MAC alias for WAN Eth1

paulororke · December 11, 2019, 11:29pm

Hi all,

I apologize if this has been answered elsewhere, I searched for it but without luck.

I am looking at changing ISPs and the new ISP has a reservation system that requires a unique MAC for each assigned IP. Currently I have 5 static IPs all aliased to Eth1 and I do port forwarding on IP and port to various services. I believe all the IPs are all associated with the same MAC address for Eth1 on my RB 3011 UAS.

Is it possible to give them each a unique MAC so as to pull an IP from this other provider? The provider insists that with their system there is no way for me to pull multiple IPS using the same MAC address. I do not want to have to set up a WAN interface for each IP, that seems silly when aliasing works so well with my old provider.

What do others do when they have multiple services needing to respond to the same port if not using multiple IPs? Perhaps there is a better approach?

Paul

nescafe2002 · December 12, 2019, 12:14am

Search for multiple dhcp client => http://forum.mikrotik.com/t/multi-dhcp-clients-on-same-wan-port/55267/1

paulororke · December 16, 2019, 9:20pm

Thanks for that nescafe2002

paulororke · February 19, 2020, 5:48pm

I’ve returned to this after a hiatus and am having difficulty with the basics. Most of the solutions I’ve seen involve vrrp:

Multi DHCP clients on same WAN port http://forum.mikrotik.com/t/multi-dhcp-clients-on-same-wan-port/55267/1
Virtual or pseudo ethernet interfaces possible? http://forum.mikrotik.com/t/virtual-or-pseudo-ethernet-interfaces-possible/84948/1

in the latter one was this comment:

How should this would work? I am thinking of the following setup:

I have plugged in 5 ports from my RouterBoard to the switch which goes tot he ISP. The ISP report the 5 MAC addresses that I see in for ether1~5

> interface ethernet print
Flags: X - disabled, R - running, S - slave 
 #    NAME               MTU MAC-ADDRESS       ARP             SWITCH            
 0 R  ether1            1500 74:4D:28:2F:4D:A2 enabled         switch1           
 1 RS ether2            1500 74:4D:28:2F:4D:A3 enabled         switch1           
 2 RS ether3            1500 74:4D:28:2F:4D:A4 enabled         switch1           
 3 RS ether4            1500 74:4D:28:2F:4D:A5 enabled         switch1           
 4 RS ether5            1500 74:4D:28:2F:4D:A6 enabled         switch1           
 5  S ether6            1500 74:4D:28:2F:4D:A8 enabled         switch2           
 6  S ether7            1500 74:4D:28:2F:4D:A9 enabled         switch2           
 7  S ether8            1500 74:4D:28:2F:4D:AA enabled         switch2           
 8 RS ether9            1500 74:4D:28:2F:4D:AB enabled         switch2           
 9 RS ether10           1500 74:4D:28:2F:4D:AC enabled         switch2           
10  S sfp1              1500 74:4D:28:2F:4D:A7 enabled

and say they have set them as “Static”. There is no UI or self serve for the IP assignment, a call to their help desk is the only way to set these.

What would be the steps required to be able to forward 4 of the IPs to the DMZ and 1 to the LAN? Would I need to use mangle to force traffic through the respective WAN interfaces/IPs like when doing Multiple IPs? http://forum.mikrotik.com/t/setup-multiple-isps/135247/1

I get the feeling this is probably easier than I am thinking and that I am over complicating things. Does anyone know of a guide for this set up? I’d be happy to write a wiki page on this once I get a handle on it if that would help others.

Sob · February 19, 2020, 7:38pm

It depends on ISP, if they insist that packets from each IP address have to come from reserved MAC address, then you need to treat it as multi-WAN with five WAN interfaces. The only complication is that same WAN subnet will be on all of them and if you use gateway=, you won’t have control over which interface will be used, but that can be solved with gateway=%.

paulororke · March 24, 2020, 8:15pm

Thanks Sob,

I am having difficulty with the mangle and marking packets. I appreciate that I need to set up multi-WAN. For this test I am using “only” 4 IPs. I thought this would be a good guide, https://www.youtube.com/watch?v=67Dna_ffCvc, it certainly made sense as I watched it. The slides are available here: https://mum.mikrotik.com/presentations/US12/tomas.pdf

On slide 23 of that he says:

Required steps:

Create routing tables

Setup address-lists

Setup mangle

Configure Traffic Monitor

I figured since I am not load balancing, I just want to rout traffic back out the interface it came in on and as such the first three parts are all I need. Maybe that is wrong as I seem to be missing something.

