How to block LAN MAC from getting a DHCP address

I have an unknown MAC address on my lan. It is probably something of mine, but I want to block it from getting an IP address. I know I can block it from connections with a firewall rule, but I'd rather block it form getting an IP address (ipv4 or ipv6). I believe this is possible with dnsmasq:
how do you do this with Openwrt? CLI or LuCI?


Use ignore as IP.


If you can't identify the device and either confirm that it is safe or shut it down, it would be safest to make a firewall rule to block it from everything.

So, I already have a Firewall rule set to reject. I added this to the firewall list:

I have added this to the DHCP reserved list:

Yet is still has an IP address in the Active DHCP leases. How do I get rid of it?

You have rejected forwarding. However getting an address by dhcp or querying the dns server is considered input, that means from lan without destination (or the device).

You'll have to wait for the lease to expire. Or find the device and reboot it :stuck_out_tongue:


put this in your rc.local (system > startup > local startup)

ip neighbor replace lladdr $BOGONMAC nud permanent dev br-lan 2>/dev/null
ip neighbor add lladdr $BOGONMAC nud permanent dev br-lan 2>/dev/null
route add gw lo 2>/dev/null

or similar... (then reboot)

@trendy Thanks for the help.
Actually, I remembered that I could go into /tmp/dhcp.leases and delete the row, save the file, then select 'Reset' from the DHCP page in Luci and the address disappears from the list.
It would be a nice addition to Luci if we could select 'release', like we can for wireless connections to release the DHCP address.

Like this you just don't see it, but it is still there.
A DHCP release can be invoked only by the client, not the server.

1 Like