DHCP Static Leases, Lease Time, and Unknown Device Alerts
Overview
RouterOS DHCP provides three complementary mechanisms for controlling client address assignment and monitoring:
| Mechanism | Menu | Purpose |
|---|---|---|
| Static lease | /ip dhcp-server lease | Permanently bind a MAC to a specific IP |
| Lease time | /ip dhcp-server + /ip dhcp-server lease | Control how long a lease is valid |
| Lease script | /ip dhcp-server lease-script property | Run a script on every lease event |
Static leases guarantee a device always receives the same IP. Lease time tuning balances address table churn against responsiveness to network changes. Lease scripts can detect unknown MAC addresses and fire alerts before an unauthorized device has had a chance to use the network for long.
Static Lease Reservations
Creating a Static Lease
A static lease binds an IP address to a MAC address. The DHCP server always assigns that IP to that MAC, regardless of which dynamic pool it came from.
```
/ip dhcp-server lease
add address=192.168.88.50 mac-address=AA:BB:CC:DD:EE:FF \
    server=dhcp1 comment="Office Printer"
```
Key parameters:
| Parameter | Description |
|---|---|
| address | The IP to reserve — must be within the server’s network |
| mac-address | Client MAC address in XX:XX:XX:XX:XX:XX format |
| server | DHCP server name this reservation belongs to |
| comment | Optional label for identification |
| lease-time | Override the server default; 0s means never expires |
| block-access | Set yes to reject this MAC entirely (blocklist) |
| dhcp-option-set | Apply a custom option set to this client only |
Address must be routable from the DHCP network. The reserved IP does not need to come from the server’s pool — you can reserve IPs outside the pool range as long as they are within the network range configured under /ip dhcp-server network. This prevents pool exhaustion for dynamic clients.
Converting a Dynamic Lease to Static
When a device has already received a dynamic lease, use make-static to permanently reserve that IP for its MAC without retyping the address:
```
# Find the lease by MAC, then make it static
/ip dhcp-server lease make-static [find mac-address="AA:BB:CC:DD:EE:FF"]
# Or by current IP address
/ip dhcp-server lease make-static [find address="192.168.88.105"]
```
After running make-static, the lease type changes from dynamic to static. The client keeps its current IP on the next renewal.
Viewing and Filtering Leases
```
# Show all leases with details
/ip dhcp-server lease print detail
# Show only static leases that are currently bound
/ip dhcp-server lease print where status=bound dynamic=no
# Show only dynamic leases
/ip dhcp-server lease print where dynamic=yes
```
Removing a Reservation
```
/ip dhcp-server lease remove [find mac-address="AA:BB:CC:DD:EE:FF"]
```
Removing a static lease does not disconnect the client immediately. The client keeps its IP until the current lease expires, then falls back into the dynamic pool.
Blocking a MAC Address
Set block-access=yes to silently reject DHCP requests from a specific MAC. The client receives no offer and cannot obtain an address from this server:
```
/ip dhcp-server lease
add mac-address=DE:AD:BE:EF:00:01 server=dhcp1 \
    block-access=yes comment="Blocked device"
```
Lease Time Configuration
How Lease Time Works
RouterOS DHCP follows the standard renewal schedule:
- At T/2 (half the lease duration) the client sends a unicast renewal to the server.
- At T×7/8 it broadcasts a rebind request to any available server.
- At T the lease expires and the client must start over with a DISCOVER.
The effective lease time a client receives is determined by the first matching level in this precedence chain (highest wins):
```
RADIUS Session-Timeout > per-lease lease-time > server lease-time
```
Server-Level Lease Time
Set the default for all dynamic leases issued by a server:
```
/ip dhcp-server set [find name=dhcp1] lease-time=8h
```
The factory default is 30m. Common values:
| Scenario | Recommended lease-time |
|---|---|
| Stable LAN (servers, printers, workstations) | 8h – 24h |
| IoT VLAN (always-on sensors, cameras) | 1d – 7d |
| Guest Wi-Fi / high client churn | 30m – 2h |
| Captive portal / short-term access | 10m – 30m |
Longer leases reduce server load and DHCP broadcast traffic but delay address reclamation when clients leave. Shorter leases reclaim addresses faster at the cost of more renewal traffic.
Per-Lease Override
Override the server default for a specific device. This is most useful for static reservations that should never expire:
```
# Static reservation that never expires
/ip dhcp-server lease
add address=192.168.88.10 mac-address=AA:BB:CC:DD:EE:FF \
    server=dhcp1 lease-time=0s comment="Always-on server"
# Shorten lease for a guest device
/ip dhcp-server lease
set [find mac-address=11:22:33:44:55:66] lease-time=1h
```
A lease-time=0s on a static lease means the lease never expires — the device holds its address indefinitely without needing to renew.
Per-lease lease-time overrides the server default but not RADIUS. If you use RADIUS authentication, the Session-Timeout attribute takes precedence over both per-lease and server settings.
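The precedence chain and renewal timers from this section, modelled as an added Python example (not MikroTik code, and not part of the original page). The function names are hypothetical; it assumes unit-style durations only (w, d, h, m, s) and treats an effective value of 0 seconds as a lease that never expires, as stated above for static leases.

```python
import re

UNITS = {"w": 604800, "d": 86400, "h": 3600, "m": 60, "s": 1}

def parse_duration(text):
    """Convert a unit-style duration such as '8h', '1d12h' or '0s' to seconds."""
    parts = re.findall(r"(\d+)([wdhms])", text)
    # Reject anything with leftover characters, e.g. '8 hours' or '00:30:00'.
    if not parts or "".join(n + u for n, u in parts) != text:
        raise ValueError(f"unsupported duration: {text!r}")
    return sum(int(n) * UNITS[u] for n, u in parts)

def effective_lease(server, per_lease=None, radius_session_timeout=None):
    """Apply RADIUS Session-Timeout > per-lease lease-time > server lease-time."""
    if radius_session_timeout is not None:
        return int(radius_session_timeout)  # the RADIUS attribute is in seconds
    if per_lease is not None:
        return parse_duration(per_lease)
    return parse_duration(server)

def renewal_schedule(lease_seconds):
    """Offsets in seconds for renew (T/2), rebind (T*7/8) and expiry (T).

    Returns None for a lease that never expires (0 seconds).
    """
    if lease_seconds == 0:
        return None
    return {
        "renew": lease_seconds // 2,
        "rebind": lease_seconds * 7 // 8,
        "expire": lease_seconds,
    }

if __name__ == "__main__":
    # Server default 8h, no overrides: unicast renewal at 4h, rebind at 7h.
    print(renewal_schedule(effective_lease("8h")))
    # Static reservation with lease-time=0s: no timers at all.
    print(renewal_schedule(effective_lease("8h", per_lease="0s")))
    # RADIUS Session-Timeout of 600 s overrides both other levels.
    print(renewal_schedule(effective_lease("30m", "1h", 600)))
```

The "expire" offset is the longest an address stays tied up after its client leaves, which is the reclamation delay that the lease-time table trades against renewal traffic.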
DHCP Alerts for Unknown Devices
How Lease Scripts Work
The lease-script property on /ip dhcp-server runs a RouterOS script on every lease event. The script receives these environment variables:
| Variable | Value |
|---|---|
| leaseBound | 1 when a lease is granted; 0 when it expires |
| leaseServerName | Name of the DHCP server issuing the lease |
| leaseActMAC | Client MAC address |
| leaseActIP | IP address assigned |
| lease-hostname | Client-reported hostname (option 12), if sent |
Address-List Approach: Known vs Unknown
Maintain an address-list of known MAC addresses. On each new lease, check whether the MAC is in the list. If not, log an alert and add the device to a dhcp-unknown-macs address-list for further action (firewall, monitoring):
```
/ip dhcp-server
set [find name=dhcp1] lease-script=":if (\$leaseBound = 1) do={
  :local mac \$leaseActMAC
  :local ip \$leaseActIP
  # The variable name contains a hyphen, so it must be quoted
  :local host \$\"lease-hostname\"

  # Check if this MAC is in the known-devices address-list
  :if ([:len [/ip firewall address-list find \
      list=dhcp-known-macs address=\$mac]] = 0) do={

    # Unknown device — log a warning
    :log warning (\"DHCP-ALERT: unknown device \" . \$mac . \" got \" . \$ip . \" (\" . \$host . \")\")

    # Add to unknown-devices list for firewall action
    /ip firewall address-list add list=dhcp-unknown-macs address=\$mac comment=(\$ip . \" \" . \$host)
  }
}"
```
Populate the known list with your authorized MAC addresses:
```
/ip firewall address-list
add list=dhcp-known-macs address=AA:BB:CC:DD:EE:FF comment="Office Printer"
add list=dhcp-known-macs address=11:22:33:44:55:66 comment="NAS"
add list=dhcp-known-macs address=DE:AD:BE:EF:CA:FE comment="Workstation-1"
```
You can then drop traffic from unknown MACs in the firewall:
```
/ip firewall filter
add chain=forward src-mac-address="" \
    src-address-list=dhcp-unknown-macs \
    action=drop comment="Block unrecognized DHCP clients"
```
Note: MAC-based firewall rules only work reliably at Layer 2 (same broadcast domain). Clients behind a router or NAT will appear with the router’s MAC, not their own.
Email Alert on Unknown Device
Send an email when an unknown device appears. Requires /tool e-mail to be configured with a valid SMTP server:
```
# Configure email transport once
/tool e-mail
set server=smtp.example.com port=587 \
    password=secret tls=starttls
# Lease script with email alert
/ip dhcp-server
set [find name=dhcp1] lease-script=":if (\$leaseBound = 1) do={
  :local mac \$leaseActMAC
  :local ip \$leaseActIP

  :if ([:len [/ip firewall address-list find \
      list=dhcp-known-macs address=\$mac]] = 0) do={

    :log warning (\"DHCP-ALERT: unknown \" . \$mac . \" at \" . \$ip)

    # The recipient below is a placeholder; replace it with your own address
    /tool e-mail send \
        to=\"admin@example.com\" \
        subject=(\"Unknown DHCP device: \" . \$mac) \
        body=(\"Device \" . \$mac . \" was assigned \" . \$ip . \" by \" . \$leaseServerName)
  }
}"
```
Throttle email alerts in production. A burst of unknown devices (e.g., after a power cycle) will trigger one email per device. Use a rate-limiting script variable or a scheduler-based aggregation approach to avoid email floods.
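One way to aggregate alerts away from the router, as an added Python example that is not part of the original page: it reads the DHCP-ALERT lines written by the lease scripts above from a log collector and emits at most one alert per MAC per window. It assumes the router log is forwarded to a collector that prefixes each line with a "YYYY-MM-DD HH:MM:SS" timestamp; the sample lines and function names are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed collector lines; the "timestamp host topics" prefix is an assumed layout.
SAMPLE_LOG = [
    "2024-05-01 08:00:03 gw1 script,warning DHCP-ALERT: unknown device 3C:22:FB:10:20:30 got 192.168.88.101 (laptop-7)",
    "2024-05-01 08:00:04 gw1 system,info unrelated message",
    "2024-05-01 08:04:10 gw1 script,warning DHCP-ALERT: unknown device 3C:22:FB:10:20:30 got 192.168.88.101 (laptop-7)",
    "2024-05-01 08:05:00 gw1 script,warning DHCP-ALERT: unknown 9a:0b:1c:2d:3e:4f at 192.168.88.102",
    "2024-05-01 08:20:00 gw1 script,warning DHCP-ALERT: unknown device 3C:22:FB:10:20:30 got 192.168.88.101 (laptop-7)",
]

# Matches both alert formats written by the lease scripts above.
ALERT_RE = re.compile(
    r"DHCP-ALERT: unknown (?:device )?(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})"
    r" (?:got|at) (?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?: \((?P<host>[^)]*)\))?"
)

def is_randomized(mac):
    """True when the locally-administered bit (0x02 of the first octet) is set."""
    return bool(int(mac[:2], 16) & 0x02)

def digest(lines, window=timedelta(minutes=10)):
    """Return one alert per MAC per window instead of one per lease event."""
    last_alert, alerts = {}, []
    for line in lines:
        m = ALERT_RE.search(line)
        if not m:
            continue
        ts = datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S")
        mac = m["mac"].upper()
        if mac in last_alert and ts - last_alert[mac] < window:
            continue  # repeat lease by the same MAC inside the window
        last_alert[mac] = ts
        # The hostname is client-supplied (option 12): keep printable characters only.
        host = "".join(c for c in (m["host"] or "") if c.isprintable())[:64]
        alerts.append({"time": ts, "mac": mac, "ip": m["ip"], "host": host,
                       "randomized": is_randomized(mac)})
    return alerts

if __name__ == "__main__":
    for a in digest(SAMPLE_LOG):
        print(a["time"], a["mac"], a["ip"], a["host"] or "-",
              "randomized MAC" if a["randomized"] else "")
```

The randomized flag marks locally administered addresses, which phones and laptops with MAC randomization present; those devices will never match a fixed allowlist entry.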
Log-Only Approach (Simpler)
If you only need a log trail without address-list tracking:
```
/ip dhcp-server
set [find name=dhcp1] lease-script=":if (\$leaseBound = 1) do={
  :log info (\"DHCP lease: \" . \$leaseActMAC . \" -> \" . \$leaseActIP . \" on \" . \$leaseServerName)
}"
```
View these events in the system log. Entries written with :log from a script carry the script topic:
```
/log print where topics~"script"
```
Or send to a remote syslog server:
```
/system logging action
set [find name=remote] remote=192.168.88.200 remote-port=514
/system logging
add action=remote topics=script
```
Troubleshooting
Static Lease Not Applied
- Verify server= matches the DHCP server name exactly:
  ```
  /ip dhcp-server lease print detail
  /ip dhcp-server print
  ```
- Check the client is sending the expected MAC. Some devices randomize MACs (common on modern phones and laptops). Disable MAC randomization on the client or match by hostname if supported.
- Confirm the reserved IP is within the DHCP network range:
  ```
  /ip dhcp-server network print
  ```
Client Gets Dynamic IP Instead of Reservation
If the client already holds a dynamic lease with a different IP, it may renew that lease rather than requesting a new one. Force a new lease:
- Remove the existing dynamic lease from the server:
  ```
  /ip dhcp-server lease remove [find mac-address="AA:BB:CC:DD:EE:FF" dynamic=yes]
  ```
- Release and renew on the client side (OS-dependent).
Lease Script Not Firing
- Confirm the script is set on the correct server:
  ```
  /ip dhcp-server print detail
  ```
- Check the system log for script errors:
  ```
  /log print where topics~"script"
  ```
- Script errors are silently swallowed on some RouterOS versions. Test the script logic in the terminal using :local variables before assigning it to the server.
Related Features
- Custom DHCP Options, PXE Boot, and Vendor Option Sets — option 43, 60, 66, 67 and matcher rules
- DHCP Relay Option 82 — relay agent information for subscriber tracking
- DHCP — DHCP server, client, relay, and lease management overview
References
- RFC 2131 — Dynamic Host Configuration Protocol
- RFC 2132 — DHCP Options and BOOTP Vendor Extensions
- MikroTik DHCP Documentation