One MAC many IP

RouterOS General
1

NAT for MAC.png
Hello.
Where is the network Lan1(172.31.1.0/24) I have access to it via switch Cisco (only via one port). Cisco port security is on (only one MAC address have access).
I use srcnat (masquerade) for access from Lan2 (192.168.0.1/24) to Lan1 (172.31.1.0/24). It’s ok.
But now, I mast connect PC to Lan1 (172.31.1.0/24) via Mikrotik.
Mikrotik and PC mast use one MAC address.
How can I do it?

/interface bridge
add name=Lan1
add name=Lan2
/interface bridge port
add bridge=Lan1 interface=ether1
add bridge=Lan1 interface=ether2
add bridge=Lan2 interface=ether3
add bridge=Lan2 interface=ether4
add bridge=Lan2 interface=ether5
/ip address
add address=172.31.1.2/24 interface=Lan1 network=172.31.1.0
add address=192.168.0.1/24 interface=Lan2 network=192.168.0.0
/ip firewall nat
add action=masquerade chain=srcnat out-interface=Lan1

VLAN bridge with different admin MAC address on each port
Non-Transparent Bridging (Bridge NAT)
2

And you can’t use different subnet for LAN1 ?

3

What you need is NATing of MAC addresses at bridge level. NAT at bridge level works different from NAT in IP firewall as there is no connection tracking, so the bridge NAT rules handle every single frame, not just the initial one of each connection. Plus you need to handle not only frames carrying IP packets but also frames carrying ARP packets.

So the whole set of rules will be:

/interface bridge nat
add chain=srcnat action=src-nat out-bridge=bridge out-interface=ether1 mac-protocol=ip src-address=172.31.1.3/32 to-src-mac-address=11:11:11:11:11:11
add chain=srcnat action=src-nat out-bridge=bridge out-interface=ether1 mac-protocol=arp src-mac-address=22:22:22:22:22:22/FF:FF:FF:FF:FF:FF to-src-mac-address=11:11:11:11:11:11
add chain=dstnat action=arp-reply in-bridge=bridge in-interface=ether1 mac-protocol=arp arp-dst-address=172.31.1.3/32 to-arp-reply-mac-address=11:11:11:11:11:11
add chain=dstnat action=dst-nat in-bridge=bridge in-interface=ether1 mac-protocol=ip dst-address=172.31.1.3/32 to-dst-mac-address=22:22:22:22:22:22
4

Thanks! I have tred this configuration in GNS3.
Sometimes times it works. But sometimes not.
I could not change MAC addresses, sory… Now
172.31.1.2 is at 00:FF:E5:9C:8A:00
172.31.1.3 is at 00:FF:E5:77:A4:00

2_answer.png
2_answer.png1920×1032 80.1 KB

After ARP request “Who has 172.31.1.3?”
You can see tow ARP reply “172.31.1.3 is at 00:ff:e5:9c:8a:00”and “172.31.1.3 is at 00:ff:e5:77:a4:00”.

As result I have two variants.
bad

[admin@MikroTik] > ip arp pr
Flags: X - disabled, I - invalid, H - DHCP, D - dynamic, P - published, C - complete
 #    ADDRESS         MAC-ADDRESS       INTERFACE
 0 DC 172.31.1.2      00:FF:E5:9C:8A:00 sw
 1 DC 172.31.1.3      00:FF:E5:77:A4:00 sw

and good

[admin@MikroTik] > ip arp pr
Flags: X - disabled, I - invalid, H - DHCP, D - dynamic, P - published, C - complete
 #    ADDRESS         MAC-ADDRESS       INTERFACE
 0 DC 172.31.1.2      00:FF:E5:9C:8A:00 sw
 1 DC 172.31.1.3      00:FF:E5:9C:8A:00 sw

How can I block ARP reply “172.31.1.3 is at 00:ff:e5:77:a4:00”?

Router config:

/interface bridge
add name=Lan1 protocol-mode=none
add name=local
/interface bridge nat
add action=src-nat chain=srcnat mac-protocol=ip out-bridge=Lan1 out-interface=ether1 src-address=\
    172.31.1.3/32 to-src-mac-address=00:FF:E5:9C:8A:00
add action=src-nat chain=srcnat mac-protocol=arp out-bridge=Lan1 out-interface=ether1 src-mac-address=\
    00:FF:E5:77:A4:00/FF:FF:FF:FF:FF:FF to-src-mac-address=00:FF:E5:9C:8A:00
add action=arp-reply arp-dst-address=172.31.1.3/32 chain=dstnat in-bridge=Lan1 in-interface=ether1 \
    mac-protocol=arp to-arp-reply-mac-address=00:FF:E5:9C:8A:00
add action=dst-nat chain=dstnat dst-address=172.31.1.3/32 in-bridge=Lan1 in-interface=ether1 mac-protocol=\
    ip to-dst-mac-address=00:FF:E5:77:A4:00
/interface bridge port
add bridge=Lan1 interface=ether1
add bridge=Lan1 interface=ether2
add bridge=local interface=ether3
add bridge=local interface=ether4
add bridge=local interface=ether5
/ip address
add address=172.31.1.2/24 interface=Lan1 network=172.31.1.0
add address=192.168.0.1/24 interface=local network=192.168.0.0
/ip firewall nat
add action=masquerade chain=srcnat out-interface=Lan1
5

Yes, sorry, I have also discovered that later on. As the /interface bridge nat can only manipulate the source mac address of the ARP reply but not the response mac address inside the body of the reply, you have to use /interface bridge filter add action=drop arp-opcode=reply chain=forward mac-protocol=arp out-bridge=bridge out-interface=ether1 src-mac-address=22:22:22:22:22:22/FF:FF:FF:FF:FF:FF to prevent the real reply from being delivered; the already existing action=arp-reply rule in chain=dstnat of /interface bridge nat is there to provide an arp response substituting the dropped one.

If the device you want to hide is sending gratuitous ARP requests, you can filter them out using another action=drop rule in filter, using the arp-gratuitous=yes match condition instead of the arp-opcode=reply one, but to my knowledge you cannot substitute them.