DHCP Guest Range on a Single Subnet

At my new job, we needed to deny unregistered devices access to the internet by default. Normally this should be done via NAC, but all I had available was a Windows DHCP Server, a single subnet (and VLAN), and a perimeter firewall. Upgrading to NAC wasn’t an option at the time.

I wanted to configure the DHCP server so that whitelisted clients would get a DHCP lease from a different IP range than guest clients. That way I can block all traffic to and from the guest IP range at the firewall. This isn’t a robust security solution at all (a client can still pick a static address or spoof a whitelisted MAC), but it was good enough for the specific application.

Here’s how you can configure Windows DHCP Server to put whitelisted machines in a specific IP range, and guest machines in a separate IP range.

  1. Create a ‘DHCP Scope’ that covers the entire IP address range you’d like to use for DHCP. The scope should include both whitelisted PCs and guests.
  2. Create an ‘exclusion range’ in the main scope created in the previous step. The exclusion range will be the ‘guest’ range.
  3. Create a ‘DHCP Policy’ in the main scope.
    Policy Name: “Guest Devices Get Blocked Pool”
  4. Edit the new policy.
  5. On the ‘Conditions’ tab, add a new condition.
    Criteria: MAC Address
    Operator: Not Equals
  6. Populate the new condition’s “Values” with your MAC address whitelist.
  7. Back on the Policy Properties window (‘Conditions’ tab), make sure the ‘AND’ radio button is selected.

An important note is that each condition can only hold about 20 MAC addresses. When you need to whitelist more devices than that, just create another ‘condition’ in the same policy. As long as ‘AND’ is selected as the operator on the ‘Conditions’ tab, it’ll work great.

Another important note is that when running a DHCP failover partner, create the policy on one member and then replicate it to the partner. Every time you whitelist a new machine, you need to initiate a replication.

Here’s some PowerShell to help.

#Replace with the network ID of your scope (placeholder, not from the post):
$ScopeId = '192.168.10.0'

#Get the MAC (ClientId) of every current lease in the scope:
Get-DhcpServerv4Lease -ScopeId $ScopeId | Select-Object ClientId

#Get all whitelisted machines:
(Get-DhcpServerv4Policy -ScopeId $ScopeId -Name 'Guest Devices Get Blocked Pool').MacAddress
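For people who would rather script the console steps above (and the replication step), here is an added example using the DhcpServer PowerShell module. It is not code from the original post: the scope network, address ranges, scope name and the three whitelist MACs are constructed placeholders, and `Get-GuestLease` is a helper I added that joins the two lookups from the post to report which currently leased clients are not on the whitelist. The example mirrors the steps as the post lists them and adds none of its own; it builds the whitelist as a single condition, so for more than the roughly 20 values per condition the post mentions, add further conditions the way it describes.

```powershell
# Added example, not from the original post. Requires the DhcpServer module
# (RSAT: DHCP Server Tools) and a DHCP admin account on the server.
#Requires -Modules DhcpServer

$ScopeId    = '192.168.10.0'                   # placeholder scope network ID
$PolicyName = 'Guest Devices Get Blocked Pool'  # policy name from the post

# Normalise any common MAC notation (colons, dots, dashes, bare hex) to the
# dash-separated upper-case form so list comparisons are reliable.
function ConvertTo-DashMac {
    param([Parameter(Mandatory)][string]$Mac)
    $hex = ($Mac -replace '[^0-9A-Fa-f]', '').ToUpper()
    if ($hex.Length -ne 12) { throw "Not a 48-bit MAC address: '$Mac'" }
    return ($hex -replace '(..)(?!$)', '$1-')
}

# Constructed whitelist; replace with your inventory export.
$Whitelist = @('00:11:22:33:44:55', '0011.2233.4466', '00-11-22-33-44-77') |
    ForEach-Object { ConvertTo-DashMac $_ }

# Step 1: one scope covering the whole DHCP range (whitelisted and guest clients).
Add-DhcpServerv4Scope -Name 'Office LAN (placeholder)' -SubnetMask 255.255.255.0 `
    -StartRange 192.168.10.20 -EndRange 192.168.10.250 -State Active

# Step 2: the guest range, created as an exclusion range in the main scope.
Add-DhcpServerv4ExclusionRange -ScopeId $ScopeId `
    -StartRange 192.168.10.200 -EndRange 192.168.10.250

# Steps 3-7: policy whose condition is "MAC Address Not Equals <whitelist>",
# conditions combined with AND. The first element of -MacAddress is the operator.
Add-DhcpServerv4Policy -ScopeId $ScopeId -Name $PolicyName -Condition AND `
    -MacAddress (@('NE') + $Whitelist)

# The two lookups from the post, joined: which leased clients are NOT whitelisted?
# Useful as a periodic check that the guest pool holds only unknown devices.
function Get-GuestLease {
    param([string]$Scope = $ScopeId, [string]$Name = $PolicyName)

    $allowed = (Get-DhcpServerv4Policy -ScopeId $Scope -Name $Name).MacAddress |
        Where-Object { $_ -notin @('EQ', 'NE') } |          # drop the operator token if present
        ForEach-Object { ConvertTo-DashMac $_ }

    Get-DhcpServerv4Lease -ScopeId $Scope |
        Where-Object { (ConvertTo-DashMac $_.ClientId) -notin $allowed } |
        Select-Object IPAddress, ClientId, HostName, LeaseExpiryTime
}

Get-GuestLease | Format-Table -AutoSize

# Failover partner: push the scope (and its policy) to the partner after every
# whitelist change, as the post notes. -Force skips the confirmation prompt.
Invoke-DhcpServerv4FailoverReplication -ScopeId $ScopeId -Force
```

Run it on the DHCP server (or against it with `-ComputerName` on each cmdlet) after editing the whitelist; `Get-GuestLease` is also handy for spotting a whitelisted device whose lease still sits in the guest range because the policy was changed after the lease was issued.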

Thanks for reading :).