
A self-hosted appliance that inspects every DHCP transaction.

It enforces verdicts inside the Linux kernel, and keeps the full record for monitoring, forensics, and compliance.

DHCP Shield Pro NOC dashboard: service health score, firewall load relief, DHCP traffic volume by message type, transaction fulfilment rates, rate-limited MACs, and DHCPv4/DHCPv6 message-rate charts on one screen.
The NOC dashboard — health, traffic, and enforcement at a glance, on one screen.

Overview

What DHCP Shield Pro is

DHCP is one of the quietest, least-watched protocols on a network — and one of the easiest to abuse. A single misbehaving or hostile client can exhaust an address pool, impersonate other devices, or flood a server until legitimate clients can't get a lease. Traditional firewalls and DHCP appliances either don't look this deep or can't act fast enough to matter.

DHCP Shield Pro reads every DHCP exchange in full, decides what to do about each client, and enforces that decision inside the Linux kernel — then records the whole transaction so you can answer "what happened, and why" weeks later. It runs on your own infrastructure with no cloud dependency and no mandatory phone-home.

Capabilities

What it does

01

Deep packet inspection

Full DHCPv4 + DHCPv6 parse — every option, every relay sub-option, message-type aware. Sixteen RFCs, subscriber traceability through Option 82, queryable across your retention window.
02

Enforcement & control

Block, throttle, allow, or monitor any client — enforced inline by the Linux kernel. Manual actions, scheduled automation, bulk operations, a full firewall manager, and downstream notifications. If inspection ever stops, traffic passes through untouched.
03

Observability

Live dashboards, a device inventory with full history, statistics, a traffic-flow visualizer, and a network map — plus deterministic weekly reports and compliance exports across your whole retention window.
04

Investigation

Watch the live DHCP stream, capture packets on demand with PCAP download, review every firewall decision, raise per-device alarms, and drop into an appliance terminal — drill from the whole network down to one device.
05

Extensibility & integrations

200+ documented REST endpoints and 45 MCP tools. Export metrics to Prometheus and forward events through Vector to the systems you already run.
06

Support console

Built-in product documentation and a growing library of use cases, an optional AI assistant, and one-click human escalation over an auditable channel — help on your terms.

Architecture

Architecture at a glance

The appliance sits inline on the DHCP path: the kernel hands each packet to the inspection engine, the engine returns a verdict, and the kernel enforces it — all before the packet reaches your DHCP server. Live and historical views, the report builder, and the MCP server sit on top. There is no cloud dependency and no mandatory phone-home, and if the inspection service stops, DHCP keeps flowing.

Figure: DHCP Shield Pro on-appliance packet processing flow. A DHCP packet on the wire enters the Linux kernel data plane at the nftables prerouting hook, is queued to userspace via NFQUEUE, and reaches the inspection service, which parses, matches, marks and decides a verdict. The verdict and mark return to the kernel nftables enforcement stage, which blocks or throttles offenders and forwards accepted packets to the DHCP server (Kea, ISC, …); the mark is also installed back at prerouting for subsequent packets. In parallel, the inspection service records every transaction to a local ClickHouse store feeding the on-appliance admin GUI and event stream. Inspection runs in userspace and enforcement runs in the kernel; a stalled inspector fails open, so traffic keeps flowing.
On-appliance packet processing: inspection in userspace, enforcement in the kernel — fail-open.
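
The parse step of the inspection flow described above, as an added example (not DHCP Shield Pro's code): a minimal DHCPv4 option walker that extracts the message type, client MAC, and the Option 82 circuit-id and remote-id sub-options that the page ties to subscriber traceability. The function names and the sample packet are constructed for illustration.

```python
MAGIC = b"\x63\x82\x53\x63"  # DHCP magic cookie that follows the 236-byte BOOTP header
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
             5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}

def parse_tlvs(buf, dhcp_rules=True):
    """Walk code/length/value triplets; with dhcp_rules, 0 is PAD and 255 is END."""
    out, i = {}, 0
    while i < len(buf):
        code = buf[i]
        if dhcp_rules and code == 0:
            i += 1
            continue
        if dhcp_rules and code == 255:
            break
        if i + 2 > len(buf) or i + 2 + buf[i + 1] > len(buf):
            raise ValueError("truncated option %d" % code)  # never read past the buffer
        length = buf[i + 1]
        out[code] = out.get(code, b"") + buf[i + 2:i + 2 + length]  # RFC 3396 concat
        i += 2 + length
    return out

def parse_dhcpv4(payload):
    """Return the fields an inspector would key on for one DHCPv4 message."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCPv4 message")
    hlen = min(payload[2], 16)                       # chaddr field is 16 bytes at most
    opts = parse_tlvs(payload[240:])
    relay = parse_tlvs(opts.get(82, b""), dhcp_rules=False)  # sub-options: no PAD/END
    return {
        "mac": payload[28:28 + hlen].hex(":"),
        "giaddr": ".".join(map(str, payload[24:28])),
        "type": MSG_TYPES.get((opts.get(53) or b"\x00")[0], "UNKNOWN"),
        "circuit_id": relay.get(1),                  # RFC 3046 Agent Circuit ID
        "remote_id": relay.get(2),                   # RFC 3046 Agent Remote ID
    }

def sample_discover():
    """Constructed relayed DISCOVER: BOOTP header, then options 53 and 82."""
    hdr = bytearray(236)
    hdr[0:3] = bytes([1, 1, 6])                      # op=BOOTREQUEST, Ethernet, hlen=6
    hdr[24:28] = bytes([10, 0, 0, 1])                # giaddr filled in by the relay
    hdr[28:34] = bytes.fromhex("02aabbccddee")       # chaddr (constructed MAC)
    opt82 = b"\x01\x04eth3" + b"\x02\x06" + bytes.fromhex("001122334455")
    opts = b"\x35\x01\x01" + bytes([82, len(opt82)]) + opt82 + b"\xff"
    return bytes(hdr) + MAGIC + opts
```

The length check in `parse_tlvs` is the part that matters for an inline inspector: a client controls every length byte, so a malformed option has to surface as an error instead of a read past the end of the packet.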


See it on your own network.

Open documentation, a real product, and a team that knows DHCP.