My routing tables:

@MikroTik] /ip route> print detail 
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit 
 0 A S  dst-address=0.0.0.0/0 gateway=WAN1 gateway-status=WAN1 reachable distance=1 scope=30 target-scope=10 routing-mark=WAN1_Route 

 1 A S  dst-address=0.0.0.0/0 gateway=WAN2 gateway-status=WAN2 reachable distance=1 scope=30 target-scope=10 routing-mark=WAN2_Route 

 2 A S  dst-address=0.0.0.0/0 gateway=WAN3 gateway-status=WAN3 reachable distance=1 scope=30 target-scope=10 routing-mark=WAN3_Route 

 3 A S  dst-address=0.0.0.0/0 gateway=WAN4 gateway-status=WAN4 reachable distance=1 scope=30 target-scope=10 routing-mark=WAN4_Route 

 4 ADS  dst-address=0.0.0.0/0 gateway=154.5.66.1 gateway-status=154.5.66.1 reachable via  WAN1 distance=1 scope=30 target-scope=10 vrf-interface=WAN1 

 5 ADC  dst-address=154.5.66.0/24 pref-src=154.5.66.67 gateway=WAN1 gateway-status=WAN1 reachable distance=0 scope=10 

 6 ADC  dst-address=154.5.66.0/32 pref-src=154.5.66.86 gateway=WAN2,WAN3,WAN4 gateway-status=WAN2 reachable,WAN3 reachable,WAN4 reachable distance=0 scope=10 

 7 ADC  dst-address=192.168.88.0/24 pref-src=192.168.88.1 gateway=LAN bridge gateway-status=LAN bridge reachable distance=0 scope=10

I renamed the interfaces:

@MikroTik] /interface> print 
Flags: D - dynamic, X - disabled, R - running, S - slave 
 #     NAME                                TYPE       ACTUAL-MTU L2MTU  MAX-L2MTU MAC-ADDRESS      
 0  R  WAN1                                ether            1500  1598       8156 74:4D:28:2F:4D:A3
 1  R  WAN2                                ether            1500  1598       8156 74:4D:28:2F:4D:A4
 2  R  WAN3                                ether            1500  1598       8156 74:4D:28:2F:4D:A5
 3  R  WAN4                                ether            1500  1598       8156 74:4D:28:2F:4D:A6
 4     ether5                              ether            1500  1598       8156 74:4D:28:2F:4D:B1
 5  RS ether6                              ether            1500  1598       8156 74:4D:28:2F:4D:B3
 6   S ether7                              ether            1500  1598       8156 74:4D:28:2F:4D:B4
 7   S ether8                              ether            1500  1598       8156 74:4D:28:2F:4D:B5
 8   S ether9                              ether            1500  1598       8156 74:4D:28:2F:4D:B6
 9   S ether10                             ether            1500  1598       8156 74:4D:28:2F:4D:B7
10   S sfp1                                ether            1500  1600       8158 74:4D:28:2F:4D:B2
11  R  ;;; defconf
       LAN bridge                          bridge           1500  1598            74:4D:28:2F:4D:AE

and attempted to mark incoming packets with the interface name:

@MikroTik] /ip firewall mangle> print 
Flags: X - disabled, I - invalid, D - dynamic 
 0  D ;;; special dummy rule to show fasttrack counters
      chain=prerouting action=passthrough 

 1  D ;;; special dummy rule to show fasttrack counters
      chain=forward action=passthrough 

 2  D ;;; special dummy rule to show fasttrack counters
      chain=postrouting action=passthrough 

 3    chain=prerouting action=accept src-address-list=Connected dst-address-list=Connected 

 4    chain=input action=mark-connection new-connection-mark=WAN1-->ROS connection-mark=no-mark in-interface=WAN1 

 5    chain=input action=mark-connection new-connection-mark=WAN2-->ROS connection-mark=no-mark in-interface=WAN2 

 6    chain=input action=mark-connection new-connection-mark=WAN3-->ROS connection-mark=no-mark in-interface=WAN3 

 7    chain=input action=mark-connection new-connection-mark=WAN4-->ROS connection-mark=no-mark in-interface=WAN4 

 8    chain=output action=mark-routing new-routing-mark=WAN1_Route connection-mark=WAN1-->ROS 

