Some network devices and PCs can listen for incoming special packets on their ethernet interfaces even when shut down, and this is used to allow them to be powered up with a special "magic packet", which is what Wake-On-LAN (from now on, WOL) does.

WOL is usually done by generating a packet whose destination IP address is the broadcast address of the network (in a common 192.168.0.0/24 network, it is directed to 192.168.0.255 or 255.255.255.255), which produces an ethernet frame with FF:FF:FF:FF:FF:FF as destination MAC address. This broadcast frame is processed by all the hosts on the LAN segment. What makes this packet magic? The fact that it must contain the MAC address of the device to be woken up, repeated 16 times. When the powered-off device's ethernet card detects this special frame, it powers up the device. Usually the magic packet is a UDP packet with destination port 0, 7 or 9, but this is not mandatory. BTW, I will use UDP port 9 in the examples. You can find more info on WOL on Wikipedia.

Suppose that you have a NAS in your home network that you would like to power on only when needed, to get some documents you have stored on it, and that you don't have other devices active on the home network to which you can connect in order to use WOL. Wouldn't it be useful to be able to use WOL from the Internet? How can we produce a broadcast frame on the internal LAN from the public network?

I've built this simple setup in the Eve-NG network simulator, with a virtual MikroTik router that simulates our home router: eth1 is the WAN interface (I'm using private IP addressing in 192.168.60.0/24, but consider it a public address exposed on the Internet) and eth2-3-4 are grouped in a bridge called lan_bridge with IP address 192.168.1.1/24 and a DHCP server enabled with the 192.168.1.10-192.168.1.50 pool of addresses available for clients on the internal LAN.

Basic configuration

Bridge eth2-3-4

So, how can we generate the magic packet on the 192.168.1.0/24 LAN to power up our devices? We could generate a magic packet directed to the public IP address of our home router, but then how can we force the router to turn it into a broadcast packet? The first, simplest solution that came to my mind was to use destination NAT to change the magic packet destined to 192.168.60.141 to 192.168.1.255, but on MikroTik or Linux-based routers this doesn't work (I think that directed broadcast forwarding is not supported) and the packet is discarded. We can implement the following trick instead:

MikroTik configuration

1. Implement a pre-routing destination-NAT rule on the MikroTik router that matches incoming traffic directed to its Internet-facing interface and to UDP port X (let's choose 9999), changing the destination address to 192.168.1.100 and the destination port to 9.

2. Define a static ARP resolution on the MikroTik router, setting FF:FF:FF:FF:FF:FF as the MAC address of 192.168.1.100.

Et voilà: now when you send a magic packet to 192.168.60.141 with destination port 9999/UDP, MikroTik pre-routing NAT processing will change the destination address to 192.168.1.100. Then MikroTik will route the packet toward lan_bridge, which is on that subnet, and when it prepares the ethernet frame that will carry the forwarded packet it will put FF:FF:FF:FF:FF:FF as the destination MAC address, thus producing a broadcast packet on the internal LAN, even if the destination IP address is a unicast IP.

Security Warning: any packet sent to 9999/UDP on the public address of your router will generate a broadcast packet on your internal network, so it is highly recommended to rate-limit the number of packets that are forwarded.
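The whole procedure above as RouterOS CLI commands, added here as an example rather than an export of the author's lab router. It assumes RouterOS 6/7 command syntax, that the WAN port is called ether1 in RouterOS (eth1 in the post), that the public address is 192.168.60.141, that 192.168.1.100 is an unused address (it lies outside the 192.168.1.10-50 DHCP pool), and that a rate of 1 magic packet per second with a burst of 5 is acceptable; the pool and server names are made up.

```routeros
# Added example (not the post's own configuration export).
# Assumed: RouterOS 6/7 syntax, WAN = ether1, public IP 192.168.60.141,
# 192.168.1.100 unused on the LAN, limit values chosen for illustration.

# Basic configuration: bridge eth2-3-4, 192.168.1.1/24, DHCP pool .10-.50
/interface bridge add name=lan_bridge
/interface bridge port add bridge=lan_bridge interface=ether2
/interface bridge port add bridge=lan_bridge interface=ether3
/interface bridge port add bridge=lan_bridge interface=ether4
/ip address add address=192.168.1.1/24 interface=lan_bridge
/ip pool add name=lan_pool ranges=192.168.1.10-192.168.1.50
/ip dhcp-server add name=lan_dhcp interface=lan_bridge address-pool=lan_pool disabled=no
/ip dhcp-server network add address=192.168.1.0/24 gateway=192.168.1.1

# Step 1: dst-nat 9999/UDP arriving on the WAN port to the fake host 192.168.1.100:9
/ip firewall nat add chain=dstnat in-interface=ether1 protocol=udp dst-port=9999 \
    action=dst-nat to-addresses=192.168.1.100 to-ports=9 \
    comment="WOL from Internet: 9999/UDP -> fake host, port 9"

# Step 2: static ARP entry so frames for 192.168.1.100 carry the broadcast MAC
/ip arp add address=192.168.1.100 mac-address=FF:FF:FF:FF:FF:FF interface=lan_bridge \
    comment="WOL: fake host resolves to the broadcast MAC"

# Mitigation for the warning in the post: only a trickle of magic packets is
# forwarded, the rest are dropped. The forward chain sees the post-NAT
# destination (192.168.1.100:9). These two rules must sit above any generic
# accept rule in the forward chain, otherwise they never match.
/ip firewall filter add chain=forward protocol=udp dst-address=192.168.1.100 dst-port=9 \
    limit=1,5:packet action=accept comment="WOL: allow 1 pps, burst 5"
/ip firewall filter add chain=forward protocol=udp dst-address=192.168.1.100 dst-port=9 \
    action=drop comment="WOL: drop excess broadcasts"
```

Paste the commands into the RouterOS terminal (or WinBox's New Terminal), then send a magic packet for the NAS's MAC to 192.168.60.141:9999 from outside; `/ip firewall filter print stats` shows the accept counter moving for normal use and the drop counter moving when someone floods the port. If the existing forward chain already has an early "accept established/related" or a blanket accept, move the two WOL rules above it with `/ip firewall filter move`.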