From MikroTik Wiki

Connection Sharing in a Single MAC-Address Restricted Service Access

Some ISPs impose a rule under which only a single pre-registered device can get a service connection.
This restricts service to the single registered MAC address of the client's device. The IP address may be static or dynamic.


In this scenario, a MikroTik RouterBoard can be used to provide multiple connections
despite the restriction described above.


Here's how it's done. First, get the MAC address and IP address of the connected interface of the registered device.

On a PC running Windows, type ipconfig /all at the command prompt to get this information.

Portion of the ipconfig /all command result:

IP Address =  ; MAC Address = 00:16:D3:CA:BB:6D

Configure the following in your MikroTik router:


Interface facing ISP = Ether1.To_Internet
Interface facing LAN = Ether2.To_LAN

1. Create a Bridge interface with the registered MAC address entered in the Admin. MAC Address field.

  /interface bridge
  add name=BR.Internet disabled=no admin-mac=00:16:D3:CA:BB:6D auto-mac=no

2. Add the port facing the ISP to the Bridge Interface.

  /interface bridge port
  add bridge=BR.Internet disabled=no interface=Ether1.To_Internet

3. Assign the registered IP Address to the Bridge interface.

3.1 If static, also add a default route.
  /ip address
  add address= disabled=no interface=BR.Internet
  /ip route
  add dst-address= gateway= disabled=no distance=1
3.2 If dynamic:
  /ip dhcp-client
  add interface=BR.Internet disabled=no add-default-route=yes use-peer-dns=yes

4. Create a source NAT (srcnat) rule with masquerading; use the Bridge interface as the output interface.

  /ip firewall nat
  add chain=srcnat disabled=no out-interface=BR.Internet action=masquerade

5. Run a DHCP server on your LAN-side interface, Ether2.To_LAN, with the correct DNS settings for your ISP.

  /ip address
  add address= disabled=no interface=Ether2.To_LAN
  /ip pool
  add name=dhcp_pool1 ranges=
  /ip dhcp-server
  add name=dhcp1 address-pool=dhcp_pool1 disabled=no interface=Ether2.To_LAN lease-time=3d
  /ip dhcp-server network
  add address= dns-server=, gateway=

You should now be able to share your single-MAC-address restricted service with multiple terminal
devices in your LAN.
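
The first step and steps 1 to 3.2 above, as an added example that is not part of the original wiki page: it picks the registered adapter out of `ipconfig /all` output, rewrites the hyphenated Windows MAC into the colon form used for `admin-mac`, and emits the bridge commands. The sample output, the second adapter's MAC, the address 192.0.2.10 and the function names are constructed for illustration.

```python
import re

# Constructed `ipconfig /all` excerpt; 192.0.2.10 is a documentation address.
SAMPLE = """\
Ethernet adapter Local Area Connection:

   Physical Address. . . . . . . . . : 00-16-D3-CA-BB-6D
   DHCP Enabled. . . . . . . . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.0.2.10(Preferred)

Wireless LAN adapter Wi-Fi:

   Media State . . . . . . . . . . . : Media disconnected
   Physical Address. . . . . . . . . : 00-16-D3-00-00-01
"""

FIELDS = {
    "mac": re.compile(r"Physical Address[ .]*:\s*((?:[0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2})"),
    "ip": re.compile(r"IP(?:v4)? Address[ .]*:\s*(\d{1,3}(?:\.\d{1,3}){3})"),
    "dhcp": re.compile(r"DHCP Enabled[ .]*:\s*(Yes|No)"),
}

def parse_adapters(text):
    """Map each adapter heading to the mac/ip/dhcp fields listed under it."""
    adapters, current = {}, None
    for line in text.splitlines():
        if line and not line[0].isspace() and line.rstrip().endswith(":"):
            current = adapters.setdefault(line.rstrip()[:-1], {})
        elif current is not None:
            for key, rx in FIELDS.items():
                m = rx.search(line)
                if m:
                    current[key] = m.group(1)
    return adapters

def router_commands(adapter, wan="Ether1.To_Internet", bridge="BR.Internet"):
    """Emit steps 1-2, plus step 3.2 when the registered device used DHCP."""
    mac = adapter["mac"].upper().replace("-", ":")  # Windows 00-16-.. -> 00:16:..
    cmds = [
        "/interface bridge",
        f"add name={bridge} disabled=no admin-mac={mac} auto-mac=no",
        "/interface bridge port",
        f"add bridge={bridge} disabled=no interface={wan}",
    ]
    if adapter.get("dhcp") == "Yes":
        cmds += ["/ip dhcp-client",
                 f"add interface={bridge} disabled=no add-default-route=yes use-peer-dns=yes"]
    return cmds

if __name__ == "__main__":
    nic = parse_adapters(SAMPLE)["Ethernet adapter Local Area Connection"]
    print("\n".join(router_commands(nic)))
```

When the adapter reports `DHCP Enabled: No`, only steps 1 and 2 are emitted and the static addressing of step 3.1 still has to be entered by hand.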

'...opportunity favors a prepared mind...'