
The provider issues 2 static addresses linked to the MAC address of the device on one port. Is it possible to divide the ports of the Mikrotik router into traffic exchange through each address?

For example:

WAN (ether1 port):
192.0.2.11 (gateway 192.0.2.1) MAC 11:11:11:11:11:11
192.0.2.12 (gateway 192.0.2.1) MAC 11:11:11:11:11:12

I want ether2, ether3, wlan1, wlan2 to be on 192.0.2.11 and ether4, ether5 to be on 192.0.2.12

  • It is unclear what you want to achieve. Please, don't describe in terms of MAC addresses and ports (this looks like you consider this as a part of the solution, and I don't get why this might be needed), describe the final visible features instead, e.g. how it should finally work. Different machines NATing to different public IP addresses? Oct 10, 2022 at 12:39
  • @NikitaKipriyanov different machines use different public ip
    – Serrver
    Oct 10, 2022 at 14:55
  • Notice I've edited your questions and changed addresses to ones that are recommended in RFC5735. There are three network subnets defined there for the documentation purposes to be used as examples, TEST-NET-1, TEST-NET-2, TEST-NET-3; if you need to replace your public IPs with something, always pull addresses from one of these and never invent your own. Oct 11, 2022 at 5:45

1 Answer


The easiest and cleanest way to achieve this is to split the local network in two private subnets. Let the machines in one subnet use the block 192.168.51.0/24, and the second subnet will be 192.168.52.0/24.

For this, you build two bridges out of interfaces you specified:

interface/bridge/add name=bridge1 protocol-mode=none
interface/bridge/port/add bridge=bridge1 interface=ether2 hw=yes
interface/bridge/port/add bridge=bridge1 interface=ether3 hw=yes
interface/bridge/port/add bridge=bridge1 interface=wlan1
interface/bridge/port/add bridge=bridge1 interface=wlan2

interface/bridge/add name=bridge2 protocol-mode=none
interface/bridge/port/add bridge=bridge2 interface=ether4
interface/bridge/port/add bridge=bridge2 interface=ether5

interface/list/add name=LAN
interface/list/member/add list=LAN interface=bridge1
interface/list/member/add list=LAN interface=bridge2

Notice, however, that you can't use hardware offloaded switching on both bridges, because they share a switch chip.

Then you assign IP addresses: both public addresses go to the WAN interface and private addresses to each bridge. I'd give them the first address in each network:

ip/address/add address=192.0.2.11/24 interface=ether1
ip/address/add address=192.0.2.12/24 interface=ether1
ip/route/add gateway=192.0.2.1
ip/address/add address=192.168.51.1/24 interface=bridge1
ip/address/add address=192.168.52.1/24 interface=bridge2

Here's how the magic appears: instead of using a common masquerade rule, we use separate src-nat rules for each private subnet:

ip/firewall/nat/add chain=srcnat action=src-nat src-address=192.168.51.0/24 to-addresses=192.0.2.11
ip/firewall/nat/add chain=srcnat action=src-nat src-address=192.168.52.0/24 to-addresses=192.0.2.12

Be sure to remove all other srcnat rules.

In principle, this is a minimal viable configuration. Systems from both private subnets will be able to communicate with each other. However, when they go to the Internet, the systems from the first subnet will appear as 192.0.2.11, and ones from the second will use 192.0.2.12.

You have to assign addresses of the form 192.168.51.X with subnet mask /24 = 255.255.255.0 to the machines that are connected to the first subnet, on ports ether2, ether3, wlan1, and wlan2. It is likely you want to use a DHCP server for this:

ip/pool/add name=lan-51 ranges=192.168.51.10-192.168.51.254
ip/dhcp-server/add name=dhcp-51 address-pool=lan-51 interface=bridge1
ip/dhcp-server/network/add address=192.168.51.0/24 gateway=192.168.51.1 dns-server=192.168.51.1

For this to work, your router should enable remote requests. A similar setup will be needed if you want to add DHCP to the second subnet.

It is likely you'd also want to build a firewall and set up local DNS. If there are any resources in local subnets that you need to make available from the Internet, you just add dst-nat rules as usual.


There is another way. It does not require you to split the network in two. However, you'd be in constant need to update the address lists which specify who is mapped to which public address:

ip/address/add address=192.0.2.11/24 interface=ether1
ip/address/add address=192.0.2.12/24 interface=ether1
ip/route/add gateway=192.0.2.1
ip/firewall/nat/add chain=srcnat action=src-nat src-address-list=mapped-to-11 to-addresses=192.0.2.11
ip/firewall/nat/add chain=srcnat action=src-nat src-address-list=mapped-to-12 to-addresses=192.0.2.12
ip/firewall/address-list/add list=mapped-to-11 address=192.168.88.15
ip/firewall/address-list/add list=mapped-to-11 address=192.168.88.16
ip/firewall/address-list/add list=mapped-to-11 address=192.168.88.17
...
ip/firewall/address-list/add list=mapped-to-12 address=192.168.88.25
ip/firewall/address-list/add list=mapped-to-12 address=192.168.88.26
...

This will become boring very soon. There is a way to automate this based on the port, but it is complicated and involves advanced scripting (the script has to identify which port the DHCP request came from and fill the entry in the respective address list) and I'd rather not be going that way. The most elegant way is to have two networks. Unmapped addresses (not present in any list) will not have any access to the Internet.

If the list of private IP addresses mapped to the second public IP address is relatively constant, you may use the first address as the "default" entry and have only a single list instead:

ip/firewall/nat/add chain=srcnat action=src-nat src-address-list=mapped-to-12 to-addresses=192.0.2.12
ip/firewall/nat/add chain=srcnat action=src-nat to-addresses=192.0.2.11
ip/firewall/address-list/add list=mapped-to-12 address=192.168.88.25
ip/firewall/address-list/add list=mapped-to-12 address=192.168.88.26
...

The order of rules matters: it will first check if the station is in the list; if it is, it will NAT it to the second public IP and finish this chain processing, but if the station is not in the list, it will be mapped to the first public address.

Notice nowhere any MAC addresses appear. Because it is nowhere needed, your problem as defined is completely at the layer 3. Also you specify the default route for the router itself just once; there is no need to specify the gateway "for each public address".

  • The only problem is that the router will have only one external ip address, because the provider binds the ip address to the mac address of the device, and one port physically has 1 mac. But we moved away from being tied to mac, and my question turned into a completely incorrect one for me.
    – Serrver
    Oct 11, 2022 at 6:13
  • Some ISPs have strange ideas. It is impossible to make multiple MACs on a single physical interface in Mikrotik directly. There is a thread on the Mikrotik forum, where they discuss a VRRP hack and other workarounds. But I'd rather convince the ISP not to make crazy things. Oct 11, 2022 at 7:29
  • thanks maybe combining your answer and the solution from the forum is my solution
    – Serrver
    Oct 11, 2022 at 8:43
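
The two-subnet design from the answer, collected into one complete RouterOS configuration as an added worked example (this is not the answer author's own code). It keeps the answer's interface names, the 192.168.51.0/24 and 192.168.52.0/24 private subnets and the TEST-NET-1 public addresses, and adds the parts the answer only mentions in passing: DHCP for the second subnet, the DNS setting that lets the router answer LAN queries, a WAN interface list, and a minimal stateful filter. The filter rules and the pool ranges are assumptions about a sensible baseline, not something the answer specified.

```routeros
# Added example, not from the original answer. Assumptions: ether1 is WAN,
# the pool ranges and the filter baseline below are the editor's choice.

/interface/bridge
add name=bridge1 protocol-mode=none
add name=bridge2 protocol-mode=none
/interface/bridge/port
# only one bridge can be hardware offloaded on a single switch chip
add bridge=bridge1 interface=ether2 hw=yes
add bridge=bridge1 interface=ether3 hw=yes
add bridge=bridge1 interface=wlan1
add bridge=bridge1 interface=wlan2
add bridge=bridge2 interface=ether4
add bridge=bridge2 interface=ether5

/interface/list
add name=WAN
add name=LAN
/interface/list/member
add list=WAN interface=ether1
add list=LAN interface=bridge1
add list=LAN interface=bridge2

# both public addresses live on ether1; the router needs a single default route
/ip/address
add address=192.0.2.11/24 interface=ether1
add address=192.0.2.12/24 interface=ether1
add address=192.168.51.1/24 interface=bridge1
add address=192.168.52.1/24 interface=bridge2
/ip/route
add dst-address=0.0.0.0/0 gateway=192.0.2.1

# one pool and one DHCP server per bridge; the router's own .1 stays out of the pool
/ip/pool
add name=lan-51 ranges=192.168.51.10-192.168.51.254
add name=lan-52 ranges=192.168.52.10-192.168.52.254
/ip/dhcp-server
add name=dhcp-51 interface=bridge1 address-pool=lan-51
add name=dhcp-52 interface=bridge2 address-pool=lan-52
/ip/dhcp-server/network
add address=192.168.51.0/24 gateway=192.168.51.1 dns-server=192.168.51.1
add address=192.168.52.0/24 gateway=192.168.52.1 dns-server=192.168.52.1

# clients point DNS at the router, so it must answer queries from the LAN;
# the input chain below keeps that resolver closed to the Internet
/ip/dns
set allow-remote-requests=yes

# one src-nat rule per subnet, no masquerade; out-interface-list=WAN keeps
# traffic between the two subnets from being rewritten as well
/ip/firewall/nat
add chain=srcnat src-address=192.168.51.0/24 out-interface-list=WAN action=src-nat to-addresses=192.0.2.11
add chain=srcnat src-address=192.168.52.0/24 out-interface-list=WAN action=src-nat to-addresses=192.0.2.12

# minimal stateful filter (assumption): the router itself is reachable only from
# the LAN, LAN hosts may reach the Internet and each other, the Internet may only reply
/ip/firewall/filter
add chain=input connection-state=established,related action=accept
add chain=input connection-state=invalid action=drop
add chain=input in-interface-list=LAN action=accept
add chain=input action=drop
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward in-interface-list=LAN action=accept
add chain=forward action=drop
```

Two things to check after applying it: `/ip/firewall/nat print` must show no leftover masquerade rule, and a host on bridge2 should show up on an external "what is my IP" service as 192.0.2.12 while a bridge1 host shows 192.0.2.11. If you later publish an internal service with a dst-nat rule, the final forward drop will block it until you add an accept for `connection-nat-state=dstnat` in front of it.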
