I want DHCP server work, only registered mac address.
if connecting unregister mac address or static IP hosts must auto block.
ty,
On the DHCP server:
- for the address pool, select static-only
- check yes for “Add ARP for Leases”
On the IP interface, set arp=reply-only
This should do what you want.
This will keep any static IP hosts from getting on the Internet in general - but there is still one hole open: UDP can still go out and work, so long as the sender doesn’t need any replies…
If you want to close this hole, then you could specify a lease script that simply adds the IP address to /ip firewall address-list address= list=LEASED_HOSTS timeout=
In your firewall forward filter, make the first rule that specifically applies to the LAN be this:
chain=forward action=drop src-address-list=!LEASED_HOSTS in-interface=lan
The script might need to be made slightly more sophisticated - make it first check if the address is in the list, if so, then update the timeout, and if not, then add with the timeout.
Of course this doesn’t stop all shenanigans - rogue DHCP, Rogue RA/NDP (ipv6), netcut, arp poisoning, etc is all possible and the router can’t do anything to BLOCK such things. The only way to lock this down is with access-layer security - switches that support dot1x port security, and use dot1x supplicants on the devices.