Custom firewall rules with DHCP and radius

I am running a DHCP server on the RB1000 that uses an external radius server. I use the Mikrotik-Rate-Limit attribute to assign bandwidth limits to users. I would like to limit access to DHCP users only (disallow static IP users) by dynamically adding appropriate rules to the FORWARD chain (preferably by MAC, not IP). Is this possible using the Filter-Id attribute, or possibly some custom script/attribute?

Thanks.

Try to set arp to reply-only and for DHCP check “add arp for leases only”.
I think that this way if a user sets a static IP manually he will not be able to pass through because Mikrotik doesn’t have his MAC address in the ARP table.

Thanks Smith, works great. I will just have to remember to set a static ARP entry if I allow someone to use a static IP address.
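
The setup discussed in this thread, written out as RouterOS commands. This is an added example, not taken from any of the posts; the interface name `ether2`, the DHCP server name `dhcp1`, and the address/MAC pair are assumed placeholders.

```routeros
# Added example. ether2, dhcp1 and the address/MAC below are assumed
# placeholders; substitute the names used on your own router.

# 1. Client-facing interface: use only ARP entries that already exist in
#    the table. The router no longer learns address/MAC pairs from the wire.
/interface ethernet set ether2 arp=reply-only

# 2. DHCP server on that interface: add an ARP entry for every lease it
#    hands out, so leased clients stay reachable under reply-only.
/ip dhcp-server set dhcp1 add-arp=yes

# 3. Exception for a host that is allowed to use a static address:
#    add its ARP entry by hand, otherwise the router will not answer it.
/ip arp add address=192.0.2.50 mac-address=00:00:5E:00:53:01 interface=ether2

# 4. Check: list the ARP entries the router will use on this interface.
#    A host that is not listed here gets no return traffic.
/ip arp print where interface=ether2
```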