
DHCP MAC Whitelist

By default, RouterOS DHCP assigns an IP address to any client that requests one. To restrict access so that only registered (whitelisted) devices receive IP addresses, RouterOS provides two complementary mechanisms:

  1. Static-only DHCP pool — the DHCP server only serves clients that have a pre-configured static lease entry. Unknown MACs receive no IP.
  2. ARP enforcement — setting add-arp=yes on the DHCP server combined with arp=reply-only on the LAN interface prevents devices that self-assign IPs from communicating, closing the gap left by DHCP-only controls.

Together these controls ensure that only explicitly registered devices can get an address and communicate on the network.

Prerequisites

  • RouterOS 7.x
  • A configured DHCP server on the LAN interface or bridge (see /ip dhcp-server)
  • Administrative access via Winbox, WebFig, or SSH

Step 1 — Switch the DHCP server to static-only


Set the DHCP server’s address pool to static-only. This instructs RouterOS to refuse DHCP offers to any client that does not have a matching static lease.

/ip dhcp-server
set [find name="dhcp1"] address-pool=static-only add-arp=yes
Parameter    | Value             | Effect
address-pool | static-only       | No dynamic pool — only static leases are served
add-arp      | yes (enabled)     | Automatically creates an ARP entry for each active static lease

RouterOS 7 note: The authoritative property existed in RouterOS 6 but is not present in RouterOS 7. With address-pool=static-only, RouterOS 7 silently ignores DHCP requests from unknown MACs — no DHCPNAK is sent. This is the expected behavior and requires no additional configuration.

Step 2 — Create static lease entries for allowed devices


Add one static lease per approved MAC address. Use a descriptive comment for auditability.

/ip dhcp-server lease
add server=dhcp1 mac-address=AA:BB:CC:DD:EE:01 address=192.168.88.10 comment="Workstation-Alice"
add server=dhcp1 mac-address=AA:BB:CC:DD:EE:02 address=192.168.88.11 comment="Workstation-Bob"
add server=dhcp1 mac-address=AA:BB:CC:DD:EE:03 address=192.168.88.12 comment="Printer-Office"

Devices whose MAC addresses are not in this list will receive no DHCP response.

Step 3 — Enable ARP reply-only on the LAN bridge or interface


address-pool=static-only prevents unknown clients from obtaining an IP via DHCP, but does not stop a device from self-assigning an IP address. Combining add-arp=yes (Step 1) with arp=reply-only on the LAN interface closes this gap: the router only replies to ARP requests for addresses that are already in its ARP table (populated from active static leases), so self-assigned devices cannot reach the gateway.

For a bridge-based LAN (typical setup):

/interface bridge
set [find name="bridge-lan"] arp=reply-only

For a single LAN interface without a bridge:

/interface ethernet
set [find name="ether2"] arp=reply-only

Warning: After enabling arp=reply-only, any statically configured host (e.g., the router’s own management PC) must have a corresponding ARP entry. Add a static ARP entry if needed:

/ip arp add interface=bridge-lan address=192.168.88.2 mac-address=AA:BB:CC:DD:EE:FF

Step 4 (Optional) — Log DHCP bind events with a lease-script


Use a lease-script to log every bind/release event for auditing:

/ip dhcp-server
set dhcp1 lease-script=":if (\$leaseBound = 1) do={\
:log info (\"DHCP bound: MAC=\".\$leaseActMAC.\" IP=\".\$leaseActIP);\
} else={\
:log info (\"DHCP released: MAC=\".\$leaseActMAC.\" IP=\".\$leaseActIP);\
}"

Step 5 (Optional) — Bridge MAC filter for strict L2 enforcement


For environments that require strict Layer 2 access control (e.g., blocking unknown devices from any LAN traffic, not just routed traffic), use bridge filter rules to enforce a MAC allowlist.

Warning: Incorrect bridge filter rules can lock you out of the router. Configure with a fallback plan (console access or a scheduled reset script).

/interface bridge filter
add chain=forward src-mac-address=AA:BB:CC:DD:EE:01/FF:FF:FF:FF:FF:FF action=accept comment="Allow Workstation-Alice"
add chain=forward src-mac-address=AA:BB:CC:DD:EE:02/FF:FF:FF:FF:FF:FF action=accept comment="Allow Workstation-Bob"
add chain=forward src-mac-address=AA:BB:CC:DD:EE:03/FF:FF:FF:FF:FF:FF action=accept comment="Allow Printer-Office"
add chain=forward in-bridge=bridge-lan action=drop comment="Drop all unknown source MACs"

Add additional accept rules before the drop rule for any infrastructure traffic (e.g., router’s own MAC, uplink, VoIP gateway).
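The static leases in Step 2 and the bridge-filter accept rules in Step 5 must list the same MACs, so generating both from one inventory keeps them from drifting apart. The following is an added example (not MikroTik's or this page's own code) that renders both command sets from a single device list and reconciles that list against an existing /ip dhcp-server lease export; the server name dhcp1, the bridge name bridge-lan and the export line format it parses are assumptions.

```python
"""Build one consistent RouterOS MAC allowlist from a single device inventory.
Added example (not MikroTik's or the page's code); server/bridge names are assumptions."""
import re
import shlex

MAC_RE = re.compile(r"^([0-9A-F]{2}:){5}[0-9A-F]{2}$")

def normalize_mac(mac):
    """Accept aa-bb-cc-dd-ee-01 or lower-case input; RouterOS compares the MAC exactly."""
    mac = mac.strip().replace("-", ":").upper()
    if not MAC_RE.match(mac):
        raise ValueError(f"malformed MAC address: {mac!r}")
    return mac

def render(inventory, server="dhcp1", bridge="bridge-lan"):
    """Emit Step 2 leases and Step 5 bridge-filter rules from (name, mac, ip) rows."""
    rows = [(name, normalize_mac(mac), ip) for name, mac, ip in inventory]
    lines = ["/ip dhcp-server lease"] + [
        f'add server={server} mac-address={mac} address={ip} comment="{name}"'
        for name, mac, ip in rows]
    lines += ["/interface bridge filter"] + [
        f'add chain=forward src-mac-address={mac}/FF:FF:FF:FF:FF:FF action=accept comment="Allow {name}"'
        for name, mac, _ in rows]
    # The catch-all drop stays last so the accept rules above it match first.
    lines.append(f'add chain=forward in-bridge={bridge} action=drop comment="Drop all unknown source MACs"')
    return lines

def parse_lease_export(text):
    """Map MAC -> IP from the 'add ...' lines of '/ip dhcp-server lease export'."""
    leases = {}
    for line in text.splitlines():
        if line.strip().startswith("add "):
            kv = dict(t.split("=", 1) for t in shlex.split(line)[1:] if "=" in t)
            if "mac-address" in kv:
                leases[normalize_mac(kv["mac-address"])] = kv.get("address", "")
    return leases

def reconcile(inventory, current):
    """Return (missing, stale): inventory MACs absent or mis-addressed on the router,
    and router MACs not in the inventory (entries to remove or investigate)."""
    wanted = {normalize_mac(mac): ip for _, mac, ip in inventory}
    missing = sorted(m for m in wanted if current.get(m) != wanted[m])
    stale = sorted(m for m in current if m not in wanted)
    return missing, stale

# Constructed sample data: two approved devices and an export holding one stale lease.
INVENTORY = [("Workstation-Alice", "aa-bb-cc-dd-ee-01", "192.168.88.10"),
             ("Printer-Office", "AA:BB:CC:DD:EE:03", "192.168.88.12")]
EXPORT = ('/ip dhcp-server lease\n'
          'add address=192.168.88.10 mac-address=AA:BB:CC:DD:EE:01 server=dhcp1 comment="Workstation-Alice"\n'
          'add address=192.168.88.99 mac-address=AA:BB:CC:DD:EE:99 server=dhcp1 comment="Unknown-device"\n')
```

Paste the output of render() into the terminal after reviewing it; a non-empty stale list from reconcile() points at leases on the router that nobody approved.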

Verification

Confirm the DHCP server is in static-only mode

/ip dhcp-server print detail

Look for address-pool: static-only and add-arp: yes in the output.

/ip dhcp-server lease print

Active static leases should appear in the ARP table after the client connects:

/ip arp print

Entries populated by DHCP (add-arp=yes) appear as dynamic. Static entries you added manually appear as static.

Connect a device whose MAC is not in the lease table. It should:

  1. Receive no DHCP offer (visible in router log: /log print where topics~"dhcp")
  2. Be unable to reach the gateway even with a self-assigned IP (due to arp=reply-only)

Troubleshooting

Known device not getting an IP

  • Verify the MAC address is correctly entered: mac-address is case-insensitive but must be exact.
    /ip dhcp-server lease print where mac-address="AA:BB:CC:DD:EE:01"
  • Confirm the DHCP server name in the lease matches the server handling that interface:
    /ip dhcp-server print
    /ip dhcp-server lease print

Device self-assigned an IP but can still reach the gateway

  • Confirm arp=reply-only is set on the correct interface/bridge:
    /interface bridge print detail where name="bridge-lan"
  • Confirm add-arp=yes is enabled on the DHCP server so static-lease ARP entries are created automatically.

Router lost management access after enabling reply-only

The router’s own management interface needs an ARP entry if the management host is not covered by a static DHCP lease:

/ip arp add interface=bridge-lan address=<management-pc-ip> mac-address=<management-pc-mac>

DHCP log shows lease attempts from unknown MACs

Monitor attempted connections to identify devices to either approve or investigate:

/log print where topics~"dhcp"

Related

  • ARP — ARP modes, reply-only, proxy ARP, and static ARP entries
  • IP Pools — Managing dynamic and static address pools
  • /ip dhcp-server — RouterOS DHCP server reference (official MikroTik wiki)
  • /interface bridge filter — Bridge firewall for L2 MAC filtering