Hi All,
I got the metal 52 ac (CPE mode) and HAP AC (router) with WAN on Ether5 set up and working nicely together. Aside from a few resets due to some failed experiments, all is default settings. To get the system going I used a PC (and winbox) and the web browser address http://192.168.88.1/
My goal is to be able to select the WiFi provider to the metal 52 ac in the field either via the browser or the app.
Is there an easy way to access the metal 52 ac settings via browser in the default set up above? The address 192.168.88.1/ lands on the hAP setting page. Naively changing the metal 52 ac IP to say 192.168.88.2 won’t do the trick and all breaks down. Does the mobile app allow to select the WiFi provider to be boosted and routed?
How do you have the devices linked, physically and in terms of IP? For example it sounds as if you have 192.168.88.1 as an interface on the hAP AC. If the Metal 52 is on 192.168.88.2 then it needs to be on the same Layer 2 network as that interface.
The metal 52 ac (CPE mode) is connected physically with the hAP AC via ethernet cable on port 5 from which is also powered via PoE. As far as “If the Metal 52 is on 192.168.88.2 then it needs to be on the same Layer 2 network as that interface.” I do not know if they are linked, and or on the same or different layer as the install is default. I would appreciate a reference o pointer on how to check/set the Layer 2 network, as I am new to the RouterOS environment.
Thanks,
Steven
Layer 2 network means the devices can directly communicate by Ethernet without having to go through a router. Devices on the same subnet assume this.
How is the your hAP AC configured? Specifically ether5, is that set up with specific IP addressing or if it part of a bridge group?
Ideally could you post the configurations of the two devices?
To give an analogy I have a hAP AC as my main router here, and a Mikrotik SXT as the Internet router. From the desk I can access either with Winbox or a web browser.
@stvnm, as you were able to change the metal’s IP address I guess you are able to connect to it somehow. Therefore, I think the fastest way forward will be if you export the configuration of both the metal and the hAP ac, so that we knew what you have actually set up there and could give you a useful advice. Almost no one on the forum who is able to help uses QuickSet so if you say “CPE mode” we’d have to take a lab device and set it like that to know what that actually means.
@sindy, roger that and thanks for looking into this. My basic set up works fine. I need to be able to configure via web in he field and select the WiFi access point, and I can only access the hAC at the http://192.168.88.1/ address, but not the Meta 52 ac. Many thanks again, Steven
\
sep/29/2020 21:02:30 by RouterOS 6.47.4
software id = RYP6-C6X1
model = RBMetalG-52SHPacn
serial number = B7DA0B68CC0B
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g country="united states3"
frequency=auto installation=outdoor ssid=Mazz_net wireless-protocol=
nv2-nstreme-802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk group-ciphers=
tkip,aes-ccm mode=dynamic-keys supplicant-identity=MikroTik
unicast-ciphers=tkip,aes-ccm wpa-pre-shared-key=0987654321
wpa2-pre-shared-key=0987654321
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=ether1 name=defconf
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface detect-internet
set detect-interface-list=all
/interface list member
add comment=defconf interface=ether1 list=LAN
add comment=defconf interface=wlan1 list=WAN
add list=LAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether1 network=
192.168.88.0
/ip dhcp-client
add comment=defconf disabled=no interface=wlan1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=
"defconf: accept established,related,untracked" connection-state=
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN"
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy"
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy"
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack"
connection-state=established,related
add action=accept chain=forward comment=
"defconf: accept established,related, untracked" connection-state=
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid"
connection-state=invalid
add action=drop chain=forward comment=
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade"
ipsec-policy=out,none out-interface-list=WAN
/system clock
set time-zone-name=America/New_York
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
\
sep/28/2020 13:41:14 by RouterOS 6.47.4
software id = YWVA-QMG7
model = RB962UiGS-5HacT2HnT
serial number = C5610C31ED52
/interface bridge
add admin-mac=48:8F:5A:03:F9:AB auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n country="united states3"
disabled=no frequency=auto mode=ap-bridge ssid=NinaWiFi
wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=
20/40/80mhz-XXXX country="united states3" disabled=no distance=indoors
frequency=auto installation=indoor mode=ap-bridge ssid=NinaWiFi
wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=
dynamic-keys supplicant-identity=MikroTik wpa-pre-shared-key=0987654321
wpa2-pre-shared-key=0987654321
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2 network=
192.168.88.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=
"defconf: accept established,related,untracked" connection-state=
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN"
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy"
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy"
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack"
connection-state=established,related
add action=accept chain=forward comment=
"defconf: accept established,related, untracked" connection-state=
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid"
connection-state=invalid
add action=drop chain=forward comment=
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade"
ipsec-policy=out,none out-interface-list=WAN
/system clock
set time-zone-name=America/New_York
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
One remark to the use of the forum: it makes the posts more compact and thus better readable if you use the [code] and [/code] tags around the exports you post (there’s the [ ] button for that), see how the result looks like in my quote of your previous post above.
