Hello everyone,
I have the following situation:
- many industrial devices needing firmware update
- a PC with updater software capable of parallel flashing
but: all devices share the same default MAC address and there is no easy way to change that.
We have two spare Mikrotik AX3 here, so I'm looking for a way to set them up to translate/isolate those same MACs to allow simultaneous connections of those devices to the same PC.
So far I've removed several ether ports from default LAN bridge, tried MAC srcnat/dstnat in bridge/NAT, but it complains when I specify any of ether interfaces as src/dst.
Any ideas how to do that? Perhaps there is some other way?
More details about those "broken" devices:
- they act as DHCP clients, falling back to same 169.254.x.x IP on timeout
- they advertise themselves by sending UDP broadcasts to a fixed port known by PC
- the PC updater listens for those broadcasts and connects to broadcast source IPs to a fixed known TCP port
Re: Multiple wired clients with same MAC addresses
The 169.254.x.x (with netmask 255.255.0.0) is an APIPA address.
If the protocol is implemented correctly it should essentially:
https://www.spiceworks.com/tech/network ... pipa/#_002
1) look for a DHCP server
2) if it cannot find one, assign to the interface a "random" IP in the range 169.254.1.0 to 169.254.254.255 with netmask 255.255.0.0
3) make an ARP request on the network to find if there is another device with same MAC address and if there is one, loop to #2
It has to be seen experimentally how two of those devices behave in step #3 above, they may well:
a. enter in a loop with #2 above
b. understand that there is another device with same MAC but with a different IP address and go on happily
If then the upgrade software identifies the devices by IP (and not MAC) all should be well.
How are these devices connected in "normal" operation?
And how are they assigned an IP (again in normal operation)?
Having two devices with the same MAC on a same network segment is a no-no AFAIK, so I doubt you can connect two[1] of them (via a "dumb" switch) to a same ethernet interface of the AX3 and use it as DHCP server.
If you connect each of the two devices to different ethernet ports of the AX3 then you can have a different DHCP server on each interface, but when you add more, you won't have more than 3 or 4 devices connected at the same time.
[1] let's take the simpler example of two devices before extending to the "many" (BTW how many?, 2, 20 or 200?)
If the protocol is implemented correctly it should essentially:
https://www.spiceworks.com/tech/network ... pipa/#_002
1) look for a DHCP server
2) if it cannot find one, assign to the interface a "random" IP in the range 169.254.1.0 to 169.254.254.255 with netmask 255.255.0.0
3) make an ARP request on the network to find if there is another device with same MAC address and if there is one, loop to #2
It has to be seen experimentally how two of those devices behave in step #3 above, they may well:
a. enter in a loop with #2 above
b. understand that there is another device with same MAC but with a different IP address and go on happily
If then the upgrade software identifies the devices by IP (and not MAC) all should be well.
How are these devices connected in "normal" operation?
And how are they assigned an IP (again in normal operation)?
Having two devices with the same MAC on a same network segment is a no-no AFAIK, so I doubt you can connect two[1] of them (via a "dumb" switch) to a same ethernet interface of the AX3 and use it as DHCP server.
If you connect each of the two devices to different ethernet ports of the AX3 then you can have a different DHCP server on each interface, but when you add more, you won't have more than 3 or 4 devices connected at the same time.
[1] let's take the simpler example of two devices before extending to the "many" (BTW how many?, 2, 20 or 200?)
Re: Multiple wired clients with same MAC addresses
You could try the following:
Perhaps leave the ports attached to the bridge.
In bridge filter, mark each packet with its incoming port number, (if it matches your industrial devices mac address)
Then in bridge nat
Unique src mac for each port.
You have one industrial device per ax3 ethernet port.
Connections between the 2 ax3's and to the Updater PC would be via unfiltered ports (likely to a switch)
Edit:
Probably also need to turn off hardware offload on filtered ports.
(Could perhaps use switch rules to redirect incoming packets with industrial device mac to cpu, leaving hardware offload enabled)
Perhaps leave the ports attached to the bridge.
In bridge filter, mark each packet with its incoming port number, (if it matches your industrial devices mac address)
Code: Select all
/interface bridge filter
add action=mark-packet chain=forward disabled=yes in-interface=ether3 new-packet-mark=fromEther3 src-mac-address=industrial_device_mac/FF:FF:FF:FF:FF:FF
Code: Select all
/interface bridge nat
add action=src-nat chain=srcnat disabled=yes packet-mark=fromEther3 to-src-mac-address=some_unique_mac
You have one industrial device per ax3 ethernet port.
