A blocking question.

What I would like to do is to block access to port 8291 from inside and outside the network except for a specific MAC address. I have been able to block and allow specific MAC addresses from the inside to the outside across the entire range of ports by using these (and by removing the NOT mark in the firewall rule).

/ip firewall filter
add action=drop chain=forward disabled=yes packet-mark=!OX:OX:OX:OX:OX:OX
/ip firewall mangle
add action=mark-connection chain=prerouting new-connection-mark=Android \
    passthrough=yes src-mac-address=OX:OX:OX:OX:OX:OX
add action=mark-packet chain=prerouting connection-mark=Android \
    new-packet-mark=OX:OX:OX:OX:OX:OX passthrough=yes

But I am wondering if I replace the drop rule with this one,

add action=drop chain=forward disabled=yes dst-port=8291 packet-mark=\
    !30:4B:07:64:A3:71 protocol=tcp

Would that block all traffic inbound from the internet on port 8291 except for the one IP Address?

The source MAC address of a packet changes as the packet travels through the L3 network - it is always the MAC address of the local L2 source of the packet, i.e. in case of packets coming from the internet via your ISP uplink, it is the MAC address of your ISP’s gateway device, not of your Android phone many L3 hops away (or it is not there at all if your uplink is an L3 tunnel like PPPoE).

If you want to permit a device to connect via the internet, use of a VPN is the only solution for additional authentication beyond the username and password check of the service (Winbox in this case).

Leaving aside that to forge your source MAC address is a very simple task on most contemporary computers, so even on LAN, authentication by MAC address is easily breakable.

Other than that, it is much safer to have the firewall rules composed as “selectively accept what you need to accept and drop the rest” than “selectively drop what you need to drop and accept the rest”. If you forget to permit something, your legitimate users will let you know quickly; if you forget to deny something, your illegitimate users will never let you know.
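The "accept what you need, drop the rest" layout described above, applied to Winbox on port 8291, as an added example that is not part of the original posts. The address list name `mgmt`, the LAN subnet 192.168.88.0/24 and the VPN client pool 10.10.10.0/24 are assumed values; match on source IP address (LAN or VPN) replaces the MAC match, since the MAC of a remote device never reaches the router.

```routeros
# Added example (not from the thread). Constructed values:
#   list "mgmt", LAN 192.168.88.0/24, VPN client pool 10.10.10.0/24.
/ip firewall address-list
add list=mgmt address=192.168.88.0/24 comment="LAN (assumed subnet)"
add list=mgmt address=10.10.10.0/24 comment="VPN clients (assumed pool)"

/ip firewall filter
# Connections to the router itself (Winbox included) traverse chain=input,
# not chain=forward.
add chain=input action=accept connection-state=established,related \
    comment="replies to connections already allowed"
add chain=input action=drop connection-state=invalid
add chain=input action=accept protocol=icmp
# If the VPN terminates on this router, accept the VPN's own protocol/port
# here (not shown: the thread does not name a VPN type).
add chain=input action=accept protocol=tcp dst-port=8291 \
    src-address-list=mgmt comment="Winbox from LAN or VPN only"
# Anything not explicitly accepted above is dropped, which includes
# Winbox attempts arriving from the internet.
add chain=input action=drop comment="drop the rest"

# Second layer: the Winbox service itself only answers these sources.
/ip service
set winbox address=192.168.88.0/24,10.10.10.0/24
```

Other router services that LAN clients use (DNS, DHCP and so on) need their own accept rules above the final drop. Apply the rules from Safe Mode so that a mistake does not lock you out of the router.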

Why is it when you have a stroke of genius in the middle of the night when you were not even thinking about the problem, you overlook the one fact that stops you from making it work until you blurt it out to everyone? Thank you for not calling me an idiot for overlooking the fact that the MAC address changes. I also knew the rest but was willing to overlook it for an easy solution. Thank you for reminding me of the facts.