Hi Stefan,
I believe this is your mistake "I have an any-service allowed rule for the network the hosts are in". If you have a rule with Source 10.10.10.48/28 you will not get a match for that rule. The reason is that the first DHCP request will not have an IP-address in 10.10.10.x network. The destination will be 255.255.255.255.
You can try this:
In SmartConsole open up gateway cluster properties. Network management -> Network interface for 10.10.10.48 -> Topology -> Modify -> Security Zone -> User defined -> Specify Security Zone -> give it a descriptive name for the zone. (Turn on anti-spoofing also).
Define a new rule like this:
Source Destination Services
(Security zone name) Any dchp-request....