Regarding the issue, what surprises me most is that it worked at all until now. Both devices are set to route between their respective WAN and LAN, and since the hAP ac’s WAN gets its IP address from the metal’s LAN DHCP server, the hAP ac ends up with both LAN and WAN addresses being in the same subnet while routing between them is required, which is a no-no.
There is a number of ways how to fix this. The easiest one is probably to change 192.168.88.x everywhere in the configuration of either the metal or the hAP ac to 192.168.77.x (or anything else between 0 and 255 instead of the “88”). While connected using MAC address via Winbox, in order not to depend on the IP addresses as you’ll be changing them, you have to change the following items:
/ip pool set [find name=dhcp] ranges=192.168.77.10-192.168.77.254
/ip address set [find network=192.168.88.0] address=192.168.77.1/24 network=192.168.77.0
/ip dhcp-server network set [find gateway=192.168.88.1] address=192.168.77.0/24 gateway=192.168.77.1
Then, the machine whose configuration you’ll change will be accessible under 192.168.77.1, and the unchanged one under 192.168.88.1.
In any case, on the hAP ac, move the IP address from ether2 to the bridge one: /ip address set [find interface=ether2] interface=bridge
There was a bug in the upgrade procedure which converted the configuration from the pre-6.41 bridge setup (“master port”) to the currently used one. In most situations this is harmless but it can bring some unpredictable surprises.
Another way to make the metal accessible from a PC connected to the hAP ac would be to reconfigure the hAP ac into a bridge-only mode, so instead of acting as a router, it would just extend the LAN of the metal with four Ethernet ports and the WiFi APs. That would mean the following changes on the hAP ac:
remove/disable the DHCP server,
disable the DHCP client on ether1,
set the IP address of the hAP ac to, say, 192.168.88.2/24 (no need to modify the /ip pool and /ip dhcp-server network rows in this case as only the DHCP server uses them)
make ether1 another member port of the bridge.
So the metal would be accessible under 192.168.88.1 and the hAP ac under 192.168.88.2.
Feel free to choose whichever method seems simpler to you.
Thanks very much. I have used WinBox - hard connected to the hAP ac - and exported the working hAP ac config file. I replaced all the 88 with 77 as per @sindy suggestion. I have then reset the config with no defaults and loaded the config on boot. The new config is shown below. The Metal ac config is unchanged. Under this modified config the Metal 52 does not show internet activity. While I can se and connect to the hAP WiFi wirelessly, i cannot access it via browser at 192.168.77.1. It seems that somehow changing the 88 to 77 everywhere in the hAP prevents the Metal to connect to the internet. I am unsure as to what to try next. Thanks for any help.
# jan/02/1970 00:10:15 by RouterOS 6.47.4
# software id = YWVA-QMG7
#
# model = RB962UiGS-5HacT2HnT
# serial number = C5610C31ED52
/interface bridge
add admin-mac=48:8F:5A:03:F9:AB auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] country="united states3" disabled=no \
frequency=auto mode=ap-bridge ssid=NinaWiFI wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
20/40/80mhz-XXXX country="united states3" disabled=no distance=indoors \
frequency=auto installation=indoor mode=ap-bridge ssid=NinaWiFI \
wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=\
dynamic-keys supplicant-identity=MikroTik wpa-pre-shared-key=0987654321 \
wpa2-pre-shared-key=0987654321
/ip pool
add name=dhcp ranges=192.168.77.10-192.168.77.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.77.1/24 comment=defconf interface=ether2 network=\
192.168.77.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.77.0/24 comment=defconf gateway=192.168.77.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.77.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
If you are still using port 5 poe out as per your first post, I think your dhcp client needs to be on port 5. I just may have missed it but I didn’t see port 5 as your wan port.
Sorry, After reviewing your posted settings again, I see that you never had port 5 as your wan port so the information I suggested won’t work. Have you logged back in to the metal and disconnected from the internet and then reconnect ? Resetting your hap might prevent it from getting a ip address from the groove.
Just a quick question. Did you just have your ethernet cable plugged into port 5? I was just wondering because the other posts in the forum suggest that your need to make port 5 your wan port or to bridge port 1 and 5.
Is the config you’ve posted now the new (edited) config before you’ve loaded it to the hAP ac or is it the one exported from the hAP ac after you’ve applied the edited one on it?
If you connect your PC directly to the Metal using an Ethernet patchcord, does it get an IP address, gateway, DNS? If yes, can it access internet? Lack of “internet activity” of the metal may be caused merely by lack of any requirements coming from the LAN (i.e. from the hAP ac).
This too indicates that the issue is in the hAP ac. When you connect to it wirelessly, does the PC get IP address, gateway, DNS? Which ones? If you connect to any of the LAN ports (ether2…ether5)
No way the change alone could do that. Something else must have gone wrong.
It actually didn’t come to my mind you might download/edit/upload the config, it was sufficient to enter those four commands I gave, or do a “clicking equivalent” of them using the Winbox GUI.
