CRS112-8P-4S-IN cannot block MAC Winbox

We’re testing the CRS112-8P-4S-IN. We suddenly found we can’t block MAC Winbox access, even after blocking everything in the IP firewall and allowing nothing in mac-winbox-server. We can still access Winbox through the MAC address via ether1 with the config below. Most of it was done from Quick Set (router mode), with some unnecessary lines removed. The OS version is 6.44.3.

/interface bridge
add admin-mac=XX:XX:AC:03:XX:XX auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] speed=100Mbps
set [ find default-name=ether2 ] speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
set [ find default-name=ether6 ] speed=100Mbps
set [ find default-name=ether7 ] speed=100Mbps
set [ find default-name=ether8 ] speed=100Mbps
set [ find default-name=sfp9 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=sfp10 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=sfp11 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=sfp12 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles set [ find default=yes ]
/ip pool
add name=dhcp ranges=192.168.18.100-192.168.18.220
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=dhcp1
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=sfp9
add bridge=bridge comment=defconf interface=sfp10
add bridge=bridge comment=defconf interface=sfp11
add bridge=bridge comment=defconf interface=sfp12
/interface list member
add interface=ether1 list=WAN
add interface=bridge list=LAN
/ip address
add address=192.168.18.1/24 interface=ether2 network=192.168.18.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.18.0/24 gateway=192.168.18.1 netmask=24
/ip firewall filter
#!!!!!!!!!!!!!!!!!!!!!!!!!Block everything!!!!!!!!!!!!!!!!!!!!!!!!!
add action=drop chain=forward
add action=drop chain=output
add action=drop chain=input
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no

Any update?

Your IP address should be on the bridge, not on ether2.
You didn’t even specify what version of RouterOS you’re running.
What response do you expect?

It’s 6.44.3.
You’re right, an IP on a slave interface isn’t correct. FYI, the IP on ether2 was generated by Quick Set (which seems to be another bug?); it was just a fast and lazy config for testing. But we don’t use ether2 anyway. We now have no way to block the MAC server from ether1. We also tried simply disabling anything but ether1, with the same result.

You can’t block MAC WinBox with IP firewall, that’s expected.
Would you still be able to connect from ether1 with allowed-interface-list set to LAN?

It is true until this still doesn’t block the MAC server… (remember I blocked everything)

/interface bridge settings set use-ip-firewall=yes

And the allowed-interface-list=none suddenly works now (after we focused on something for days), and keeps working after changing it back and forth. I’m 100% certain I did try disconnecting/soft-rebooting/power cycling along with my colleague (since we found the allowed-interface-list parameter won’t affect active sessions) with no luck. But it works now, however. I can’t tell why. We can only keep an eye on that…
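
Added example, not from the thread or from MikroTik: a small Python audit of a RouterOS export that reports which interfaces the MAC server and MAC WinBox server accept connections on, and flags an IP address placed on a bridge port, the two points raised in the replies above. The function names and the trimmed sample export are constructed for illustration, and treating a setting missing from the export as "all" is an assumption.

```python
import shlex

# Constructed sample: the lines of the export above that matter for MAC access.
SAMPLE = """\
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
/interface list member
add interface=ether1 list=WAN
add interface=bridge list=LAN
/ip address
add address=192.168.18.1/24 interface=ether2 network=192.168.18.0
/ip firewall filter
add action=drop chain=input
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
"""
SERVICES = ("/tool mac-server", "/tool mac-server mac-winbox")

def parse_export(text):
    """Yield (section, {key: value}) for every add/set line of an export."""
    section = ""
    for line in text.splitlines():
        tokens = [] if line.lstrip().startswith("#") else shlex.split(line)
        if tokens and tokens[0].startswith("/"):
            # A section header may carry its command on the same line.
            cut = next((i for i, t in enumerate(tokens) if t in ("add", "set")), len(tokens))
            section, tokens = " ".join(tokens[:cut]), tokens[cut:]
        if tokens:
            yield section, dict(t.split("=", 1) for t in tokens[1:] if "=" in t)

def audit(text):
    """Return ({service: interfaces it listens on}, [findings])."""
    rows = list(parse_export(text))
    members, ports, findings, reach = {}, set(), [], {}
    for section, kv in rows:
        if section == "/interface list member":
            members.setdefault(kv["list"], []).append(kv["interface"])
        elif section == "/interface bridge port":
            ports.add(kv["interface"])
    for section, kv in rows:
        if section == "/ip address" and kv.get("interface") in ports:
            findings.append(f"{kv['address']} is on bridge port {kv['interface']}, not on the bridge")
    for svc in SERVICES:
        # Assumption: a setting missing from the export is at its default, taken here to be "all".
        name = next((kv["allowed-interface-list"] for s, kv in rows
                     if s == svc and "allowed-interface-list" in kv), "all")
        # /ip firewall filter rows are ignored on purpose: MAC WinBox is not IP traffic.
        reach[svc] = {"none": [], "all": ["all"]}.get(name, members.get(name, []))
    return reach, findings
```

An empty interface list for a service means the export asks for it to be closed everywhere; since the thread notes the parameter does not affect active sessions, compare the result against live behaviour only after existing MAC sessions have ended.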