interface, typically the Green interface or use a global scope.
  • The button "List options" shows a lot of additional options which can be set.

The Web Proxy Auto-Discovery Protocol can be configured here, if needed.

Current fixed leases

IPFire supports the configuration of fixed, or static, IP address leases for specific clients. When configured the unique MAC address of a network card is used to identify a particular client and offer them a specific IP address each time.

All clients not listed in this section will be given an address from the 'dynamic' range set above.

MAC Address

The unique hardware (MAC) address of a client's network card.

IP address

A unique IP address to reserve for a client.
Note: This IP address must not be in the 'dynamic' range set above.

Remark

The remark field is used to comment an entry in this configuration page.

Note! The IPFire's DNS server automatically adds the first word in the remark field as a host name entry for the IP address configured in this section.

Current dynamic leases

In this last section, dynamic leases are listed with the associated MAC addresses and expiration time. Clients that already have a "MAC assigned" address (fixed leases) and clients with a static IP address (manually set) will not be listed.

The "Add" button will add the client definition (MAC address) to the set of fixed leases. This definition should be edited to assign an IP address not in the dynamic address pool.

Specify settings

Changes on the WebUI DHCP settings will be save on /var/ipfire/dhcp/dhcpd.conf.

Default settings:

deny bootp; #default
authoritative;
ddns-update-style none;

include "/var/ipfire/dhcp/dhcpd.conf.local";

To add specific options (e.g. change router ip, create dhcp entry) edit the file /var/ipfire/dhcp/dhcpd.conf.local.

Sample:

subnet 10.0.0.1 netmask 255.0.0.0 #GREEN
{
      range 10.1.0.1 10.1.255.254;
      option subnet-mask 255.0.0.0;
      option domain-name "int.company.com";
      option routers 10.0.0.1;
      option domain-name-servers 10.11.0.2;
      default-lease-time 600;
      max-lease-time 1200;
} #GREEN

To check the syntax of the statements put into /var/ipfire/dhcp/dhcpd.conf.local run the following command before restarting dhcp

/usr/sbin/dhcpd -t -cf /var/ipfire/dhcp/dhcpd.conf

which will flag any syntax issues.

If you have additional interfaces the DHCP server should listen to, you will need to specify them in /etc/sysconfig/dhcpd file for the LISTEN_INTERFACES variable. Example for vlan10 and vlan20:

LISTEN_INTERFACES="vlan10 vlan20"