Firewall not working when accessing router via MAC address?

Networking newbie and first-time MikroTik user here (CCR1009 7G).

During the initial firewall setup I created the following rule so only specific hosts are allowed to access the router:

chain=input action=accept src-address-list=allowed_to_router in-interface=ether2 log=no log-prefix=""

Later, I changed the IP address of the computer from which I was running Winbox and forgot to update the “allowed_to_router” address list with the new IP. So I thought I locked myself out. Trying to access the router via the router IP indeed stopped working. However, I was surprised to find out that I could still connect to the router via its MAC address.

So can someone please kindly explain to me why the firewall rule above did not prevent me from connecting to the router by MAC address from an unauthorized host IP? Thanks!

I sincerely believe my post was approved at a time when it was instantly pushed to the bottom of the list, and thus it is getting no page views.
Your advice on this would be greatly appreciated!

When you connect by MAC address you are connecting via layer 2.
Your firewall works on layer 3.

Thanks. Just found that there is a separate Tools → MAC Server setup where the MAC Winbox server can be controlled.

Out of curiosity: Is the RouterOS “router” operating system itself sitting at Layer 3 or Layer 2? Are there somehow two instances of it, one sitting behind Layer 3 and protected by the firewall’s INPUT chain, and another instance sitting on Layer 2 (the “MAC Winbox”) just so that users can reach it via MAC?

Thanks.

As far as I am aware it is 1 operation which has multiple points of entry.

MAC Winbox has been a bit of a lifesaver when I’ve made a schoolboy error without using safe mode.
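
The gap discussed above can be checked for in a configuration export. The following is an added example, not part of the original thread: it reads `/export` text and reports MAC Telnet and MAC Winbox servers that are still open on every interface. It assumes RouterOS 6.41+ syntax (`allowed-interface-list`, with the default `all` omitted from the export); the sample exports and the `mgmt` interface list name are constructed.

```python
import re

# Layer-2 management services; per the thread they are reached by MAC address,
# so an address-list rule in the input chain did not restrict them.
MAC_SERVICES = {"/tool mac-server": "MAC Telnet",
                "/tool mac-server mac-winbox": "MAC Winbox"}

# Constructed sample exports (RouterOS 6.41+ syntax assumed); "mgmt" is a
# hypothetical interface list name.
EXPORT_OPEN = r"""
/ip firewall filter
add action=accept chain=input in-interface=ether2 \
    src-address-list=allowed_to_router
add action=drop chain=input in-interface=ether2
"""
EXPORT_LOCKED = EXPORT_OPEN + """/tool mac-server
set allowed-interface-list=mgmt
/tool mac-server mac-winbox
set allowed-interface-list=mgmt
"""

def parse_export(text):
    """Return {menu path: [command lines]} from '/export' output."""
    text = re.sub(r"\\\r?\n\s*", "", text)  # rejoin lines wrapped with '\'
    menus, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            current = line
            menus.setdefault(current, [])
        elif current:
            menus[current].append(line)
    return menus

def audit_mac_access(text):
    """Report MAC services left open on all interfaces."""
    menus = parse_export(text)
    ip_filtered = any("chain=input" in r and "src-address" in r
                      for r in menus.get("/ip firewall filter", []))
    findings = []
    for menu, name in MAC_SERVICES.items():
        allowed = "all"  # assumed default when the export omits the setting
        for cmd in menus.get(menu, []):
            m = re.search(r"allowed-interface-list=(\S+)", cmd)
            if cmd.startswith("set") and m:
                allowed = m.group(1)
        if allowed == "all":
            note = "; the input-chain address list does not restrict it" if ip_filtered else ""
            findings.append(f"{name} reachable on all interfaces{note}")
    return findings
```

Running `audit_mac_access(EXPORT_OPEN)` reports both services, while `EXPORT_LOCKED` produces no findings.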

How do I change the below script to work with my wireless interface and not my ethernet interface?

#define char table

:global chArray 0abcdef0123456789abcdef012345abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef012345
:local strPass "";


#get counters
#:local chz1num [/system clock get time ];
#:local chz2num [/system clock get time ];
:local chz3num [/system clock get time ];
:local chz4num [/system clock get time ];
:local chz5num [/system clock get time ];
:local chz6num [/system clock get time ];
:local chz7num [/system resource get cpu-load ];
:local chz8num [/system resource get cpu-load ];
:local chz9num [/system resource get uptime ];
:local chz10num [/system resource get uptime ];
:local chz11num [/system resource get uptime ];
:local chz12num [/system resource get cpu-load ];


:local ch1num 0;
:local ch2num 0;
:local ch3num [:pick $chz3num 6 8];
:local ch4num [:pick $chz4num 6 8];
:local ch5num [:pick $chz5num 6 8];
:local ch6num [:pick $chz6num 6 8];
:local ch7num [:pick $chz7num];
:local ch8num [:pick $chz8num];
:local ch9num [:pick $chz9num 5 7];
:local ch10num [:pick $chz10num 2 4];
:local ch11num [:pick $chz11num 8 10];
:local ch12num [:pick $chz12num];

#generate password

:set strPass ( [:tostr [ :pick $chArray $ch1num ]] . [:tostr [:pick $chArray $ch2num ]] . [:tostr [:pick $chArray ($ch3num+$chz12num) ]] . [:tostr [:pick $chArray ($ch4num*2) ]] . [:tostr [:pick $chArray ($ch5num+16) ]] . [:tostr [:pick $chArray ($ch6num+4) ]] . [:tostr [:pick $chArray ($ch7num+12) ]] . [:tostr [:pick $chArray $ch8num ]] . [:tostr [:pick $chArray $ch9num ]] . [:tostr [:pick $chArray $ch10num ]] . [:tostr [:pick $chArray $ch11num ]] . [:tostr [:pick $chArray $ch12num ]] );

/interface wireless set wlan1 mac-address=$strPass;
:log warning $strPass;
#the end