 9    chain=output action=mark-routing new-routing-mark=WAN2_Route connection-mark=WAN2-->ROS 

10    chain=output action=mark-routing new-routing-mark=WAN3_Route connection-mark=WAN3-->ROS 

11    chain=output action=mark-routing new-routing-mark=WAN4_Route connection-mark=WAN4-->ROS

I then try to port forward http,https, and ssh :

@MikroTik] /ip firewall nat> print 
Flags: X - disabled, I - invalid, D - dynamic 
 0    ;;; defconf: masquerade
      chain=srcnat action=masquerade out-interface-list=*2000010 ipsec-policy=out,none 

 1    chain=srcnat action=masquerade out-interface=WAN1 log=yes log-prefix="WAN1_masquerade" 

 2    chain=srcnat action=masquerade out-interface=WAN2 log=yes log-prefix="WAN2_masquerade" 

 3    chain=srcnat action=masquerade out-interface=WAN3 log=yes log-prefix="WAN3_masquerade" 

 4    chain=srcnat action=masquerade out-interface=WAN4 log=yes log-prefix="WAN4_masquerade" 

 5    ;;; test1_ http
      chain=dstnat action=dst-nat to-addresses=192.168.88.10 to-ports=80 protocol=tcp dst-address=154.5.66.67 dst-port=80 log=yes log-prefix="test1_http" 

 6    ;;; test1_https
      chain=dstnat action=dst-nat to-addresses=192.168.88.10 to-ports=443 protocol=tcp dst-address=154.5.66.67 dst-port=443 log=yes log-prefix="test1_https" 

 7    ;;; test1_ssh
      chain=dstnat action=dst-nat to-addresses=192.168.88.10 to-ports=22 protocol=tcp dst-address=154.5.66.67 dst-port=22 log=yes log-prefix="test1_ssh" 

 8    ;;; TEST2_HTTPS
      chain=dstnat action=dst-nat to-addresses=192.168.88.20 to-ports=443 protocol=tcp dst-address=154.5.66.86 dst-port=443 log=yes log-prefix="TEST2_HTTPS" 

 9    ;;; TEST2_HTTP
      chain=dstnat action=dst-nat to-addresses=192.168.88.20 to-ports=80 protocol=tcp dst-address=154.5.66.86 dst-port=80 log=yes log-prefix="TEST2_HTTP" 

10    ;;; TEST2_SSH
      chain=dstnat action=dst-nat to-addresses=192.168.88.20 to-ports=22 protocol=tcp dst-address=154.5.66.86 dst-port=22 log=yes log-prefix="TEST2_SSH" 

11    ;;; test3_https
      chain=dstnat action=dst-nat to-addresses=192.168.88.30 to-ports=443 protocol=tcp dst-address=154.5.66.91 dst-port=443 log=yes log-prefix="test3_https" 

12    ;;; test3_http
      chain=dstnat action=dst-nat to-addresses=192.168.88.30 to-ports=80 protocol=tcp dst-address=154.5.66.91 dst-port=80 log=yes log-prefix="test3_http" 

13    ;;; test3_ssh
      chain=dstnat action=dst-nat to-addresses=192.168.88.30 to-ports=22 protocol=tcp dst-address=154.5.66.91 dst-port=22 log=yes log-prefix="test3_ssh" 

14    ;;; TEST4_HTTPS
      chain=dstnat action=dst-nat to-addresses=192.168.88.40 to-ports=443 protocol=tcp dst-address=154.5.66.92 dst-port=443 log=yes log-prefix="TEST4_HTTPS" 

15    ;;; TEST4_HTTP
      chain=dstnat action=dst-nat to-addresses=192.168.88.40 to-ports=80 protocol=tcp dst-address=154.5.66.92 dst-port=80 log=yes log-prefix="TEST4_HTTP" 

16    ;;; TEST4_SSH
      chain=dstnat action=dst-nat to-addresses=192.168.88.40 to-ports=22 protocol=tcp dst-address=154.5.66.92 dst-port=22 log=yes log-prefix="TEST4_SSH"

I am seeing a lot of “out: unknown” in the logs:

