In my inherited physical network setup with 2 MikroTik Cloud Core Routers CCR1009, I notice there are 2 bridges configured with different names but both bridges have somehow been assigned the same identical MAC address. Each bridge sees the other and both report the same MAC address as its bridge MAC. It seems these two bridges are isolated from one another but somehow see the other's MAC. When I emulate the physical environment in the virtual environment I notice when I create bridges each bridge gets assigned a different MAC.
Could anyone share some insight in this MikroTik setup as far as bridging goes?
I understand that when a new bridge is created, I think this new bridge inherits the MAC address of the first port (interface) assigned to the bridge. If this is the case, is it possible to have the same port (interface) in two different bridges on the same single router?
Although I would like to understand how RouterOS assigns MAC addresses to newly created bridges, I’d like more to know how I could change the MAC address of at least one bridge AND are there any negative side effects with this sort of change???
Details included in this message to hopefully help others that may run into this same issue - No charge!!
Why do I need this change: This change is needed as both bridges currently have the same MAC address assigned, confusion abound.
How I am testing:
I configured 2 bridges named B500 and B600 on hardware platform RB4011iGS+RM version v6.46.4 in my isolated LAB environment
I used this cli command to change the MAC address of the first bridge: /interface bridge set B500 admin-mac=11:22:33:AA:BB:CC auto-mac=no
I used this cli command to change the MAC address of the 2nd bridge: /interface bridge set B600 admin-mac=11:22:33:DD:EE:FF auto-mac=no
NOTE: Using the Winbox GUI, I didn't see an option to set the other required option auto-mac=no so perhaps the CLI is required for this change.
UPDATE 8-18-2021: In the GUI (Graphical User Interface) it turns out the required option -- auto-mac -- is automatically set to no when you add your own MAC address and save (click ok).
RESULTS:
Strange thing is only bridge B600 will take on and use my newly assigned MAC address. B500 continues to use original MAC and it changes at every reboot.
When bridge B500 is disabled (within Winbox) it shows my manually assigned MAC address (color light gray) but reenabling B500, it reverts back to original MAC assigned to this bridge this time. Rebooting and/or repowering does not make any difference other than dynamically setting a new and different MAC address and of course it just wastes more of my time.
The CLI configuration shows both bridges are configured the same except for different MAC addresses.
[admin@RB02] > /interface bridge print (other bridge details omitted for clarity)
Flags: X - disabled, R running
0 R name="B500" mac-address=9E:1D:11:EA:78:4F auto-mac=no admin-mac=11:22:33:AA:BB:CC
1 R name="B600" mac-address=11:22:33:DD:EE:FF auto-mac=no admin-mac=11:22:33:DD:EE:FF
I tested changing the bridge MAC addresses (as above) on my Cloud Hosted Router version v6.47.10 in my isolated test lab and the admin-mac address change worked as advertised without any problems. Perhaps a RouterOS code bug on the physical infrastructure.
Thanks, more research
Any help would be greatly appreciated
Frank
I was able to reproduce the “fault” with WinBox.
Using WinBox I created two bridges and assigned the same admin.MAC (11:22:33:DD:EE:FF & 11:22:33:AA:BB:CC) and got the same results you got.
Solution:
I went online and found a MAC address generator (for example: [reported link removed])
Every MAC address I generated, I was able to enter as “admin. MAC Address” and it worked !!!
I didn’t even have to use the “auto-mac=no” command.
I am not sure what is your problem with that. I am running a CCR1009 with several bridges that have the same MAC address and it works just fine.
Of course the bridges are not connected, they are on different VLANs on the same ethernet port and they all use the MAC address of that particular ethernet port.
(I have copied that to the admin-mac address so I am sure it remains static, but that is no different from an automatically assigned address that is derived from the port MAC address and of course is the same for every VLAN)
Ancient way of dealing with VLANs on devices without switch chip(s). And some other tasks which can be done by (ab)using VLAN functionality (e.g. segmentation of switch).
I agree that in modern times more than one bridge per device is mostly not needed.
I have standardized on making a separate bridge for each "application" in the router. I.e. the LAN, the internet connection, the guest network(s), etc.
I put all configuration like IP address, firewall, queues, etc etc on the bridge, then put a single ethernet interface into the bridge.
That way I can port the configuration easily to another router model where the port layout is different, or e.g. change the internet connection from ethernet to SFP.
Usually the bridge has only one port, and in that case the "fast forward" option can be enabled on the bridge and the overhead is less (no host table).
I am quite sure anyone reading this thread is more than confident enough to create a MAC address but thanks for your assistance.
:
:
I really hope folks don’t click on your link, this is a good example of how attacks start.
:
:
Yes, having the same MAC address on 2 different virtual bridges within the same physical MikroTik router works. Any traffic (frames) being forwarded TO either bridge would most likely only be bridge management traffic. However the Management address of this MikroTik router is tied to an L3 router interface, not either of the L2 bridge addresses. The layer-3 portion of this setup will ARP for the next hop to obtain the L2 address to forward a packet, the next hop will be an end-device on a local routed interface or next-hop L3 router address on some VLAN segment running through (not to) either of the 2 bridges. - I get that, traffic (data or management) doesn’t really need to communicate with either of the bridge MAC addresses - same MAC or not - I’m guessing no traffic (management nor data) is ever forwarded to either bridge as spanning-tree is disabled - MikroTik documents specifically state spanning-tree be disabled due to CPU oversubscription issues. I’m sure you are aware at L2, MAC addresses are the only unique element used to prevent bridging loops and this vendor requests this feature be disabled because the CPU cannot handle the load. Which leads me to think the bridge MAC addresses - in this configuration - are never used.
Being new to MikroTik and this environment I find this confusing at best. All I want to do is change the MAC address on at least 1 bridge to distil a little sanity.
An easy way to create a new MAC address is, go to /Interfaces Eoip, click add and then check the Mac address field, you can copy and use that MAC address…
Do not click OK, just exit from EoIP Facility…
But what are we talking about?
MAC addresses do not have verification code inside(*), just type 12 hexadecimal digits randomly
(for those who don’t know they range from 0 to 9 and the letters A-B-C-D-E-F)
and put the “:” every 2 characters (start and end excluded)
For example, if I type randomly
82:c3:64:1e:0b:32
oh look, a MAC address !!!
(*) excluding special cases like all 0, all F (no matter now 1st and 2nd least significant bit on 1st byte)
I’m pointing out that the idea of putting a random mac-address is bullshit.
Inside a bridge must be put one mac-address chosen from a real interface inside the bridge,
not one MAC invented without the slightest criterion.
Usually either the bridge does it automatically, or one puts the MAC address of the interface IN THE BRIDGE with the smallest MAC,
usually the ethernet IN THE BRIDGE with the smallest number.
But, so much I see, is discovered in this topic the hot water.
I’m pointing out that the idea of putting a random mac-address is bullshit.
Any actual reference on that instead of your personal opinion?
The addresses created the way I described above are locally administered unicast MAC addresses, as far as I know and remember…
So it does not look that random…
However, just typing random HEX values as you said earlier, is certainly random …
Also, check here https://wiki.mikrotik.com/wiki/Manual:Interface/EoIP The address numeration authority IANA allows the use of MAC addresses in the range from 00:00:5E:80:00:00 - 00:00:5E:FF:FF:FF freely
Does that still seem random?
When you “invent” a “random” MAC address for local use, you have to make sure its first byte adheres to some rules:
the first byte must be an EVEN value. When it is ODD, it will be received by everyone (multicast address)
the second to last bit of the first byte indicates if it is an address from an officially assigned range, or if it is a locally invented address.
When you want to do it “the official way”, you would want to use a locally invented address and your first byte has to be of the form xxxxxx10 (binary), or
when written in HEX it has to be one of the values x2 x6 xA or xE, so e.g. 02 or 46 or 8A or 9E or similar.
The other bytes can be any value 00..FF in this case.
Look at what the router itself does when it auto-generates a MAC address e.g. when you create a new virtual Wireless interface.
When your main MAC address starts with 4C:5E:0C (one of the older ranges assigned to MikroTik), it will make that into 4E:5E:0C for the first automatically
assigned address, which is a locally invented address adhering to the above criteria.
However, when making a bridge which has one or more ethernet ports from the router in it, there is no need to invent a completely new MAC address,
you can just use the MAC of the first (or any) port in the bridge. That is what the router itself also does. You can copy the chosen address to the admin
MAC address to get a stable value (which is desirable e.g. when you run a DHCP server on it).
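
The first-byte rules from the last post, as an added example that is not part of the original thread: the Python below classifies the MAC addresses quoted in this thread and derives a locally administered address from a vendor-assigned one. The function names and the full address 4C:5E:0C:12:34:56 are constructed for illustration.

```python
import re

_MAC_RE = re.compile(r"[0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5}")


def parse_mac(text):
    """Return the six octets of a MAC written as XX:XX:XX:XX:XX:XX."""
    if not _MAC_RE.fullmatch(text.strip()):
        raise ValueError(f"not a MAC address: {text!r}")
    return bytes(int(part, 16) for part in re.split(r"[:-]", text.strip()))


def kind(text):
    """Classify a MAC by the two low bits of its first byte."""
    octets = parse_mac(text)
    if octets == b"\x00" * 6:
        return "all-zero (invalid)"
    if octets == b"\xff" * 6:
        return "broadcast"
    if octets[0] & 0x01:          # odd first byte: group (multicast) address
        return "multicast"
    if octets[0] & 0x02:          # xxxxxx10: locally administered unicast
        return "local unicast"
    return "universal unicast"    # xxxxxx00: officially assigned range


def to_local_unicast(text):
    """Set the locally-administered bit and clear the multicast bit."""
    octets = bytearray(parse_mac(text))
    octets[0] = (octets[0] | 0x02) & 0xFE
    return ":".join(f"{b:02X}" for b in octets)


if __name__ == "__main__":
    # Addresses quoted in the thread, plus one constructed full address
    # (4C:5E:0C:12:34:56) built on the MikroTik prefix mentioned above.
    for mac in ("11:22:33:AA:BB:CC", "11:22:33:DD:EE:FF", "9E:1D:11:EA:78:4F",
                "82:c3:64:1e:0b:32", "00:00:5E:80:00:00", "4C:5E:0C:12:34:56"):
        print(f"{mac}  {kind(mac)}")
    print(to_local_unicast("4C:5E:0C:12:34:56"))
```

Both admin-mac values from the first post have an odd first byte (0x11), so by the rule above they fall in the multicast range rather than the locally administered unicast range.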