
DHCP fixed IP on IoT devices as additional security measure


brightwolf

New Around Here
I have isolated all my IoT devices on a separate wired guest network and on a separate wireless guest network. DHCP is turned on for those guest networks. Does it make sense to now, as an additional security measure, log in to each IoT device and make its IP static, set to the IP it received from the DHCP server? I am thinking that would prevent the IoT devices from coming back online after an unwanted router factory reset. Because after a factory reset, both the wired and wireless guest networks would not receive the same subnet but will get a different one (I tested this). Since the IoT device now has a static address in a different subnet, it will not be able to connect.

Does this make sense? I am asking since my router is not locked away. If my teenage kids decide to circumvent the router security by factory resetting it when I am on holidays, then at least the IoT devices will not be exposed to the internet or to my other devices.
 
DHCP does make it easier to network the devices. Using DHCP you probably need to make a paper list of IPs to devices. Using reservations does make it easier to track online without making paper lists. If you hard code IP addresses outside of your DHCP scope then you can reset your router and the devices will still work without setting them up again, providing you keep with the same network. Using reservations and resetting the router is the only setup which will need to be done again if you reset the router.
 
It's better to have controlled DHCP rather than fixed IP; the reason is that the device may not obey everything. So having the router control everything is better, from DHCP to NTP, even DNS as well, by hijacking and redirecting packets as necessary; the same can be done to prevent WAN access for your devices.
 
If you use fixed IPs you will need to supply DNS as well as the IP address. Security-wise there is no difference other than you need to manually supply all information that DHCP would have supplied. Your devices still have to pass through the router for internet access, so your router is your security. Your router needs to be set up with a network mask big enough to support the fixed IP addresses. This is usually not a problem as the routers are set up using a Class C network mask and the DHCP scope is smaller than a full Class C.
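The subnet and DHCP-scope relationships discussed in the posts above, as an added example that is not part of any poster's reply: it classifies hard-coded device addresses against the router's LAN before and after a reset. All addresses, device names and the pool range are constructed assumptions.

```python
import ipaddress

def classify(device_cidr, router_cidr, pool_start, pool_end):
    """Classify one device's hard-coded address against the router's current LAN."""
    dev = ipaddress.ip_interface(device_cidr)   # device IP plus the mask typed into it
    rtr = ipaddress.ip_interface(router_cidr)   # router LAN IP plus its mask
    lo, hi = ipaddress.ip_address(pool_start), ipaddress.ip_address(pool_end)
    # Both sides must see each other as on-link: the device only ARPs for a
    # gateway inside its own subnet, and the router only serves its own subnet.
    if dev.ip not in rtr.network or rtr.ip not in dev.network:
        return "off-subnet"
    # Router address, network address and broadcast address cannot be used.
    if dev.ip in (rtr.ip, rtr.network.network_address, rtr.network.broadcast_address):
        return "unusable"
    # A fixed IP inside the DHCP scope can be leased to another client.
    if lo <= dev.ip <= hi:
        return "inside-dhcp-pool"
    return "ok"

# Constructed sample data (not taken from the thread).
DEVICES = {
    "camera": "192.168.101.20/24",
    "plug": "192.168.101.150/24",
    "tv": "192.168.101.1/24",
}
# (router LAN address, first pool address, last pool address)
BEFORE_RESET = ("192.168.101.1/24", "192.168.101.100", "192.168.101.199")
AFTER_RESET = ("192.168.1.1/24", "192.168.1.100", "192.168.1.199")

def audit(router):
    """Return {device name: classification} for one router configuration."""
    return {name: classify(cidr, *router) for name, cidr in DEVICES.items()}

if __name__ == "__main__":
    for label, router in (("before reset", BEFORE_RESET), ("after reset", AFTER_RESET)):
        print(label, audit(router))
```
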
 
Use a 6to4 tunnel for WAN and have 0.0.0.0/0 as your LAN :p
 
