What is the oneliner command to add my host to the "deadgateway" dhcp tag?

Hello,

The "deadgateway" tag is a DHCP tag applied to a dynamic DHCP lease, which returns a non-responding address for the default gateway.

I am asking if anyone has a one-liner command, which can be run on Linux or Windows (10 22H2, not updated), which will tell the router to apply the "deadgateway" tag to the requesting host.

In other words, it is a single-line command which will ask the router NOT to allow my host to connect to the internet.

And I would also like the oneliner to reverse this.

I am asking in case someone has already achieved this.

This command must only use utilities already present and may not download anything from the internet beyond the command itself.

As placeholder values, the router username will be root, the router password will be MYPASSWORD, and the router's root authorized key will be

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCZwJPg2MC8zVu9o0hlQoyvZC1h+4VJJqvfeRtpfSkPcNMxaoT9rWmTE6EGxLz0+Zc1yMW+PsH32uN7/PaizaN46Pebl6OBqhl6b3OhTdFitHP0s/pwplUlL1UG8y/L6hnNFpqfV7NSdW7c1juBYSurRwHQIWWqsIKHb8xDNPrisVZyL1HyaaBPSJK6Me/6w7qsEFeFEI69PybJq5oL/gdOgDEJ1NZyf82y05uw/65WUo4b5XTSwGnvfin0L+zv9RQmIVkMTg+B5NNszONgeIQ6bSI8nSqCv6cqs77JGH1gknuAZOX6PLa44teHKt3QpIKIqFg1RvBjubHHFpvclgRP rsa-key-20260205

And the dummy example private key:

-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----

(It appears that this has to be passed as multiple lines, how inconvenient!)

More information

A dynamic lease can only be created by implementing the following change (otherwise, only a static lease can be created).

The commands to implement this change are as follows:

grep -A10 'config_get name "$cfg" name' /etc/init.d/dnsmasq
sed -i '/\[ -z "\$ip" \] && \[ -z "\$name" \] && \[ -z "\$hostid" \] && return 0/d' /etc/init.d/dnsmasq
sed -i '/^[[:space:]]*config_get \(mac\|duid\) "\$cfg" \(mac\|duid\)/d' /etc/init.d/dnsmasq
sed -i '/config_get hostid "\$cfg" hostid/a\        config_get mac "$cfg" mac' /etc/init.d/dnsmasq
sed -i '/config_get mac "\$cfg" mac/a\        config_get duid "$cfg" duid' /etc/init.d/dnsmasq
sed -i '/config_get duid "\$cfg" duid/a\        [ -z "$ip" ] && [ -z "$name" ] && [ -z "$hostid" ] && [ -z "$mac" ] && [ -z "$duid" ] && return 0' /etc/init.d/dnsmasq
grep -A10 'config_get name "$cfg" name' /etc/init.d/dnsmasq

The command to create a deadgateway tag is as follows (using my network address; a more advanced command would automatically find the network address from br-lan and also scan for a dead host that has no static lease and is outside the DHCP lease range).
This only needs to run once.

# create deadgateway dhcp tag
uci set dhcp.deadgateway=tag; uci add_list dhcp.deadgateway.dhcp_option='3,10.0.0.254' ; uci commit

The command to create the dynamic lease is as follows, where the host MAC address is DE:AD:BE:EF:69:67:

uci add dhcp host ; uci add_list dhcp.@host[-1].mac='DE:AD:BE:EF:69:67' ; uci add_list dhcp.@host[-1].match_tag='deadgateway' ; uci commit

The command to delete this lease... is, emmm,

uci del dhcp.cfg5afe63

But that only works here; I guess there needs to be another command to find what that command will be.

No. It's asking the router to give a useless default route to the client. Giving wrong directions to the client is superficially effective, but it does not disallow access to the internet.

Block the host from accessing the internet in the firewall. That's its purpose.


I understand your concern, but this is how I want to do it.

And I want to do it and undo it with a single command from the host.

I understand this offends IT orthodoxy, like many things that I do.

There is no single UCI command that means "delete the host entry with this MAC". UCI requires you to identify the section first. You could try grepping using the MAC address in the output of uci show dhcp to identify the section.

This has nothing to do with “orthodoxy”, belief systems, or personal sensibilities. Giving a bogus gateway to a client simply does not block its internet access. That's not a norm, that's a fact.


I have done extensive testing: a computer with a non-router gateway cannot access the internet.

Instead of this, can you put the MAC in a variable and use the MAC in the section name?

hostmac="DE:AD:BE:EF:69:67"
uci set dhcp.host_${hostmac//:/}=host
…
uci del dhcp.host_${hostmac//:/}

We don't disagree about whether this can work. It’s about whether it enforces it in a reliable way. DHCP only proposes a configuration. The client ultimately decides what routes exist and may add others independently of DHCP. As soon as any alternate path exists (IPv6 RA, static route, VPN, manual change, reconnection race), your brittle workaround breaks.

Firewalls exist exactly for the purpose of conditionally allowing and blocking traffic between zones, and your router is already running one. If you, for whichever reason, still insist on sidestepping that in favour of your "unorthodox" approach, I won't continue to argue with you and will leave you to enjoy its many exciting edge cases.


How would the host obtain the deadgateway if it already obtained a DHCP lease including the working Internet gateway?

I assume you also plan to command the client to drop the lease in order to obtain a new one?

If you insist on the one liner (and its inverse) for the client, simply use commands to go from A.) DHCP to B.) manual config (with invalid "dead" gateway).

The OP could do that.

I think the user could:

  • create a host entry for this client
  • then the one liner could add the tag to the entry
  • and a one liner to remove the tag only
  • use/create an SSH key
  • add the public key to the OpenWrt
  • use the private key on the client to login

(This is usually done by having the key saved in a file. Your post with a sample key leads me to suggest you review the manual for the ssh command.)
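The named-section idea from the earlier reply and the step list above, put together as an added example (not code from the thread or from OpenWrt): a small POSIX sh script that derives the host section name from the MAC, so the "on" and "off" halves are each one ssh call and no grep over uci show dhcp is needed. It assumes the "deadgateway" tag section already exists, that the init-script change from the first post is in place (or a build that accepts a host entry with only a MAC and a tag), that the router accepts key-based ssh as root, and that the private key lives in a file. ROUTER and KEY are placeholder values, not taken from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds the uci batch that applies or
# removes the "deadgateway" tag for one MAC address, using a named host section
# derived from the MAC so the entry can be removed later without grepping
# "uci show dhcp" for an anonymous cfgXXXXXX id. Assumes the "deadgateway" tag
# section already exists on the router and that key-based ssh as root works.
# ROUTER and KEY are placeholders (assumptions), not values from the thread.
ROUTER="${ROUTER:-192.168.1.1}"
KEY="${KEY:-$HOME/.ssh/router_key}"

# Accept DE:AD:BE:EF:69:67 or DE-AD-BE-EF-69-67 (the form "getmac" prints on Windows).
valid_mac() {
    printf '%s' "$1" | grep -Eq '^([0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}$'
}

# Normalise to the colon-separated upper-case form dnsmasq expects.
norm_mac() {
    printf '%s\n' "$1" | sed 's/-/:/g' | tr 'a-f' 'A-F'
}

# Deterministic, uci-legal section name: "host_" plus the 12 hex digits.
section_for_mac() {
    printf 'host_%s\n' "$(norm_mac "$1" | tr -d ':')"
}

# uci commands that create (or recreate) the host entry carrying the tag.
# The leading "-q delete" makes the operation idempotent when the entry exists.
tag_on_cmds() {
    mac="$(norm_mac "$1")"; sec="$(section_for_mac "$1")"
    cat <<EOF
uci -q delete dhcp.$sec
uci set dhcp.$sec=host
uci set dhcp.$sec.mac='$mac'
uci add_list dhcp.$sec.match_tag='deadgateway'
uci commit dhcp
/etc/init.d/dnsmasq restart
EOF
}

# uci commands that remove the entry again; harmless if it is already gone.
tag_off_cmds() {
    sec="$(section_for_mac "$1")"
    cat <<EOF
uci -q delete dhcp.$sec
uci commit dhcp
/etc/init.d/dnsmasq restart
EOF
}

# Send the batch to the router in one ssh invocation. The multi-line string is
# passed as a single argument and the remote shell runs the lines in order.
deadgateway() {
    mode="$1"; mac="$2"
    valid_mac "$mac" || { echo "invalid MAC address: $mac" >&2; return 2; }
    case "$mode" in
        on)  cmds="$(tag_on_cmds "$mac")" ;;
        off) cmds="$(tag_off_cmds "$mac")" ;;
        *)   echo "usage: deadgateway on|off MAC" >&2; return 2 ;;
    esac
    ssh -i "$KEY" "root@$ROUTER" "$cmds"
}

# Usage: sh deadgateway.sh on DE:AD:BE:EF:69:67
if [ $# -gt 0 ]; then
    deadgateway "$@"
fi
```

Changing the tag only alters what the next DHCPOFFER contains, so the client still has to give up its current lease: on Linux something like dhclient -r followed by dhclient (or the equivalent for whatever DHCP client is running), on Windows ipconfig /release followed by ipconfig /renew. Windows 10 ships an OpenSSH client (ssh.exe), so the same script logic can be run there with ssh -i pointing at the key file. As the replies above note, this only changes the route the client is handed; it is not a firewall rule, and a client with any other path (IPv6 RA, a static route, a VPN) keeps its connectivity.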