Using Tags to define range in which IP address should be assigned from

Hi there,

I currently have setup a walled garden range of IP addresses which don't have access to the Internet (i.e. deny rules in both UPNP as well as Firewall). This works as intended.

The clients are currently setup with a static ip address in the range. I have also add a tag for such devices (currently unused).

config host
        option name 'some-iot-device'
        option dns '1'
        option mac 'XX:XX:XX:XX:XX:XX'
        option tag 'iot-no-internet'
        option ip ''

I know that using dhcp-option 6 one is able to hand out specific DNS based on tags. For example:


This also works fine.

My Question:
(How) am I able to automatically, based on the tag, have dhcp assign an IP automatically within a given range.

I will then set this range to be outside my normal DHCP range...
Like I said, the manual definition of static IPs works fine, but I'm trying to do something a little more elegant as an excercise. :slight_smile:


1 Like

Deleted the above post as I noticed I had misunderstood something in what the Luci UI actually defines into the "list dhcp_option" parameters of the dhcp file. My error was actually reading "dhcp_option" as "dhcp-option" in the above. :slight_smile:

I tried adding:


to the lan->advanced->dhcp-options. The dhcp file for the device I'm testing has:

config host
        option name 'Test Device'
        option dns '1'
        option mac '88:64:XX:XX:XX:XX'
        option tag 'tag-test'

Strangely this setup caused my device to not be able to get an IP, and the PC I was working on to setup to lose DNS...

Will have to step away for a few hours, but will try playing with this a little. Once I get it running I'll be sure to post back here in case others search in the future.

PS. I know in the different posts I'm showing IPs in both the 192.168.1.X as well as 192.168.0.X. This is "intentional" as my netmask is

A massive thank you to @pavelgl who helped immensely; The below is his write-up with two complete recipes for approaches.


There are two possible options:

A) The whole configuration could be set in /etc/config/dhcp, using the UCI syntax.

You could create a tagged group with individual DHCP options for the IOT devices and then create a static lease for each device, assigning IP addresses outside the regular DHCP pool (the tags are not visible in LuCI).

Example with custom DNS and disabled default gateway:

uci set dhcp.iot="tag"
uci add_list dhcp.iot.dhcp_option="6,,"
uci add_list dhcp.iot.dhcp_option="3"

uci add dhcp host
uci set dhcp.@host[-1].name="iot1"
uci set dhcp.@host[-1].mac="XX:XX:XX:XX:8d:88"
uci set dhcp.@host[-1].ip=""
uci set dhcp.@host[-1].tag="iot"

uci add dhcp host
uci set dhcp.@host[-1].name="iot2"
uci set dhcp.@host[-1].mac="XX:XX:XX:XX:8d:89"
uci set dhcp.@host[-1].ip=""
uci set dhcp.@host[-1].tag="iot"

uci commit dhcp
/etc/init.d/dnsmasq restart

In /etc/config/dhcp the configuration should look like this:

config tag 'iot'
        list dhcp_option '6,,'
        list dhcp_option '3'

config host
        option name 'iot1'
        option mac 'XX:XX:XX:XX:8d:88'
        option ip ''
        option tag 'iot'

config host
        option name 'iot2'
        option mac 'XX:XX:XX:XX:8d:89'
        option ip ''
        option tag 'iot'

You can use copy / paste if it's easier for you.

B) If you insist on a separate DHCP pool, you must use an additional custom configuration file, using the native dnsmasq syntax.

Move the dnsmasq additional configuration directory from tmp to etc:

uci set dhcp.@dnsmasq[0].confdir=/etc/dnsmasq.d
uci commit dhcp
/etc/init.d/dnsmasq restart

Here is the analog of the previous configuration, but here is used a separate DHCP pool and the dnsmasq syntax. The additional file must be located in /etc/dnsmasq.d/. You can use any filename.


In any case, you will need to manually enter the MAC address of each IOT device in order to set the tag, so I would recommend using option A. Option B is not so "canonical" and does not save you much work.

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.