By setting the hAP ac to defaults, you’ll get back where you’ve started from, as the configuration you had before was a default one with some minor changes.
After checking that it works as before, by applying just the three changes on a running machine, rather than removing the existing configuration and loading a new one (which is tricky), you should be good.
@all, many thanks for the help. I was able to set it the way I wanted. @sindy, your comments and questions were most helpful to direct my efforts. @vron you pointer about a WAN most appropriate. Thank you!
Important steps - for the record and future reference. There sure are many ways to skin this cat, but the following worked for me.
Make sure that the Metal52ac connects to the internet by connecting to the PC via ethernet with no router.
hAP ac set up
Use the GUI in Winbox to Reset with No Defaults Configuration
Use Quick set, AP Dual. Address acquisition automatic.
IP address 192.168.77.1
Check Bridge all LAN ports
Check DHCP Server, and set Range to 192.168.77.10-192.168.77.254
Pick Network names, Frequency = Auto, Band = the most inclusive, Select country, WiFi password (do same for guest)
Enter password for hAP.
Apply, close the QuickSet up and DO NOT OPEN AGAIN OR IT WILL RESET ANY CHANGE DONE AT A LATER STAGE.
Move WAN over from ether1 to ether5 - Winbox GUI
Interfaces → Interface List → WAN change from ether1 to ether5
Bridge → Ports remove ether5 and add ether 1
IP → DHCP Client - change to ether5
Here are the exported config files from both devices.
I now have the WAN (and PoE) of ether5 and can access wirelessly the hAP ac on 192.168.77.1. And, importantly I can and select the external WiFi provider for the Metal 52 ac at 192.168.88.1. which is what I wished to accomplish.
hAP ac
# oct/02/2020 11:33:50 by RouterOS 6.47.4
# software id = YWVA-QMG7
#
# model = RB962UiGS-5HacT2HnT
# serial number = C5610C31ED52
/interface bridge
add name=bridge1
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n country="united states" \
disabled=no frequency=auto mode=ap-bridge ssid=Nina2G wireless-protocol=\
802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac country="united states" \
disabled=no frequency=auto mode=ap-bridge ssid=Nina5G wireless-protocol=\
802.11
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=\
dynamic-keys supplicant-identity=MikroTik wpa-pre-shared-key=0987654321 \
wpa2-pre-shared-key=0987654321
add authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys name=profile \
supplicant-identity=MikroTik wpa-pre-shared-key=ninaguest \
wpa2-pre-shared-key=ninaguest
/interface wireless
add disabled=no mac-address=4A:8F:5A:03:F9:B0 master-interface=wlan2 name=\
wlan3 security-profile=profile ssid=NinaGuests
add disabled=no mac-address=4A:8F:5A:03:F9:B1 master-interface=wlan1 name=\
wlan4 security-profile=profile ssid=NinaGuests
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp ranges=192.168.77.10-192.168.77.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge1 name=dhcp1
/interface bridge filter
add action=drop chain=forward in-interface=wlan3
add action=drop chain=forward out-interface=wlan3
add action=drop chain=forward in-interface=wlan4
add action=drop chain=forward out-interface=wlan4
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=sfp1
add bridge=bridge1 interface=wlan2
add bridge=bridge1 interface=wlan1
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=wlan3
add bridge=bridge1 interface=wlan4
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add interface=bridge1 list=LAN
add interface=ether5 list=WAN
/ip address
add address=192.168.77.1/24 interface=ether2 network=192.168.77.0
/ip dhcp-client
add disabled=no interface=ether5
/ip dhcp-server network
add address=192.168.77.0/24 gateway=192.168.77.1 netmask=24
/ip firewall filter
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=drop chain=input in-interface-list=!LAN
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=masquerade chain=srcnat out-interface-list=WAN
add action=masquerade chain=srcnat out-interface-list=WAN
/system clock
set time-zone-name=America/New_York
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
[code]# oct/01/2020 21:04:15 by RouterOS 6.47.4
# software id = RYP6-C6X1
#
# model = RBMetalG-52SHPacn
# serial number = B7DA0B68CC0B
/interface wireless
set [ find default-name=wlan1 ] antenna-gain=6 band=5ghz-a/n country=\
"united states" disabled=no frequency=auto installation=outdoor ssid=\
Mazz_net wireless-protocol=nv2-nstreme-802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk group-ciphers=\
tkip,aes-ccm mode=dynamic-keys supplicant-identity=MikroTik \
unicast-ciphers=tkip,aes-ccm wpa-pre-shared-key=0987654321 \
wpa2-pre-shared-key=0987654321
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=ether1 name=defconf
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=ether1 list=LAN
add comment=defconf interface=wlan1 list=WAN
add list=LAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether1 network=\
192.168.88.0
/ip dhcp-client
add comment=defconf disabled=no interface=wlan1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
/system clock
set time-zone-name=America/New_York
/system identity
set name=NinaBooster
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN