diff --git a/cmd/vetting/main.go b/cmd/vetting/main.go
index 00036ca..5633fac 100644
--- a/cmd/vetting/main.go
+++ b/cmd/vetting/main.go
@@ -151,7 +151,7 @@ func main() {
 		supervisor = pxe.NewSupervisor(pxe.SupervisorConfig{
 			Enabled:         true,
 			Interface:       cfg.PXE.Interface,
-			DHCPRange:       cfg.PXE.DHCPRange,
+			Subnet:          cfg.PXE.Subnet,
 			OrchestratorURL: cfg.PXE.OrchestratorURL,
 			RuntimeDir:      filepath.Join(stateRoot, "pxe"),
 			TFTPRoot:        tftpRoot,
diff --git a/deploy/pxe-setup.sh b/deploy/pxe-setup.sh
index d5853cf..95b378b 100755
--- a/deploy/pxe-setup.sh
+++ b/deploy/pxe-setup.sh
@@ -3,9 +3,12 @@
 #
 # Run AFTER deploy/install.sh on the LXC (or wherever the orchestrator
 # lives). Fetches pinned iPXE binaries, places the live image, and
-# writes the pxe: block of /etc/vetting/vetting.yaml. Does NOT create
-# the PXE bridge — that's a hypervisor-level step, see
-# docs/operations.md.
+# writes the pxe: block of /etc/vetting/vetting.yaml.
+#
+# dnsmasq runs in proxy-DHCP mode: it coexists with whatever DHCP
+# server already serves your LAN (UniFi, pfSense, Asus, etc.) and
+# only supplements the PXE options. No dedicated bridge, no VLAN,
+# no cabling changes.
 #
 # Idempotent: safe to re-run with the same args. A second run with
 # different args overwrites the pxe: block; pass --force to override
@@ -13,9 +16,9 @@
 #
 # Usage:
 #   sudo ./pxe-setup.sh \
-#       --interface eth1 \
-#       --dhcp-range 10.77.0.100,10.77.0.200,12h \
-#       --orchestrator-url http://10.77.0.2:8080
+#       --interface eth0 \
+#       --subnet 192.168.1.0/24 \
+#       --orchestrator-url http://192.168.1.135:8080
 #
 #   Optional:
 #     --tftp-root DIR         default /var/lib/vetting/tftp
@@ -26,7 +29,7 @@
 set -euo pipefail
 
 INTERFACE=""
-DHCP_RANGE=""
+SUBNET=""
 ORCH_URL=""
 TFTP_ROOT="/var/lib/vetting/tftp"
 LIVE_DIR="/var/lib/vetting/live"
@@ -38,13 +41,13 @@ SERVICE_USER="vetting"
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 
 usage() {
-    sed -n '2,24p' "${BASH_SOURCE[0]}"
+    sed -n '2,28p' "${BASH_SOURCE[0]}"
 }
 
 while [[ $# -gt 0 ]]; do
     case "$1" in
         --interface)        INTERFACE="$2"; shift 2 ;;
-        --dhcp-range)       DHCP_RANGE="$2"; shift 2 ;;
+        --subnet)           SUBNET="$2"; shift 2 ;;
         --orchestrator-url) ORCH_URL="$2"; shift 2 ;;
         --tftp-root)        TFTP_ROOT="$2"; shift 2 ;;
         --live-dir)         LIVE_DIR="$2"; shift 2 ;;
@@ -61,9 +64,9 @@ if [[ $EUID -ne 0 ]]; then
     exit 1
 fi
 
-[[ -z "${INTERFACE}" ]]  && { echo "ERROR: --interface is required" >&2; exit 2; }
-[[ -z "${DHCP_RANGE}" ]] && { echo "ERROR: --dhcp-range is required" >&2; exit 2; }
-[[ -z "${ORCH_URL}" ]]   && { echo "ERROR: --orchestrator-url is required" >&2; exit 2; }
+[[ -z "${INTERFACE}" ]] && { echo "ERROR: --interface is required" >&2; exit 2; }
+[[ -z "${SUBNET}" ]]    && { echo "ERROR: --subnet is required (e.g. 192.168.1.0/24)" >&2; exit 2; }
+[[ -z "${ORCH_URL}" ]]  && { echo "ERROR: --orchestrator-url is required" >&2; exit 2; }
 
 # --- sanity checks -----------------------------------------------------
 
@@ -73,10 +76,10 @@ if ! ip link show "${INTERFACE}" >/dev/null 2>&1; then
     exit 1
 fi
 
-# "start_ip,end_ip,lease" — dnsmasq will still validate, but catch the
-# obvious shape errors before we write anything to disk.
-if [[ ! "${DHCP_RANGE}" =~ ^([0-9]{1,3}\.){3}[0-9]{1,3},([0-9]{1,3}\.){3}[0-9]{1,3},[^[:space:]]+$ ]]; then
-    echo "ERROR: --dhcp-range must be start_ip,end_ip,lease (e.g. 10.77.0.100,10.77.0.200,12h)" >&2
+# CIDR shape check — dnsmasq will re-validate, but catch the obvious
+# errors before we write anything to disk.
+if [[ ! "${SUBNET}" =~ ^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$ ]]; then
+    echo "ERROR: --subnet must be CIDR form (e.g. 192.168.1.0/24), got '${SUBNET}'" >&2
     exit 2
 fi
 
@@ -226,17 +229,17 @@ extract_yaml_value() {
     ' "${path}"
 }
 
-existing_iface="$(extract_yaml_value interface  "${CONFIG}")"
-existing_range="$(extract_yaml_value dhcp_range "${CONFIG}")"
+existing_iface="$(extract_yaml_value interface "${CONFIG}")"
+existing_subnet="$(extract_yaml_value subnet   "${CONFIG}")"
 
 if [[ -n "${existing_iface}" && "${existing_iface}" != "${INTERFACE}" && ${FORCE} -eq 0 ]]; then
     echo "ERROR: pxe.interface in ${CONFIG} is already set to ${existing_iface}, which" >&2
     echo "       differs from --interface ${INTERFACE}. Pass --force to overwrite." >&2
     exit 1
 fi
-if [[ -n "${existing_range}" && "${existing_range}" != "${DHCP_RANGE}" && ${FORCE} -eq 0 ]]; then
-    echo "ERROR: pxe.dhcp_range in ${CONFIG} is already ${existing_range}, which" >&2
-    echo "       differs from --dhcp-range ${DHCP_RANGE}. Pass --force to overwrite." >&2
+if [[ -n "${existing_subnet}" && "${existing_subnet}" != "${SUBNET}" && ${FORCE} -eq 0 ]]; then
+    echo "ERROR: pxe.subnet in ${CONFIG} is already ${existing_subnet}, which" >&2
+    echo "       differs from --subnet ${SUBNET}. Pass --force to overwrite." >&2
     exit 1
 fi
 
@@ -244,7 +247,7 @@ new_block=$(cat <<EOF
 pxe:
   enabled: true
   interface: "${INTERFACE}"
-  dhcp_range: "${DHCP_RANGE}"
+  subnet: "${SUBNET}"
   orchestrator_url: "${ORCH_URL}"
   tftp_root: "${TFTP_ROOT}"
   live_dir: "${LIVE_DIR}"
diff --git a/deploy/vetting.example.yaml b/deploy/vetting.example.yaml
index b18e000..373efd2 100644
--- a/deploy/vetting.example.yaml
+++ b/deploy/vetting.example.yaml
@@ -35,9 +35,9 @@ dispatcher:
 
 pxe:
   enabled: false
-  interface: ""                          # e.g. "eth0"
-  dhcp_range: ""                         # e.g. "10.77.0.100,10.77.0.200,12h"
-  orchestrator_url: ""                   # e.g. "http://10.77.0.1:8080"
+  interface: ""                          # LAN NIC, e.g. "eth0"
+  subnet: ""                             # LAN CIDR, e.g. "192.168.1.0/24"; proxy-DHCP scope
+  orchestrator_url: ""                   # e.g. "http://192.168.1.135:8080"
   tftp_root: ""                          # holds ipxe.efi + undionly.kpxe
   live_dir: ""                           # holds vmlinuz + initrd.img; served at /live/*
 
diff --git a/deploy/vetting.production.yaml b/deploy/vetting.production.yaml
index a2026e0..2191661 100644
--- a/deploy/vetting.production.yaml
+++ b/deploy/vetting.production.yaml
@@ -33,9 +33,9 @@ dispatcher:
 
 pxe:
   enabled: false
-  interface: ""                          # e.g. "eth0"
-  dhcp_range: ""                         # e.g. "10.77.0.100,10.77.0.200,12h"
-  orchestrator_url: ""                   # e.g. "http://10.77.0.1:8080"
+  interface: ""                          # LAN NIC, e.g. "eth0"
+  subnet: ""                             # LAN CIDR, e.g. "192.168.1.0/24"; dnsmasq runs in proxy-DHCP mode scoped to this subnet, coexisting with the LAN's existing DHCP server
+  orchestrator_url: ""                   # e.g. "http://192.168.1.135:8080"
   tftp_root: "/var/lib/vetting/tftp"     # holds ipxe.efi + undionly.kpxe
   live_dir: "/var/lib/vetting/live"      # holds vmlinuz + initrd.img; served at /live/*
 