Connections between the 2 ax3's and to the Updater PC would be via unfiltered ports (likely to a switch)
Edit:
Probably also need to turn off hardware offload on filtered ports.
(Could perhaps use switch rules to redirect incoming packets with industrial device mac to cpu, leaving hardware offload enabled)
Re: Multiple wired clients with same MAC addresses
Sorry, on further thought, the above won't work 
The return traffic nat processing can't be setup.
I am now thinking perhaps an individual bridge per port to do the src-nat from the port and dst-nat to the port might work.
With the individual bridges then connected using vlan interfaces to a central bridge.
The return traffic nat processing can't be setup.
I am now thinking perhaps an individual bridge per port to do the src-nat from the port and dst-nat to the port might work.
With the individual bridges then connected using vlan interfaces to a central bridge.
Re: Multiple wired clients with same MAC addresses
I trialled this for a while, but couldn't get it to work.
I eventually needed a bridge to bridge joiner, which Mikrotik traditionally seems unkeen on.
I tried another approach with which I had some success and may work, but have been unable to get it to pass through broadcast
packets. (If they are a critical part of the protocol)
Alternate approach:
Remove ether ports off the bridge, and make each port have the same /32 IP address, with the network address being a single IP address for 1 client. Setup a DHCP server for this.
The client still thinks it is on a /24 IP range, and neighbors are connected using proxy arp.
eg.
port 2, has ip 192.168.88.1/32, network 192.168.88.102
(bridge still has 192.168.88.1/24 assigned to it)
proxy arp enabled on both port 2, and bridge.
dhcp setup to only assign 192.168.88.102 to device on port 2.
Approximate config changes to default config (for ether2 and ether3)
;
Not tested, but with a similar config to above, you may be able to use vlan interfaces,
eg. From a switches trunk port.
which would allow potentially a lot of devices to be connected.
I eventually needed a bridge to bridge joiner, which Mikrotik traditionally seems unkeen on.
I tried another approach with which I had some success and may work, but have been unable to get it to pass through broadcast
packets. (If they are a critical part of the protocol)
Alternate approach:
Remove ether ports off the bridge, and make each port have the same /32 IP address, with the network address being a single IP address for 1 client. Setup a DHCP server for this.
The client still thinks it is on a /24 IP range, and neighbors are connected using proxy arp.
eg.
port 2, has ip 192.168.88.1/32, network 192.168.88.102
(bridge still has 192.168.88.1/24 assigned to it)
proxy arp enabled on both port 2, and bridge.
dhcp setup to only assign 192.168.88.102 to device on port 2.
Approximate config changes to default config (for ether2 and ether3)
;
Code: Select all
; bridge changed has arp=proxy-arp
/interface bridge
add admin-mac=48:A9:8A:35:7C:CE arp=proxy-arp auto-mac=no comment=defconf \
name=bridge
;Remove/disable ports used from bridge
/interface bridge port
add bridge=bridge comment=defconf disabled=yes interface=ether2
add bridge=bridge comment=defconf disabled=yes interface=ether3
; ports also need proxy arp
/interface ethernet
set [ find default-name=ether2 ] arp=proxy-arp
set [ find default-name=ether3 ] arp=proxy-arp
;setup dhcp servers
;Alter default pool and add single IP address pools for allocation to clients.
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.100
add name=pool102 ranges=192.168.88.102
add name=pool103 ranges=192.168.88.103
;Add dhcp server for ether2 and ether3
/ip dhcp-server
; add address-pool=default-dhcp interface=bridge lease-time=10m name=defconf
add address-pool=pool102 interface=ether2 name=dhcp102
add address-pool=pool103 interface=ether3 name=dhcp103
; Add new interfaces to LAN list
/interface list member
add interface=ether2 list=LAN
add interface=ether3 list=LAN
; Setup so can talk to connected devices (Only 1 device allowed per port)
/ip address
add address=192.168.88.1 interface=ether2 network=192.168.88.102
add address=192.168.88.1 interface=ether3 network=192.168.88.103
eg. From a switches trunk port.
which would allow potentially a lot of devices to be connected.
Who is online
Users browsing this forum: No registered users and 4 guests