Set a subnet mask in Microsoft DHCP


During one of my Citrix ADC projects, I came across a strange problem. I had to give external users access to a certain IoT device. These very devices don’t support static addressing (!) and are well known for being exploitable, however, there is no really secure alternative available on the market. Because of this, my customer wanted to restrict these crappy devices to a certain range of IP addresses, close to the gateway. This would have been done by narrowing the subnet mask. Unfortunately, I could not solve the problem, as Microsoft’s DHCP servers don’t support DHCP option 1 (Subnet Mask). Even aunty Google didn’t have a clue on how to do it.

I had been lucky, my college Darren Harding (also Citrix CTA, specialized in virtualization) could help. Many thanks to him!

As Google didn’t know how to do it, I made up my mind to publish a note on this subject.

My customer’s network plan

Network: (
Servers: in range from to
DHCP Scope for end-user devices: to
Gateway: (last IP in range)

Desired solution:

The IoT devices should be inside the IP range, the gateway should be, DNS The devices would be locked into this class C range and not be able to connect to any devices except the gateway. At the same time, local machines would not be able to connect to these IoT devices, but this is no problem for my customer, they are used from outside only. The internet connection is the only thing they are allowed to share with the rest of the network.

We decided to go with address leases in DHCP (there is just a hand full of devices, so the overhead is rather little)

The problem

Being a UNIX/Linux guy, I immediately thought of sending the DHCP option 1 (subnet mask), but the Microsoft DHCP server does not permit setting it. It simply does not exist. It supports all pointless DHCP options, but not option 1. Any DHCP server allows to use it, but Microsoft thought for odd reasons, this is not desired.

The solution

Use Powershell! It’s easy:

Set-DhcpServerv4OptionValue -ReservedIP -OptionId 001 -value

The command executed without any error. Unfortunately, it seemed like I had no success, as the subnet mask never showed up in GUI.

I double-checked from PowerShell. Now I could see the result::

PS C:\> Get-DhcpServerv4OptionValue -ReservedIP
OptionId Name Type       Value           VendorClass 
-------- ---- ----       -----           ----------- 
1 Subnet Mask IPv4Add... {}


About the author

Johannes Norz

Johannes Norz is a Citrix Certified Citrix Technology Advocate (CTA), Citrix Certified Instructor (CCI) and Citrix Certified Expert on Application Delivery and Security (CCE-AppDS).

He frequently works for Citrix international Consulting Services and several education centres all around the globe.

Johannes lives in Austria. He had been borne in Innsbruck, a small city (150.000 inhabitants) in the middle of the most beautiful Austrian mountains (

Add comment

Recent Posts

Recent Comments