How can I allow ONLY DHCP server IP addresses to connect?

We have a Surf SOHO with f/w 8.1.2.
I did a quick search and found no answer. In our “on the road” & home office setup, I want ONLY those IP and/or MAC addresses to be allowed to connect to the router–by WiFi and LAN. How can I do this?

I currently have the DHCP Server “table” filled with all our devices. Sometimes an iPhone IP address gets changed as seen in the Client list. The name gets changed–but obviously the MAC is the same as the DHCP Table.

The few blocked devices I used the MAC, vs IP address which cannot be changed.

Not sure I understand the question. Zoom out. What’s the ultimate purpose of the requirement? Do you have some devices that you don’t want to have internet access?

Normally these would be on a VLAN that is then not allowed to access the internet…


If I understood your problem correctly, then you have the problem only with iOS. This could be the MAC randomization on iOS devices.
You can disable that if you run into a problem.

  1. Open the Settings on your iPhone, iPad, or iPod, then tap Wi-Fi or WLAN.
  2. Tap the information button next to your network.
  3. Turn off Private Address.
  4. Re-join the network.

I’ll mention that @dennis.hofheinz has put forth the correct answer. The MAC address randomization “thing” is part of Apple’s initiative to improve privacy. The steps he outlined are exactly correct in my experience. - Rick

Thanks for the replies. Simply put–Whether WiFi or LAN, iOS or Windows, I want to block every IP or MAC address which is NOT in my DHCP Server table. WiFi is more important than LAN because when on the road–no one has access to my SOHO via LAN, but they do have the ability to get in via WiFi.

We will turn off Private Address in our iOS devices–thanks for that info.

Hi Ron,

To do that, you need a NAC solution.
Let’s make a short brainstorm…
You create a VLAN which is blocked in the firewall and the DHCP scope is open, and the other (your productive DHCP) is disabled.
Then you need a fixed IP or a reservation to get an IP. If someone knows your IP range, he can plug in a network cable and could use it.

Maybe the Captive Portal could be useful, there you can use user and password. Without that you can’t access the network.


Isn’t a VLAN only on the Ethernet ports–NOT the WiFi? It is the WiFi that needs the protection MUCH more than the LAN.

You assign the particular SSID to a VLAN - and then you get the protection component.
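
Added example, not part of any post in this thread and not the router's own tooling: a small Python audit that compares a client list against a DHCP reservation table and flags MACs with the locally administered bit set, which is how a randomized "Private Address" shows up. The table layout, the device entries and the function names are assumptions constructed for illustration.

```python
# Added example: audit a router client list against a DHCP reservation table.
# All MAC/IP values below are constructed sample data, not taken from the thread.

def normalize_mac(mac):
    """Return the MAC as 12 lowercase hex digits, or raise ValueError."""
    digits = mac.replace(":", "").replace("-", "").replace(".", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def is_private_mac(mac):
    """True if the locally administered bit (0x02 of the first octet) is set,
    which is the case for randomized 'Private Address' MACs."""
    return bool(int(normalize_mac(mac)[:2], 16) & 0x02)

def audit_clients(reservations, clients):
    """Classify each (mac, ip) client against {mac: reserved_ip} reservations."""
    reserved = {normalize_mac(m): ip for m, ip in reservations.items()}
    report = []
    for mac, ip in clients:
        key = normalize_mac(mac)
        if key in reserved:
            # Same hardware address; check it still holds its reserved IP.
            status = "known" if reserved[key] == ip else "known-mac-ip-mismatch"
        elif is_private_mac(mac):
            # Could be one of your own phones with Private Address turned on.
            status = "unknown-private-mac"
        else:
            status = "unknown"
        report.append((mac, ip, status))
    return report

# Constructed reservation table and client list (hypothetical devices).
RESERVATIONS = {
    "3C:22:FB:10:20:30": "192.168.50.10",  # laptop
    "A4:83:E7:AA:BB:CC": "192.168.50.11",  # phone, hardware MAC
}
CLIENTS = [
    ("3c-22-fb-10-20-30", "192.168.50.10"),
    ("A4:83:E7:AA:BB:CC", "192.168.50.57"),
    ("DE:AD:12:34:56:78", "192.168.50.58"),
    ("00:11:22:33:44:55", "192.168.50.59"),
]

if __name__ == "__main__":
    for mac, ip, status in audit_clients(RESERVATIONS, CLIENTS):
        print(f"{mac:20} {ip:15} {status}")
```

A MAC match identifies a device but does not authenticate it, so treat the result as an inventory check alongside the WiFi passphrase or a captive portal login.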