DHCP MAC Address Filtering
Overview
By default, the RouterOS DHCP server assigns addresses to any client that requests one. To restrict access so that only pre-registered MAC addresses receive leases, use two cooperating features:
- Static leases — pre-register each allowed device by MAC address with a reserved IP.
- address-pool=static-only — instruct the DHCP server to issue leases only to clients that have a matching static lease. All other clients are silently ignored.
| Setting | Value | Effect |
|---|---|---|
| address-pool | static-only | Only clients with a static lease get an IP |
| address-pool | <pool-name> (default) | Any client may get an IP from the pool |
This approach acts as a simple Layer 2 access control list at the IP address assignment layer. It does not prevent a determined attacker from spoofing a registered MAC address; for stronger isolation, combine with 802.1X authentication or firewall rules.
Prerequisites
- RouterOS 6.x or 7.x
- A working DHCP server configured on the relevant interface (see /ip dhcp-server)
- Administrator access
- The MAC addresses of all devices that should be allowed to receive an IP
Configuration
Step 1 — Set the DHCP server to static-only
Identify your DHCP server name (e.g., dhcp1) and set its address-pool to static-only:
```
/ip dhcp-server set [find name="dhcp1"] address-pool=static-only
```
From this point, no new dynamic leases will be issued. Existing dynamic leases continue until they expire; they are not revoked immediately.
Step 2 — Add static leases for allowed devices
For each allowed device, create a static lease binding its MAC address to a specific IP address:
```
/ip dhcp-server lease add \
    server=dhcp1 \
    address=192.168.1.10 \
    mac-address=AA:BB:CC:DD:EE:01 \
    comment="Office laptop"
/ip dhcp-server lease add \
    server=dhcp1 \
    address=192.168.1.11 \
    mac-address=AA:BB:CC:DD:EE:02 \
    comment="Office printer"
/ip dhcp-server lease add \
    server=dhcp1 \
    address=192.168.1.12 \
    mac-address=AA:BB:CC:DD:EE:03 \
    comment="Access point"
```
The addresses you assign must fall within the subnet served by the DHCP server
but do not need to be inside a dynamic address pool — since static-only
bypasses pool allocation entirely.
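When the allow-list is maintained outside the router, the lease commands can be generated and checked before they are pasted in. The following is an added example, not part of the original page or of RouterOS: the inventory, the function names and the 192.168.1.0/24 subnet are assumptions. It normalizes MACs to colon form, rejects addresses outside the served subnet, and refuses duplicate bindings.

```python
import ipaddress
import re

# Constructed inventory: (MAC as collected, reserved IP, comment).
INVENTORY = [
    ("aa-bb-cc-dd-ee-01", "192.168.1.10", "Office laptop"),
    ("AABB.CCDD.EE02", "192.168.1.11", "Office printer"),
    ("AA:BB:CC:DD:EE:03", "192.168.2.12", "Access point"),      # wrong subnet
    ("aa:bb:cc:dd:ee:01", "192.168.1.13", "Duplicate laptop"),  # MAC reused
    ("AA:BB:CC:DD:EE", "192.168.1.14", "Truncated MAC"),        # malformed
]

def normalize_mac(raw):
    """Return the MAC as upper-case colon-separated octets, or None if malformed."""
    digits = re.sub(r"[-:.\s]", "", raw).upper()
    if not re.fullmatch(r"[0-9A-F]{12}", digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def build_lease_commands(inventory, server, subnet):
    """Validate each entry; return (RouterOS commands, list of rejected entries)."""
    net = ipaddress.ip_network(subnet)
    seen_macs, seen_ips, commands, errors = set(), set(), [], []
    for raw_mac, raw_ip, comment in inventory:
        mac = normalize_mac(raw_mac)
        if mac is None:
            errors.append(f"{raw_mac}: not a valid MAC address")
            continue
        try:
            ip = ipaddress.ip_address(raw_ip)
        except ValueError:
            errors.append(f"{mac}: {raw_ip} is not a valid IP address")
            continue
        if ip not in net or ip in (net.network_address, net.broadcast_address):
            errors.append(f"{mac}: {ip} is not a usable host address in {net}")
            continue
        if mac in seen_macs or ip in seen_ips:
            errors.append(f"{mac}: duplicate MAC or IP ({ip})")
            continue
        seen_macs.add(mac)
        seen_ips.add(ip)
        # Strip characters that are special inside a quoted RouterOS string.
        safe_comment = re.sub(r'[\\"$]', "", comment)
        commands.append(f"/ip dhcp-server lease add server={server} address={ip} "
                        f'mac-address={mac} comment="{safe_comment}"')
    return commands, errors

if __name__ == "__main__":
    cmds, errs = build_lease_commands(INVENTORY, "dhcp1", "192.168.1.0/24")
    print("\n".join(cmds + [f"# skipped: {e}" for e in errs]))
```

Rejected entries are printed as comments so that they are reviewed rather than silently dropped from the allow-list.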
Step 3 (optional) — Populate the ARP table automatically
Setting add-arp=yes on the DHCP server causes RouterOS to add a static ARP
entry each time a lease is bound. This prevents ARP spoofing for registered
clients and is useful when the interface has arp=reply-only:
```
/ip dhcp-server set [find name="dhcp1"] add-arp=yes
```
Note: add-arp=yes requires the interface’s ARP mode to permit adding entries (i.e., not arp=disabled). When using arp=reply-only on the interface, set add-arp=yes on the DHCP server so ARP entries are populated from static leases.
Complete example
```
# Restrict DHCP to registered MACs only
/ip dhcp-server set [find name="dhcp1"] \
    address-pool=static-only \
    add-arp=yes

# Register allowed devices
/ip dhcp-server lease add server=dhcp1 address=192.168.1.10 mac-address=AA:BB:CC:DD:EE:01 comment="Laptop"
/ip dhcp-server lease add server=dhcp1 address=192.168.1.11 mac-address=AA:BB:CC:DD:EE:02 comment="Printer"
/ip dhcp-server lease add server=dhcp1 address=192.168.1.12 mac-address=AA:BB:CC:DD:EE:03 comment="AP"
```
Verification
Confirm static-only is active:
```
/ip dhcp-server print detail
```
Look for address-pool: static-only in the output.
List all registered static leases:
```
/ip dhcp-server lease print where dynamic=no
```
Check which clients currently hold leases:
```
/ip dhcp-server lease print
```
Entries with dynamic=yes are leases granted from a pool (these will not
renew once address-pool=static-only is in effect). Entries with dynamic=no
are your registered static leases.
Verify an unknown device is not assigned an IP:
Connect a device whose MAC is not in the static lease list. It should receive no IP address (DHCP request times out on the client). Confirm no new lease appears:
```
/ip dhcp-server lease print where dynamic=yes
```
No new entries should appear after the client’s DHCP request.
Troubleshooting
A registered device is not getting an IP
- Verify the MAC address in the static lease exactly matches the client’s MAC
(case-insensitive, but hyphens vs colons can cause issues on some versions —
use colons):
  ```
  /ip dhcp-server lease print detail where mac-address="AA:BB:CC:DD:EE:01"
  ```
- Check the server= field on the lease matches the name of the DHCP server instance serving that interface.
- Ensure the IP address in the lease is reachable from that interface’s subnet.
Existing dynamic leases are still active after switching to static-only
Dynamic leases created before the change remain active until they expire or are released. To force removal of all existing dynamic leases immediately:
```
/ip dhcp-server lease remove [find dynamic=yes]
```
Unknown clients are still receiving IPs
Confirm address-pool is actually static-only — it is easy to set it on the
wrong server instance if multiple DHCP servers exist:
```
/ip dhcp-server print detail
```
If there are multiple server instances and an unknown client is on an interface
served by a different instance, that instance also needs address-pool=static-only.
add-arp=yes is set but ARP entries are missing
Ensure the interface’s ARP mode is not arp=disabled. Use arp=reply-only to
restrict ARP responses to known entries while still allowing the DHCP server to
add them:
```
# bridge1 is a bridge, so its ARP mode is set under /interface bridge
# (use /interface ethernet for a physical port such as ether1)
/interface bridge set [find name="bridge1"] arp=reply-only
```
See Also
- DHCP Server — full DHCP server reference including all lease and server properties
- Static Leases — detailed static lease configuration
- ARP — ARP modes including reply-only and disabled
- Firewall Filter — complement MAC filtering with Layer 3 firewall rules