kgmuzu
just joined
Topic Author
Posts: 12
Joined: Tue Dec 17, 2013 9:38 pm

public or campsite or marina wifi APs or hide many devices behind one MAC

Sat Jul 15, 2017 5:48 pm

Hi there,

At many places, e.g. campsites or marinas or probably other places, you can have free wifi access for only one device. That's usually not enough. So my solution is that I use a Mikrotik with 2 wlan cards. With one interface I connect to the public wifi AP and with the second I make my own network, with NAT in between. Many of these public APs remember clients by MAC address. Therefore in my solution they only see the MAC address of the connecting wlan interface and all other devices are hidden behind this MAC.

But... I had the following situation. I connected with my phone to a public access point and got Internet. Then I took my Mikrotik and put the MAC address of my phone as the MAC of the wlan interface. The Mikrotik connected to the network and I had access. But now I couldn't connect with my phone to my wifi network provided by the second wlan card?!!? In my situation the wlan1 and my phone trying to connect to wlan2 had the same MAC address. The problem occurred right when the phone had to authenticate to wlan2. It asked for the password, said the password was not correct and asked again. (The password was correct, because when I do the same where the MAC addresses are different, there is no problem.)

First I thought there should be one MAC-IP table per interface, but there is only one MAC-IP table (IP>ARP>print).
Second I thought that if a packet passes from one network to another the MAC address is rewritten, and therefore there should not be a problem if one IP interface and one device connected to another IP interface in a different network have the same MAC address.
Third, when I do source NAT (or masquerading), NAT isn't using MAC addresses.

But it seems that the problem is with the device associating with the AP.
My conclusion is that you can't associate a device with a MAC equal to an existing interface's one.

I'm a bit puzzled. Why does this happen? Does anyone have an idea? I am just curious.
Thanks
 
msatter
Forum Guru
Posts: 2942
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: public or campsite or marina wifi APs or hide many devices behind one MAC

Sun Jul 16, 2017 12:11 am

The way is to have the Mikrotik with WIFI connect to the hotspot. Then use a second WIFI device to setup a private network. Setting it up on a single chain WIFI is more difficult.

The hotspot only sees the MAC of the Mikrotik WIFI and what is behind that is not visible for the hotspot.
 
Van9018
Long time Member
Posts: 558
Joined: Mon Jun 16, 2014 6:26 pm
Location: Canada - Abbotsford

Re: public or campsite or marina wifi APs or hide many devices behind one MAC

Sun Jul 16, 2017 12:52 pm

What you say is correct!

MACs need only be unique on the Layer 2 network. However as the Mikrotik can support many Layer 2 networks, it's probably computationally easier and faster to have a single ARP table across all Layer 2 networks. Because of the single arp table, you wouldn't be able to have a duplicate MAC across any interfaces.

So your solutions would be...
- use a laptop or device that you can change its MAC too (Can iPhones change their MAC??)
- use two Mikrotik devices, such as two mAPs connected via a short cable instead of a single Mikrotik with two wlans.
 
kgmuzu
just joined
Topic Author
Posts: 12
Joined: Tue Dec 17, 2013 9:38 pm

Re: public or campsite or marina wifi APs or hide many devices behind one MAC

Sun Jul 16, 2017 2:41 pm

Ya, thanks, the problem would be solved if I used 2 Mikrotiks and connected them via Ethernet.

It seems there is no way to change the MAC of an iPhone or Android if they are not rooted.

The weird thing is that the device with the same MAC as the other wlan card gets connected for a split second and then immediately receives a deauthentication. Well, somehow RouterOS has a MAC conflict.

That's a bit annoying because, as you have mentioned, 2 identical MAC addresses in 2 different networks shouldn't conflict.

I tried with debug but didn't get much more info.
Some logs:
10:54:15 wireless,debug wlan2LAN: 78:4B:87:88:2F:67 attempts to associate
10:54:15 wireless,debug wlan2LAN: 78:4B:87:88:2F:67 in local ACL, accept
10:54:15 wireless,info 78:4B:87:88:2F:67@wlan2LAN: connected
10:54:15 wireless,info 78:4B:87:88:2F:67@wlan2LAN: disconnected, received deauth: authentication not valid (2)
10:54:15 wireless,info wlan2LAN: data from unknown device 78:4B:87:88:2F:67, sent deauth
10:54:15 wireless,info wlan2LAN: data from unknown device 78:4B:87:88:2F:67, sent deauth
10:54:23 wireless,debug wlan2LAN: 78:4B:87:88:2F:67 attempts to associate
10:54:23 wireless,debug wlan2LAN: reject 78:4B:87:88:2F:67, banned (last failure - received deauth: authentication not valid (2))
10:54:37 wireless,debug wlan2LAN: 78:4B:87:88:2F:67 attempts to associate
10:54:37 wireless,debug wlan2LAN: reject 78:4B:87:88:2F:67, banned (last failure - received deauth: authentication not valid (2))
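
As an added example, not part of the original post: a Python sketch that scans RouterOS wireless log lines like those above for a client that is deauthenticated right after connecting and then rejected as banned, and notes whether its MAC is also set on another local interface. `LOCAL_IFACE_MACS`, the function names and the 2-second window are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Excerpt of the RouterOS log lines quoted in the post above.
SAMPLE_LOG = """\
10:54:15 wireless,info 78:4B:87:88:2F:67@wlan2LAN: connected
10:54:15 wireless,info 78:4B:87:88:2F:67@wlan2LAN: disconnected, received deauth: authentication not valid (2)
10:54:23 wireless,debug wlan2LAN: reject 78:4B:87:88:2F:67, banned (last failure - received deauth: authentication not valid (2))
10:54:37 wireless,debug wlan2LAN: reject 78:4B:87:88:2F:67, banned (last failure - received deauth: authentication not valid (2))
"""
# Assumption: MACs set on the router's own interfaces, listed by hand (wlan1 as in the thread).
LOCAL_IFACE_MACS = {"wlan1": "78:4B:87:88:2F:67"}

MAC = r"(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})"
LINE = re.compile(r"^(?P<ts>\d\d:\d\d:\d\d) wireless,\w+ (?P<rest>.*)$")
EVENTS = [
    ("connected", re.compile(MAC + r"@(?P<iface>\S+): connected$")),
    ("deauth", re.compile(MAC + r"@(?P<iface>\S+): disconnected, received deauth")),
    ("banned", re.compile(r"(?P<iface>\S+): reject " + MAC + r", banned")),
]

def secs(ts):
    h, m, s = map(int, ts.split(":"))
    return h * 3600 + m * 60 + s

def find_flapping_clients(log_text, local_macs, window=2):
    """Report clients deauthenticated within `window` seconds of connecting."""
    state = defaultdict(lambda: {"up": None, "flaps": 0, "banned": 0})
    for raw in log_text.splitlines():
        line = LINE.match(raw.strip())
        hit = line and next(((k, m) for k, p in EVENTS
                             if (m := p.search(line["rest"]))), None)
        if not hit:
            continue
        kind, m = hit
        st, t = state[(m["iface"], m["mac"].upper())], secs(line["ts"])
        if kind == "connected":
            st["up"] = t
        elif kind == "deauth" and st["up"] is not None and t - st["up"] <= window:
            st["flaps"] += 1
        elif kind == "banned":
            st["banned"] += 1
    # same_mac_on lists other local interfaces configured with the client's MAC.
    return [{"iface": i, "mac": a, "flaps": st["flaps"], "banned_rejects": st["banned"],
             "same_mac_on": sorted(n for n, x in local_macs.items()
                                   if x.upper() == a and n != i)}
            for (i, a), st in state.items() if st["flaps"]]

if __name__ == "__main__":
    for finding in find_flapping_clients(SAMPLE_LOG, LOCAL_IFACE_MACS):
        print(finding)
```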
 
msatter
Forum Guru
Posts: 2942
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: public or campsite or marina wifi APs or hide many devices behind one MAC

Sun Jul 16, 2017 3:55 pm

You have dual chain WiFi network one is and look if there is a bridge/master-slave between them. Access to the one that connects to hotspot should only be accessible through NAT and be MASQed.

The second chain keeps its bridge/master-slave to the Ethernet.

You can even separate it more by connecting the hotspot at only 5GHz and the private only at 2.4GHz.
 
kgmuzu
just joined
Topic Author
Posts: 12
Joined: Tue Dec 17, 2013 9:38 pm

Re: public or campsite or marina wifi APs or hide many devices behind one MAC

Sun Jul 16, 2017 7:35 pm

The two WiFi cards are in different networks and there is NAT masq in between them. They are not on a bridge.

I tried the following. I gave an Ethernet port the same MAC as my cell phone trying to connect to wlan2. Funny enough, there was no problem.
I updated to the latest RouterOS v6.39.2 and tried again, i.e. wlan1 card and cell phone trying to connect to wlan2 with the same MAC address... No, doesn't work. This time I got an IP address, but a blink later got the deauth and the phone asked me for the network password again. Same without security on wlan2.
Setting the MAC on wlan1 to a different or original MAC and all works fine.

Anyways,
thanks for trying to help.