If a user changes the DNS setting in Windows (say to 8.8.8.8), can the AsusWRT-Merlin OS block that DNS traffic?

If this is for someone like a child, where you are the admin for their PC: remove admin rights on their PC and set up a computer policy that doesn't allow them to change the DNS.
 
You can use the default and it can prevent something if someone changes the DNS on the computer or phone; this helps to a certain extent with 1.1.1.3 and so on.
 
Same as the DNS filter we've been discussing.

Yes, at the moment on my DNSFilter tab:
Enable DNS-based filtering = ON
Global Filter Mode = Router

You can use the default and it can prevent something if someone changes the DNS on the computer or phone; this helps to a certain extent with 1.1.1.3 and so on.

Prevent someone from changing the DNS setting = I don't think so.
 
Why did you start a new thread for this?

What you're asking for is not possible, at least not automatically. They will still have internet access, but you CAN prevent them from doing DNS lookups to external servers. There is no way, even with Merlin, to block all internet access if the router senses that the person is not using DHCP or has set a static DNS. That would be a very advanced script that would need to update your firewall rules every time a DHCP lease is issued, essentially only permitting traffic if the IP was assigned by DHCP. While a script like that may be possible, it would be pretty complex. And it still would not prevent them from setting a custom DNS entry since that is separate from DHCP, you would still need to do DNS filtering or blocking to prevent that part.

To prevent them from reaching external DNS servers, you have two options:

Option 1 is what you've already done: using dnsfilter to intercept their DNS traffic and force it to use your router's DNS. You already have that configured, and it is working. The user won't know it; they'll think it is hitting 8.8.8.8 or whatever, but in reality the response is coming from your router. The only thing you need to tweak is your WAN DNS settings, which are currently using "adguard"; if you want to block malicious sites you'd be better off with one of the other options like Quad9.

The other option is to go into Firewall - Network services filter and add two deny rules, one for UDP 53 and one for TCP 53. That will block them from hitting all servers other than your router IP. It will not redirect traffic; their DNS lookup will fail. You would disable the dnsfilter if you wanted to do that (have their lookup fail instead of being redirected).

They can still use a VPN or encrypted DNS (DoH, etc.) to bypass this. There are blacklists you can install to block those, but you'll need to update them periodically and they won't catch them all.

As I mentioned in the other thread, if you do want to try and block static IPs from hitting the internet at all, and don't mind having a lot of management overhead, you could give every client a random IP reservation in DNS (from a large subnet that is difficult to guess), then add that IP to your firewall rules (with the firewall set to "permit list" which means it will block all others). All clients not matching will have no internet access. But again, that will not stop a client with a DHCP IP from changing their DNS server. You would still need to block DNS requests or use DNS filtering.

Can you be more clear on what you want to do?
1. If a user sets a static IP (not static DNS server, static IP address), block their internet entirely (which will require a lot of work on your part to manually assign IPs to each device and create 2 firewall rules for each, this must be done every time a new device connects). NOTE this option will limit you to 64 devices (possibly 32 if you also want to block external DNS, which would require 4 firewall rules per client).
2. If a user sets a custom DNS server, ignore that setting and use your router instead (DNS filter)
3. If a user sets a custom DNS server, block them from doing any DNS lookups (not blocking internet, but unless they know an IP to connect to, effectively making their internet pretty useless).

Or a combination of 1 and 2 or 1 and 3 (if you do option 1, you still need one of the other options to stop them from setting a custom DNS server).
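The two DNS-side options described in the post above (redirect every lookup to the router, or let lookups to anything but the router fail) can be expressed directly as iptables rules. The script below is an added example and is not the firmware's own code or anything posted in this thread; it assumes a LAN bridge named br0, a router LAN IP of 192.168.1.1 (both constructed values), and that on AsusWRT-Merlin the nat-table rules would be loaded from /jffs/scripts/nat-start and the filter-table rules from /jffs/scripts/firewall-start (an assumption about where such rules would persist). By default it prints the commands instead of applying them; set IPT=iptables on the router to apply them.

```shell
#!/bin/sh
# Added example, not code from the thread or from AsusWRT-Merlin.
# Assumed/constructed values: LAN bridge br0, router LAN IP 192.168.1.1.
# IPT defaults to a dry run that only prints the iptables commands.
IPT="${IPT:-echo iptables}"
LAN_IF="${LAN_IF:-br0}"
ROUTER_IP="${ROUTER_IP:-192.168.1.1}"

# Option 2 from the post: transparently redirect any LAN DNS query that is not
# already addressed to the router back to the router. The client still believes
# it is talking to 8.8.8.8 (or whatever it configured); the router answers.
# These are nat-table rules (assumed to belong in /jffs/scripts/nat-start).
redirect_dns() {
    for proto in udp tcp; do
        $IPT -t nat -I PREROUTING -i "$LAN_IF" -p "$proto" --dport 53 \
            ! -d "$ROUTER_IP" -j DNAT --to-destination "$ROUTER_IP:53"
    done
}

# Option 3 from the post: refuse to forward DNS to external servers, so a client
# with a custom resolver simply gets no answer. Queries sent to the router itself
# arrive on the INPUT chain, not FORWARD, so they are unaffected by these rules.
# These are filter-table rules (assumed to belong in /jffs/scripts/firewall-start).
block_external_dns() {
    for proto in udp tcp; do
        $IPT -I FORWARD -i "$LAN_IF" -p "$proto" --dport 53 -j REJECT
    done
}

# Number of rule lines the two functions emit in dry-run mode (two per option).
rule_count() {
    { redirect_dns; block_external_dns; } | grep -c .
}

# Pick ONE of the two options on a real router; running both is harmless but
# the redirect rule fires first, so the REJECT rule would never match.
# redirect_dns
# block_external_dns
```

Both sets of rules only match plain port-53 traffic, which is exactly the limitation the post raises: DNS over HTTPS on port 443 or a VPN tunnel passes straight through them, so the blocklist approach mentioned above is still needed for that part.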
Here is a pretty decent nobypass list.

 
The other option is to go into Firewall - Network services filter and add two deny rules, one for UDP 53 and one for TCP 53. That will block them from hitting all servers other than your router IP
I know this reply is long overdue, but anyway, I'd like to confirm your statement is true.
Thank you. 👍 :)
 
