System requirements
What the host needs before you install — and how to size it.
Platform
DHCP Shield Pro is a self-hosted Linux appliance. It inspects packets in userspace and enforces verdicts inside the kernel via nftables and NFQUEUE — the Linux mechanism that hands selected packets to a userspace program and accepts its accept/drop verdict. The recommended unit of deployment is a single VM or LXC container dedicated to the appliance.
- Operating system: 64-bit Ubuntu (x86-64). See supported distributions below.
- Privileges: the packet processor needs the kernel capabilities for NFQUEUE and for managing nftables rules (it runs as a privileged systemd service); the API and web console run alongside it on the same host.
- Placement: for enforcement (inline mode) the host must sit in the DHCP packet path. For monitoring only (mirrored mode) it receives copies of traffic via a SPAN/mirror port or a TZSP tunnel.
- Storage backend: ClickHouse ships with the appliance and the installer sets it up — no separate database deployment is required.
- Optional LLM backend: a separate host exposing an OpenAI-compatible API (for example llama.cpp), for plain-language anomaly explanations. Off by default; heuristic detection runs without it.
Distributions
Supported Linux distributions
- Ubuntu 24.04 LTS
- Ubuntu 26.04 LTS
The limiting factor is the installer, not the appliance. The packet processor, the nftables ruleset, and ClickHouse run on any current Linux kernel, but the installer provisions the host through Ubuntu's apt packages and is tested only against these two releases. Other systemd-based distributions are technically capable of running the appliance; we expect to broaden installer coverage as demand warrants. If you need a distribution that isn't listed, talk to us.
Kernel
Kernel modules & services
The host must be able to load nf_tables, nfnetlink_queue, and nfnetlink. All three are part of the mainline Linux kernel and are present by default on the supported Ubuntu releases — there is nothing out-of-tree to compile.
Kernel modules
- nf_tables — the nftables core. Holds the shipped inspection ruleset and applies the in-kernel verdict (accept, drop, or rate-limit) once the inspector has classified a packet.
- nfnetlink_queue — the NFQUEUE backend. Hands selected DHCP packets up to the userspace processor and carries its verdict back down into the kernel.
- nfnetlink — the netlink transport the two modules above ride on.
The installer also raises file-descriptor limits for the processor and applies a small set of sysctls. Both are written during installation; no manual kernel tuning is required.
Services
The appliance runs as a set of systemd units on the one host. A working install has:
- dhcp-processor — the packet processor. Pulls DHCP packets off NFQUEUE, parses and classifies them, and writes the verdict back. Runs privileged; this is the core of the appliance.
- dhcp-dpi-api — serves the REST API and the web console behind nginx.
- nginx — terminates TLS and reverse-proxies the API and console over HTTPS.
- clickhouse-server — stores DHCP events and serves the materialised views the analytics layer reads.
- dhcp-dpi-tileserver (optional) — local map tiles for the geolocation flow visualiser. Present only if you install the tile-server package.
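A post-install check for the kernel modules and systemd units named in this section, as an added example rather than the vendor's own tooling. The function names and the `--live` switch are assumptions, and the optional dhcp-dpi-tileserver unit is deliberately left out.

```shell
# Added example (not the vendor's code); function names and --live are assumptions.
REQUIRED_MODULES="nf_tables nfnetlink_queue nfnetlink"
REQUIRED_UNITS="dhcp-processor dhcp-dpi-api nginx clickhouse-server"

# Print every required module absent from a /proc/modules-format listing.
# Names are compared as whole fields, so nfnetlink_queue never counts as nfnetlink.
missing_modules() {
    mm_listing="${1:-/proc/modules}"
    for mm_mod in $REQUIRED_MODULES; do
        awk -v want="$mm_mod" '$1 == want { found = 1 } END { exit !found }' \
            "$mm_listing" || echo "$mm_mod"
    done
}

# Read "<unit> <state>" lines on stdin; print every required unit that is
# not reported exactly as "active" (failed, inactive, or missing entirely).
inactive_units() {
    iu_states="$(cat)"
    for iu_unit in $REQUIRED_UNITS; do
        printf '%s\n' "$iu_states" | grep -qxF "$iu_unit active" || echo "$iu_unit"
    done
}

# Query systemd for the live state of each required unit.
live_unit_states() {
    for lu_unit in $REQUIRED_UNITS; do
        printf '%s %s\n' "$lu_unit" "$(systemctl is-active "$lu_unit" 2>/dev/null)"
    done
}

# Full check against the running host; returns non-zero on any hard failure.
# A module that is not loaded yet only warns if the kernel can still load it.
preflight() {
    pf_rc=0
    for pf_mod in $(missing_modules); do
        if modprobe --dry-run "$pf_mod" 2>/dev/null; then
            echo "WARN module $pf_mod not loaded, but loadable"
        else
            echo "FAIL module $pf_mod unavailable"; pf_rc=1
        fi
    done
    for pf_unit in $(live_unit_states | inactive_units); do
        echo "FAIL unit $pf_unit is not active"; pf_rc=1
    done
    return $pf_rc
}

if [ "${1:-}" = "--live" ]; then preflight; fi
```

Run it with `--live` on the appliance host; in an LXC container the modules must be loaded on the container's host kernel, so a FAIL there points at the hypervisor rather than the guest.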
Dependencies
Installed dependencies
The installer pulls its dependencies from Ubuntu's apt repositories, and ClickHouse from the ClickHouse project's repository, so the host needs outbound internet access during installation. Most are standard system utilities; the tables below list what gets installed and why the appliance uses it.
Required
| Package | Role in the appliance |
|---|---|
| nginx | Terminates TLS and reverse-proxies the API and web console over HTTPS. |
| nftables | In-kernel packet classification and verdict enforcement; hosts the shipped inspection ruleset. |
| clickhouse-server, clickhouse-client | Column store for DHCP events and the analytics views. Installed from the ClickHouse project's apt repository. |
| openssl | Generates the self-signed TLS certificate nginx serves on first install. |
| iproute2 | The ip command and routing utilities for interface setup and inspection. |
| ethtool | NIC diagnostics — offload and queue settings that affect packet capture. |
| tcpdump | Packet-capture fallback for diagnostics. |
| openssh-client | Outbound SSH for the support backchannel. |
| openssh-server | Inbound SSH for operator host access. |
| rsync | Bundles backups and diagnostics for transfer. |
| socat | Socket relay for diagnostics tunnels. |
| curl | Health checks against the API and console. |
| jq | JSON parsing in the provisioning and runtime helper scripts. |
| apt-transport-https, ca-certificates, gnupg | Add and verify the ClickHouse apt repository during installation. |
Optional
Installed when available and skipped cleanly when not — the appliance runs without them, with the related feature disabled.
| Package | Role in the appliance |
|---|---|
| tshark | Backs the in-console packet-capture feature; capture is disabled if absent. |
| chrony | Installed only if no active time sync is found. Clocks matter — ClickHouse event timestamps depend on them; an already-running systemd-timesyncd is accepted instead. |
| nmap | Active device probing and diagnostics. |
| dhcp-probe | Detects rogue or unauthorised DHCP servers on the segment. |
| dhcpdump | Human-readable DHCP packet printing for diagnostics. |
Sizing
Sizing the host
DHCP is a low-bandwidth, bursty protocol, so the appliance is CPU-bound long before the NIC is: size to your peak DHCP request rate, not your average, on a dedicated VM or LXC. A small evaluation host — 2 vCPU, 4 GB RAM, 40 GB disk — is enough to install, run against mirrored or light traffic, and explore the console.
For production figures, the sizing & capacity planning page carries an interactive calculator and the measured benchmark behind it: throughput per core, the serve-vs-deny trade-off under attack, and disk by retention window.
Size your deployment → the capacity calculator turns your device count, request rate, and retention window into a host footprint.