diff --git a/internal/config/config.go b/internal/config/config.go
index 9371299..a064f20 100644
--- a/internal/config/config.go
+++ b/internal/config/config.go
@@ -66,7 +66,7 @@ type Network struct {
 type PXE struct {
 	Enabled         bool   `yaml:"enabled"`
 	Interface       string `yaml:"interface"`
-	DHCPRange       string `yaml:"dhcp_range"`
+	Subnet          string `yaml:"subnet"` // LAN CIDR, e.g. "192.168.1.0/24"; dnsmasq runs in proxy-DHCP mode scoped to this subnet
 	OrchestratorURL string `yaml:"orchestrator_url"`
 	TFTPRoot        string `yaml:"tftp_root"` // holds ipxe.efi + undionly.kpxe
 	LiveDir         string `yaml:"live_dir"`  // holds vmlinuz + initrd.img; served at /live
diff --git a/internal/pxe/dnsmasq.go b/internal/pxe/dnsmasq.go
index 7e201a7..56943af 100644
--- a/internal/pxe/dnsmasq.go
+++ b/internal/pxe/dnsmasq.go
@@ -11,7 +11,6 @@ import (
 	"os"
 	"os/exec"
 	"path/filepath"
-	"regexp"
 	"runtime"
 	"strings"
 	"sync"
@@ -25,7 +24,7 @@ import (
 type SupervisorConfig struct {
 	Enabled         bool
 	Interface       string // e.g. "eth0"
-	DHCPRange       string // e.g. "10.77.0.100,10.77.0.200,12h"
+	Subnet          string // LAN CIDR, e.g. "192.168.1.0/24"; scopes the proxy-DHCP response
 	OrchestratorURL string // baked into iPXE scripts
 	RuntimeDir      string // writable dir for dnsmasq.conf and leases
 	TFTPRoot        string // holds ipxe.efi, undionly.kpxe
@@ -50,11 +49,6 @@ func NewSupervisor(cfg SupervisorConfig) *Supervisor {
 	return &Supervisor{cfg: cfg}
 }
 
-// dhcpRangeRE matches "start_ip,end_ip,lease" — the three-field form
-// dnsmasq expects. Lease can be "12h", "infinite", etc.; any non-empty
-// token is accepted here and dnsmasq will reject nonsense at startup.
-var dhcpRangeRE = regexp.MustCompile(`^(\d{1,3}\.){3}\d{1,3},(\d{1,3}\.){3}\d{1,3},\S+$`)
-
 // Validate checks the preconditions required for dnsmasq to actually
 // serve PXE boots: the interface must exist, the iPXE payloads must
 // be on disk, the DHCP range + orchestrator URL must parse. Returns
@@ -94,10 +88,10 @@ func (s *Supervisor) Validate() error {
 		}
 	}
 
-	if s.cfg.DHCPRange == "" {
-		errs = append(errs, fmt.Errorf("pxe.dhcp_range is required (e.g. \"10.77.0.100,10.77.0.200,12h\")"))
-	} else if !dhcpRangeRE.MatchString(s.cfg.DHCPRange) {
-		errs = append(errs, fmt.Errorf("pxe.dhcp_range %q must be \"start_ip,end_ip,lease\"", s.cfg.DHCPRange))
+	if s.cfg.Subnet == "" {
+		errs = append(errs, fmt.Errorf("pxe.subnet is required (e.g. \"192.168.1.0/24\") — the LAN CIDR dnsmasq proxy-DHCP scopes to"))
+	} else if _, _, err := net.ParseCIDR(s.cfg.Subnet); err != nil {
+		errs = append(errs, fmt.Errorf("pxe.subnet %q is not a valid CIDR: %v", s.cfg.Subnet, err))
 	}
 
 	if s.cfg.OrchestratorURL == "" {
@@ -267,38 +261,36 @@ domain-needed
 bogus-priv
 no-resolv
 
+# Proxy DHCP: coexist with the LAN's real DHCP server. We never hand
+# out an IP — we only answer the PXE options (option 66/67 and the
+# PXE BINL on port 4011) when a registered MAC boots from the network.
+dhcp-range={{ .Cfg.Subnet }},proxy
+
 # MAC allowlist: dnsmasq only answers DHCP for MACs with a dhcp-host= below.
 dhcp-ignore=tag:!known
 {{- range .Hosts }}
 dhcp-host={{ .MAC }},set:known
 {{- end }}
 
-# DHCP range (broader subnet coverage is fine; allowlist above gates replies).
-dhcp-range={{ .Cfg.DHCPRange }}
-
 # Keep runtime state inside RuntimeDir so the systemd sandbox
 # (ReadWritePaths=/var/lib/vetting ...) doesn't block writes to the
 # distro defaults (/var/lib/misc/dnsmasq.leases, /run/dnsmasq.pid).
 dhcp-leasefile={{ .Cfg.RuntimeDir }}/dhcp.leases
 pid-file={{ .Cfg.RuntimeDir }}/dnsmasq.pid
 
