Summary
On 15 July 2025, we will deploy a change to the DHCP server used to configure a server's private network interfaces. Until this change, the DHCP server has been sending both a Router Option (code 3) and a Classless Static Route Option (code 133). After the change, the DHCP server will cease sending the Router Option.
Although RFC3442, which defines the Classless Static Route Option, states "If the DHCP server returns both a Classless Static Routes option and a Router option, the DHCP client MUST ignore the Router option.", some DHCP clients did not ignore the Router option, and hence installed a default route towards the private network gateway IP address, thereby most likely configuring the system to route all traffic over the private network.
Without the Router option, the default route will no longer be installed automatically, and only traffic destined towards the private network prefix, e.g., 10.0.0.0/16 (or the prefix you're using) is routed over the private network.
This may impact your setup if traffic for other destinations should be routed across the private network, e.g., using a NAT or VPN gateway, and you did not explicitly configure a default route, or routes for the other destinations outside of the private network prefix, towards the private network.
Am I affected?
To be affected by this change, all of the following circumstances must be true:
First, and foremost, you are using a private network to connect your servers.
Secondly, you are using a Linux distribution with an affected DHCP client, for example RHEL-based distros (Fedora, CentOS Stream, Rocky Linux) and NetworkManager, or Microsoft Windows.
This implies that you have disabled the automatic network configuration provided by our hc-utils package (on Linux systems).
Additionally, you are using the private network to reach destinations outside of the private network itself, e.g., using a server as NAT/VPN gateway, and servers do not have a static route configured for the target prefixes, but rely on the default route learned via DHCP.
Verification
If you are unsure whether your servers might be affected, you can verify whether a default route was learned via DHCP using:
ip route show dev PRIVATE_NETWORK_INTERFACE
On CentOS 7 servers, the network interface names are:
Network | Name |
---|---|
First attached network | eth1 |
Additional interfaces (second) | eth2 |
Additional interfaces (third) | eth3 |
On Debian / Ubuntu, Fedora, Alma/CentOS/Rocky 8 or higher, the network interface names are:
Network | CX*1, CCX*1 | CX*2, CPX, CAX, CCX*2, CCX*3 |
---|---|---|
First attached network | ens10 | enp7s0 |
Additional interfaces (second) | ens11 | enp8s0 |
Additional interfaces (third) | ens12 | enp9s0 |
If the output contains a line that starts with "default via" and includes "proto dhcp", like the first line below, the server has learned a default route via DHCP and is affected.
# ip route show dev eth1
default via 10.1.0.1 proto dhcp src 10.1.0.3 metric 101
10.1.0.0/16 via 10.1.0.1 proto dhcp src 10.1.0.3 metric 101
10.1.0.1 proto dhcp scope link src 10.1.0.3 metric 101
If the output contains only the routes for the private network prefix and the private network gateway (first IP of the private network prefix), the system is not affected.
# ip route show dev eth1
10.1.0.0/16 via 10.1.0.1 proto dhcp src 10.1.0.3 metric 101
10.1.0.1 proto dhcp scope link src 10.1.0.3 metric 101
If you have configured a static default route, the system is also not affected.
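The check above as a script, added here as an example and not part of the original notice or of hc-utils: it classifies `ip route show dev ...` output using the criterion on this page (a `default` line carrying `proto dhcp`). The function names, the result labels and the `proto static` sample are assumptions; the other two samples are the outputs shown above.

```shell
#!/bin/sh
# Added example (not from the original notice). Labels are hypothetical:
#   affected          default route learned via DHCP, goes away with the change
#   non-dhcp-default  default route present without "proto dhcp"; assumed here
#                     to be statically configured, so it stays in place
#   not-affected      no default route on this interface

# classify_routes: reads `ip route show dev IFACE` output on stdin.
classify_routes() {
    awk '
        $1 == "default" {
            dhcp = 0
            for (i = 2; i < NF; i++)
                if ($i == "proto" && $(i + 1) == "dhcp") dhcp = 1
            if (dhcp) seen_dhcp = 1; else seen_other = 1
        }
        END {
            # A non-DHCP default survives the change, so it takes precedence.
            if (seen_other)     print "non-dhcp-default"
            else if (seen_dhcp) print "affected"
            else                print "not-affected"
        }'
}

# check_iface: live check; pass the private interface name (eth1, ens10, enp7s0, ...).
check_iface() {
    ip route show dev "$1" | classify_routes
}

# Sample inputs: the first two are the outputs shown on this page,
# the third is constructed for this example.
SAMPLE_AFFECTED='default via 10.1.0.1 proto dhcp src 10.1.0.3 metric 101
10.1.0.0/16 via 10.1.0.1 proto dhcp src 10.1.0.3 metric 101
10.1.0.1 proto dhcp scope link src 10.1.0.3 metric 101'

SAMPLE_CLEAN='10.1.0.0/16 via 10.1.0.1 proto dhcp src 10.1.0.3 metric 101
10.1.0.1 proto dhcp scope link src 10.1.0.3 metric 101'

SAMPLE_STATIC='default via 10.1.0.1 proto static metric 100
10.1.0.0/16 via 10.1.0.1 proto dhcp src 10.1.0.3 metric 101
10.1.0.1 proto dhcp scope link src 10.1.0.3 metric 101'

for sample in "$SAMPLE_AFFECTED" "$SAMPLE_CLEAN" "$SAMPLE_STATIC"; do
    printf '%s\n' "$sample" | classify_routes
done
```

On a server, call `check_iface eth1` (or the interface name from the tables above) instead of piping a sample.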
Required changes
If your systems are affected, and you intend to route all traffic over a private network, please make sure to configure a static default route towards the virtual gateway IP (first IP of the private network prefix). In this case, we suggest using a manual static network configuration, to make sure IP address(es) and route are present at all times. For more information about configuring your client servers, please consult the community tutorial "How to set up NAT gateway for private Cloud Networks", especially step 3 and step 4 - Achieving a persistent configuration.