Your existing dnsmasq configuration already handles static IP assignments for known MAC addresses through entries like:
dhcp-host=00:11:22:33:44:55,192.168.1.100
dhcp-host=00:11:22:33:44:56,192.168.1.101
dhcp-host=00:11:22:33:44:57,192.168.1.102
To implement MAC filtering in dnsmasq, we'll use the dhcp-ignore directive combined with dhcp-host. Here's how to modify your configuration:
# Dynamic pool; the dhcp-ignore line below restricts leases to hosts that have a dhcp-host entry
dhcp-range=192.168.1.100,192.168.1.200,12h
# Static assignments (allowed devices); matching a dhcp-host line sets the 'known' tag automatically
dhcp-host=00:11:22:33:44:55,192.168.1.100
dhcp-host=00:11:22:33:44:56,192.168.1.101
dhcp-host=00:11:22:33:44:57,192.168.1.102
# Ignore DHCP requests from any MAC without a dhcp-host entry (no 'known' tag)
dhcp-ignore=tag:!known
For a different approach that still maintains your static IP assignments:
# Declare all known MACs with tag 'known'; dnsmasq sets 'known' itself for any host
# matching a dhcp-host line, so set:known here is redundant but harmless
dhcp-host=00:11:22:33:44:55,set:known,192.168.1.100
dhcp-host=00:11:22:33:44:56,set:known,192.168.1.101
dhcp-host=00:11:22:33:44:57,set:known,192.168.1.102
# Then ignore all requests without the 'known' tag
dhcp-ignore=tag:!known
After implementing these changes, test your configuration:
# Restart dnsmasq with new config
sudo systemctl restart dnsmasq
# Check logs for DHCP requests
sudo tail -f /var/log/syslog | grep dnsmasq
You should see entries like:
dnsmasq-dhcp[1234]: DHCPDISCOVER(eth0) 00:11:22:33:44:58 ignored
dnsmasq-dhcp[1234]: DHCPDISCOVER(eth0) 00:11:22:33:44:55
dnsmasq-dhcp[1234]: DHCPOFFER(eth0) 192.168.1.100 00:11:22:33:44:55
For enhanced security, consider combining MAC filtering with VLANs:
# One range per VLAN sub-interface (eth0.10, eth0.20); dnsmasq picks the range whose
# subnet matches the address of the interface the request arrived on
dhcp-range=set:vlan10,192.168.10.100,192.168.10.200,12h
dhcp-range=set:vlan20,192.168.20.100,192.168.20.200,12h
# Per-device addresses. VLAN membership is decided by the switch/AP port, not by dnsmasq,
# so each address must lie in the subnet of the VLAN the device actually arrives on;
# the set: tags only select per-device dhcp-option lines
dhcp-host=00:11:22:33:44:55,set:iot-vlan,192.168.10.100
dhcp-host=00:11:22:33:44:56,set:admin-vlan,192.168.20.101
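The log check above is where this filter actually gets verified: every unauthorised device shows up as a DHCPDISCOVER that dnsmasq logs with a trailing "ignored", and those lines are worth counting rather than just eyeballing, because dhcp-ignore only stops dnsmasq from handing out a lease; a device with a manually configured address, or one spoofing an approved MAC, still joins the segment. The script below is an added example (not code from the answer above or from the dnsmasq project) that parses the default dnsmasq DHCP log format (DHCPDISCOVER(<iface>) <mac> [ignored], DHCPACK(<iface>) <ip> <mac> [<name>]) and separates served hosts from repeatedly rejected ones. The syslog lines it runs on are constructed, not a real capture.

```python
"""Summarise dnsmasq DHCP log lines: which MACs were served and which were ignored.

Added example, not part of the original answer. Assumes dnsmasq's default DHCP
logging (no log-dhcp): 'DHCPDISCOVER(<iface>) <mac> [ignored]' and
'DHCPACK(<iface>) <ip> <mac> [<hostname>]'.
"""
import re
from collections import defaultdict

# Constructed sample of /var/log/syslog output (not a real capture).
SAMPLE_LOG = """\
Mar  3 10:00:01 gw dnsmasq-dhcp[1234]: DHCPDISCOVER(eth0) 00:11:22:33:44:58 ignored
Mar  3 10:00:01 gw dnsmasq-dhcp[1234]: DHCPDISCOVER(eth0) 00:11:22:33:44:55
Mar  3 10:00:01 gw dnsmasq-dhcp[1234]: DHCPOFFER(eth0) 192.168.1.100 00:11:22:33:44:55
Mar  3 10:00:02 gw dnsmasq-dhcp[1234]: DHCPREQUEST(eth0) 192.168.1.100 00:11:22:33:44:55
Mar  3 10:00:02 gw dnsmasq-dhcp[1234]: DHCPACK(eth0) 192.168.1.100 00:11:22:33:44:55 laptop
Mar  3 10:00:05 gw dnsmasq-dhcp[1234]: DHCPDISCOVER(eth0) 00:11:22:33:44:58 ignored
Mar  3 10:00:09 gw dnsmasq-dhcp[1234]: DHCPDISCOVER(eth0) aa:bb:cc:dd:ee:ff ignored
Mar  3 10:00:10 gw dnsmasq[1234]: query[A] example.com from 192.168.1.100
"""

MAC = r"([0-9a-fA-F]{2}(?::[0-9a-fA-F]{2}){5})"
# group 1: interface, group 2: MAC, group 3: the ' ignored' suffix if dnsmasq dropped it
DISCOVER_RE = re.compile(r"DHCPDISCOVER\((\S+)\) " + MAC + r"( ignored)?\s*$")
# group 1: interface, group 2: leased IP, group 3: MAC
ACK_RE = re.compile(r"DHCPACK\((\S+)\) (\d+\.\d+\.\d+\.\d+) " + MAC)


def summarise(log_text):
    """Return (ignored, served): ignored maps MAC -> number of ignored DISCOVERs,
    served maps MAC -> the IP dnsmasq acknowledged. MACs are lower-cased."""
    ignored = defaultdict(int)
    served = {}
    for line in log_text.splitlines():
        m = DISCOVER_RE.search(line)
        if m and m.group(3):
            ignored[m.group(2).lower()] += 1
            continue
        m = ACK_RE.search(line)
        if m:
            served[m.group(3).lower()] = m.group(2)
    return dict(ignored), served


def rejected_macs(log_text, min_attempts=2):
    """MACs ignored at least min_attempts times. Repeated attempts are the signal
    worth alerting on; a single ignored DISCOVER is often just a device waking up."""
    ignored, _ = summarise(log_text)
    return sorted(mac for mac, n in ignored.items() if n >= min_attempts)


if __name__ == "__main__":
    ignored, served = summarise(SAMPLE_LOG)
    for mac, ip in served.items():
        print(f"served   {mac} -> {ip}")
    for mac, n in ignored.items():
        print(f"ignored  {mac} ({n} attempts)")
    print("repeat offenders:", rejected_macs(SAMPLE_LOG))
```

To run it against the live log, feed it the output of grep dnsmasq-dhcp /var/log/syslog (or journalctl -u dnsmasq) instead of SAMPLE_LOG; anything in the rejected list that is not a device you expect to be offline is either a new host or a MAC you have not yet added to dhcp-host.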
When managing a network, there are scenarios where you want to restrict DHCP leases only to pre-approved devices while maintaining static IP assignments for specific MAC addresses. This security measure prevents unauthorized devices from joining your network automatically.
The solution lies in combining two dnsmasq features: static address assignment and lease filtering. Here's how to modify your configuration:
# Enable strict MAC filtering
dhcp-ignore=tag:!known
dhcp-host=00:11:22:33:44:55,192.168.1.100,set:known
dhcp-host=00:11:22:33:44:56,192.168.1.101,set:known
dhcp-host=00:11:22:33:44:57,192.168.1.102,set:known
The dhcp-ignore=tag:!known directive tells dnsmasq to ignore all DHCP requests from devices that don't have the 'known' tag. Each dhcp-host entry now includes set:known to mark approved devices.
For environments with a mix of static and dynamic assignments:
# Only serve DHCP to MACs with a dhcp-host entry (no dynamic pool):
# 'static' takes the place of the end address, so the range is written as <subnet>,static
dhcp-range=192.168.1.0,static
dhcp-host=00:11:22:33:44:55,192.168.1.100
dhcp-host=00:11:22:33:44:56,192.168.1.101
After implementing these changes:
- Restart dnsmasq:
sudo systemctl restart dnsmasq
- Attempt connection from both approved and unapproved devices
- Check logs:
tail -f /var/log/syslog | grep dnsmasq
For enhanced security, consider implementing VLANs alongside MAC filtering:
# Example for VLAN 10 (sub-interface eth0.10): static mode, the subnet identifies the range
dhcp-range=192.168.10.0,static
# dhcp-host is keyed by MAC, not by interface; the address places the host in VLAN 10's subnet
dhcp-host=00:11:22:33:44:55,192.168.10.100,set:known
If devices aren't receiving IPs:
- Verify MAC address formatting (lowercase vs uppercase)
- Check for duplicate IP assignments
- Confirm configuration file is being loaded (use dnsmasq --test)
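The troubleshooting list above is easy to turn into a pre-flight check that runs before the restart, which is useful because dnsmasq --test reports syntax errors but says nothing about two dhcp-host lines claiming the same IP, or the same MAC written once in upper and once in lower case (dnsmasq reads the hex case-insensitively, so those are duplicates, not a formatting failure). The script below is an added example (not code from the answer above or from the dnsmasq project): it parses the dhcp-host, dhcp-range and dhcp-ignore lines of a config, flags malformed MACs, duplicate MACs and IPs, a misplaced 'static' keyword, and a missing dhcp-ignore=tag:!known. The config it checks is constructed to trigger each finding. It is a lint, not a parser of the full dnsmasq grammar; dnsmasq --test remains the authoritative check.

```python
"""Lint the MAC-filtering parts of a dnsmasq.conf before restarting the service.

Added example, not part of the original answer. It checks dhcp-host, dhcp-range
and dhcp-ignore lines only; run 'dnsmasq --test' for the real syntax check.
"""
import re
from collections import Counter

MAC_RE = re.compile(r"^[0-9a-fA-F]{2}(?::[0-9a-fA-F]{2}){5}$")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Constructed config that exercises each failure mode (not the asker's file).
SAMPLE_CONF = """\
# 'static' must replace the end address, so this dhcp-range line is malformed
dhcp-range=192.168.1.100,192.168.1.150,static
dhcp-host=00:11:22:33:44:55,192.168.1.100,set:known
dhcp-host=00:11:22:33:44:56,192.168.1.101,set:known
dhcp-host=00:11:22:33:44:AA,192.168.1.101
dhcp-host=00:11:22:33:44:5,192.168.1.103
dhcp-host=00:11:22:33:44:56,192.168.1.104
"""


def parse_dhcp_host(value):
    """Split a dhcp-host value into (mac, ip, tags); dnsmasq accepts the fields in any order."""
    mac = ip = None
    tags = []
    for field in (f.strip() for f in value.split(",")):
        if field.startswith("set:"):
            tags.append(field[4:])
        elif field.startswith(("id:", "tag:")):
            continue  # client-id keyed and tag-matched entries are not checked here
        elif IPV4_RE.match(field):
            ip = field
        elif ":" in field and mac is None:
            mac = field  # the colon-separated field is the hardware address
        # hostname, lease time and 'ignore' fields are not needed for this lint
    return mac, ip, tags


def lint(conf_text):
    """Return a list of (line_number, message); line 0 marks file-wide findings."""
    findings = []
    macs, ips = Counter(), Counter()
    has_ignore = False
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        if key == "dhcp-ignore" and value.replace(" ", "") == "tag:!known":
            has_ignore = True
        elif key == "dhcp-range":
            fields = [f for f in value.split(",") if not f.startswith(("tag:", "set:"))]
            if "static" in fields[2:]:
                findings.append((lineno, "dhcp-range: 'static' must be the second field, e.g. 192.168.1.0,static"))
        elif key == "dhcp-host":
            mac, ip, _ = parse_dhcp_host(value)
            if mac is not None and not MAC_RE.match(mac):
                findings.append((lineno, f"dhcp-host: bad MAC {mac!r}"))
            elif mac is not None:
                macs[mac.lower()] += 1  # dnsmasq compares hex case-insensitively, so 'AA' and 'aa' collide
            if ip:
                ips[ip] += 1
    for mac, n in macs.items():
        if n > 1:
            findings.append((0, f"MAC {mac} appears {n} times"))
    for ip, n in ips.items():
        if n > 1:
            findings.append((0, f"IP {ip} assigned to {n} hosts"))
    if not has_ignore:
        findings.append((0, "no dhcp-ignore=tag:!known: unknown MACs will still get leases from a dynamic range"))
    return findings


if __name__ == "__main__":
    for lineno, msg in lint(SAMPLE_CONF):
        print(f"line {lineno}: {msg}" if lineno else msg)
```

Point it at /etc/dnsmasq.conf (and anything under /etc/dnsmasq.d/) before the systemctl restart; an empty result means the MAC-filtering lines are at least internally consistent, and dnsmasq --test then covers the rest of the syntax.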