Configuring a dedicated management port

Great news, glad its up and running!
Also not for winbox the first one is not needed and for better security should be set to none.
From:
/tool mac-server
set allowed-interface-list=MGMT
/tool mac-server mac-winbox
set allowed-interface-list=MGMT

TO:
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=MGMT

These settings are found in winbox under TOOLS.

winmac.jpg

The Mac server just lets me connect via Mac address right? For now I definitely want to keep that one while developing my config.

Yup, and anyone else on the router …( at least its internal )

Anyone else on that interface - not internal. That interface will be in my office.

Anyway here is the full config since someone asked for it. Nothing special and only temporary - still working. Next step is to do separate NAT for different internal subnets. Actually next step is to connect the WAN and do some real testing. Then separate NAT

# jan/03/1970 23:48:03 by RouterOS 7.8
# software id = 4CAA-WNVT
#
# model = RB5009UPr+S+
# serial number = HF709ARMFCN
/interface bridge
add admin-mac=78:9A:18:8B:AD:EB auto-mac=no comment=defconf name=br-main
/interface ethernet
set [ find default-name=ether1 ] name=P1-WAN
set [ find default-name=ether2 ] name=P2-free
set [ find default-name=ether3 ] name=P3-Switch
set [ find default-name=ether4 ] name=P4-CAP03
set [ find default-name=ether5 ] name=P5-CAP02
set [ find default-name=ether6 ] name=P6-CAP01
set [ find default-name=ether7 ] name=P7-Router
set [ find default-name=ether8 ] name=P8-MGMT
/interface vlan
add interface=br-main name=vl-guest-wifi vlan-id=66
add interface=br-main name=vl-guest-wired vlan-id=77
add interface=br-main name=vl-iot vlan-id=55
add interface=br-main name=vl-kids-wifi vlan-id=33
add interface=br-main name=vl-kids-wired vlan-id=44
add interface=br-main name=vl-mgmt vlan-id=11
add interface=br-main name=vl-server vlan-id=22
add interface=br-main name=vl-tr-wifi vlan-id=99
add interface=br-main name=vl-tr-wired vlan-id=88
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=MGMT
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=pool-dhcp-temp ranges=172.30.99.22-172.30.99.222
add name=pool-dhcp-mgmt ranges=10.0.254.100-10.0.254.110
add name=pool-dhcp-br-wired ranges=10.1.88.22-10.1.88.33
add name=pool-dhcp-vl-mgmt ranges=10.2.11.100-10.2.11.110
add name=pool-dhcp-vl-srvr ranges=10.2.22.100-10.2.22.120
add name=pool-dhcp-vl-iot ranges=10.2.55.2-10.2.55.222
add name=pool-dhcp-vl-guest-wifi ranges=10.2.66.22-10.2.66.222
add name=pool-dhcp-vl-guest-wired ranges=10.2.77.22-10.2.77.222
add name=pool-dhcp-vl-tr-wired ranges=10.2.88.22-10.2.88.222
add name=pool-dhcp-vl-tr-wifi ranges=10.2.99.22-10.2.99.222
add name=pool-dhcp-vl-kids-wifi ranges=10.2.33.100-10.2.33.200
add name=pool-dhcp-vl-kids-wired ranges=10.2.44.100-10.2.44.200
/ip dhcp-server
add address-pool=default-dhcp interface=br-main name=dhcp-bridge
add address-pool=pool-dhcp-vl-mgmt interface=vl-mgmt name=dhcp-vl-mgmt
add address-pool=pool-dhcp-mgmt interface=P8-MGMT name=dhcp-mgmt
/interface bridge port
add bridge=br-main interface=P2-free
add bridge=br-main interface=P3-Switch
add bridge=br-main interface=P4-CAP03
add bridge=br-main interface=P5-CAP02
add bridge=br-main interface=P6-CAP01
add bridge=br-main interface=P7-Router
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=br-main list=LAN
add comment=defconf interface=P1-WAN list=WAN
add interface=P8-MGMT list=MGMT
/ip address
add address=192.168.88.1/24 comment=defconf interface=br-main network=192.168.88.0
add address=10.0.254.1/24 interface=P8-MGMT network=10.0.254.0
/ip dhcp-client
add comment=defconf interface=P1-WAN
/ip dhcp-server network
add address=10.0.254.0/24 dns-server=10.0.254.1,8.8.8.8 gateway=10.0.254.1
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall address-list
add address=10.0.254.0/24 list=SN-MGMT
add address=10.2.254.0/24 list=SN-VL-MGMT
add address=10.2.22.0/24 list=SN-VL-SRVR
add address=10.2.33.0/24 list=SN-VL-KIDS-WIFI
add address=10.2.44.0/24 list=SN-VL-KIDS-WIRED
add address=10.2.55.0/24 list=SN-VL-IOT
add address=10.2.66.0/24 list=SN-VL-GST-WIFI
add address=10.2.77.0/24 list=SN-VL-GST-WIRED
add address=10.2.88.0/24 list=SN-VL-TR-WIRED
add address=10.2.99.0/24 list=SN-VL-TR-WIFI
add address=10.0.0.0/8 list=RFC1918-10
add address=172.16.0.0/12 list=RFC1918-172-16
add address=192.168.0.0/16 list=RFC1918-192-168
add address=10.0.0.0/8 list=RFC1918
add address=172.16.0.0/12 list=RFC1918
add address=192.168.0.0/16 list=RFC1918
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="Allow ICMP on select Interfaces" in-interface=P8-MGMT protocol=icmp
add action=accept chain=input in-interface-list=LAN protocol=icmp
add action=accept chain=input comment="All input from MGMT and LAN" dst-address=127.0.0.1
add action=accept chain=input in-interface=P8-MGMT
add action=accept chain=input in-interface-list=LAN
add action=drop chain=input
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip service
set winbox address=192.168.88.0/24,10.0.254.0/24
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/tool mac-server
set allowed-interface-list=MGMT
/tool mac-server mac-winbox
set allowed-interface-list=MGMT

@OP. Could you use code tags ( < / > ) instead of pure quotes < " > to post your configs, please. It helps reading.

I googled looking for code tags but didn’t find anything. I don’t see a difference in what you are posting.

test code

I googled looking for code tags but didn’t find anything. I don’t see a difference in what you are posting.

test code