Local link connection on ROS 7.1.5 bypasses restrictions

kakana · May 26, 2022, 8:53pm

I noticed that I am able to connect to Mikrotik hAP AC2 via winbox when using local link connection on Linux despite setting user address, winbox address and mac-winbox for a specific interface. In particular, I set:
/user set [/user find where name=“username”] address=192.168.0.0/24
/ip service set winbox address=192.168.0.0/24
/ip neighbor discovery-settings set discover-interface-list=MGMT
/tool mac-server set allowed-interface-list=MGMT
/tool mac-server mac-winbox set allowed-interface-list=MGMT

I thought that with these settings I will be able to access the server only when I am connected to MGMT network. This is also how it used to work in ROS 7.1.3. However, to my surprise, using local connection on ROS 7.1.5 I can discover neighbour MAC address on Mikrotik as well as access the server using winbox. Is this a bug or has something changed in the meantime? How can I prevent local link connections from accessing the device?

rextended · May 26, 2022, 8:57pm

Layer 3 Winbox service settings do not apply to Layer 2 MAC-winbox service, and vice-versa.
(And also if the interface on MGMT group is also on bridge, all the interfaces on that bridge can access the device)

kakana · May 26, 2022, 9:16pm

Thanks for the information. I think that I will need to test my configuration a bit more as it seems to work a bit different than what I thought it does.
Apologies if your answer already covered it, but as I use Mikrotik only for few months, I want to make sure that I understand you correctly.
So restricting a user and winbox to specific IP range as in the above example does not apply when I connect using MAC address?

rextended · May 26, 2022, 9:18pm

Yes.
Is like but not exactly
Layer 1: physical interface
Layer 2: MAC address
Layer 3: IP Protocol
Layer 4: TCP

kakana · May 26, 2022, 9:34pm

I see. Thank you for the clarification. At least now I know what is going on.