diff --git a/internal/pxe/dnsmasq.go b/internal/pxe/dnsmasq.go
index 56943af..6cc8916 100644
--- a/internal/pxe/dnsmasq.go
+++ b/internal/pxe/dnsmasq.go
@@ -212,10 +212,17 @@ func (s *Supervisor) writeConf(hosts []model.Host) error {
 	if err != nil {
 		return fmt.Errorf("create conf: %w", err)
 	}
+	_, ipnet, err := net.ParseCIDR(s.cfg.Subnet)
+	if err != nil {
+		_ = f.Close()
+		return fmt.Errorf("parse subnet %q: %w", s.cfg.Subnet, err)
+	}
 	data := struct {
-		Cfg   SupervisorConfig
-		Hosts []model.Host
-	}{s.cfg, hosts}
+		Cfg     SupervisorConfig
+		Hosts   []model.Host
+		Network string
+		Netmask string
+	}{s.cfg, hosts, ipnet.IP.String(), net.IP(ipnet.Mask).String()}
 	if err := tmpl.Execute(f, data); err != nil {
 		_ = f.Close()
 		return fmt.Errorf("render conf: %w", err)
@@ -264,7 +271,9 @@ no-resolv
 # Proxy DHCP: coexist with the LAN's real DHCP server. We never hand
 # out an IP — we only answer the PXE options (option 66/67 and the
 # PXE BINL on port 4011) when a registered MAC boots from the network.
-dhcp-range={{ .Cfg.Subnet }},proxy
+# dnsmasq's proxy syntax takes a bare network address + netmask, not a
+# CIDR — we split Subnet upstream in writeConf().
+dhcp-range={{ .Network }},proxy,{{ .Netmask }}
 
 # MAC allowlist: dnsmasq only answers DHCP for MACs with a dhcp-host= below.
 dhcp-ignore=tag:!known