How to reserve a static-ip on Mikrotik router for a device that is attached to a fixed router’s Ethernet port

Tags: dhcp-server, ethernet, mac address, mikrotik, static-ip

I am trying hard to figure out how I can force any DHCP client device that connects to port ETH10 on a Mikrotik router to be assigned a fixed IP address.

Please note that the device's MAC address is unknown, and I will not reserve a static IP address bound to the MAC address of the attached device on the router side. In addition, the attached devices are set as DHCP clients and it is not possible to offer a static IP.

To clarify, more explanation follows.
I have created [on the Mikrotik router] bridge1 with IP range 192.168.20.0/24 assigned to ports Eth1, Eth2, Eth3, and all devices attached to the router's ports Eth1, Eth2, Eth3 get a dynamic IP address from the router's DHCP server with pool 192.168.20.100-192.168.20.110. In addition, the devices attached to Eth1, Eth2, Eth3 should have access to the internet, and their addresses should always be obtained dynamically from the router's DHCP server.

The problem is as follows.
I would like to reserve port Eth10 on the Mikrotik to offer only and always the static IP address 192.168.20.115 to any IoT device whose Ethernet interface is connected to the router's ETH10. All the Ethernet ports of the IoT devices are configured as DHCP clients and it is not possible to change that.

The Mikrotik router should not assign a static IP address to the IoT device based on a reserved MAC address of the attached IoT device's Ethernet interface, since many of these IoT devices are going to be attached and then detached later, and it is not possible to reserve/store those MAC addresses on the router.

In addition, for security reasons any IoT device should be reachable from any of the devices connected to ETH1-ETH3 and vice versa, but the IoT device should not get access to the internet at all, while the ETH1-ETH3 devices can access the internet and talk to/reach each other.

I have created the DHCP server on the Mikrotik and shared the internet with the ETH1-ETH3 devices, but I failed to assign a static IP address to the device connected to ETH10 and to block internet access for it.
All of my googling offers MAC-address-based static IP assignment, which I have no use for.

Any guide/settings on how to achieve non-MAC-address-based static IP assignment and block internet access for a specific IP address in a subnet on Mikrotik is appreciated.

Best Answer

Set up a separate DHCP server on eth10 which dynamically hands out that single address with a short lease time and no DNS settings.

/ip address add address=192.168.20.114/31 interface=eth10
/ip pool add name="iot-static" ranges=192.168.20.115
/ip dhcp-server add name="iot-dchp" interface=eth10 lease-time=1m address-pool=iot-static add-arp=yes authoritative=yes use-radius=no
/ip dhcp-server network add address=192.168.20.114/31 gateway=192.168.20.114 netmask=31 dns-none=yes

To block all traffic from the IoT devices but allow replies, set up a firewall filter rule that blocks new connections from the IoT device:

/ip firewall filter add chain=forward action=reject reject-with=icmp-admin-prohibited connection-state=new src-address=192.168.20.115 in-interface=eth10 log=no

If you want to block only the internet traffic then use a different filter rule:

/ip firewall filter add chain=forward action=reject reject-with=icmp-admin-prohibited src-address=192.168.20.115 out-interface=eth-internet log=no
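
The single-address pool and `lease-time=1m` in the answer above decide how quickly a replacement device on eth10 receives 192.168.20.115. The following is an added example, not part of the original answer and not RouterOS code: a simplified model of DHCP lease handling that shows the wait when devices are swapped before the old lease expires. The MAC addresses, the 10-second client retry interval and the assumption that the unplugged device sends no DHCPRELEASE are constructed.

```python
import ipaddress

# Values taken from the answer's configuration.
NETWORK = ipaddress.ip_network("192.168.20.114/31")
POOL = [ipaddress.ip_address("192.168.20.115")]
LEASE_SECONDS = 60  # lease-time=1m


def router_and_client():
    """A /31 holds exactly two addresses: the router's and the pool's."""
    return [str(a) for a in NETWORK]


class SingleAddressPool:
    """Simplified model: an address is offered to a different MAC only
    after the previous holder's lease has expired."""

    def __init__(self, pool, lease_seconds):
        self.pool = list(pool)
        self.lease_seconds = lease_seconds
        self.leases = {}  # address -> (mac, expiry time in seconds)

    def request(self, mac, now):
        for addr in self.pool:
            holder = self.leases.get(addr)
            if holder is None or holder[0] == mac or holder[1] <= now:
                self.leases[addr] = (mac, now + self.lease_seconds)
                return addr
        return None  # pool exhausted: this client gets no offer


def swap_timeline(swap_at, retry_every=10):
    """Device A leases at t=0 and is unplugged without releasing.
    Device B is plugged in at swap_at and retries every retry_every
    seconds (assumed interval). Returns the time B gets the address."""
    pool = SingleAddressPool(POOL, LEASE_SECONDS)
    pool.request("AA:AA:AA:AA:AA:01", now=0)  # constructed MAC, device A
    t = swap_at
    while pool.request("BB:BB:BB:BB:BB:02", now=t) is None:  # device B
        t += retry_every
    return t


if __name__ == "__main__":
    print("addresses in the /31:", router_and_client())
    for swap_at in (5, 60, 90):
        print(f"B plugged in at t={swap_at}s gets the address at "
              f"t={swap_timeline(swap_at)}s")
```

In this model a device plugged in 5 seconds after the previous one leased the address waits until the old lease has expired, which is the delay the short lease time in the answer keeps small.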