I have 4 network interfaces
wlan1
wlan2
eth1
eth2
They are bridged.
On the wlan interface I have the option to allow/disallow clients based on MAC address. I want to do that on the complete bridge, not only part of it.
This is also good, but when I need to choose a MAC address I have only wlan1 and wlan2, not eth1 and eth2.
Is this possible?
So, how to do MAC filtering on the whole MikroTik, not only wlan?
The access lists are only meant for wireless interfaces. That’s why you cannot select your ether1/2 there.
You could set the ARP mode on the bridge interface to “reply-only” and create static ARP entries under “/ip arp”.
I’m not quite sure right now if you would need to set each interface’s ARP mode to reply-only, too. It couldn’t hurt in any case.
Best regards,
Christian Meis
Thanks for the reply. I cannot use static ARP on wireless because clients behind an AP in client mode cause me problems in that setup. I don’t have the AP client’s MAC address at all in the ARP entries, only the computer’s MAC. And when I do “make static” with them and then choose “reply-only” on the bridge interface, the client doesn’t have network anymore. If I return ARP from “reply-only” to “enabled”, the ARP entries show a new entry with the MAC address from the AP and the IP from the computer behind it. This is a problem that happens only with Ovislink 5460 v2 and Ovislink 5450AP in client mode, and I have a few of them. (So I have something like this in ARP: compmac+compIP, APmac+APip and APmac+computerIP; this third one is random, sometimes it happens, sometimes not, I don’t know why it happens anyway.) The problem is that the network works for a minute, half an hour, an hour, and then the client calls that the network is down. I just return ARP from “reply-only” to “enabled” and everything is good again. That shouldn’t happen but it’s happening, so I cannot use static ARP because of that. Is it possible to use static ARP only on Ethernet, and not on wireless? And how would that work?
Anyway, I like MAC filtering like on wireless.
If there is only an option to change the type of interface so that the eth card can be chosen for filtering…
For now I see as the only solution to unplug the Ethernet card, plug in a wireless card and, 10 cm away from that, put an AP in client mode with the Ethernet cable plugged into it.
This is stupid but it’s the only way I found to do MAC filtering like I have on wireless.
And how does DHCP work with “reply-only”? I think that you need static entries to do that.
You can do MAC filtering on the bridge via the bridge firewall. Just add in the src-mac-addresses you want to allow as well as other traffic you might need to allow, followed by a drop all rule. You will probably have to tune this some before everything will work right.
This is a good idea, but I don’t know how to do it.
I believe it should go like this:
1: if mac 1 - jump to rule 50
2: if mac 2 - jump to rule 50
3: if mac 3 - jump to rule 50
4: drop all
50: other rules in firewall
How to do something like this?
Well, first off you should read the firewall and bridging manuals. Then, add your rules in the /interface bridge firewall section with the desired MAC addresses to allow. Note I only suggested this as it sounds like what you are after… but in the long run, this isn’t a very good solution and will be a pain to maintain. You could just as easily add static DHCP leases to known clients and block/allow IP addresses instead. A better solution might be to use PPP or hotspot.
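
The allow-list-then-drop layout discussed in this thread, written out as RouterOS bridge filter rules. This is an added example, not configuration posted by anyone in the thread; it assumes the rules live under `/interface bridge filter` on your RouterOS version, and the chain name `mac-allow` and every MAC address are constructed placeholders.

```routeros
# Added example: all MAC addresses are constructed placeholders
# (locally administered 02:... range). Replace them with your own.
/interface bridge filter

# Shared chain (hypothetical name "mac-allow"): a known source MAC
# returns to the calling chain, anything else is dropped here.
# Add the machine you manage the router from first, so the final
# drop rule cannot cut off your own session.
add chain=mac-allow action=return \
    src-mac-address=02:00:00:00:00:01/FF:FF:FF:FF:FF:FF comment="admin PC"
add chain=mac-allow action=return \
    src-mac-address=02:00:00:00:00:02/FF:FF:FF:FF:FF:FF comment="wireless client"
add chain=mac-allow action=return \
    src-mac-address=02:00:00:00:00:03/FF:FF:FF:FF:FF:FF comment="wired client on eth2"

# An AP in client mode can show up with its own MAC for the computer
# behind it (the APmac+computerIP entry described in the thread),
# so the AP's MAC has to be listed as well as the computer's.
add chain=mac-allow action=return \
    src-mac-address=02:00:00:00:00:10/FF:FF:FF:FF:FF:FF comment="AP in client mode"

# Frames coming back from an upstream gateway on a bridge port carry
# the gateway's MAC as source; without this rule replies are dropped.
add chain=mac-allow action=return \
    src-mac-address=02:00:00:00:00:FE/FF:FF:FF:FF:FF:FF comment="upstream gateway"

add chain=mac-allow action=drop comment="unknown source MAC"

# input   = frames addressed to the router itself through the bridge
# forward = frames bridged from one port to another
# Both built-in chains must jump to the list, otherwise only one of
# the two paths is filtered.
add chain=input action=jump jump-target=mac-allow
add chain=forward action=jump jump-target=mac-allow

# Any other bridge filter rules go after these two jumps; only frames
# from listed MACs reach them.
```

The list is created before the two jump rules so that the drop only takes effect once the allowed addresses are already in place.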