Block MNDP with IP Neighbors running?

Hi,

I am trying to allow only admin computers that are on a “Winbox_Admin” firewall address list to see the neighbor discovery results from winbox connections to MNDP UDP on port 5678. I want to leave Neighbors Discover settings on my management interface running but block the “results” to admin IPs that are on a firewall address list. To be clear - I don’t want non-admin users (i.e. not on the Winbox_Admin list) to run winbox and see the neighbor discovery results.

I have tried blocking input UDP 5678 broadcast packets completely with no luck. Any advice, hints or suggestions?

Thanks in advance.

Despite the fact MNDP is located in the /ip neighbor menu, it should be considered an L2 protocol because both the dst-MAC and dst-IP are broadcasts. Due to that, /ip firewall (both filter and raw) sees the packets but can’t drop them. (Personally I consider that a bug - either it should count matched packets and drop them, or if it does not drop them, then it should not count them.)

To block it you need to use /interface bridge filter. If you want to block it on an interface which is not bridged, you can’t. The only way I found is to add the interface to a bridge alone (again a useless waste of CPU power) and apply the filter on the bridge. The only good news is that you can use it while hw-offload is active, because it is on the “input” chain.

During my test, the following setting stopped winbox from detecting neighbors on the network:

/interface bridge filter
add action=drop chain=input dst-port=5678 ip-protocol=udp mac-protocol=ip
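
One way to get the original poster's "admins only" behaviour on top of that drop rule, as an added example that is not part of either post: accept the discovery packets from each admin workstation first, then drop the rest. Bridge filter rules have no address-list matcher (unlike /ip firewall), so every admin IP needs its own accept rule. The bridge name "bridge1" and the admin addresses 192.168.88.10 and 192.168.88.11 are placeholders I chose for the example.

```routeros
# Added example (not from the thread). Assumed values: bridge "bridge1"
# carries the management interface; 192.168.88.10 and .11 are the admin
# workstations. Rules are evaluated top to bottom, so the accepts must
# come before the final drop.
/interface bridge filter
add chain=input in-bridge=bridge1 mac-protocol=ip ip-protocol=udp dst-port=5678 src-address=192.168.88.10/32 action=accept comment="MNDP: admin host"
add chain=input in-bridge=bridge1 mac-protocol=ip ip-protocol=udp dst-port=5678 src-address=192.168.88.11/32 action=accept comment="MNDP: admin host"
add chain=input in-bridge=bridge1 mac-protocol=ip ip-protocol=udp dst-port=5678 action=drop comment="MNDP: drop discovery from everyone else"

# Check which rule is matching: counters on the drop rule should grow only
# when a non-admin host runs winbox discovery.
/interface bridge filter print stats
```

Two caveats: the rules only match frames arriving at the router (chain=input), so the periodic announcements the router itself sends out are output traffic and are not touched by them; and because the match is on source IP rather than on anything authenticated, it only raises the bar for casual discovery, not for a host that spoofs an admin address.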

Thanks very much. I appreciate your clear and concise response. I was totally confused as to why the counter ran but nothing happened… Big thanks.