Yes, discovery is the one you see in WebFig/WinBox under IP > Neighbor > Discovery and in the CLI at /ip/neighbor/discovery-settings.
I saw your other question about MAC protocols, and let me answer a bit generally. This is the script I use for all of them:
# This is for discovery (assumes an interface list named DISCOVERY already exists)
/ip neighbor discovery-settings/set discover-interface-list=DISCOVERY \
mode=tx-and-rx protocol=cdp,lldp,mndp
# This is for mac-ping
/tool mac-server ping set enabled=no
# This is for mac-telnet
/tool mac-server set allowed-interface-list=none
# This is for mac-winbox
/tool mac-server mac-winbox set allowed-interface-list=DISCOVERY
This obviously disables mac-ping and mac-telnet completely. It allows neighbor discovery and mac-winbox only on DISCOVERY ports.
Note that normal IP-based management (be it SSH, WinBox, WebFig, etc.) is totally separate from the MAC-based ones.
Nope. Discovery is handled entirely in the ip/neighbor… part. Whether to allow the device to be discovered is the tx-and-rx part; rx only means just listening for other devices.
The mac-winbox is for mac winbox.
That I use the same interface list for both (coincidentally named DISCOVERY) just makes sense. (At least to me - I’d like to “see” the device on the interfaces from which I’ll be able to connect.)
More specifically /tool mac-server is what lets WinBox connect via MAC address.
They’re related only since “MNDP” in /ip/neighbor is helpful / useful to know the MAC address of a device on the subnet – but mac-server does not “depend” on neighbor discovery. Now, you need to know a MAC address to use the mac-server from a WinBox “client”, which is why they’re related.
But if you’re turning off discovery, in most cases you’re “locking down” things, which is why @lurker888 mentions it. So if you’re not using a MAC address to connect, the mac-server is another one to consider.
Now, disabling these things may come back to haunt you in some future “oh shit” moment in your config, and then you may want discovery/mac-server back – something else to consider here.
Thanks, @Amm0. I just think it’s not useless to reiterate for anyone coming here as a result of a search. I include these together because:
- none of these can be filtered in the normal way in the IP firewall
- if you’re disabling neighbor discovery (MNDP) for security/hardening on some/all interfaces, then you especially don’t want mac-telnet or mac-winbox available on them
The latter is especially important, because if you’re security-conscious and run some sort of scanning tool (like nmap or Nessus) to verify your work, these have a hard time spotting either of these access methods being left open.
Also, to be clear the naming/menu structure is not really that intuitive:
- for mac-telnet the setting is /tool mac-server set allowed-interface-list=XXX
- for mac-winbox the setting is /tool mac-server mac-winbox set allowed-interface-list=XXX
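Since a network scanner does not see these Layer-2 management paths, the practical way to verify the hardening in this thread is to check the configuration itself. Below is an added example (not code from any poster or from MikroTik) that audits the text of a RouterOS `/export` for the four settings discussed: neighbor discovery, mac-telnet, mac-winbox and mac-ping. The two export snippets inside it are constructed, not taken from a real device; one leaves mac-winbox on `all` and omits mac-ping, the other mirrors the script posted above. The `/tool mac-server` factory defaults used for absent lines (`allowed-interface-list=all`, `ping enabled=yes`) are the documented defaults; the discovery default varies by RouterOS version and is an assumption here.

```python
"""Audit a RouterOS /export for the Layer-2 management paths this thread covers:
neighbor discovery, mac-telnet, mac-winbox and mac-ping."""
import re
from typing import Dict, Tuple

# (menu path, setting) -> (short label, factory default assumed when the line is absent).
# A plain /export omits settings still at their default, so an absent line means
# "still at the factory value", not "not configured". The /tool mac-server defaults
# below are the factory values; the discovery default is an assumption (version-dependent).
WATCHED: Dict[Tuple[str, str], Tuple[str, str]] = {
    ("/tool mac-server", "allowed-interface-list"): ("mac-telnet", "all"),
    ("/tool mac-server mac-winbox", "allowed-interface-list"): ("mac-winbox", "all"),
    ("/tool mac-server ping", "enabled"): ("mac-ping", "yes"),
    ("/ip neighbor discovery-settings", "discover-interface-list"): ("discovery", "all"),
}

# Constructed sample export (not from a real device): mac-telnet restricted, but
# mac-winbox left on all interfaces and mac-ping never touched (so absent here).
WEAK_EXPORT = r"""# 2024-01-01 00:00:00 by RouterOS 7.12
/interface list
add name=DISCOVERY
/ip neighbor discovery-settings
set discover-interface-list=DISCOVERY \
    protocol=mndp
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=all
"""

# Constructed export mirroring the hardening script posted in this thread.
HARDENED_EXPORT = r"""/ip neighbor discovery-settings
set discover-interface-list=DISCOVERY mode=tx-and-rx protocol=cdp,lldp,mndp
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=DISCOVERY
/tool mac-server ping
set enabled=no
"""


def parse_export(text: str) -> Dict[str, Dict[str, str]]:
    """Return {menu path: {setting: value}} for the global `set` lines of an export.
    RouterOS wraps long lines with a trailing backslash; those are joined first.
    Comment lines and row-adding `add` lines are skipped."""
    joined = re.sub(r"\\\n\s*", " ", text)
    settings: Dict[str, Dict[str, str]] = {}
    menu = ""
    for raw in joined.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            menu = line  # e.g. "/tool mac-server mac-winbox"
            continue
        if menu and line.startswith("set "):
            for key, value in re.findall(r'([\w-]+)=("[^"]*"|\S+)', line[4:]):
                settings.setdefault(menu, {})[key] = value.strip('"')
    return settings


def audit(text: str, trusted_lists=("DISCOVERY",)) -> Dict[str, str]:
    """Return {label: verdict}; each verdict starts with OK, EXPOSED or REVIEW.
    An interface list is OK when it is 'none' or one of trusted_lists, EXPOSED when
    it is 'all' (including an absent line at a default of 'all'), REVIEW otherwise."""
    cfg = parse_export(text)
    verdicts: Dict[str, str] = {}
    for (menu, key), (label, default) in WATCHED.items():
        present = key in cfg.get(menu, {})
        value = cfg.get(menu, {}).get(key, default)
        origin = "" if present else " (absent from export, factory default assumed)"
        if key == "enabled":
            state = "OK" if value == "no" else "EXPOSED"
        elif value == "none" or value in trusted_lists:
            state = "OK"
        elif value == "all":
            state = "EXPOSED"
        else:
            state = "REVIEW"
        verdicts[label] = f"{state}: {menu} {key}={value}{origin}"
    return verdicts


if __name__ == "__main__":
    for name, export in (("weak", WEAK_EXPORT), ("hardened", HARDENED_EXPORT)):
        print(f"== {name} ==")
        for label, verdict in audit(export).items():
            print(f"{label:11} {verdict}")
```

Run it against the output of `/export` copied from the device (not `export verbose`, which prints defaults explicitly and would make the "absent" branch unnecessary). The point of the absent-line handling is the one that bites in practice: a config that never mentions `/tool mac-server ping` is not a config with mac-ping disabled.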