Connection Sharing in a Single MAC-Address Restricted Service Access

From MikroTik Wiki

Some ISPs impose a rule under which only a single pre-registered device can obtain a service connection.
This restricts service to the single registered MAC address of the client's device. The IP address may be static or dynamic.

Netconfig01.jpg

In the scenario above, a MikroTik RouterBoard can be used to provide multiple connections
despite the restriction described, as shown below.

Netconfig02.jpg

Here's how it's done. First, get the MAC address and IP address of the connected interface of the registered device.

For a PC running Windows, type ipconfig /all at the DOS prompt to get this information.

Ipconfig command.jpg

Portion of the ipconfig /all command result:

Ipconfig result.jpg

IP Address = 203.84.100.100/24  ; MAC Address = 00:16:D3:CA:BB:6D

Configure the following on your MikroTik router:

Assumptions:

Interface facing ISP = Ether1.To_Internet
Interface facing LAN = Ether2.To_LAN


1. Create a bridge interface with the registered MAC address entered in the Admin. MAC Address field.

  /interface bridge
  add name=BR.Internet disabled=no admin-mac=00:16:D3:CA:BB:6D auto-mac=no

2. Add the port facing the ISP to the bridge interface.

  /interface bridge port
  add bridge=BR.Internet disabled=no interface=Ether1.To_Internet

3. Assign the registered IP address to the bridge interface.

3.1 If static, also add a default route.

  /ip address
  add address=203.84.100.100/24 disabled=no interface=BR.Internet
  /ip route
  add dst-address=0.0.0.0/0 gateway=203.84.100.254 disabled=no distance=1

3.2 If dynamic, add a DHCP client on the bridge interface.

  /ip dhcp-client
  add interface=BR.Internet disabled=no add-default-route=yes use-peer-dns=yes

4. Create a source NAT (srcnat) rule with masquerading; use the bridge interface as the output interface.

  /ip firewall nat
  add chain=srcnat disabled=no out-interface=BR.Internet action=masquerade

5. Run a DHCP server on your LAN-side interface, Ether2.To_LAN, with the correct DNS settings for your ISP.

  /ip address
  add address=192.168.0.254/24 disabled=no interface=Ether2.To_LAN
  /ip pool
  add name=dhcp_pool1 ranges=192.168.0.1-192.168.0.253
  /ip dhcp-server
  add name=dhcp1 address-pool=dhcp_pool1 disabled=no interface=Ether2.To_LAN lease-time=3d
  /ip dhcp-server network
  add address=192.168.0.0/24 dns-server=203.84.191.216,203.84.216.3 gateway=192.168.0.254

You should now be able to share your single-MAC-address restricted service with multiple terminal
devices on your LAN.





'amdg'
'...opportunity favors a prepared mind...'
[EDIT]

You can do all of that with a "normal" NAT setup (without a bridge), and modify the MAC of the external interface (the one facing the ISP) with:

   /interface ethernet set interface_facing_isp mac-address=xx:xx:xx:xx:xx:xx


Of course, depending on your particular situation, you might need to change the MAC of the computer which you are replacing with the router, in order not to have a duplicate MAC on the network and confuse the router.
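
An added example, not part of the original wiki page: ipconfig /all prints the MAC address with dashes and the netmask in dotted form, while the RouterOS commands in steps 1 and 3 need a colon-separated MAC and an address with a /prefix. This Python script converts one adapter section into those commands; the sample text is constructed from the page's values, English-locale output is assumed, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample: one adapter section of English-locale `ipconfig /all`
# output, filled in with the addresses used on this page.
SAMPLE = """\
Ethernet adapter Local Area Connection:
   Physical Address. . . . . . . . . : 00-16-D3-CA-BB-6D
   Dhcp Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 203.84.100.100
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 203.84.100.254
"""

def parse_adapter(text):
    """Return the fields of one adapter section, keyed by lower-cased label."""
    fields = {}
    for line in text.splitlines():
        # Labels are padded with ". . ." up to the colon; the value follows it.
        m = re.match(r"\s+([A-Za-z0-9 ]+?)[ .]*:\s*(\S.*)$", line)
        if m:
            fields[m.group(1).lower()] = m.group(2).strip()
    return fields

def to_routeros(fields, bridge="BR.Internet"):
    """Build the step 1 and step 3 commands from the parsed adapter fields."""
    mac = fields["physical address"].replace("-", ":").upper()
    if not re.fullmatch(r"([0-9A-F]{2}:){5}[0-9A-F]{2}", mac):
        raise ValueError("unexpected MAC format: " + mac)
    cmds = ["/interface bridge add name=%s disabled=no admin-mac=%s auto-mac=no"
            % (bridge, mac)]
    if fields.get("dhcp enabled", "no").lower() == "yes":
        # Step 3.2: the address and default route come from the ISP's DHCP.
        cmds.append("/ip dhcp-client add interface=%s disabled=no "
                    "add-default-route=yes use-peer-dns=yes" % bridge)
        return cmds
    # Newer Windows labels the field "IPv4 Address" and appends "(Preferred)".
    ip = (fields.get("ipv4 address") or fields["ip address"]).split("(")[0]
    # ip_interface turns the dotted netmask into a prefix length (/24 here).
    iface = ipaddress.ip_interface("%s/%s" % (ip, fields["subnet mask"]))
    gateway = ipaddress.ip_address(fields["default gateway"])
    if gateway not in iface.network:
        raise ValueError("gateway is outside the interface subnet")
    cmds.append("/ip address add address=%s disabled=no interface=%s"
                % (iface.with_prefixlen, bridge))
    cmds.append("/ip route add dst-address=0.0.0.0/0 gateway=%s disabled=no "
                "distance=1" % gateway)
    return cmds

if __name__ == "__main__":
    print("\n".join(to_routeros(parse_adapter(SAMPLE))))
```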