How to ignore or deny a client in dhcpv4/dhcpv6?

Started by heypppoe, September 22, 2023, 10:05:42 AM

How to ignore or deny a client in dhcpv4/dhcpv6 by MAC address?

With DHCPv4, you can go to "Services > DHCP > LAN", create "DHCP Static Mappings" for all clients you want to get an IPv4 address from your DHCP server and then enable "Deny unknown clients".

There does not appear to be an equivalent option for DHCPv6.
OPNsense: Intel Core i5-6500, 16 GB RAM, 2x 120GB SSD ZFS-mirror, 4x Intel i350-T4
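For readers who want to see what the GUI steps above amount to on the daemon side: OPNsense of that era rendered the DHCPv4 settings into an ISC dhcpd configuration, and the following is an added, hand-written equivalent, not the file OPNsense itself generates. The interface subnet, addresses and MACs are made up for illustration, and the `host` declarations stand in for the "DHCP Static Mappings".

```conf
# Added example: hand-written ISC dhcpd.conf equivalent of the GUI steps above
# (not the file OPNsense generates; subnet, addresses and MACs are constructed).

default-lease-time 7200;
max-lease-time 86400;
option domain-name-servers 192.168.1.1;

# One "DHCP Static Mapping" per client that is allowed to obtain a lease.
host laptop-alice {
  hardware ethernet 00:11:22:33:44:55;   # constructed example MAC
  fixed-address 192.168.1.10;
}

host office-printer {
  hardware ethernet 00:11:22:33:44:66;   # constructed example MAC
  fixed-address 192.168.1.20;
}

subnet 192.168.1.0 netmask 255.255.255.0 {
  option routers 192.168.1.1;
  pool {
    range 192.168.1.100 192.168.1.199;
    # "Deny unknown clients": only clients matching a host declaration
    # above are answered; any other MAC gets no OFFER from this pool.
    deny unknown-clients;
  }
}
```

After editing a file like this by hand, `dhcpd -t -cf /path/to/dhcpd.conf` checks the syntax without starting the server. Keep in mind what the later replies in this thread point out: the match is on the MAC the client presents, so a device that sets its own static address, or clones a listed MAC, is not kept off the segment by this setting alone.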

Is it possible to add a firewall rule to deny DHCP requests by MAC?

What are you trying to accomplish?

If you want to exclude a specific MAC from your network, you might as well block any traffic by MAC, because otherwise even if DHCP is denied, the client can always use a static IP.

Then again, the MAC may be faked as well and probably already is with modern iOS or Android devices (aka "private WLAN address").

Thus, blacklisting does not really help. Even whitelisting plus "Deny unknown clients" can be faked when someone knows some of your device MACs.

Network access control is something that is beyond the duties of a firewall. For Ethernet, you can do it via 802.1X if your network hardware allows it. For WLAN, it is up to you whom you give the password.
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+

Quote from: meyergru on September 25, 2023, 08:45:30 AM
What are you trying to accomplish?

If you want to exclude a specific MAC from your network, you might as well block any traffic by MAC, because otherwise even if DHCP is denied, the client can always use a static IP.

Then again, the MAC may be faked as well and probably already is with modern iOS or Android devices (aka "private WLAN address").

Thus, blacklisting does not really help. Even whitelisting plus "Deny unknown clients" can be faked when someone knows some of your device MACs.

Network access control is something that is beyond the duties of a firewall. For Ethernet, you can do it via 802.1X if your network hardware allows it. For WLAN, it is up to you whom you give the password.

There are ways to lock down wireless to more than just a password but it's more hassle than it's worth for the average user.