-# TFTP + HTTP boot (iPXE chainload).
+# TFTP for first-boot BIOS/UEFI clients; already-iPXE clients skip it.
 enable-tftp
 tftp-root={{ .Cfg.TFTPRoot }}
 
-# BIOS (undionly.kpxe) and UEFI (ipxe.efi) clients both get iPXE first,
-# which then re-requests a per-MAC script from the orchestrator.
-dhcp-match=set:bios,option:client-arch,0
-dhcp-match=set:efi64,option:client-arch,7
-dhcp-match=set:efi64,option:client-arch,9
-
-# If the client is iPXE itself, send it the per-MAC HTTP script.
+# Already-iPXE clients: chainload the per-MAC HTTP script directly.
 dhcp-match=set:ipxe,175
 dhcp-boot=tag:ipxe,{{ .Cfg.OrchestratorURL }}/ipxe/${mac}
 
-# Otherwise (first boot from ROM) chainload iPXE from TFTP.
-dhcp-boot=tag:!ipxe,tag:bios,undionly.kpxe
-dhcp-boot=tag:!ipxe,tag:efi64,ipxe.efi
+# First-boot PXE ROM -> iPXE. In proxy-DHCP mode, chainloading uses
+# pxe-service= (not dhcp-boot=) because the real LAN DHCP has already
+# assigned the IP; we only supplement the boot menu.
+pxe-service=tag:!ipxe,x86PC,"iPXE (BIOS)",undionly.kpxe
+pxe-service=tag:!ipxe,X86-64_EFI,"iPXE (UEFI)",ipxe.efi
 
 log-facility=-
 `
diff --git a/internal/pxe/dnsmasq_test.go b/internal/pxe/dnsmasq_test.go
index 3f23014..29f2179 100644
--- a/internal/pxe/dnsmasq_test.go
+++ b/internal/pxe/dnsmasq_test.go
@@ -39,8 +39,8 @@ func goodCfg(t *testing.T, tftpRoot string) SupervisorConfig {
 	return SupervisorConfig{
 		Enabled:         true,
 		Interface:       existingInterface(t),
-		DHCPRange:       "10.77.0.100,10.77.0.200,12h",
-		OrchestratorURL: "http://10.77.0.1:8080",
+		Subnet:          "192.168.1.0/24",
+		OrchestratorURL: "http://192.168.1.2:8080",
 		TFTPRoot:        tftpRoot,
 	}
 }
@@ -128,26 +128,26 @@ func TestValidate_LiveDirEmptySkipsLiveChecks(t *testing.T) {
 	}
 }
 
-func TestValidate_MalformedDHCPRange(t *testing.T) {
+func TestValidate_MalformedSubnet(t *testing.T) {
 	tftp := t.TempDir()
 	seedTFTP(t, tftp, "ipxe.efi", "undionly.kpxe")
 	cases := []struct {
-		name string
-		dhcp string
+		name   string
+		subnet string
 	}{
-		{"single field", "10.77.0.100"},
-		{"two fields", "10.77.0.100,10.77.0.200"},
-		{"non-ip start", "hello,10.77.0.200,12h"},
-		{"empty lease", "10.77.0.100,10.77.0.200,"},
+		{"no mask", "192.168.1.0"},
+		{"bad ip", "hello/24"},
+		{"bad mask", "192.168.1.0/99"},
+		{"leftover dhcp_range form", "192.168.1.100,192.168.1.200,12h"},
 	}
 	for _, tc := range cases {
 		t.Run(tc.name, func(t *testing.T) {
 			cfg := goodCfg(t, tftp)
-			cfg.DHCPRange = tc.dhcp
+			cfg.Subnet = tc.subnet
 			s := NewSupervisor(cfg)
 			err := s.Validate()
-			if err == nil || !strings.Contains(err.Error(), "dhcp_range") {
-				t.Fatalf("expected dhcp_range error for %q, got: %v", tc.dhcp, err)
+			if err == nil || !strings.Contains(err.Error(), "pxe.subnet") {
+				t.Fatalf("expected pxe.subnet error for %q, got: %v", tc.subnet, err)
 			}
 		})
 	}
@@ -183,7 +183,7 @@ func TestValidate_AggregatesErrors(t *testing.T) {
 	if err == nil {
 		t.Fatalf("expected aggregated error")
 	}
-	for _, want := range []string{"pxe.interface", "pxe.tftp_root", "pxe.dhcp_range", "pxe.orchestrator_url"} {
+	for _, want := range []string{"pxe.interface", "pxe.tftp_root", "pxe.subnet", "pxe.orchestrator_url"} {
 		if !strings.Contains(err.Error(), want) {
 			t.Fatalf("expected %q in aggregated error, got: %v", want, err)
 		}