Feature #2704

dhclient refuse certain DHCP offers (e.g. private RFC1918 leases on WAN)

Added by Dim Hatz about 7 years ago. Updated about 4 years ago.

dhclient can make use of the "reject x.y.z.w" keyword to refuse certain offers.

Check "How to Prevent DHCP Client from Receiving IP from a Specific Server?".



#1 Updated by Seth Mos about 7 years ago

Do you mean that we want to be able to ignore certain offers? Or are you implying that pfSense is ignoring DHCP offers?

#2 Updated by Chris Buechler about 7 years ago

  • Category set to Interfaces
  • Affected Version deleted (2.1)

The ability to ignore private leases is the request, because some cable modems start handing out private addresses when they lose signal, and some people would prefer to ignore those.

#3 Updated by Jim Pingle about 7 years ago

My cable modem does this, and it's extremely annoying, so I'd be all for such an option. It would also be easy to replicate/test; all I need to do is yank the coax out of my modem.

#4 Updated by Jim Pingle about 7 years ago

Unfortunately, it appears that the reject statement only allows individual IP addresses, so denying all private servers isn't quite that easy. But we could still have a field somewhere to enter some IP addresses to reject leases from; it would be helpful.

#5 Updated by Seth Mos almost 7 years ago

  • Category deleted (Interfaces)
  • Affected Version set to 2.1

Would a hook into the dhclient-script not be an option for this, to return on an "invalid" address?

#6 Updated by Jim Pingle almost 7 years ago

Seth Mos wrote:

Would a hook into the dhclient-script not be an option for this, to return on an "invalid" address?

I suppose that might be viable, but it might require some shell script subnet math (or a small second script/program to test if an IP is inside a given subnet).
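
The "shell script subnet math" mentioned in comment #6, as an added example that is not part of the original thread or of pfSense's dhclient-script: POSIX sh functions that test whether an offered address falls inside an RFC 1918 block. The function names and sample addresses are constructed here, and feeding the check from dhclient-script's `$new_ip_address` variable is an assumption about how a hook would use it.

```sh
#!/bin/sh
# Added example (not pfSense code): IPv4 subnet math in POSIX sh.

# ip_to_int A.B.C.D: print the address as a 32-bit integer.
# Returns 1 on anything that is not a strict dotted quad.
ip_to_int() {
    case "$1" in ''|*[!0-9.]*|*.) return 1 ;; esac
    _ifs=$IFS; IFS=.
    set -- $1            # split on dots; input holds only digits and dots
    IFS=$_ifs
    [ $# -eq 4 ] || return 1
    for _o in "$@"; do
        # Reject empty octets, leading zeros (octal in $(( ))) and >3 digits.
        case "$_o" in ''|0?*|????*) return 1 ;; esac
        [ "$_o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr ADDR NET/PREFIX: 0 = inside, 1 = outside, 2 = malformed input.
in_cidr() {
    _addr=$(ip_to_int "$1") || return 2
    _net=$(ip_to_int "${2%/*}") || return 2
    _bits=${2#*/}
    case "$_bits" in ''|*[!0-9]*|0?*|???*) return 2 ;; esac
    [ "$_bits" -le 32 ] || return 2
    if [ "$_bits" -eq 0 ]; then
        _mask=0          # avoid shifting by the full word width
    else
        _mask=$(( (0xFFFFFFFF << (32 - _bits)) & 0xFFFFFFFF ))
    fi
    [ $(( _addr & _mask )) -eq $(( _net & _mask )) ]
}

# is_rfc1918 ADDR: 0 = private, 1 = not private, 2 = malformed address.
is_rfc1918() {
    for _block in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        _rc=0
        in_cidr "$1" "$_block" || _rc=$?
        [ "$_rc" -eq 1 ] || return "$_rc"   # match (0) or bad input (2)
    done
    return 1
}

# Constructed sample offers; a hook would pass "$new_ip_address" (assumption).
for _a in 192.168.100.10 203.0.113.7; do
    if is_rfc1918 "$_a"; then echo "$_a: private, refuse"; else echo "$_a: accept"; fi
done
```

A malformed address returns 2 rather than 1, so a caller can decide separately whether unparseable input should be treated as a refusal.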

#7 Updated by Phillip Davis almost 7 years ago

The ISC dhclient allows rejecting of subnets:
Quote from ISC dhclient doc:

The above example would cause offers from any server identifier in the
entire RFC 1918 "Class C" network, or the specific
single address, to be rejected.
The dhclient source code (clparse.c parse_reject_statement) has code in it to parse netmasks.
So, for example, it would be possible to have an option to reject all offers of private IPs on WAN.

#8 Updated by Jim Pingle over 6 years ago

  • Status changed from New to Feedback

I added an option for this in 850324a23e45b3a11231f910290f8ff9b774d9bc a few weeks ago, forgot the ticket existed. :-)

#9 Updated by Chris Buechler about 4 years ago

  • Status changed from Feedback to Resolved

Done 2+ years ago.
