Router Security: DHCP
Website by Michael Horowitz


DHCP is used to assign temporary IP addresses to devices that have not been configured to use a fixed (a.k.a. static) IP address. That's most devices. Temporary is called Dynamic and that's the D in DHCP. Normally IP addresses expire after a day and that should be a perfectly fine default. The life span of a dynamic IP address can be changed, perhaps to 2 days, perhaps to 12 hours, but that's not a security issue.

After changing the LAN side (local) IP address of the router, and picking a non-standard subnet for it, you should then adjust the DHCP range.

Hopefully, the router does part of this job automatically. For example, if you tell the router its IP address is now, then the router, on its own, may well change the DHCP range from to But we can do better, by leaving some IP addresses available for static (a.k.a. fixed) assignment.

For example, if you use the 10.10.10.x subnet, then only let the DHCP server give out addresses between and There are a number of reasons for this.

First, it can increase security to forward some ports to IP addresses that will never be used. Also, if your router can limit local administration by IP address, then, for security, you can limit it to an IP address that is not normally assigned and use that IP address only when needed (yes, this would be a big hassle). It also makes it easier to deal with network devices, such as a printer or a NAS, if they have a fixed/static IP address.

Finally, there is a way to statically assign a dynamically allocated IP address. As an example, assume that a network printer was assigned by the DHCP server software in the router. After this IP address has been assigned, you can then tell the router to always assign the printer the same IP address. You might call this a virtually fixed IP address (my term). The more technical terms for this are DHCP reservation and DHCP static lease. I have seen a D-Link router refer to this as "Reserved IP addresses". I prefer to segregate the static and dynamic IP addresses, but there are times when DHCP reservation is useful.
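
The segregation of fixed and dynamic addresses described above can be checked mechanically. The following Python is an added example, not part of the original page: it audits an address plan so that every fixed address (router, printer, NAS, admin-only address, unused port-forward target) is a usable host in the subnet, sits outside the DHCP pool and is not used twice. The pool bounds, device names and addresses are constructed for the example.

```python
import ipaddress

def audit_plan(subnet, router_ip, pool_start, pool_end, fixed):
    """Return a list of problems in a LAN address plan; an empty list means
    the fixed addresses and the DHCP pool are cleanly segregated."""
    net = ipaddress.ip_network(subnet)
    lo, hi = ipaddress.ip_address(pool_start), ipaddress.ip_address(pool_end)
    reserved = (net.network_address, net.broadcast_address)
    problems = []
    if lo > hi:
        problems.append("DHCP pool start is above pool end")
    # The router itself counts as a fixed address, so check it with the rest.
    seen = {}
    for name, ip in [("router", router_ip), *fixed.items()]:
        addr = ipaddress.ip_address(ip)
        if addr not in net or addr in reserved:
            problems.append(f"{name} {addr} is not a usable host address in {net}")
        elif lo <= addr <= hi:
            problems.append(f"{name} {addr} is inside the DHCP pool")
        if addr in seen:
            problems.append(f"{name} and {seen[addr]} both use {addr}")
        seen.setdefault(addr, name)
    for label, addr in (("pool start", lo), ("pool end", hi)):
        if addr not in net or addr in reserved:
            problems.append(f"{label} {addr} is not a usable host address in {net}")
    return problems


# Constructed sample plans on the 10.10.10.x subnet; the pool bounds, device
# names and addresses are assumptions made for this example.
SUBNET, ROUTER = "10.10.10.0/24", "10.10.10.1"
POOL = ("10.10.10.100", "10.10.10.199")
GOOD = {"printer": "10.10.10.20", "nas": "10.10.10.21",
        "admin-only": "10.10.10.250", "unused-forward-target": "10.10.10.251"}
BAD = {"printer": "10.10.10.120",               # inside the pool
       "nas": "10.10.10.21",
       "admin-only": "10.10.10.21",             # duplicate of the NAS
       "unused-forward-target": "10.10.11.5"}   # outside the subnet

if __name__ == "__main__":
    for title, plan in (("good", GOOD), ("bad", BAD)):
        issues = audit_plan(SUBNET, ROUTER, *POOL, plan)
        print(title, "plan:", "OK" if not issues else f"{len(issues)} problem(s)")
        for issue in issues:
            print("  -", issue)
```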

Page Created: June 3, 2015      
Last Updated: May 5, 2019 10PM CT