Not often, but with enviable regularity, the same question comes up on the specialised forums: "how can I get two IP addresses with different MAC addresses on one interface of a MikroTik router?" Usually it goes unanswered, or the answer is "you can't". The task is indeed not trivial: in a standard configuration the rule "1 interface = 1 MAC" holds. In this article I explain how to get around that restriction using the advanced functionality of MikroTik RouterOS.
First, recall the hardware side of RouterBoard. Besides routing, MikroTik devices can also switch. Some of them have a dedicated switch chip for that, and all of them can combine interfaces into a software switch, the bridge. A bridge forwards frames using the device's CPU. It is also the way heterogeneous Ethernet-like interfaces (ethernet, wlan, vlan, eoip, vpls) are joined together.
In the MikroTik interface hierarchy the bridge is the higher, unifying entity. When interfaces are combined into a bridge, the MAC address is set on the bridge itself and is used on all of its slave ports. The MAC addresses of the slave interfaces are no longer used; in outgoing frames they are replaced by the bridge's MAC address.
Accordingly, the IP address and all IP-based services must be bound not to the slave interfaces but to the bridge above them.
Because the bridge is implemented in the CPU, it offers very broad traffic-handling functionality. What immediately caught my attention was the filtering of incoming and transit frames and, in particular, the ability to rewrite MAC addresses. So the tool for solving the problem will be the bridge, or more precisely bridge NAT (L2 NAT).
Let's get started. Our test router has an internal bridge, bridge-local, which carries the address 192.0.2.1/24 and is the gateway for the computers on the LAN. The administrator has assigned bridge-local the MAC address D4:CA:6D:C7:11:11. The physical interface ether2 is one of the slave ports of bridge-local and is connected directly to the LAN.
Task: add a second address from the same IP subnet to the router, but with a different MAC address. For the example, the combination IP 192.0.2.111/24 with MAC D4:CA:6D:C7:22:22 is chosen.
Since the rule "1 interface = 1 MAC" cannot be broken, we go around it. First we create an auxiliary bridge, bridge111, which carries the additional MAC address and to which the additional IP address will be attached:
/interface bridge add admin-mac=D4:CA:6D:C7:22:22 auto-mac=no name=bridge111 protocol-mode=none
Now we need to work out what has to be substituted, from where and to where, using the bridge. For that, look at how the ARP protocol works:
ru.wikipedia.org/wiki/ARP#.D0.9F.D1.80.D0.B8.D0.BD.D1.86.D0.B8.D0.BF_.D1.80.D0.B0.D0.B1.D0.BE.D1.82.D1.8B
Obviously we need to intercept ARP requests from hosts asking for the MAC address of the device with IP 192.0.2.111 and answer them ourselves. Bridge NAT has a dedicated action for this, arp-reply:
/interface bridge nat add action=arp-reply arp-dst-address=192.0.2.111/32 chain=dstnat dst-mac-address=FF:FF:FF:FF:FF:FF/FF:FF:FF:FF:FF:FF in-bridge=bridge-local mac-protocol=arp to-arp-reply-mac-address=D4:CA:6D:C7:22:22
Running "ping 192.0.2.111" from a computer produced no visible result yet, but a look at the computer's ARP table showed that the new IP address had been resolved to the new MAC. So the ARP side is solved.
Next step: we need IP connectivity. For that we catch the frames addressed to the extra MAC + IP pair and hand them to the router's own IP stack (note that this is a bridge nat rule too; the original text omitted the "nat" keyword):
/interface bridge nat add action=redirect chain=dstnat dst-address=192.0.2.111/32 in-bridge=bridge-local mac-protocol=ip
After this command a kind of connectivity appears. The computer's ARP table contains two entries, one per MAC + IP pair, and the MAC addresses differ, as we wanted. Ping 192.0.2.111 and replies arrive regularly.
But let's look at the received packets in Wireshark:
We see that the echo replies come from MAC address D4:CA:6D:C7:11:11, the one associated with the first IP address, 192.0.2.1. Connectivity works, but the solution is incomplete: we also have to rewrite the source MAC in frames leaving the router with src-ip 192.0.2.111. Let's do that:
/interface bridge nat add action=src-nat chain=srcnat mac-protocol=ip src-address=192.0.2.111/32 src-mac-address=D4:CA:6D:C7:11:11/FF:FF:FF:FF:FF:FF to-src-mac-address=D4:CA:6D:C7:22:22
Now the packets on the wire look right: they carry the correct combination of src-IP and src-MAC:
In the WinBox window the configured translation rules look like this:
In the same way you can add as many additional IPs to the interface as you like, each with its own MAC, by specifying the corresponding address translation rules. Bridge NAT is your friend here.
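The whole procedure in one place, as an added example that is not part of the original article, generalised to two extra IP/MAC pairs on the same LAN bridge. It assumes the article's setup (bridge-local with MAC D4:CA:6D:C7:11:11 and address 192.0.2.1/24, ether2 as one of its ports). The second pair (192.0.2.112 / D4:CA:6D:C7:33:33), the bridge name bridge112, and the choice to assign the extra addresses as /32 are this example's own assumptions, not something the article states:

```routeros
# Added example, not from the original article. Assumes bridge-local
# (MAC D4:CA:6D:C7:11:11, 192.0.2.1/24) with ether2 as a slave port.

# 1. One helper bridge per extra MAC. It has no ports; its only job is to
#    own the MAC and the address (protocol-mode=none: no STP on it).
/interface bridge
add name=bridge111 admin-mac=D4:CA:6D:C7:22:22 auto-mac=no protocol-mode=none
add name=bridge112 admin-mac=D4:CA:6D:C7:33:33 auto-mac=no protocol-mode=none

# 2. Make the extra IPs local to the router. /32 is an assumption of this
#    example: it lets the IP stack answer for the address without adding a
#    second connected route for 192.0.2.0/24 that points at a port-less bridge.
/ip address
add address=192.0.2.111/32 interface=bridge111
add address=192.0.2.112/32 interface=bridge112

# 3. L2 NAT on the LAN bridge: three rules per pair.
/interface bridge nat
# 3a. Answer broadcast ARP "who-has 192.0.2.111" with the extra MAC.
add chain=dstnat action=arp-reply mac-protocol=arp in-bridge=bridge-local \
    dst-mac-address=FF:FF:FF:FF:FF:FF/FF:FF:FF:FF:FF:FF \
    arp-dst-address=192.0.2.111/32 to-arp-reply-mac-address=D4:CA:6D:C7:22:22
# 3b. Hand IP frames addressed to 192.0.2.111 to the router's own IP stack.
add chain=dstnat action=redirect mac-protocol=ip in-bridge=bridge-local \
    dst-address=192.0.2.111/32
# 3c. Rewrite the source MAC of the router's replies so src-IP and src-MAC match.
add chain=srcnat action=src-nat mac-protocol=ip src-address=192.0.2.111/32 \
    src-mac-address=D4:CA:6D:C7:11:11/FF:FF:FF:FF:FF:FF \
    to-src-mac-address=D4:CA:6D:C7:22:22

# Same three rules for the second pair (assumed values).
add chain=dstnat action=arp-reply mac-protocol=arp in-bridge=bridge-local \
    dst-mac-address=FF:FF:FF:FF:FF:FF/FF:FF:FF:FF:FF:FF \
    arp-dst-address=192.0.2.112/32 to-arp-reply-mac-address=D4:CA:6D:C7:33:33
add chain=dstnat action=redirect mac-protocol=ip in-bridge=bridge-local \
    dst-address=192.0.2.112/32
add chain=srcnat action=src-nat mac-protocol=ip src-address=192.0.2.112/32 \
    src-mac-address=D4:CA:6D:C7:11:11/FF:FF:FF:FF:FF:FF \
    to-src-mac-address=D4:CA:6D:C7:33:33

# 4. Check: after pinging both addresses from a LAN host, every rule above
#    should show a non-zero packet counter. On the host, "arp -a" (Windows)
#    or "ip neigh" (Linux) should list 192.0.2.1, .111 and .112 with three
#    different MACs.
/interface bridge nat print stats
```

Two points worth keeping in mind when using this in anger. The arp-reply and redirect rules are limited to in-bridge=bridge-local, so other bridges on the router are untouched; the src-nat rule matches on the bridge-local MAC and the extra source IP only, which is enough to keep it from touching anything else. And from the point of view of the upstream switch, the port that ether2 is plugged into now sources three MAC addresses; if that port has port-security or a per-port MAC limit configured, it will need to allow the extra addresses.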
Update: added test results with bridge L2 NAT turned on and turned off.
An RB951Ui-2HnD with an AR9344 processor was used for the test. CPU load changes only slightly, within the measurement error; the average increase was 2% per 100M interface.
L2 NAT disabled:
L2 NAT enabled:
