station-pseudobridge replacement?

Posted: Mon Nov 14, 2011 8:36 pm
by supermega
Hi,

"This mode is available for all protocols except nv2 and should be avoided when possible."
http://wiki.mikrotik.com/wiki/Manual:Wi ... eudobridge

However, this mode is very useful and I don't know how to replace it. The drawback of poor handling of non-IP traffic is negligible.

A great advantage of station-pseudobridge is that it masks the MAC address of hosts on ether1 - this guarantees that the MAC is not spoofed.

Can anyone propose an easy solution to secure against MAC spoofing on ether1? Filtering MACs is NOT easy - it requires me to reconfigure the MT every time the MAC changes.

Re: station-pseudobridge replacement?

Posted: Mon Nov 14, 2011 11:25 pm
by cieplik206
Is it used as a CPE?

If yes, why are you bridging? Maybe your MikroTik box will be a router?

Re: station-pseudobridge replacement?

Posted: Tue Nov 15, 2011 12:34 am
by supermega
Yes, CPE. Routing creates other problems. Routers need to know what IP is behind the CPE and I can't divide the address space into small subnets (too few public IPs).

Re: station-pseudobridge replacement?

Posted: Tue Nov 15, 2011 10:53 pm
by cieplik206
I understand. The only way to avoid MAC spoofing is a static ARP on the next L3 device.

Do you use DHCP with static leases? If yes, then the DHCP server can automatically set a static ARP entry.

If not, you have to do it manually yourself.



Thinking... pseudobridge is doing nothing else than MAC-SRC-NAT, isn't it?

In the bridge you have a NAT tab. Try to make a SRC-NAT chain with a SRC-NAT action, maybe this will work.
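
The DHCP-driven ARP binding suggested in the post above, as an added RouterOS example that is not part of the original thread. It is meant for the upstream L3 device, not the CPE; the interface name `ether2`, the DHCP server name `dhcp-cust` and the lease values are assumptions.

```routeros
# Added example for the upstream L3 device (router / DHCP server), not the CPE.
# Assumed names: interface "ether2" faces the CPEs, DHCP server is "dhcp-cust".

# Have the DHCP server write an ARP entry for every lease it hands out,
# so each leased IP is tied to the MAC that requested it.
/ip dhcp-server set [find name="dhcp-cust"] add-arp=yes

# Stop the interface from learning ARP entries off the wire. It still answers
# ARP requests, but only static entries and those added by the DHCP server
# are used to reach hosts.
/interface ethernet set [find name="ether2"] arp=reply-only

# Optional: pin a lease so this MAC always receives the same address.
# MAC and IP below are constructed sample values.
/ip dhcp-server lease add server="dhcp-cust" mac-address=00:11:22:33:44:55 address=192.0.2.10

# Check the result: DHCP-added entries appear in the ARP table.
/ip arp print where interface="ether2"
```

With this in place a host that takes an address without a lease gets no return traffic, and a changed client MAC only needs a new DHCP lease rather than a manual ARP or filter update.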

Re: station-pseudobridge replacement?

Posted: Wed Nov 16, 2011 6:57 am
by supermega
Does MAC NAT maintain any NAT table as in L3 NAT? I guess it doesn't. So we need to DNAT the returning packet (first check in L3 if it's not directed to the MT itself). For DNAT we need to set the host MAC address, which again forces us to reconfigure the MT after each MAC change.