[SOLVED] Feature request: Option to deny DHCP leases to unknown clients in Kea GUI

Started by Netlearn, February 15, 2026, 08:25:19 PM

Hello,

I would like to propose a feature request regarding the Kea DHCP implementation in OPNsense.

Currently, while Kea itself supports configurations where only clients with defined reservations are allowed to receive leases, there is no exposed option in the OPNsense GUI to enforce this behavior (i.e., effectively "deny unknown clients" as in the deprecated ISC).

This request is not based on a security perspective, but on the idea of an additional control layer, ensuring that only explicitly defined hosts receive IP addresses.

For example, if I bring a new device to my network and the MAC is not shown, I can connect it and find it before the device could access the internet or even the local network. This allows me to put the relevant rules on it, allowing or denying what the new device can do beforehand. This is my main use case, but I'm sure there are a lot more.

Having an explicit GUI option such as "Allow only clients with reservations" or "Deny unknown DHCP clients" would improve clarity, usability, and feature parity with both legacy ISC DHCP behavior and Kea's native capabilities.

Maybe, this could be implemented as an advanced option, disabled by default, to preserve current behavior and avoid impacting existing deployments.

Not sure how an issue has to be opened on GitHub or if this question deserves one; I'm not very familiar with the way it should be done, sorry.


As @Patrick suggests in this thread, leaving a subnet with an empty list of pools has the desired effect: the server does not assign an IP to clients without a reservation.

Closing the issue on GitHub.
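To make the "empty pools" approach concrete, here is an added example (not code from OPNsense, Kea, or anyone in this thread) that embeds a constructed Kea Dhcp4 config with one reservation-only subnet (no pools) and one ordinary subnet, then checks which subnets can never serve an unknown client, validates that every reservation sits inside its subnet, and models the reservation-versus-pool decision for a given MAC. The interface name, MACs and prefixes are constructed, and offer_for is a simplified model of Kea's behaviour, not its allocation engine.

```python
"""Kea DHCPv4 'reservation-only' subnet check (added example, not OPNsense/Kea code).

Models the behaviour the thread describes: a subnet whose "pools" list is empty
hands out addresses only to clients that have a host reservation. Everything
below is a constructed sample config and a simplified model of Kea's decision,
not Kea's real allocation engine.
"""
import ipaddress
import json

# Constructed sample Kea Dhcp4 config: one reservation-only subnet (no pools)
# and one ordinary subnet with a dynamic pool. Interface name is made up.
SAMPLE_KEA_CONFIG = json.loads("""
{
  "Dhcp4": {
    "interfaces-config": {"interfaces": ["igc1"]},
    "subnet4": [
      {
        "id": 1,
        "subnet": "192.0.2.0/24",
        "pools": [],
        "reservations": [
          {"hw-address": "02:00:5e:00:00:01", "ip-address": "192.0.2.10"},
          {"hw-address": "02:00:5e:00:00:02", "ip-address": "192.0.2.11"}
        ]
      },
      {
        "id": 2,
        "subnet": "198.51.100.0/24",
        "pools": [{"pool": "198.51.100.100 - 198.51.100.200"}],
        "reservations": []
      }
    ]
  }
}
""")


def reservation_only_subnets(config):
    """Return the subnet prefixes that will never serve an unknown client.

    With no pools there is nothing to allocate dynamically, so only clients
    matching a reservation receive an address.
    """
    return [s["subnet"] for s in config["Dhcp4"]["subnet4"] if not s.get("pools")]


def audit_reservations(config):
    """Flag reservations whose ip-address lies outside their own subnet.

    Kea treats such a reservation as a configuration error; catching it here
    surfaces the mistake before a reload takes the DHCP service down.
    """
    problems = []
    for s in config["Dhcp4"]["subnet4"]:
        net = ipaddress.ip_network(s["subnet"])
        for r in s.get("reservations", []):
            ip = ipaddress.ip_address(r["ip-address"])
            if ip not in net:
                problems.append((r["hw-address"], str(ip), s["subnet"]))
    return problems


def offer_for(config, subnet_id, hw_address):
    """Simplified model of what the server would offer a client on a subnet.

    A reservation match wins; otherwise the first address of the first pool
    stands in for dynamic allocation; with no pools the client gets nothing.
    (Real Kea also tracks leases, client-ids and options; this is only the
    reservation-vs-pool decision the thread is about.)
    """
    subnet = next(s for s in config["Dhcp4"]["subnet4"] if s["id"] == subnet_id)
    for r in subnet.get("reservations", []):
        if r["hw-address"].lower() == hw_address.lower():
            return r["ip-address"]
    for pool in subnet.get("pools", []):
        first, _sep, _last = pool["pool"].partition("-")
        return first.strip()
    return None


if __name__ == "__main__":
    print("reservation-only subnets:", reservation_only_subnets(SAMPLE_KEA_CONFIG))
    print("reservation problems:", audit_reservations(SAMPLE_KEA_CONFIG))
    for mac in ("02:00:5e:00:00:01", "02:00:5e:00:00:99"):
        print(mac, "on subnet 1 ->", offer_for(SAMPLE_KEA_CONFIG, 1, mac))
        print(mac, "on subnet 2 ->", offer_for(SAMPLE_KEA_CONFIG, 2, mac))
```

Running it shows the unknown MAC getting nothing on the pool-less subnet but an address on the ordinary one, which is exactly the "deny unknown clients" effect the thread settles on; the audit function is the check worth running before reloading Kea, since a reservation outside its subnet is the most common way this configuration fails to load.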


The request has been closed with the response pasted below.

DENY UNKNOWN option in ISC is still needed for the more security conscious.

Even if a DHCP pool is left empty, if an endpoint has a static configuration it will still be able to connect.

DENY UNKNOWN will remove the ability for a rogue endpoint to be connected that's got static IP?

=====================
Opnlearn
last week
Author
As suggested in this thread, leaving a subnet with an empty list of pools has the desired effect: the server does not assign an IP to clients without a reservation.

Proceeding to close the issue for that reason.

=====================

Quote from: Dizzy Reprobate on March 07, 2026, 11:00:42 PM
DENY UNKNOWN will remove the ability for a rogue endpoint to be connected that's got static IP?

No. A client with its own static configuration will always be able to connect regardless of the DHCP server configuration. "Deny unknown" in ISC does not prevent that and never did.

Keep rogue devices out of your network.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Quote from: Dizzy Reprobate on March 07, 2026, 11:00:42 PM
DENY UNKNOWN option in ISC is still needed for the more security conscious.

There are two different "ticks" in ISC:
1. Deny unknown clients.
2. Static ARP.

If you want to deny addressing configuration if the client doesn't have a reservation: use 1.
If you want to deny any communication from clients without a MAC/IP match: use 2.

None of them can be considered a security feature. MAC spoofing is very easy to do, and thinking of these features as "security" can lead to very bad surprises.
Also, implementing "static ARP" is a delicate thing, as you could easily lock yourself out. If there is more than one admin, this gets even worse.

The main point: Do not think of these features as security measures!