northwind
just joined
Topic Author
Posts: 4
Joined: Tue Jan 31, 2017 11:02 am

One MAC many IP

Fri May 31, 2019 10:06 am

[attachment: NAT for MAC.png]
Hello.
There is the network Lan1 (172.31.1.0/24) that I have access to via a Cisco switch (only via one port). Cisco port security is on (only one MAC address has access).
I use srcnat (masquerade) for access from Lan2 (192.168.0.1/24) to Lan1 (172.31.1.0/24). It's OK.
But now I must connect a PC to Lan1 (172.31.1.0/24) via the Mikrotik.
The Mikrotik and the PC must use one MAC address.
How can I do it?

/interface bridge
add name=Lan1
add name=Lan2
/interface bridge port
add bridge=Lan1 interface=ether1
add bridge=Lan1 interface=ether2
add bridge=Lan2 interface=ether3
add bridge=Lan2 interface=ether4
add bridge=Lan2 interface=ether5
/ip address
add address=172.31.1.2/24 interface=Lan1 network=172.31.1.0
add address=192.168.0.1/24 interface=Lan2 network=192.168.0.0
/ip firewall nat
add action=masquerade chain=srcnat out-interface=Lan1
 
McSee
Frequent Visitor
Posts: 67
Joined: Tue Feb 26, 2019 12:49 pm

Re: One MAC many IP

Fri May 31, 2019 11:50 pm

And you can't use different subnet for LAN1 ?
 
sindy
Forum Guru
Posts: 4011
Joined: Mon Dec 04, 2017 9:19 pm

Re: One MAC many IP

Fri May 31, 2019 11:55 pm

What you need is NATing of MAC addresses at bridge level. NAT at bridge level works differently from NAT in the IP firewall, as there is no connection tracking, so the bridge NAT rules handle every single frame, not just the initial one of each connection. Plus you need to handle not only frames carrying IP packets but also frames carrying ARP packets.

So the whole set of rules will be:
/interface bridge nat
add chain=srcnat action=src-nat out-bridge=bridge out-interface=ether1 mac-protocol=ip src-address=172.31.1.3/32 to-src-mac-address=11:11:11:11:11:11
add chain=srcnat action=src-nat out-bridge=bridge out-interface=ether1 mac-protocol=arp src-mac-address=22:22:22:22:22:22/FF:FF:FF:FF:FF:FF to-src-mac-address=11:11:11:11:11:11
add chain=dstnat action=arp-reply in-bridge=bridge in-interface=ether1 mac-protocol=arp arp-dst-address=172.31.1.3/32 to-arp-reply-mac-address=11:11:11:11:11:11
add chain=dstnat action=dst-nat in-bridge=bridge in-interface=ether1 mac-protocol=ip dst-address=172.31.1.3/32 to-dst-mac-address=22:22:22:22:22:22
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
northwind
just joined
Topic Author
Posts: 4
Joined: Tue Jan 31, 2017 11:02 am

Re: One MAC many IP

Tue Jun 04, 2019 1:24 pm

What you need is NATing of MAC addresses at bridge level. NAT at bridge level works differently from NAT in the IP firewall, as there is no connection tracking, so the bridge NAT rules handle every single frame, not just the initial one of each connection. Plus you need to handle not only frames carrying IP packets but also frames carrying ARP packets.

So the whole set of rules will be:
/interface bridge nat
add chain=srcnat action=src-nat out-bridge=bridge out-interface=ether1 mac-protocol=ip src-address=172.31.1.3/32 to-src-mac-address=11:11:11:11:11:11
add chain=srcnat action=src-nat out-bridge=bridge out-interface=ether1 mac-protocol=arp src-mac-address=22:22:22:22:22:22/FF:FF:FF:FF:FF:FF to-src-mac-address=11:11:11:11:11:11
add chain=dstnat action=arp-reply in-bridge=bridge in-interface=ether1 mac-protocol=arp arp-dst-address=172.31.1.3/32 to-arp-reply-mac-address=11:11:11:11:11:11
add chain=dstnat action=dst-nat in-bridge=bridge in-interface=ether1 mac-protocol=ip dst-address=172.31.1.3/32 to-dst-mac-address=22:22:22:22:22:22

Thanks! I have tried this configuration in GNS3.
Sometimes it works. But sometimes not.
I could not change the MAC addresses, sorry... Now
172.31.1.2 is at 00:FF:E5:9C:8A:00
172.31.1.3 is at 00:FF:E5:77:A4:00
[attachment: 2_answer.png]
After the ARP request "Who has 172.31.1.3?"
you can see two ARP replies: "172.31.1.3 is at 00:ff:e5:9c:8a:00" and "172.31.1.3 is at 00:ff:e5:77:a4:00".

As a result I have two variants.
bad
[admin@MikroTik] > ip arp pr
Flags: X - disabled, I - invalid, H - DHCP, D - dynamic, P - published, C - complete
 #    ADDRESS         MAC-ADDRESS       INTERFACE
 0 DC 172.31.1.2      00:FF:E5:9C:8A:00 sw
 1 DC 172.31.1.3      00:FF:E5:77:A4:00 sw
and good
[admin@MikroTik] > ip arp pr
Flags: X - disabled, I - invalid, H - DHCP, D - dynamic, P - published, C - complete
 #    ADDRESS         MAC-ADDRESS       INTERFACE
 0 DC 172.31.1.2      00:FF:E5:9C:8A:00 sw
 1 DC 172.31.1.3      00:FF:E5:9C:8A:00 sw
How can I block the ARP reply "172.31.1.3 is at 00:ff:e5:77:a4:00"?

Router config:
/interface bridge
add name=Lan1 protocol-mode=none
add name=local
/interface bridge nat
add action=src-nat chain=srcnat mac-protocol=ip out-bridge=Lan1 out-interface=ether1 src-address=\
    172.31.1.3/32 to-src-mac-address=00:FF:E5:9C:8A:00
add action=src-nat chain=srcnat mac-protocol=arp out-bridge=Lan1 out-interface=ether1 src-mac-address=\
    00:FF:E5:77:A4:00/FF:FF:FF:FF:FF:FF to-src-mac-address=00:FF:E5:9C:8A:00
add action=arp-reply arp-dst-address=172.31.1.3/32 chain=dstnat in-bridge=Lan1 in-interface=ether1 \
    mac-protocol=arp to-arp-reply-mac-address=00:FF:E5:9C:8A:00
add action=dst-nat chain=dstnat dst-address=172.31.1.3/32 in-bridge=Lan1 in-interface=ether1 mac-protocol=\
    ip to-dst-mac-address=00:FF:E5:77:A4:00
/interface bridge port
add bridge=Lan1 interface=ether1
add bridge=Lan1 interface=ether2
add bridge=local interface=ether3
add bridge=local interface=ether4
add bridge=local interface=ether5
/ip address
add address=172.31.1.2/24 interface=Lan1 network=172.31.1.0
add address=192.168.0.1/24 interface=local network=192.168.0.0
/ip firewall nat
add action=masquerade chain=srcnat out-interface=Lan1
 
sindy
Forum Guru
Posts: 4011
Joined: Mon Dec 04, 2017 9:19 pm

Re: One MAC many IP

Sat Jun 08, 2019 4:36 pm

Yes, sorry, I have also discovered that later on. As the /interface bridge nat can only manipulate the source mac address of the ARP reply but not the response mac address inside the body of the reply, you have to use /interface bridge filter add action=drop arp-opcode=reply chain=forward mac-protocol=arp out-bridge=bridge out-interface=ether1 src-mac-address=22:22:22:22:22:22/FF:FF:FF:FF:FF:FF to prevent the real reply from being delivered; the already existing action=arp-reply rule in chain=dstnat of /interface bridge nat is there to provide an arp response substituting the dropped one.

If the device you want to hide is sending gratuitous ARP requests, you can filter them out using another action=drop rule in filter, using the arp-gratuitous=yes match condition instead of the arp-opcode=reply one, but to my knowledge you cannot substitute them.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
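The frame-by-frame behaviour described in sindy's two posts, as an added simulation that is not RouterOS code and not anyone's posted config: it models the four /interface bridge nat rules and the /interface bridge filter drop rule in Python, using the placeholder MACs 11:11:11:11:11:11 (router) and 22:22:22:22:22:22 (PC) from the rules above plus a constructed Cisco-side host (aa:aa:aa:aa:aa:aa, 172.31.1.10). It shows that without the drop rule the Cisco side receives two ARP replies for 172.31.1.3 carrying different sender hardware addresses, even though the Ethernet source MAC on the wire is always the router's, which is exactly the "two variants" northwind saw. Two modelling assumptions: the action=arp-reply rule is treated as also forwarding the original request (the two observed replies imply the PC still received it), and the bridge filter forward chain runs before srcnat (the drop rule matches on the PC's real MAC, so it must see the frame before rewriting).

```python
"""Simulation of the bridge NAT / bridge filter rules from this thread.

Hypothetical model, not RouterOS code: it replays one ARP exchange and one
IP frame in each direction through the rules and reports what the Cisco
side would learn. All addresses are the thread's placeholders or constructed.
"""
from __future__ import annotations
from dataclasses import dataclass, replace

ROUTER_MAC = "11:11:11:11:11:11"   # MAC allowed by the Cisco port-security entry
PC_MAC = "22:22:22:22:22:22"       # real MAC of the PC hidden behind the router
PC_IP = "172.31.1.3"
UPLINK_MAC = "aa:aa:aa:aa:aa:aa"   # constructed: a host on the Cisco side
UPLINK_IP = "172.31.1.10"          # constructed


@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    proto: str                      # "ip" or "arp"
    src_ip: str = ""
    dst_ip: str = ""
    arp_opcode: str = ""            # "request" / "reply" for ARP frames
    arp_sender_mac: str = ""        # sender hardware address inside the ARP body


def egress_toward_cisco(frame: Frame, with_filter: bool) -> list[Frame]:
    """Frames leaving via out-bridge=bridge out-interface=ether1.

    Assumed order: bridge filter (chain=forward) first, then chain=srcnat.
    """
    if (with_filter and frame.proto == "arp" and frame.arp_opcode == "reply"
            and frame.src_mac == PC_MAC):
        return []                   # filter action=drop: the real reply never leaves
    if frame.proto == "ip" and frame.src_ip == PC_IP:
        return [replace(frame, src_mac=ROUTER_MAC)]   # rule 1: src-nat on IP frames
    if frame.proto == "arp" and frame.src_mac == PC_MAC:
        # rule 2: only the Ethernet source MAC is rewritten; bridge NAT cannot
        # touch the sender hardware address inside the ARP body, so it leaks.
        return [replace(frame, src_mac=ROUTER_MAC)]
    return [frame]


def ingress_from_cisco(frame: Frame) -> list[Frame]:
    """Frames arriving via in-bridge=bridge in-interface=ether1 (chain=dstnat)."""
    if frame.proto == "arp" and frame.arp_opcode == "request" and frame.dst_ip == PC_IP:
        # rule 3: action=arp-reply answers on the PC's behalf with ROUTER_MAC.
        # Assumption: the original request is still forwarded to the PC.
        synthetic = Frame(src_mac=ROUTER_MAC, dst_mac=frame.src_mac, proto="arp",
                          src_ip=PC_IP, dst_ip=frame.src_ip, arp_opcode="reply",
                          arp_sender_mac=ROUTER_MAC)
        return [synthetic, frame]
    if frame.proto == "ip" and frame.dst_ip == PC_IP:
        return [replace(frame, dst_mac=PC_MAC)]       # rule 4: dst-nat on IP frames
    return [frame]


def simulate_arp_exchange(with_filter: bool) -> list[Frame]:
    """Replay 'who has 172.31.1.3?' from the Cisco-side host and return every
    frame that ends up delivered back toward the Cisco switch."""
    request = Frame(src_mac=UPLINK_MAC, dst_mac="ff:ff:ff:ff:ff:ff", proto="arp",
                    src_ip=UPLINK_IP, dst_ip=PC_IP, arp_opcode="request",
                    arp_sender_mac=UPLINK_MAC)
    to_cisco: list[Frame] = []
    for f in ingress_from_cisco(request):
        if f.arp_opcode == "reply":
            to_cisco.append(f)      # router-generated reply goes straight back
        else:
            # the forwarded request reaches the PC, which answers with its real MAC
            real_reply = Frame(src_mac=PC_MAC, dst_mac=f.src_mac, proto="arp",
                               src_ip=PC_IP, dst_ip=f.src_ip, arp_opcode="reply",
                               arp_sender_mac=PC_MAC)
            to_cisco.extend(egress_toward_cisco(real_reply, with_filter))
    return to_cisco


def learned_macs(frames: list[Frame]) -> dict[str, set[str]]:
    """What the Cisco-side host's ARP table can end up holding: IP -> MACs seen."""
    table: dict[str, set[str]] = {}
    for f in frames:
        if f.proto == "arp" and f.arp_opcode == "reply":
            table.setdefault(f.src_ip, set()).add(f.arp_sender_mac)
    return table


def conflicting_ips(table: dict[str, set[str]]) -> list[str]:
    """IPs answered with more than one MAC (the 'sometimes bad' symptom)."""
    return sorted(ip for ip, macs in table.items() if len(macs) > 1)


def wire_source_macs(frames: list[Frame]) -> set[str]:
    """Ethernet source MACs the switch port actually sees (port-security view)."""
    return {f.src_mac for f in frames}


if __name__ == "__main__":
    for flag in (False, True):
        frames = simulate_arp_exchange(with_filter=flag)
        print(f"filter={flag}: learned={learned_macs(frames)} "
              f"wire={wire_source_macs(frames)} conflicts={conflicting_ips(learned_macs(frames))}")
```

Without the drop rule, `conflicting_ips` flags 172.31.1.3 while `wire_source_macs` still only contains the router MAC: port security on the Cisco side is satisfied, but the ARP payload exposes the second station and the host's ARP cache depends on which reply arrives last. With the drop rule, only the router-generated reply is delivered.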
