ARP-NAT not performing as expected

I am trying to get ARP-NAT working in our lab and not getting the results I expected...

Our SMs are in bridge mode to avoid a triple NAT. Most of our residential customers are already served a private from our routers due to a lack of IPv4 public space. This works fine. We give public IPs to those that need them.

Anyway, I really want a way to track customer MAC addresses in our Mikrotiks better. When a customer replaces a home router, it messes up our queues for that customer and is becoming a headache to keep track of.

I thought by reading the description in the SM about ARP-NAT, I would leave the SM in bridge mode but all traffic behind it would show as coming from the Ethernet MAC address of the SM. That is not the case with my testing. 

If I do not create a relay in our DHCP server, the devices behind the SM never pull an address. Once I add that, they pull an IP but the MAC associated with that IP is the MAC of the computer or router behind the SM, not the SM Ethernet MAC like I was expecting.

Am I missing the concept here of ARP-NAT? I really want to avoid running the SM in router or NAT mode since that creates a triple NAT and that seems to be asking for trouble down the road...

Was it tested with 3.5.1 FW?

Thank you.

Yes. 3.5.1 on the SM and the AP. It's a lab setup.

For now I can say ARP-NAT works in the case of regular traffic passing in both directions.

Your scenario is a more complex one and we will test it ASAP.

I'll revert to you shortly with results.

Thank you.

What do you mean by regular traffic? I don't think I am very complicated... SM in bridge mode, router behind SM. That's it. Put SM in ARP-NAT mode and all traffic appears to be coming to/from the MAC of the SM, not the router behind it. Right? I can't even make that work. When I do that (put the SM in ARP-NAT mode), traffic still comes to/from the MAC of the device behind the SM, not the SM itself.

Hi Chad,

We have tested ARP-NAT one more time and it works as expected.

The source address in the Ethernet frames coming from devices below the SM is replaced by the SM's Wireless Interface address.

In your case with DHCP, DHCP requests also go from the SM with a replaced source MAC address in the Ethernet frame; however, inside the DHCP request the field "Client Hardware Address" isn't replaced.

The DHCP server associates IP addresses not with the source MAC address from the Ethernet frame, but with the "Client Hardware Address" packed inside the DHCP request.

Please find an image with the format of the DHCP request attached.

Hope it explains why you cannot bind IP addresses on the DHCP server with SMs' MAC addresses.

Also please find captures from DHCP server.

Thank you.
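The distinction described in the reply above, as an added example that is not part of the original thread and is not vendor code: the parser below pulls both the Ethernet source MAC and the "Client Hardware Address" (chaddr) out of a DHCP request, showing that a frame whose Ethernet source was rewritten still carries the downstream device's MAC in the field the server uses for the lease. The frame, both MAC addresses and all function names are constructed for illustration.

```python
import struct

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def build_sample_frame(eth_src, chaddr):
    """Constructed DHCPDISCOVER frame (sample data, not a real capture)."""
    eth = b"\xff" * 6 + eth_src + struct.pack("!H", 0x0800)
    bootp = struct.pack("!BBBBIHH", 1, 1, 6, 0, 0x12345678, 0, 0x8000)
    bootp += bytes(16)                     # ciaddr, yiaddr, siaddr, giaddr
    bootp += chaddr + bytes(10)            # chaddr field is 16 bytes, hlen = 6
    bootp += bytes(192)                    # sname + file
    bootp += b"\x63\x82\x53\x63\x35\x01\x01\xff"  # magic cookie, option 53 = DISCOVER, end
    udp = struct.pack("!HHHH", 68, 67, 8 + len(bootp), 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(bootp), 0, 0, 64, 17, 0,
                     bytes(4), b"\xff" * 4)  # checksum left 0; parser below ignores it
    return eth + ip + udp + bootp

def dhcp_macs(frame):
    """Return (ethernet_src, chaddr) for a DHCP client request, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None                        # not Ethernet II / IPv4
    ihl = (frame[14] & 0x0F) * 4
    if frame[23] != 17:
        return None                        # not UDP
    udp_off = 14 + ihl
    if len(frame) < udp_off + 8 + 44:
        return None                        # too short to hold chaddr
    if struct.unpack("!HH", frame[udp_off:udp_off + 4]) != (68, 67):
        return None                        # not client -> server DHCP
    bootp = frame[udp_off + 8:]
    hlen = min(bootp[2], 16)               # chaddr starts at BOOTP offset 28
    return mac(frame[6:12]), mac(bootp[28:28 + hlen])

# Constructed, locally administered addresses for illustration only.
SM_WIRELESS_MAC = bytes.fromhex("0a0000000001")
CPE_ROUTER_MAC = bytes.fromhex("020000000002")

def demo():
    frame = build_sample_frame(SM_WIRELESS_MAC, CPE_ROUTER_MAC)
    eth_src, chaddr = dhcp_macs(frame)
    return {"eth_src": eth_src, "lease_key": chaddr, "differ": eth_src != chaddr}

if __name__ == "__main__":
    print(demo())
```

Run against frames exported from a capture on the DHCP server side, the same function shows which of the two addresses ends up in the lease table.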