Router Security | DHCP
Website by Michael Horowitz
DHCP is used to assign temporary IP addresses to devices that have not been configured to use a fixed (a.k.a. static) IP address. That's most devices. Temporary is called Dynamic and that's the D in DHCP. Normally IP addresses expire after a day and that should be a perfectly fine default. The life span of a dynamic IP address can be changed, perhaps to 2 days, perhaps to 12 hours, but that's not a security issue.
After changing the LAN side (local) IP address of the router, and picking a non-standard subnet for it, you should then adjust the DHCP range.
Hopefully, the router does part of this job automatically. For example, if you tell the router its IP address is now 10.10.10.2, then the router, on its own, may well change the DHCP range from 192.168.1.2-254 to 10.10.10.3-254. But we can do better, by leaving some IP addresses available for static (a.k.a. fixed) assignment.
For example, if you use the 10.10.10.x subnet, then only let the DHCP server give out addresses between 10.10.10.100 and 10.10.10.253. There are a number of reasons for this.
First, it can increase security to forward some ports to IP addresses that will never be used. Also, if your router can limit local administration by IP address, then, for security, you can limit it to an IP address that is not normally assigned and use that IP address only when needed (yes, this would be a big hassle). It also makes it easier to deal with network devices, such as a printer or a NAS, if they have a fixed/static IP address.
Finally, there is a way to statically assign a dynamically allocated IP address. As an example, assume that a network printer was assigned 10.10.10.222 by the DHCP server software in the router. After this IP address has been assigned, you can then tell the router to always assign the printer the same IP address. You might call this a virtually fixed IP address (my term). The more technical terms for this are DHCP reservation and DHCP static lease. I have seen a D-Link router refer to this as "Reserved IP addresses". I prefer to segregate the static and dynamic IP addresses, but there are times when DHCP reservation is useful.
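
A way to check an addressing plan like the one described above before typing it into the router, as an added example that is not from this site: it verifies that the DHCP pool, the router address, hand-configured static devices and DHCP reservations do not collide. The function name `audit_lan_plan` and the device names are assumptions; the addresses are the 10.10.10.x values used on this page.

```python
import ipaddress

def audit_lan_plan(subnet, router, pool_start, pool_end, static_hosts, reservations):
    """Return a list of problems found in a LAN addressing plan.

    static_hosts: {name: ip} set by hand on the device itself.
    reservations: {name: ip} DHCP reservations set on the router.
    """
    net = ipaddress.ip_network(subnet)
    router_ip = ipaddress.ip_address(router)
    lo, hi = ipaddress.ip_address(pool_start), ipaddress.ip_address(pool_end)
    problems = []

    def in_pool(ip):
        return lo <= ip <= hi

    if lo > hi:
        problems.append("DHCP pool start is above pool end")
    for label, ip in (("pool start", lo), ("pool end", hi), ("router", router_ip)):
        if ip not in net:
            problems.append(f"{label} {ip} is outside {net}")
        elif ip in (net.network_address, net.broadcast_address):
            problems.append(f"{label} {ip} is the network or broadcast address")
    if in_pool(router_ip):
        problems.append(f"router {router_ip} is inside the DHCP pool")

    seen = {router_ip: "router"}
    for kind, hosts in (("static", static_hosts), ("reserved", reservations)):
        for name, raw in hosts.items():
            ip = ipaddress.ip_address(raw)
            if ip not in net:
                problems.append(f"{kind} host {name} ({ip}) is outside {net}")
            if ip in seen:
                problems.append(f"{name} and {seen[ip]} both claim {ip}")
            seen.setdefault(ip, name)
            # A device configured by hand must not sit where DHCP can hand
            # the same address to something else.
            if kind == "static" and in_pool(ip):
                problems.append(f"static host {name} ({ip}) is inside the DHCP pool")
    return problems

# Constructed plans using the page's 10.10.10.x numbers; device names are made up.
GOOD = audit_lan_plan("10.10.10.0/24", "10.10.10.2", "10.10.10.100", "10.10.10.253",
                      {"nas": "10.10.10.10", "admin-pc": "10.10.10.50"},
                      {"printer": "10.10.10.222"})
BAD = audit_lan_plan("10.10.10.0/24", "10.10.10.2", "10.10.10.3", "10.10.10.254",
                     {"nas": "10.10.10.10", "camera": "10.10.10.2"},
                     {"printer": "10.10.10.222"})
print("\n".join(BAD) or "plan is clean")
```

The second plan keeps the router's automatic 10.10.10.3-254 range, so the hand-configured NAS lands inside the pool and is reported, along with the camera that duplicates the router's address.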