The principle of ARP-NAT (MAC Address Translation)

Source: Internet
Author: User
Tags bssid









Some of the pictures in this article come from:



http://wiki.deliberant.com/faq/wireless-bridge-routing-arpnat/



https://wiki.openwrt.org/doc/howto/clientmode








The principle of MAT





MAT (MAC Address Translation) is also called ARP-NAT, and its principle is similar to that of NAT in IP networks. It is abbreviated as MAT below.



NAT exists to allow multiple machines on an intranet to share one public IP address. Similarly, MAT allows multiple machines on an Ethernet to share one MAC address. But this sharing is a result, not the goal.





Why use MAT





This problem is specific to WiFi networks. The most common AP design for WiFi networks is to pass Ethernet packets through. It adds WiFi-specific MAC addresses to the Ethernet addresses (DA, SA); that is, the WiFi frame carries its own MAC addresses outside the Ethernet addresses.






For an AP, the MAC address of the AP is added as the BSSID, so the 802.11 packets sent and received by the AP on the wireless network have the form (DA, SA, BSSID).



For WDS, the MAC addresses of the two WDS devices (TA, RA) are added, giving the form (DA, SA, TA, RA).






For a packet from a WiFi STA, however, only the BSSID is added and not the STA's own WiFi device address. The end result is that the packet has no separate WiFi MAC address; the Ethernet address is used as the WiFi address instead.






So, to pass Ethernet packets using only the link layer (without NAT), the following network mode will not work and needs the help of MAT.











The principle of MAT





The fundamentals of MAT:






- MAT does not affect the IP layer; that is, the IP addresses of a packet do not change.

- MAT is transparent to internal devices at the MAC layer. That is, when a MAT device is present, the addresses in the packets that internal devices send and receive are no different.

- To external devices, MAT hides all internal devices and stands in for them. That is, the source MAC of a packet sent by an internal device is replaced with the MAC of the MAT device. Correspondingly, the destination MAC of a packet that the MAT device receives is replaced with the MAC of the corresponding internal device.









The main problems with MAT:






- The ARP-NAT cache may time out, which can cause network connections to be interrupted immediately

- The ARP-NAT cache may overflow, which can cause problems with network connectivity

- Other unknown issues








The workflow of MAT





Device A, acting as a STA, connects to the AP, and the computer is connected to device A. Inside device A, processing and forwarding between the STA interface and the Ethernet interface are done at the driver level. In fact, if device A also provides a WiFi AP of its own and the computer's wireless card connects to that, the principle is the same.








DHCP process


After the computer sends a DHCP Discover, device A changes the SA. The AP returns the Offer packet, and device A changes the DA back to that of the computer. Here MAT may have to set the broadcast flag before the DHCP packet goes out; otherwise the AP may simply unicast the reply to the computer based on the MAC address in the frame body, which will not work because the computer is not connected to the AP. With the flag set, the AP replies with a broadcast DHCP Offer, and MAT only has to forward the broadcast; there is no need to modify the DA.



Because the computer does not have an IP address during the DHCP process, MAT on device A forwards based on the MAC address information inside the DHCP packet. MAT does not modify the data inside the frame body of the DHCP packet.












After DHCP completes, the MAT driver should have recorded the IP-to-MAC mapping.





ARP process


An ARP packet carries an IP address and a MAC address. Besides changing the SA when a frame is sent and the DA when one is received, MAT also changes the SA in the ARP frame body on sending and the DA in the ARP frame body on receiving. The MAT device uses the IP address in the ARP frame body to determine which device the packet is for.






In addition, packet captures show that the computer also broadcasts gratuitous ("free") ARP, telling others the mapping between its own MAC address and IP address. Here too, MAT replaces the SA and the frame-body SA with its own MAC address.









So the end result is that the MAT device appears to have multiple IP addresses, although this is not really the case.








Packet flow





The data packet flow is simple: the MAT device modifies the SA of the computer's packet and sends it to the AP; when the AP's reply comes back, MAT changes the DA and forwards it to the computer.






The basic flow is shown in the figure, where MAT replaces SA with SA1 and DA with DA1.
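The ARP process and packet flow described above, together with the cache timeout and overflow problems listed earlier, as an added example that is not code from the original article or from any MAT driver. The Mat class, arp_frame helper, cache size and TTL are assumptions made for illustration; DHCP handling is not modelled, and only ARP and IPv4 frames are translated.

```python
import struct
import time

ARP, IPV4, BCAST = 0x0806, 0x0800, b"\xff" * 6

def arp_frame(da, sa, oper, sha, spa, tha, tpa):
    """Build an Ethernet+ARP frame (helper for constructed sample input)."""
    return da + sa + struct.pack("!HHHBBH", ARP, 1, IPV4, 6, 4, oper) + sha + spa + tha + tpa

class Mat:
    def __init__(self, own_mac, max_entries=64, ttl=300.0, clock=time.monotonic):
        self.own, self.max, self.ttl, self.clock = own_mac, max_entries, ttl, clock
        self.cache = {}  # internal IP -> (internal MAC, time last seen)

    def _lookup(self, ip):
        entry = self.cache.get(ip)
        if entry and self.clock() - entry[1] < self.ttl:
            return entry[0]
        return None  # never learned, or the entry has timed out

    def egress(self, frame):
        """Internal device -> AP: learn IP->MAC, replace SA (and the ARP body SA)."""
        sa, etype, body = frame[6:12], struct.unpack("!H", frame[12:14])[0], bytearray(frame[14:])
        if etype not in (ARP, IPV4):
            return None
        ip = bytes(body[14:18] if etype == ARP else body[12:16])  # sender/source IP
        now = self.clock()
        self.cache = {k: v for k, v in self.cache.items() if now - v[1] < self.ttl}
        if ip not in self.cache and len(self.cache) >= self.max:
            return None  # cache overflow: this host cannot be tracked
        self.cache[ip] = (sa, now)
        if etype == ARP:
            body[8:14] = self.own  # sender MAC inside the ARP frame body
        return frame[:6] + self.own + frame[12:14] + bytes(body)

    def ingress(self, frame):
        """AP -> internal device: choose the device by IP, restore its MAC as DA."""
        etype, body = struct.unpack("!H", frame[12:14])[0], bytearray(frame[14:])
        if frame[:6] == BCAST:
            return frame  # broadcasts are forwarded unchanged
        if etype not in (ARP, IPV4):
            return None
        mac = self._lookup(bytes(body[24:28] if etype == ARP else body[16:20]))
        if mac is None:
            return None  # no live mapping: the reply cannot be delivered
        if etype == ARP:
            body[18:24] = mac  # target MAC inside the ARP frame body
        return mac + frame[6:14] + bytes(body)
```

Passing a fake clock and a small max_entries makes the two cache failure modes reproducible: a second host is refused while the table is full, and a reply that arrives after the TTL is dropped.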














