Proper way to disable DHCP and DNS servers completely (again)

Hello,

I had that option on my Ubiquiti ERL3 with its original config and it worked pretty well. Basically, I assign a LAN IP address to each device connected to the LAN based on its MAC address (static IPs). Then I disabled DHCP. An alternative could have been to deny all traffic from/to the DHCP IP address range, i.e. 192.x.x.100 and above.

Goal: Deny access to anyone who unplugs the Ethernet cable of a camera, for example, connects their own computer to the LAN, and acquires an IP via DHCP.

Like I said, it worked with the original router software. Since then I have installed OpenWrt, and it’s way better in every sense. However, DHCP is still active and is defeating my goal.

Could you tell me exactly what needs to be done to deactivate it and still have my devices on the LAN obtain an IP based on their MAC addresses? My static addresses are already defined.

If it’s impossible, please tell me which rules to add to the firewall to block all IPs greater than or equal to 192.x.x.100.

I’m using both IPV4 and IPV6

I will have better sleep once this is set.

My actual /etc/config/dhcp, anonymized:

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/xxxx.net/'
        option domain 'xxxx.net'
        option expandhosts '1'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'
        option ndp 'relay'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'
        option ra_prefix 'yes'
        option ra_prefix_len '56'
        option piofolder '/tmp/odhcpd-piofolder'

config domain
        option name 'ANON-46'
        option ip 'xxx.xxx.xxx.xxx'

config domain
        option name 'ANON-50'
        option ip 'xxx.xxx.xxx.xxx'

config domain
        option name 'ANON-54'
        option ip 'xxx.xxx.xxx.xxx'

config domain
        option name 'ANON-58'
        option ip 'xxx.xxx.xxx.xxx'

config domain
        option name 'ANON-62'
        option ip 'xxx.xxx.xxx.xxx'

config domain
        option name 'ANON-66'
        option ip 'xxx.xxx.xxx.xxx'

config domain
        option name 'ANON-70'
        option ip 'xxx.xxx.xxx.xxx'

config domain
        option name 'ANON-74'
        option ip 'xxx.xxx.xxx.xxx'

config domain
        option name 'ANON-78'
        option ip 'xxx.xxx.xxx.xxx'

config domain
        option name 'ANON-82'
        option ip 'xxx.xxx.xxx.xxx'

config domain
        option name 'ANON-86'
        option ip 'xxx.xxx.xxx.xxx'

config domain
        option name 'ANON-90'
        option ip 'xxx.xxx.xxx.xxx'

config domain
        option name 'ANON-94'
        option ip 'xxx.xxx.xxx.xxx'

config domain
        option name 'ANON-98'
        option ip 'xxx.xxx.xxx.xxx'

config host
        option name 'ANON-102'
        option ip 'xxx.xxx.xxx.xxx'
        list mac 'xx:xx:xx:xx:xx:xx'
        list mac 'xx:xx:xx:xx:xx:xx'
        list mac 'xx:xx:xx:xx:xx:xx'

config host
        option name 'ANON-109'
        list mac 'xx:xx:xx:xx:xx:xx'
        option ip 'xxx.xxx.xxx.xxx'

config host
        option name 'ANON-114'
        list mac 'xx:xx:xx:xx:xx:xx'
        option ip 'xxx.xxx.xxx.xxx'

config host
        option name 'ANON-119'
        list mac 'xx:xx:xx:xx:xx:xx'
        option ip 'xxx.xxx.xxx.xxx'

config host
        option name 'ANON-124'
        list mac 'xx:xx:xx:xx:xx:xx'
        option ip 'xxx.xxx.xxx.xxx'

config host
        option name 'ANON-129'
        option ip 'xxx.xxx.xxx.xxx'
        list mac 'xx:xx:xx:xx:xx:xx'

config host
        option name 'ANON-134'
        list mac 'xx:xx:xx:xx:xx:xx'
        option ip 'xxx.xxx.xxx.xxx'

config host
        option name 'ANON-139'
        list mac 'xx:xx:xx:xx:xx:xx'
        option ip 'xxx.xxx.xxx.xxx'

config host
        option name 'ANON-144'
        list mac 'xx:xx:xx:xx:xx:xx'
        option ip 'xxx.xxx.xxx.xxx'

config host
        option name 'ANON-149'
        list mac 'xx:xx:xx:xx:xx:xx'
        option ip 'xxx.xxx.xxx.xxx'

config host
        option name 'ANON-154'
        list mac 'xx:xx:xx:xx:xx:xx'
        option ip 'xxx.xxx.xxx.xxx'

config host
        option name 'ANON-159'
        list mac 'xx:xx:xx:xx:xx:xx'
        option ip 'xxx.xxx.xxx.xxx'

config host
        option name 'ANON-164'
        list mac 'xx:xx:xx:xx:xx:xx'
        option ip 'xxx.xxx.xxx.xxx'

You will find this kind of feature in professional enterprise gear, like Cisco, HP or Juniper. But sadly OpenWrt does not provide a way to use 802.1X with Ethernet.
Sure, you can hack yourself a MAC-address-based filter, but everyone with 3 brain cells would simply clone the MAC address of the camera and get access...

Edit/PS: You may want to introduce VLANs into your network so you can assign firewall rules to each interface (or to some of them) rather than to individual clients, which is always a bad to stupid idea.
The only exceptions are dynamic firewall rules with sets, where you put the client addresses into a set and configure firewall rules for that set.

Would adding option dynamicdhcp '0' to the dhcp lan config be an option?

I think most won’t. Only LEO searching for something. Normies wouldn’t bother.

Seems that did the trick.

I ran:

# Stage the change: set dynamicdhcp to 0 in the 'lan' section of the dhcp config.
uci set dhcp.lan.dynamicdhcp="0"
# Write the staged change to the dhcp config file.
uci commit dhcp
# Restart dnsmasq so it starts with the new setting (the log below shows the restart).
service dnsmasq restart

Which generated an updated lan section:

# DHCP settings for the 'lan' interface after the uci change.
config dhcp 'lan'
        option interface 'lan'
        # start/limit still describe the former dynamic pool (.100 to .249 in the earlier log line);
        # with dynamicdhcp '0' dnsmasq reports "static leases only" for this range.
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        # NOTE(review): DHCPv6 and router advertisements are still set to 'server' here, and the
        # dnsmasq log shows a no-DHCPv6 build, so IPv6 addressing is presumably handled elsewhere
        # (odhcpd section in this file) and is not restricted by dynamicdhcp; confirm separately.
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'
        option ndp 'relay'
        # Added by the uci command: no dynamic IPv4 leases; per the dnsmasq log only static leases
        # (the 'config host' entries) are served.
        option dynamicdhcp '0'

And logread now reports static leases only for DHCP:

Sat Feb 14 15:10:46 2026 daemon.info dnsmasq[1]: exiting on receipt of SIGTERM
Sat Feb 14 15:10:51 2026 daemon.info dnsmasq[1]: started, version 2.90 cachesize 1000
Sat Feb 14 15:10:51 2026 daemon.info dnsmasq[1]: DNS service limited to local subnets
Sat Feb 14 15:10:51 2026 daemon.info dnsmasq[1]: DNS service limited to local subnets
Sat Feb 14 15:10:51 2026 daemon.info dnsmasq[1]: compile time options: IPv6 GNU-getopt no-DBus UBus no-i18n no-IDN DHCP no-DHCPv6 no-Lua TFTP no-conntrack no-ipset no-nftset no-auth no-cryptohash no-DNSSEC no-ID loop-detect inotify dumpfile
Sat Feb 14 15:10:51 2026 daemon.info dnsmasq[1]: UBus support enabled: connected to system bus
Sat Feb 14 15:10:51 2026 daemon.info dnsmasq-dhcp[1]: DHCP, static leases only on 192.xxx.xxx.100, lease time 12h

, whereas it used to be

Thu Feb 12 20:25:54 2026 daemon.info dnsmasq-dhcp[1]: DHCP, IP range 192.xxx.xxx.100 -- 192.xxx.xxx.249, lease time 12h


before adding the dynamicdhcp option.

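This is yet to be tested with a device unknown to the config connected to the LAN. Note that the change only stops dnsmasq from offering dynamic IPv4 leases: a device with a manually configured address in the subnet does not need DHCP at all, and the lan section still has dhcpv6 'server' and ra 'server', so IPv6 addressing needs to be checked separately.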

I’m interested in what you were trying to say.