  1. #1
    Untanglit
    Join Date
    Aug 2018
    Posts
    18

    Use same Mac address for devices on different NICs

    I am currently setting up an Untangle u25 as my main home router/gateway.
    Today I ran into something interesting.

    I am using a Draytek AP900 to serve as a Wi-Fi access point.
    The AP900 provides two separate isolated LAN ports (Lan-A and Lan-B) so it can serve as an access point for two different subnets, providing the functionality of two separate access points (with different SSIDs etc.) within one device.
    The way I have used it for many years.

    While setting up the Untangle u25 I found out the two LAN ports on the AP900 actually use the same mac address…

    This led to an error in the Untangle setup while defining fixed IP addresses to certain mac addresses.
    Although used on two different subnets (via NIC 1 and NIC 2), with different IP ranges and DHCP servers, I cannot use the same MAC address twice.
    (BTW: no NAT on the internal NICs since they need to be able to talk to each other for certain devices)
    As far as I understand this error is raised because Untangle in the background actually uses the same dhcp server for all internal nics.
    See picture for setup.

    macaddress issue.JPG

    Any suggestion on how to maintain my AP900 as a 'one-device-multiple-access point' solution?

  2. #2
    Master Untangler
    Join Date
    May 2010
    Location
    Texas, USA
    Posts
    624

    I'll be curious to see what others say, but I don't think that is possible in Untangle.

    More so, I think that is a bizarre and non-standard compliant design on Draytek's part... But my opinion is just that, and has nothing to do with your question.

  3. #3
    Master Untangler
    Join Date
    Feb 2016
    Location
    Michigan
    Posts
    527

    The AP-900 can support two completely independent LANs. Each is connected via its own independent RJ45 Ethernet interface. There are Ethernet RJ45 interfaces for LAN A (4 ports) and LAN B (one port). These networks remain completely isolated from each other. Each LAN can be assigned its own separate Wireless SSID so they remain separated even on the Wireless LAN. This is the equivalent of having two completely separate access points and ideal for public and private networks in the same location or wireless LANs for two separate companies.

    Having two physical LAN interfaces provides a much simpler alternative to using tagged VLANs and/or a Radius server for authentication. It is also much easier/quicker to set up (that said, the AP-900 can also support tagged VLANs and Radius).
    This sounds like two physical interfaces…meaning there should be two unique physical addresses.
    Last edited by Sam Graf; 09-11-2018 at 01:13 PM.

  4. #4
    Untanglit
    Join Date
    Aug 2018
    Posts
    18

    Quote Originally Posted by Sam Graf View Post
    This sounds like two physical interfaces…meaning there should be two unique physical addresses.
    Yeah that’s what I thought as well, but they really have the same mac address.
    Probably a software separated setup.

    I think I need to buy a new separate access point.

  5. #5
    Master Untangler
    Join Date
    Feb 2016
    Location
    Michigan
    Posts
    527

    I guess my thought was to contact DrayTek support and get some clarification. It seems like the AP-900 isn’t working as advertised, so troubleshooting there first might solve the whole thing.

  6. #6
    Untangle Ninja dwasserman's Avatar
    Join Date
    Jun 2008
    Location
    Argentina
    Posts
    4,292

    By chance, can the MAC address be changed via the web GUI on the Draytek? The 1900 series routers can do so on WAN interfaces.
    The world is divided into 10 kinds of people, who know binary and those not

  7. #7
    Untangle Ninja jcoehoorn's Avatar
    Join Date
    Mar 2010
    Location
    York, NE
    Posts
    1,564

    Quote Originally Posted by homenetwork View Post
    The AP900 provides two separate isolated LAN ports (Lan-A and Lan-B) so it can serve as an access point for two different subnets, providing the functionality of two separate access points (with different SSIDs etc.) within one device.
    Lots of devices can map multiple SSIDs to different subnets, but it's extremely unusual to need two different physical sets of cables and ports to accomplish this. It's much more normal to map the different wireless SSIDs to different vlans on the same interface.

    Even newer AC devices that have multiple network ports to handle wireless connections with the potential for > 1Gbps throughput will not use those ports for individual SSIDs. They still use VLANs, and the multiple ports are bonded/teamed, typically using LACP aggregation.

    What's really cool is when you have just one SSID map to several different vlan subnets depending on what device/user connects to it based on a RADIUS lookup. You sign in, and your (recognized) device ends up on your primary network. You give your friend the same password to the same SSID (or, even better, use a certificate or username/password challenge/response on that SSID), and they end up on the guest subnet.

    This is how all the big campus deployments work. There are many access points working together. They only broadcast one SSID (and potentially a 2nd SSID dedicated to onboarding users or a third doing MAC authentication for those few devices that can't do 802.1x), but you may end up on one of many different subnets depending on the results of your authentication.
    Last edited by jcoehoorn; 09-13-2018 at 09:35 AM.
    Five time Microsoft ASP.Net MVP managing a Lenovo RD330 / E5-2420 / 16GB with Untangle 14.0 to protect 700Mbits for ~400 residential college students and associated staff and faculty

  8. #8
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    22,580

    And more importantly those interfaces are independent, with unique mac addresses per port as per the Ethernet standards.

    If I had a device on my network that used the same MAC address on more than one port, my response is to throw it away. That is garbage, and a blatant source of issues.

    The design here indicated will not work, because Untangle like any sane router has a singular ARP table, and it cannot have two IP addresses mapping to the same MAC and still know which port it's going to send traffic on. That's why we have MAC addresses to begin with, to uniquely identify a device on a hardware level so we can keep things straight.

    That's why we have all this technology to protect us from ARP cache poisoning, this configuration is poisoned from the start. It will never work, it cannot ever work. And any vendor that tries to force you to use this is braindead...

    And no, Untangle isn't immune; this WAP described here is the Rerouter of their world... Older folks around here will remember Untangle Rerouter, and know that it attempted to play with ARP in some ugly ways very similar to this and as a result had all sorts of problems.

    Just say no to ARP shenanigans.

    Heck you can't even do bonding if the MACs are the same... even LACP needs unique layer 2 addressing!

    At the very least you should explore using a single NIC on the WAP to connect it to the Untangle, and use VLANs to provide your two SSIDs the appropriate IP network. If that cannot work, then yes... time for a new WAP. A Unifi AC-Lite WAP is a substantial upgrade over the AP-900, and it's a whopping $80. You've already spent more than that in time on this thread alone. Time to cut your losses and get equipment that works.
    Last edited by sky-knight; 09-13-2018 at 10:34 AM.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com
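
The condition discussed in this post, one MAC address showing up behind more than one router interface, can be checked from a neighbor table. This is an added example, not code from the thread or from Untangle; it parses text in the format printed by Linux `ip neigh show`, and the interface names, IPs and MAC addresses in the sample are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed sample in the format printed by `ip neigh show` on Linux.
# MACs are locally administered placeholders, not real device addresses.
SAMPLE_NEIGH = """\
192.168.1.10 dev eth1 lladdr 02:00:00:00:00:01 REACHABLE
192.168.2.10 dev eth2 lladdr 02:00:00:00:00:01 STALE
192.168.1.20 dev eth1 lladdr 02:00:00:00:00:02 REACHABLE
192.168.1.21 dev eth1 lladdr 02:00:00:00:00:02 STALE
192.168.2.30 dev eth2 lladdr 02:00:00:00:00:03 DELAY
192.168.2.40 dev eth2 FAILED
"""

ENTRY = re.compile(
    r"^(\S+) dev (\S+) lladdr ([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})\b"
)

def parse_neigh(text):
    """Return (ip, dev, mac) for every entry that has a resolved MAC."""
    entries = []
    for line in text.splitlines():
        match = ENTRY.match(line.strip())
        if match:  # unresolved entries (FAILED/INCOMPLETE) carry no lladdr
            ip, dev, mac = match.groups()
            entries.append((ip, dev, mac.lower()))
    return entries

def macs_on_multiple_interfaces(entries):
    """Map each MAC seen on more than one interface to its (dev, ip) sightings.

    A MAC with several IPs on ONE interface (a multi-homed host) is not
    flagged; only the cross-interface case from this thread is.
    """
    sightings = defaultdict(set)
    for ip, dev, mac in entries:
        sightings[mac].add((dev, ip))
    flagged = {}
    for mac, seen in sightings.items():
        if len({dev for dev, _ in seen}) > 1:
            flagged[mac] = sorted(seen)
    return flagged

if __name__ == "__main__":
    hits = macs_on_multiple_interfaces(parse_neigh(SAMPLE_NEIGH))
    for mac, seen in hits.items():
        print(f"{mac} appears on more than one interface: {seen}")
```

The same report is a useful alert for ARP spoofing triage, since a MAC that suddenly answers on a second interface looks identical in the table to the dual-port access point described here.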

  9. #9
    Untanglit
    Join Date
    Aug 2018
    Posts
    18

    Quote Originally Posted by sky-knight View Post
    .... It will never work, it cannot ever work. And any vendor that tries to force you to use this is braindead...
    Well, it did work in my ‘post Untangle’ setup, where I had two different physical routers ‘serving’ both the subnets ( = two ARP tables)

    Anyway, things change....
    I will remain using it as one AP for the time being, contact Draytek for explanation and start looking into the Ubiquiti APs and VLAN setups.
    Thanks.

  10. #10
    Master Untangler
    Join Date
    Feb 2016
    Location
    Michigan
    Posts
    527

    Quote Originally Posted by homenetwork View Post
    …and start looking into the Ubiquiti APs and VLAN setups.
    Just as a reminder, according to the advertising blurb I posted earlier, your AP-900 is said to support VLANs.

    I'm hoping DrayTek can resolve this. Something doesn't add up.
