IT Services DHCP service and firewalls

The university DHCP service is compatible with departmental/college firewalls, although some care must be taken not to filter legitimate DHCP traffic.

Expand All

A basic DHCP exchange will on the local subnet appear as follows:

   UDP (00:00:39:1C:0C:32) > (FF:FF:FF:FF:FF:FF) DHCP DISCOVER

At this point the client has no IP address and so uses a source address of and source port of 68 (often referred to as bootpc, the BOOTP client port - BOOTP being the forerunner of DHCP). The packet is sent as a UDP broadcast on port 67 (bootps). Normally this packet will be seen by any host on the local subnet.

Because the OUCS DHCP Service has two servers acting for many different subnets, the packets must be passed from the local subnet to the servers at OUCS. This is done at the router, which will forward any broadcast packet received on an interface to the central DHCP servers ( and any change to their IP addresses will be announced in advance on the itss-announce mailing list). The forwarding is performed as unicast packets from the router to each server in turn.

Because the central DHCP service is provided by two DHCP servers, normally a client will receive two offers of an IP address in response to its initial DISCOVER request. There are exceptions if one server is down, or has no free addresses available.

Because the DHCP servers see the request as originating from the router address, they will return it to the router interface on the subnet in question. The router is responsible for forwarding the responses to the client. For a client on the subnet, the reponses will be along the following lines:

   UDP (00:D0:BC:00:11:22) > (00:00:39:1C:0C:32) DHCP OFFER
   UDP (00:D0:BC:00:11:22) > (00:00:39:1C:0C:32) DHCP OFFER

Note that the destination IP address is that which the server is offering to the client while the destination MAC address is that of the client's network interface. Thus the packet will reach the client even though it does not yet have its IP address.

This stage is similar to the first, except that the client now requests a particular IP address from the DHCP server. Additionally, some clients will use this method to request the IP address they previously used (for instance last bootup); if it is denied (DHCP NAK) they will fall back to the first stage.

   UDP (00:00:39:1C:0C:32) > (FF:FF:FF:FF:FF:FF) DHCP REQUEST

Here the server acknowledges the client's request for an IP address. The basics of the packet are the same as for a DHCP OFFER. Once a client receives this packet, it keeps the IP address given until the expiry of the DHCP lease or until it sends a subsequent DHCP request.

   UDP (00:D0:BC:00:11:22) > (00:00:39:1C:0C:32) DHCP ACK

A variation at this stage is for the server to send a DHCP NAK (not acknowledged) which denies the client the IP address it requested.

This is similar to the first DHCP REQUEST but with a crucial difference: the client knows its IP address and that of the server. As the DHCP server is on a different subnet, requests bear the MAC address of the router.

   UDP (00:00:39:1C:0C:32) > (00:D0:BC:00:11:22) DHCP REQUEST

   UDP (00:D0:BC:00:11:22) > (00:00:39:1C:0C:32) DHCP ACK

A DHCP NAK may be returned by the DHCP server if the lease cannot be renewed, at which point the client should abandon its IP address (and may send a DHCPDISCOVER).

A bridging firewall should permit the following packets to pass. We again assume the subnet with gateway; you will need to replace these with your own network, netmask and gateway addresses.


UDP 68  > 67
UDP > 67
UDP > 67


UDP 67 > 68
UDP 67 > 68
UDP 67 > 68

Routing firewalls are more complicated: the firewall itself will be acting as the gateway for internal hosts and must therefore be able to forward the traffic to the external DHCP servers. If purchasing such a firewall you will need to ensure that it can do this, or else implement your own DHCP server in-house.

Get support

Local IT support provide your first line of on-the-spot help



Common requests and fault reports can be logged using self-service




The central Service Desk is available 24x7 on +44 1865 6 12345


If you do not have an SSO account you can use this form to contact the Service Desk