pfSense DHCP Server - Configuration and Static Mappings
The DHCP server in pfSense automatically distributes IP addresses to clients from predefined pools while transmitting network configuration parameters - gateway, DNS servers, domain name, and lease duration. The server is configured independently for each interface, enabling tailored settings for different network segments. pfSense supports two DHCP backends - Kea DHCP (modern, recommended) and ISC DHCP (deprecated, scheduled for removal in future releases). Backend selection is available at System > Advanced > Networking > Server Backend.
Enabling the DHCP Server
DHCP server configuration is performed through Services > DHCP Server. The configuration page contains separate tabs for each interface capable of serving DHCP addresses.
To activate the server on a specific interface:
- Navigate to the tab for the desired interface (LAN, OPT1, etc.)
- Check Enable DHCP server on [interface] interface
- Define the address pool range
- Click Save
Warning:
The DHCP server operates only on interfaces with statically assigned IP addresses. If an interface is configured to obtain its address via DHCP or PPPoE, enabling the DHCP server on that interface is not possible.
Address Pool Configuration
The address pool defines the range of IP addresses that the DHCP server distributes to clients. The range is specified using the From (starting address) and To (ending address) fields and must fall within the interface subnet.
Core Pool Parameters
| Parameter | Description | Default Value |
|---|---|---|
| Address Pool Range | Starting and ending addresses of the range | Depends on subnet |
| DNS Servers | Up to four DNS servers for clients | pfSense interface IP |
| Gateway | Default gateway for clients | pfSense interface IP |
| Domain Name | Domain name for FQDN formation | pfSense system domain |
| Domain Search List | DNS search domains (option 119) | Not set |
| Default Lease Time | Lease duration when client does not request specific length | 7200 seconds (2 hours) |
| Maximum Lease Time | Upper limit for requested lease duration | 86400 seconds (24 hours) |
| WINS Servers | Up to two Windows Internet Name Service servers | Not set |
Additional Pools
Multiple address pools within a single subnet can be created using the Add Address Pool button. This is useful when different device categories on the same interface require separate ranges - for example, one pool for workstations and another for printers with different lease parameters.
Planning Recommendations
When planning the address pool, several practical considerations apply:
- Reserve addresses at the beginning of the subnet for the gateway, servers, and network equipment (e.g., .1 through .20)
- Allocate a separate range for static mappings outside the dynamic pool
- Account for potential device count growth when selecting the subnet size
- Set lease times according to device type: short (1-2 hours) for guest networks with high turnover, longer (8-24 hours) for corporate workstations
Static Mappings
Static mappings ensure that a specific device always receives the same IP address based on its MAC address. Unlike fully static configuration on the device itself, the device continues using the DHCP protocol but consistently receives the assigned address.
Creating a Static Mapping
To create a mapping, navigate to Services > DHCP Server, select the interface, and click Add in the DHCP Static Mappings section.
| Field | Description | Required |
|---|---|---|
| MAC Address | Device MAC address in aa:bb:cc:dd:ee:ff format | Yes |
| Client Identifier | Client identifier per RFC 2132 | No |
| IP Address | Preferred IP address (not a hard reservation) | No |
| Hostname | Hostname for DNS Resolver registration | No |
| Description | Device description for administrative purposes | No |
| ARP Table Static Entry | Create a static ARP binding for this mapping | No |
Warning:
The IP Address field specifies a preferred address, not a hard reservation. If the specified address is already in use, the DHCP server may assign a different address from the pool. To guarantee address persistence, select an IP outside the dynamic pool range.
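The planning rules and the advice to keep static mappings outside the dynamic pool can be checked before the values are entered in the GUI. The following Python check is an added example, not part of pfSense or the original page; the function name `check_dhcp_plan` and all sample addresses are constructed for illustration.

```python
import ipaddress

def check_dhcp_plan(subnet, pools, static_mappings):
    """Check pools [(from, to)] and mappings [(mac, ip)] for one interface."""
    net = ipaddress.ip_network(subnet)
    problems, ranges = [], []
    for start, end in pools:
        lo, hi = ipaddress.ip_address(start), ipaddress.ip_address(end)
        if lo > hi:
            problems.append(f"pool {start}-{end}: From is above To")
            continue
        if lo not in net or hi not in net:
            problems.append(f"pool {start}-{end}: outside {net}")
        ranges.append((lo, hi))
    ranges.sort()
    reach = None  # highest address covered by the pools seen so far
    for lo, hi in ranges:
        if reach is not None and lo <= reach:
            problems.append(f"pool {lo}-{hi} overlaps an earlier pool")
        reach = hi if reach is None else max(reach, hi)
    seen_macs, seen_ips = set(), set()
    for mac, ip in static_mappings:
        mac, addr = mac.lower(), ipaddress.ip_address(ip)
        if addr not in net:
            problems.append(f"{mac} -> {addr}: outside {net}")
        if any(lo <= addr <= hi for lo, hi in ranges):
            problems.append(f"{mac} -> {addr}: inside a dynamic pool")
        if mac in seen_macs:
            problems.append(f"{mac}: mapped more than once")
        if addr in seen_ips:
            problems.append(f"{addr}: used by more than one mapping")
        seen_macs.add(mac)
        seen_ips.add(addr)
    return problems

# Constructed sample plan, not taken from a real configuration.
SAMPLE_PROBLEMS = check_dhcp_plan(
    "192.168.10.0/24",
    pools=[("192.168.10.100", "192.168.10.199"),
           ("192.168.10.190", "192.168.10.220")],
    static_mappings=[
        ("AA:BB:CC:DD:EE:01", "192.168.10.10"),   # fine: below the pools
        ("aa:bb:cc:dd:ee:02", "192.168.10.150"),  # inside the first pool
        ("aa:bb:cc:dd:ee:03", "192.168.20.5"),    # wrong subnet
        ("aa:bb:cc:dd:ee:01", "192.168.10.11"),   # MAC already mapped
    ],
)
```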
Practical Applications
Static mappings are recommended for:
- Servers and network equipment that require fixed addresses for firewall rules and NAT
- Printers and multifunction devices configured by IP address
- IP phones with number-to-address binding
- IoT devices that do not support static network configuration
- Administrator workstations requiring fixed access
Static ARP Option
When Static ARP is enabled at the interface level, pfSense creates static ARP table entries for all devices with static mappings. Devices without a mapping cannot communicate with the firewall through that interface, even if they configure an IP address manually. This provides an additional layer of access control at the data link layer.
Unknown Client Handling
The Deny unknown clients parameter controls DHCP server behavior when receiving requests from devices without a static mapping.
| Mode | Behavior |
|---|---|
| Allow all clients | All devices receive an address from the pool (default) |
| Allow known clients from any interface | Only devices with a static mapping on any interface |
| Allow known clients from only this interface | Only devices with a static mapping on this specific interface |
Restrictive modes are valuable in environments with heightened security requirements where connecting unauthorized devices to the network must be prevented. Combined with Static ARP, this provides MAC-level access control.
DHCP Relay
DHCP Relay is used when the DHCP server resides in a different subnet. Instead of distributing addresses locally, pfSense forwards client DHCP requests to a remote server and returns the responses.
Configuring DHCP Relay
Configuration is performed through Services > DHCP Relay.
- Check Enable DHCP Relay
- Enter the remote DHCP server IP address in the Destination Server field
- Select the interfaces on which to intercept DHCP requests
- Click Save
Warning:
DHCP Relay and DHCP Server cannot operate simultaneously on the same interface. Enabling Relay automatically deactivates the local DHCP server on the selected interfaces.
Use Cases
- A centralized DHCP server (Windows Server, ISC DHCP, Infoblox) serving multiple subnets through Relay on pfSense
- Branch office networks with a single DHCP server at headquarters connected via VPN tunnel
- Migration from a dedicated DHCP server: during the transition period, pfSense forwards requests to the existing server
Additional DHCP Options
pfSense can transmit extended configuration parameters to clients through additional DHCP options.
Built-in Options
| Option | Field | Description |
|---|---|---|
| TFTP Server (66) | TFTP Server | TFTP server address for IP phones and PXE boot |
| NTP Servers (42) | NTP Servers | Up to four time synchronization servers |
| LDAP URI (95) | LDAP URI | LDAP server URI in format ldap://ldap.example.com/dc=example,dc=com |
Network Booting (PXE/UEFI)
To configure network booting, enable Enable Network Booting and specify:
| Parameter | Description |
|---|---|
| Next Server | IP address of the server hosting boot images |
| Default BIOS File Name | Boot file name for Legacy BIOS |
| UEFI 32 bit File Name | Boot file for 32-bit UEFI |
| UEFI 64 bit File Name | Boot file for 64-bit UEFI |
| UEFI HTTPBoot URL | Boot file URL in format http://server/path |
| Root Path | Root device path (e.g., iSCSI target) |
Custom Options (ISC DHCP Only)
The Additional BOOTP/DHCP Options section allows defining arbitrary DHCP options by number, type, and value:
- Number - option code per IANA standards
- Type - data type (Text, String, Boolean, Unsigned Integer 8/16/32, Signed Integer 8/16/32, IP address or hostname)
- Value - option value
Custom options enable transmitting device-specific parameters for VoIP equipment, thin clients, IP cameras, and other devices supporting extended DHCP options.
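How the Number, Type, and Value fields end up on the wire, as an added example (not pfSense or ISC DHCP code): each option is sent as a one-byte code, a one-byte length, and the data, following the RFC 2132 layout. The helper names, the `ip` type taking a list of addresses, and the use of site-specific option 224 are assumptions made for illustration.

```python
import ipaddress
import struct

INT_FORMATS = {"uint8": "!B", "uint16": "!H", "uint32": "!I",
               "int8": "!b", "int16": "!h", "int32": "!i"}

def encode_option(number, kind, value):
    """Encode one option as code, length, data (RFC 2132 layout)."""
    if not 1 <= number <= 254:
        raise ValueError("codes 0 (pad) and 255 (end) are reserved")
    if kind == "text":
        data = value.encode("ascii")
    elif kind == "boolean":
        data = b"\x01" if value else b"\x00"
    elif kind in INT_FORMATS:
        try:
            data = struct.pack(INT_FORMATS[kind], value)
        except struct.error as exc:
            raise ValueError(f"{value} does not fit {kind}") from exc
    elif kind == "ip":
        data = b"".join(ipaddress.IPv4Address(a).packed for a in value)
    else:
        raise ValueError(f"unsupported type {kind}")
    if len(data) > 255:
        raise ValueError("option data is limited to 255 bytes")
    return bytes([number, len(data)]) + data

def decode_options(blob):
    """Walk an options field and return {code: data}; reject truncation."""
    options, i = {}, 0
    while i < len(blob):
        code = blob[i]
        if code == 0:        # pad byte, no length field
            i += 1
            continue
        if code == 255:      # end marker
            break
        if i + 1 >= len(blob) or i + 2 + blob[i + 1] > len(blob):
            raise ValueError(f"option {code} is truncated")
        length = blob[i + 1]
        options[code] = blob[i + 2:i + 2 + length]
        i += 2 + length
    return options

# Constructed values: TFTP server (66), NTP servers (42), and a
# site-specific option 224 carrying a 16-bit number.
SAMPLE = (encode_option(66, "text", "192.168.10.5")
          + encode_option(42, "ip", ["192.168.10.1", "192.168.10.2"])
          + encode_option(224, "uint16", 100) + b"\xff")
```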
MAC Address Control
Advanced settings allow restricting service by MAC address:
- Allow - comma-separated list of permitted MAC addresses; all others are rejected
- Deny - comma-separated list of blocked MAC addresses; all others are served
DHCPv6 and Router Advertisements
pfSense supports IPv6 address distribution through DHCPv6 and Router Advertisement (RA) configuration for client autoconfiguration.
DHCPv6 Configuration
DHCPv6 configuration is available at Services > DHCPv6 Server & RA. Each interface provides two tabs: DHCPv6 Server and Router Advertisements.
Core DHCPv6 parameters mirror those of DHCPv4:
- Address range (Range)
- IPv6 DNS servers
- Domain name
- Lease times (Preferred and Valid Lifetime)
- Static mappings by DUID (DHCPv6 Unique Identifier)
Router Advertisements
Router Advertisements determine how IPv6 clients obtain their addresses.
| RA Mode | Description |
|---|---|
| Managed | Clients obtain addresses exclusively through DHCPv6 |
| Assisted | Clients use SLAAC for address and DHCPv6 for other parameters |
| Unmanaged | Clients use SLAAC only, DHCPv6 is not used |
| Disabled | Router Advertisements are disabled |
Warning:
The Router Advertisements mode must be coordinated with DHCPv6 settings. When set to Unmanaged, the DHCPv6 server will not process address assignment requests, even if it is enabled.
DNS Integration
The pfSense DHCP server supports automatic hostname registration in the DNS Resolver (Unbound). When a DHCP request includes a hostname, the server creates a corresponding DNS record, allowing devices to be reached by name instead of IP address.
Enabling DNS Registration
Automatic registration is configured in the DNS Resolver (Services > DNS Resolver):
- DHCP Registration - register hostnames of dynamic clients
- Static DHCP - register hostnames from static mappings
Detailed DNS Resolver configuration is covered in DNS in pfSense.
Dynamic DNS (ISC DHCP Only)
When using the ISC DHCP backend, hostname registration on an external DNS server is available through the Dynamic DNS protocol:
- DDNS Domain - domain for client registration
- Primary/Secondary DDNS Address - DNS server addresses for record updates
- DNS Domain Key Name and Secret - credentials for update authentication
- DDNS Client Updates - policy for handling client DNS update requests (Allow, Deny, Ignore)
Viewing Active Leases
The list of current DHCP leases is available at Status > DHCP Leases. The page displays:
- Client IP address and MAC address
- Hostname (if provided by the client)
- Lease start and expiration times
- Lease type (dynamic or static)
- Device online status
From this list, a static mapping can be created for any active client by clicking Add Static Mapping next to the corresponding entry. Wake on LAN functionality is also available for devices supporting remote wake-up.
Troubleshooting
Client Does Not Receive an IP Address
- Verify that the DHCP server is enabled on the appropriate interface (Services > DHCP Server)
- Confirm that the pfSense interface IP address is statically configured
- Check that the address pool is not exhausted (Status > DHCP Leases)
- Verify that Deny unknown clients is not enabled for a device without a static mapping
- Check firewall rules - DHCP uses UDP port 67 (server) and UDP port 68 (client)
- Review the system log: Status > System Logs > DHCP
Client Receives an Address from the Wrong Pool
- Verify that the client is connected to the correct interface or VLAN
- Confirm that the primary and additional pool ranges do not overlap
- If a static mapping exists, verify that the specified address falls within the interface subnet
DHCP Relay Not Working
- Confirm that the DHCP server is disabled on interfaces used for Relay
- Test routing to the remote DHCP server using Diagnostics > Ping
- Verify that firewall rules permit DHCP traffic (UDP 67/68) between pfSense and the remote server
- When using a VPN tunnel, confirm that the DHCP server subnet is reachable through the tunnel
IP Address Conflicts
- Check whether the address is statically assigned on another device
- Verify that static mapping addresses do not fall within the dynamic pool range
- Enable Ping Check (ISC DHCP only) to verify address availability before assignment
Migration from Other Platforms
Migration from Cisco IOS DHCP
In Cisco IOS, DHCP pools are configured globally and bound to a subnet. In pfSense, each pool is tied to a specific interface.
| Cisco IOS | pfSense |
|---|---|
| ip dhcp pool VLAN10 | Interface tab in Services > DHCP Server |
| network 192.168.10.0 255.255.255.0 | Determined by interface subnet |
| default-router 192.168.10.1 | Gateway |
| dns-server 8.8.8.8 | DNS Servers |
| domain-name corp.local | Domain Name |
| lease 0 8 | Default Lease Time (in seconds) |
| ip dhcp excluded-address | Exclude addresses from pool range |
| host 192.168.10.50 + hardware-address | Static Mappings |
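The mapping in the table, applied to a constructed Cisco IOS stanza, as an added example that is not part of the original page or of pfSense. It goes one step beyond the table by deriving explicit From/To pool ranges from the excluded-address blocks and converting the `lease days hours` form to seconds; the function name and output keys are hypothetical.

```python
import ipaddress

def convert_cisco_pool(config_text):
    """Translate one Cisco IOS pool stanza into pfSense DHCP field values."""
    out, excluded, net = {"dns_servers": [], "pools": []}, [], None
    for line in config_text.splitlines():
        w = line.split()
        if not w:
            continue
        if w[:3] == ["ip", "dhcp", "excluded-address"]:
            lo = ipaddress.ip_address(w[3])
            hi = ipaddress.ip_address(w[4]) if len(w) > 4 else lo
            excluded.append((lo, hi))
        elif w[0] == "network":  # mask form or "/24" prefix form
            net = ipaddress.ip_network(f"{w[1]}/{w[2].lstrip('/')}")
        elif w[0] == "default-router":
            out["gateway"] = w[1]
        elif w[0] == "dns-server":
            out["dns_servers"] = w[1:5]  # pfSense takes up to four; extras dropped
        elif w[0] == "domain-name":
            out["domain_name"] = w[1]
        elif w[0] == "lease":
            if w[1] == "infinite":
                raise ValueError("infinite lease: choose a lease time in seconds")
            days, hours, minutes = ([int(x) for x in w[1:4]] + [0, 0])[:3]
            out["default_lease_time"] = days * 86400 + hours * 3600 + minutes * 60
    if net is None:
        raise ValueError("stanza has no network statement")
    # Cisco leases the subnet minus exclusions; pfSense needs From/To ranges.
    cursor, last = net.network_address + 1, net.broadcast_address - 1
    for lo, hi in sorted(excluded):
        if lo > cursor:
            out["pools"].append((str(cursor), str(lo - 1)))
        cursor = max(cursor, hi + 1)
    if cursor <= last:
        out["pools"].append((str(cursor), str(last)))
    return out

# Constructed stanza built from the commands in the table above.
SAMPLE_CONFIG = """\
ip dhcp excluded-address 192.168.10.1 192.168.10.20
ip dhcp excluded-address 192.168.10.200 192.168.10.254
ip dhcp pool VLAN10
 network 192.168.10.0 255.255.255.0
 default-router 192.168.10.1
 dns-server 8.8.8.8
 domain-name corp.local
 lease 0 8
"""
```

When the exclusions split the subnet into several gaps, the first range maps to the primary pool and the rest to entries created with Add Address Pool.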
Migration from FortiGate
In FortiGate, the DHCP server is bound to an interface similarly to pfSense. Key differences include:
- FortiGate uses MAC Access Control List - the pfSense equivalent is implemented through Allow/Deny MAC in advanced options
- Address reservations in FortiGate are configured via config reserved-address - pfSense uses Static Mappings
- FortiGate supports hardware-level DHCP snooping - pfSense implements control through Static ARP
Migration from MikroTik
In MikroTik, the DHCP server, pool, and network parameters are configured as separate objects. In pfSense, all parameters are consolidated on a single interface page.
| MikroTik | pfSense |
|---|---|
| /ip dhcp-server add | Enable DHCP on interface |
| /ip pool add ranges= | Address Pool Range |
| /ip dhcp-server network add | DNS, Gateway, Domain in pool settings |
| /ip dhcp-server lease add | Static Mappings |
| always-broadcast=yes | Configured in additional options |
Related Sections
- DNS in pfSense - configuring DNS Resolver for DHCP hostname registration
- VLAN Setup - creating VLAN interfaces with individual DHCP configuration
- CARP and Virtual IPs - using CARP VIPs as gateway for failover DHCP