Community discussions

MikroTik App
 
jryanhill
newbie
Topic Author
Posts: 36
Joined: Wed Aug 03, 2011 7:20 pm

Forwarding traffic inside the same subnet without replacing the source MAC

Thu Jan 03, 2019 10:07 pm

The main question is whether it is possible to have a Mikrotik with only a single IP and single interface act as a router without replacing the source mac addresses with it own mac address when forwarding traffic on. See below for explanation of why.

So I have a firewall router as my WAN device that has the option of tracking clients by IP address or by MAC address. It is a Cisco Meraki for anyone that may feel it necessary to know. We have a Mikrotik acting as our internal router on the same subnet as the LAN interface of the Meraki. The Mikrotik not only acts as a VPN endpoint for various reasons, but it also handles some NAT rules that the Meraki cannot do. As such, the Mikrotik is the default gateway for the overall subnet, with the Meraki being the Mikrotik's default gateway. Because the Mikrotik replaces the source MAC address of outbound traffic with its own, the Meraki must track clients via IP address. This was all well and good until we were asked to add Meraki Access Points to the network. In order for them to be inside the same Meraki network as the firewall, the firewall must track clients by MAC address. I could put the APs in a separate Meraki network, but that's not quite the point of asking this question. I prefer to track by MAC address anyway. So is there a way to not replace the MAC address? This would of course cause asymmetric routing, in that the connection outbound would go through the Mikrotik AND the Meraki, but inbound would skip the Mikrotik. What issues might that cause from the Mikrotik side, if any?

Thanks for the assistance in advance. I've been working with Mikrotiks for years, and I only ever seem to post with very convoluted problems.
 
User avatar
CZFan
Forum Guru
Forum Guru
Posts: 1783
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Randburg
Contact:

Re: Forwarding traffic inside the same subnet without replacing the source MAC

Thu Jan 03, 2019 10:13 pm

"...Because the Mikrotik replaces the source MAC address of outbound traffic with its own..."

This is not Mikrotik, but how IP & routing works
MTCNA, MTCTCE, MTCRE & MTCINE
 
User avatar
sebastia
Forum Guru
Forum Guru
Posts: 1797
Joined: Tue Oct 12, 2010 3:23 am
Location: Antwerp, BE

Re: Forwarding traffic inside the same subnet without replacing the source MAC

Thu Jan 03, 2019 10:18 pm

Indeed, since Mt is the router it forwards packets on behalf of others, which translates into replacing macs.
 
mkx
Forum Guru
Forum Guru
Posts: 4632
Joined: Thu Mar 03, 2016 10:23 pm

Re: Forwarding traffic inside the same subnet without replacing the source MAC

Thu Jan 03, 2019 10:59 pm

This would of course cause asymmetric routing, in that the connection outbound would go through the Mikrotik AND the Meraki, but inbound would skip the Mikrotik. What issues might that cause from the Mikrotik side, if any?

Even if we dismiss what @CZfan and @sebastia brought forward and we should not ... NAT implies connection tracking and assymetric routing trashes connection tracking.

There is a mechanism which would help you but I don't have slightest idea if ROS implements it (it might not, many think of mechanism negatively): ICMP route redirect.
BR,
Metod
 
User avatar
CZFan
Forum Guru
Forum Guru
Posts: 1783
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Randburg
Contact:

Re: Forwarding traffic inside the same subnet without replacing the source MAC

Fri Jan 04, 2019 12:35 am

The description in the OP is also a bit confusing to me. But why not place the Cisco Meraking inside the LAN of the Miktoik router users gateway points to the Meraki, go through the Meraki to the MT Router where things get routed and NATed. Just open the necessary ports on the MT in order for the Mraki to communicate with the cloud for management system
That way all devices on the Subnet / LAN must speak to the outside via the security device as well as traffic coming in before hitting the internal network and will be able to report on internal clients MAC Addresses
MTCNA, MTCTCE, MTCRE & MTCINE

Who is online

Users browsing this forum: Bing [Bot], DarkNate, sindy, vili11 and 108 guests