4:11:46 firewall,info test3_http dstnat: in:WAN3 out:(unknown 0), src-mac 84:26:2b:60:8f:17, proto TCP (SYN), 64.251.74.210:50987->154.5.66.91:80, len 52 
14:11:46 firewall,info test1_ssh dstnat: in:WAN1 out:(unknown 0), src-mac 84:26:2b:60:8f:17, proto TCP (SYN), 222.186.15.91:42956->154.5.66.67:22, len 60 
14:11:46 firewall,info TEST4_HTTP dstnat: in:LAN bridge out:(unknown 0), src-mac 00:15:17:4a:88:1e, proto TCP (SYN), 192.168.88.44:59354->154.5.66.92:80, len 60 
14:11:46 firewall,info test3_http dstnat: in:WAN3 out:(unknown 0), src-mac 84:26:2b:60:8f:17, proto TCP (SYN), 64.251.74.210:50988->154.5.66.91:80, len 52 
14:11:47 firewall,info TEST4_HTTP dstnat: in:LAN bridge out:(unknown 0), src-mac 00:15:17:4a:88:1e, proto TCP (SYN), 192.168.88.44:59356->154.5.66.92:80, len 60 
14:11:48 firewall,info TEST2_HTTP dstnat: in:WAN2 out:(unknown 0), src-mac 84:26:2b:60:8f:17, proto TCP (SYN), 64.251.74.210:50989->154.5.66.86:80, len 52 
14:11:49 firewall,info TEST2_HTTP dstnat: in:WAN2 out:(unknown 0), src-mac 84:26:2b:60:8f:17, proto TCP (SYN), 64.251.74.210:50990->154.5.66.86:80, len 52 
14:11:52 firewall,info test1_https dstnat: in:WAN1 out:(unknown 0), src-mac 84:26:2b:60:8f:17, proto TCP (SYN), 64.251.74.210:50991->154.5.66.67:443, len 52

I feel like I am close, but missing something very important.

Can anyone help me to get this working?

iHyenDeer · March 24, 2020, 9:01pm

http://forum.mikrotik.com/t/virtual-or-pseudo-ethernet-interfaces-possible/84948/1

This dude might have the solution

Sob · March 24, 2020, 11:34pm

You have wrong routes, gateway=WANx won’t work with ethernet, use gateway=154.5.66.1%WANx (I assume the address of gateway stays same; if not, you’d have to use lease script to update it).
You currently mark connections from internet in chain=input, but it covers only connections to router itself, not forwarded ports. Move it to chain=prerouting and it will cover both.
Related to 2), you also need to mark routing for responses from LAN:

/ip firewall mangle
add chain=prerouting in-interface="LAN bridge" connection-mark="WAN1-->ROS" action=mark-routing new-routing-mark=WAN1_Route
add chain=prerouting in-interface="LAN bridge" connection-mark="WAN2-->ROS" action=mark-routing new-routing-mark=WAN2_Route
...

Route #6 seems strange. But since it’s dynamic, do you have some different config between dhcp clients on WAN1 and the rest?

paulororke · March 28, 2020, 12:32am

Thank you Sob, the input (pun fully intended) was most helpful.

In mangle I changed input to prerouting as you suggested, added the marks to responses from the LAN.

I did have a difference in the DHCP clients, ether1 still had the client that was, I think, added by the Quickset when I used it previously. I deleted it and added a new on on that interface. Now they all match.

I now have a functional 4 WAN port router and it appears traffic is flowing as desired on my test network.

but I still get Dynamic routes I don’t understand:

@MikroTik] > ip route print detail 
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit 
 0 A S  dst-address=0.0.0.0/0 gateway=154.5.66.1%WAN1 gateway-status=154.5.66.1 reachable WAN1 distance=1 scope=30 target-scope=10 routing-mark=WAN1_Route 

 1 A S  dst-address=0.0.0.0/0 gateway=154.5.66.1%WAN2 gateway-status=154.5.66.1 reachable WAN2 distance=1 scope=30 target-scope=10 routing-mark=WAN2_Route 

 2 A S  dst-address=0.0.0.0/0 gateway=154.5.66.1%WAN3 gateway-status=154.5.66.1 reachable WAN3 distance=1 scope=30 target-scope=10 routing-mark=WAN3_Route 

 3 A S  dst-address=0.0.0.0/0 gateway=154.5.66.1%WAN4 gateway-status=154.5.66.1 reachable WAN4 distance=1 scope=30 target-scope=10 routing-mark=WAN4_Route 

