I have a case where we have several RB450G routers in one building that communicate to the same gateway (server). I want to set up firewall rules to block winbox, webfig, and possibly MAC discovery for winbox just on ETH port 1 of all the routers. I can manage them locally and do not want remote access. I would like to still be able to access via winbox on the other ETH ports.
I saw this example while searching for a solution, sorry if I wasn't supposed to post this. This example allowed a particular IP access to winbox. Is it possible to rework this so that no winbox access is available from ETH1? Thanks
/tool mac-server
add disabled=yes interface=all
/tool mac-server ping
set enabled=no
/ip firewall filter
add action=drop chain=input comment="block mikrotik discovery" disabled=no dst-port=5678 protocol=udp
add action=drop chain=input comment="ALL WINBOX REQUEST By MAC Address" disabled=no dst-port=20561 protocol=udp
add action=drop chain=input comment="ALL WINBOX REQUEST EXCEPT FROM MY PC" disabled=no dst-port=8291 protocol=tcp src-address=!192.168.2.6
You can also disable Network Neighbor Discovery on the interface to which your network users are connected.
Example: /ip neighbor discovery set ether1 discover=no
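
The rules quoted in the post, scoped to a single port with the in-interface matcher, as an added example that is not part of the original post. It assumes ether1 is the port to lock down and that WebFig runs on the default www port 80 (not stated in the post), and it leaves out the /tool mac-server lines because they are set for interface=all rather than one port.

```routeros
# Added example (not from the original post).
# Assumption: ether1 is the port where management access must be refused.
/ip firewall filter

# WinBox over IP (TCP 8291), only when it arrives on ether1.
# No src-address exception, so nobody reaches WinBox through this port.
add action=drop chain=input in-interface=ether1 protocol=tcp dst-port=8291 \
    comment="drop WinBox on ether1"

# WebFig. Assumption: the www service is still on its default port 80.
add action=drop chain=input in-interface=ether1 protocol=tcp dst-port=80 \
    comment="drop WebFig on ether1"

# MikroTik discovery (UDP 5678), same port as in the quoted rule,
# so the router does not answer discovery from the ether1 side.
add action=drop chain=input in-interface=ether1 protocol=udp dst-port=5678 \
    comment="drop discovery on ether1"

# WinBox by MAC address (UDP 20561), same port as in the quoted rule.
add action=drop chain=input in-interface=ether1 protocol=udp dst-port=20561 \
    comment="drop MAC WinBox on ether1"
```

Filter rules are evaluated top to bottom, so these drops have to sit above any accept rule in the input chain that matches the same traffic. Traffic entering on the other ports does not match in-interface=ether1 and is left to the rest of the rule set.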