[Solved] DHCP and Static Leases

I have a working internet setup running 15.05.1 and a list of static MAC addresses with their static IPs. I want to know if there is any option or setting where I can restrict the issuing of DHCP IP addresses to only those who are already listed in my static IP addresses list. If someone else tries to connect to the network they don't get issued a valid IP address so they don't get internet access.

Furthermore I have multiple devices connected to a single main router running OpenWrt, so using the MAC filter for wireless is not possible. Any other suggestions? Thanks

First, I'd strongly consider upgrading to 17.01.4 if you can. There have been many important security-related patches since then.

In general, what you are asking to do is accomplished by not providing a "pool" for leases. "option limit 0" in the config file, or entered through LuCI, may work (though I can't try it as my DHCP is served elsewhere).

There is a "dynamicdhcp" option; setting it to 0 in the interface section may work.

It is basically no security since someone could statically configure their client if DHCP does not work for them.

I used 17.01.4 but it increases CPU usage so much that LuCI is not reachable anymore, so I had to revert back to 15.05.1. My device has 4 MB of flash and extroot set up on it and the network doesn't need so much of the security so I am okay with 15.05.1 for now.

Yes, setting dynamicdhcp in lan is working and it doesn't provide IP addresses dynamically, and yes, I understand that. Thanks
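
The caveat raised above, that a client can still configure an address by hand once `dynamicdhcp` is off, can be watched for on the router itself. The script below is an added example, not part of the thread or of OpenWrt: it compares the IPv4 neighbour table with the `config host` entries and prints any MAC without a static lease. The function name `unknown_clients`, the `br-lan` device name and all sample MACs and addresses are assumptions or constructed data.

```shell
#!/bin/sh
# Added example (not from the thread): list LAN neighbours whose MAC has no
# static lease, e.g. a client that configured its own address by hand.
# usage: unknown_clients DHCP_CONFIG ARP_TABLE DEVICE
unknown_clients() {
    awk -v dev="$3" '
        FILENAME == ARGV[1] {                  # pass 1: UCI dhcp config
            if ($1 == "config") {
                in_host = ($2 == "host")       # only "config host" sections count
            } else if (in_host && $1 == "option" && $2 == "mac") {
                for (i = 3; i <= NF; i++) {    # one option may hold several MACs
                    m = tolower($i); gsub(/[^0-9a-f:]/, "", m)
                    if (m != "") known[m] = 1
                }
            }
            next
        }
        # pass 2: ARP table; skip the header and incomplete (flags 0x0) entries
        FNR > 1 && $3 != "0x0" && $6 == dev {
            m = tolower($4)
            if (!(m in known)) print m, $1
        }
    ' "$1" "$2"
}

# Constructed sample data standing in for /etc/config/dhcp and /proc/net/arp.
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/dhcp" <<'EOF'
config dhcp 'lan'
    option dynamicdhcp '0'
config host
    option mac 'AA:BB:CC:DD:EE:01'
    option ip '192.168.1.10'
EOF
    cat > "$tmp/arp" <<'EOF'
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.10     0x1         0x2         aa:bb:cc:dd:ee:01     *        br-lan
192.168.1.77     0x1         0x2         de:ad:be:ef:00:99     *        br-lan
192.168.1.50     0x1         0x0         00:00:00:00:00:00     *        br-lan
203.0.113.1      0x1         0x2         00:11:22:33:44:55     *        eth0.2
EOF
    unknown_clients "$tmp/dhcp" "$tmp/arp" br-lan
    rm -rf "$tmp"
}
demo
```

On a router the call would be `unknown_clients /etc/config/dhcp /proc/net/arp br-lan`. The ARP table only lists hosts the router has recently exchanged IPv4 traffic with, so an empty result does not prove that no such client is attached.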

Glad you're going again.

When you can, might want to read https://www.us-cert.gov/ncas/alerts/TA18-106A and remember that the outside interface of your router matches the description of what is being attacked reasonably well. While you may not need security inside your network, you're potentially providing a hiding place for a multi-hop attack on something more interesting.

Yes, I understand that, but if I see my local place I see people who don't even know what a router is, to be honest, and keeping that in mind I don't see many possible threats coming my way anytime soon. :wink: On the other side, I keep a close eye on my network and I know who is connecting to it and when, so I think I will be okay. Thanks for the efforts, really appreciate it.

Regrettably, it is just that lax approach that makes home/SOHO routers and IoT devices so dangerous to everyone. While people around you may not know what a router is, there are far too many on the Internet just a couple hundred milliseconds away that do. Your router might well be the one that is used to mount an attack on your bank and takes your money away.

15.xx.xx does not have current patches and should be considered known insecure and should be upgraded.

I know the risks and I will change it as soon as I can.
