Can't connect to hAP ac lite behind managed switch using Winbox (MAC address), but connection via IP address works

I got a new managed switch recently and wanted to test its VLAN function against a hAP ac lite. So, I figured Winbox should be able to connect to it across the managed switch (via MAC address) as long as they’re configured to be in the same VLAN/L2 domain.

So I set up a management VLAN (VLAN 88) on the hAP ac lite, its ETH1 as trunk port carrying VLAN 88 and another VLAN 87, then linking ETH1 to a trunk port on managed switch with same VLAN memberships. To be able to tap onto VLAN 88, an access port for VLAN 88 was created on the managed switch. However, Winbox is unable to connect to the hAP ac lite (via MAC address) using a laptop connected to said access port. Simple ASCII illustration below:

Laptop <----> (access port/VLAN 88) Managed Switch (trunk port/VLAN 87+88) <----> (trunk port/VLAN 87+88) hAP ac lite

Is this expected? I.e., is MAC Winbox supposed to be able to connect over multiple L2 “hops”? Both neighbor discovery and the MAC Winbox server allowed interface are set to “all”. The VLAN function of the managed switch appears to be working properly when using a different testing method such as DHCP.

MAC connections are allowed according to interface list. In CLI that’s /tool mac-server mac-winbox, by default it’s allowed from LAN interface list. Interface lists are under /interface list.

Hello mkx, I did take special care with these settings, as follows:


/ip neighbor discovery-settings
set discover-interface-list=all

/tool mac-server mac-winbox
set allowed-interface-list=all

Basically, does “all” mean “directly connected to Mikrotik box” only? Or should it be able to work even if the connection was made from many switches away?

“all” means all interfaces. Any interface (physical, virtual, dynamic, etc…) will accept MAC-based connections.
MAC-based connection should be possible across whole L2 domain unless there are some L2 filters. That means it is NOT LIMITED to only directly connected devices.

Also, keep in mind that besides /tool mac-server mac-winbox, which is related to MAC Winbox, you need to also set up /tool mac-server, which is related to MAC telnet. If you don't, you may block Winbox but telnet might still be available via MAC.

OK, so I finally “solved” my problem. Turns out that “all” doesn’t include tagged frames. Since the Winbox connection comes in through a trunk port of the hAP ac lite, it sees the connection as coming from VLAN 88. I just had to explicitly create an interface list for the management VLAN (VLAN 88) and allow it in /ip neighbor discovery-settings, /tool mac-server and /tool mac-server mac-winbox.
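The configuration the last post describes, written out as an added RouterOS CLI example (not taken from the thread). It assumes the hAP ac lite already has a bridge named "bridge" with VLAN filtering enabled and ether1 as a tagged member for VLANs 87 and 88; the VLAN interface name "vlan88-mgmt" and the interface list name "MGMT" are chosen here for illustration. Scoping all three settings to the management VLAN instead of "all" both fixes the tagged-frame problem and keeps MAC Winbox, MAC telnet and neighbor discovery unreachable from the other VLAN.

```routeros
# Added example, not from the original thread.
# Assumption: a bridge named "bridge" exists with vlan-filtering=yes,
# and ether1 is a tagged member for VLANs 87 and 88.

# Layer-3 interface for the management VLAN on top of the bridge
/interface vlan
add name=vlan88-mgmt vlan-id=88 interface=bridge

# Interface list that holds only the management VLAN interface
/interface list
add name=MGMT
/interface list member
add list=MGMT interface=vlan88-mgmt

# Neighbor discovery: only answer on the management VLAN
/ip neighbor discovery-settings
set discover-interface-list=MGMT

# MAC telnet server: restrict to the management VLAN (not just MAC Winbox)
/tool mac-server
set allowed-interface-list=MGMT

# MAC Winbox server: restrict to the management VLAN
/tool mac-server mac-winbox
set allowed-interface-list=MGMT

# Verification: confirm the three settings point at the list,
# then check which interface the incoming session was seen on.
/ip neighbor discovery-settings print
/tool mac-server print
/tool mac-server mac-winbox print
/tool mac-server sessions print
```

After applying this, a laptop on the VLAN 88 access port of the managed switch should see the hAP ac lite in the Winbox neighbor list and connect by MAC address, while a host on VLAN 87 should see nothing. The sessions print is the quick way to confirm the session is attributed to vlan88-mgmt rather than to the untagged ether1.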