Can we change the source address of a packet?
Suppose a device that sends a packet to a bridge device, the bridge device to a router and the router to a computer.
Is it possible to change the source address of this packet in the bridge device (hAP lite) or in the router (hAP ac3) but BEFORE the bridge IP firewall rules of the router apply?
The actual problem is that I have 2 devices with the same fixed IP, both connected to the same router, and I'm looking for a way to distinguish their packets and be able to know what packet comes from what of these devices. Using MAC addresses is my last option.

Source NAT maybe!
https://help.mikrotik.com/docs/display/ ... -SourceNAT

I believe similar (or same) problem was covered in this thread.

Source NAT maybe!
https://help.mikrotik.com/docs/display/ ... -SourceNAT

So I checked "use IP firewall" on the Bridge interface because this is what I use and then added
/ip firewall nat add chain=srcnat src-address=xxx.xxx.xx.x/24 action=src-nat to-addresses=xxx.xxx.xx.x out-interface=bridge
When I add it the communication between the device and my computer stops, plus I'm monitoring the packets coming to my computer with Wireshark, there is no incoming/outgoing packet with the "to-address" IP.

I believe similar (or same) problem was covered in this thread.

I'll give it a try if I don't find any other solution although I'm not familiar with mangle and I'm not sure I understand the logic behing this solution. I thought changing the source address of a packet and then send it out would be relatively easy

Some posts in the forum ... (some more are around, but I'm lacking the reference)

viewtopic.php?t=182895
viewtopic.php?p=639899#p639899

PS: the one I was looking for

viewtopic.php?p=784317

Although I don't get exactly how those solutions work because I'm not familiar with mangle, I'll try to replicate them.

The big problem, not trivially solvable, is this:

The actual problem is that I have 2 devices with the same fixed IP, both connected to the same router

So source address is not enough for IP layer to distinguish between the two devices for packets origintaing those devices, ingress port or src MAC address has to be used to distinguish. Similarly hard problem is to decide where to push egress packet because normal IP stack can not decide which egress port to use so mangle and two routing tables are needed.

Big Problem? I don't see the problem. Unless one insists in using only that same address to connect to different devices for initiating the connection.

I have configured routers and devices, with many addresses configured, and then I have identical hardware with exactly the same configuration (and IP addresses), there is absolutly no problem for keeping them apart in my LAN, and doing things like synchronizing their config files.

They are identified with different IP address in my LAN addresses. Their interface addresses do not belong to the LAN range, but only to that small sub-LAN (also sometimes called DMZ) that is NATted to that device range.

We do it all the time. 100.000 LAN's contain a device with IP address 192.168.1.100. They all go to Internet, and if we allow (incoming) port forwarding, they can be addressed from Internet, with their public address. This works because we use srcNAT/MAsquerade/dstNAT in the transition between the Internet (WAN) and LAN. Those devices cannot be addressed with 192.168.1.100 from the Internet, but nobody seems to need that. (Well even then it could work with a double conversion: (192.168.1.100 ->unique WAN address of wanted device -> 192.168.1.100) see last Forum link given above)

One way of explaining this, is thinking of your LAN as being the Internet, where your router is connected with it's WAN port to your LAN. And the LAN ethernet ports of your routers leading to private LAN's that use 192.168.x.0/24 address ranges. If multiple identical rangess are needed then the WAN port needs multiple addresses for separate incoming addressing, and "%ether" must be added in the IP route. Then one does srcNAT/Masquerade/dstNAT as with an Internet connection. Outcoming direction can be done with one (Masquerade) or multiple WAN-port addresses.

Big Problem? I don't see the problem.
[snip]
We do it all the time. 100.000 LAN's contain a device with IP address 192.168.1.100.

And NAT for all of those 100k devices using very same address at the very same time is done by a single NAT server? IMO and AFAIK the problem is not NAT, the problem is how to reach two devices using same IP address, connected to different L2 subnets of same router - from that router (i.e. without 3rd device doing additional NAT). If this issue is solved, then the rest of universe benefits from this solution.

OP's issue is trivially solvable if each of those devices hardcoded to use same address, are behind separate NAT routers. Which is actually the case with all those LANs using same ISP network.

I assumed it was solved. One device with the same IP address and same IP subnet on all the independent ports, one device per port (ethernet ports).

viewtopic.php?t=107142

If not enough ethernet ports on the router , then maybe VLANs can be trunked to a multiport switch with access ports.
Well you will need one ethernet port per device. (Not solved for 100k devices, with one setup. But should work for some devices limited by # of ethernet ports)

I assumed it was solved. One device with the same IP address and same IP subnet on all the independent ports, one device per port (ethernet ports).

viewtopic.php?t=107142

It is solved. I was replying to OP's post #5 above, where he wrote:

I thought changing the source address of a packet and then send it out would be relatively easy

and the point of my response is that it's easy to do it ... if only one connected device is using IP address. If multiple connected devices use same IP address it's not easy any more ... and yes, basic prerequisite is that those devices are separated in L2 (either physical router ports or VLAN ... which assumes a VLAN-capable switch downstream).