 4 ADS  dst-address=0.0.0.0/0 gateway=154.5.66.1 gateway-status=154.5.66.1 reachable via  WAN4 distance=1 scope=30 target-scope=10 vrf-interface=WAN1 

 5  DS  dst-address=0.0.0.0/0 gateway=154.5.66.1 gateway-status=154.5.66.1 reachable via  WAN4 distance=1 scope=30 target-scope=10 vrf-interface=WAN2 

 6  DS  dst-address=0.0.0.0/0 gateway=154.5.66.1 gateway-status=154.5.66.1 reachable via  WAN4 distance=1 scope=30 target-scope=10 vrf-interface=WAN4 

 7  DS  dst-address=0.0.0.0/0 gateway=154.5.66.1 gateway-status=154.5.66.1 reachable via  WAN4 distance=1 scope=30 target-scope=10 vrf-interface=WAN3 

 8 ADC  dst-address=154.5.66.0/24 pref-src=154.5.66.67 gateway=WAN1,WAN2,WAN3,WAN4 gateway-status=WAN1 reachable,WAN2 reachable,WAN3 reachable,WAN4 reachable distance=0 scope=10 

 9 ADC  dst-address=154.5.66.0/32 pref-src=154.5.66.67 gateway=WAN2,WAN3,WAN4,WAN1 gateway-status=WAN2 reachable,WAN3 reachable,WAN4 reachable,WAN1 reachable distance=0 scope=10 

10 ADC  dst-address=192.168.88.0/24 pref-src=192.168.88.1 gateway=LAN bridge gateway-status=LAN bridge reachable distance=0 scope=10

Again, Sob, I really appreciate the help. I can now apply it to a production router next.

Is there any point in posting my working config for others who might want to do this?

Sob · March 28, 2020, 9:42pm

Routes #4-7 are default routes from dhcp. You could get rid of them if you disable option to add default route. But you do need some default route in main routing table, so if you do that, you’d have to add it manually (just one with same gateway, but without %WANx suffix and routing-mark option). Route #8 is connected route for WAN subnet and it’s ok. Strange one for me is #9, because /32 is single address and .0 at the end is network address. I don’t get it when I try same config as yours. What RouterOS version do you have?

Whole config is probably not interesting, it’s nothing complicated, same old basic stuff. Ale people don’t read anyway..

paulororke · March 30, 2020, 3:20pm

Right,

I implemented it on a remote site over the weekend and it works like a charm! I am extremely grateful for the help Sob.

Paul

paulororke · April 8, 2020, 9:57pm

So I spent some time happily thinking this was working, but it is only working for people who are on the ISP’s same subnet as me.
It turns out both locations I was testing from are on 154.5.66.0/24.

What confuses me is that the sites respond to requests outside, but incredibly slowly.:
https://mail.warmlandsystemsolutions.com
https://www.warmlandsystemsolutions.com
https://files.paulororke.net

It’s like the traffic is hairpinning at the ISP’s gateway, 154.5.66.1. Just to make sure I am not being throttled or otherwise filtered, I set two of these up each using their own router hardware and I could serve pages just fine. When I use this multi-WAN set up traffic flow crawls to a halt.

I am not even sure where to start looking.

Using Torch I see connections from IPs outside but most show 0bps Tx ans Rx and to be honest I don’t really understand how to best use Torch.

Can anyone suggest what I should be reading/researching for the right tools/methods to troubleshoot this?

sindy · April 9, 2020, 7:25am

The mandatory question whenever “connection marking” and “works but slow” appear in the same topic is: “have you disabled the action=fasttrack rule in chain=forward of /ip firewall filter”?

@Sob’s remark regarding no need to post your configuration as inspiration for others is correct, but now the context has changed. So if disabling the rule above doesn’t help, proceed by posting the complete configuration (see anonymization hints in my automatic signature below).

paulororke · April 9, 2020, 3:02pm

Sindy,

thank you. Really, thank you.

I don’t know how long I was looking right at that and not seeing it but it seems to have been the cause. Can you see those three sites load now?

I think it is working properly now.

Thank you both so much.

sindy · April 9, 2020, 3:11pm

I haven’t tried “before” so I cannot compare with “after”, but “after” just feels like a normal web site to me. Nothing annoyingly slow.

paulororke · April 9, 2020, 5:04pm

Thanks Sindy,

A friend testing from Europe said previously it took minutes to load even the simple static website. The fact that they load like a “normal” web page is a win.

Thanks again to both you and Sob!