I have a NetMetal 5 radio and I want to access it through telnet, but after the first attempt my MAC address gets blocked…
I have the right user and pass; should I access it with a specific MAC address?
I’m a newbie, consider that please.
You are on the public internet, and then try to access a device on the inside of your net using Telnet?
Post your config and we can have a look at it:
/export hide-sensitive
I’m in a private network and it’s my AP; my laptop is connected to the same switch that my station radio is connected to.
How can I export the config without connecting to it?
My AP is installed in an office that is temporarily closed due to coronavirus and I can’t access it locally.
Obviously I’m not the installer, that’s why I don’t know what’s going on.
I should remind that I can access my station without any problem.
Slow down, man
You haven’t provided the complete information in your OP - it wasn’t clear from there at all that you don’t have a wired connection to the device you can’t connect to. Next, are you talking about plain telnet or mac-telnet? Next, are you sure that access to the AP via its wireless interface is possible at all?
Normally, allowing management access using a plaintext protocol (such as plain telnet or plain http) on a publicly accessible interface (such as the wireless one) is not a good idea (even if WPA/WPA2 is used). So maybe the other installer has simply blocked it for everyone, not just for you, or maybe SSH access is permitted but Telnet is not.
You may try to log in to your station Tik and try /tool mac-telnet to the AP from the commandline if the AP is shown under /ip neighbor print. Just bear in mind that mac-telnet collects the login and password before attempting to connect to the destination, so the fact that you are asked for credentials does not mean that the connection was successful.
I’m sorry I didn’t mean to be rude!
If I use mac-telnet on my station, is there any chance that my station’s MAC address gets blocked just like my laptop’s NIC?
Afterward, is it possible to change my station’s MAC address if it gets blocked by the AP?
I don’t know about any embedded mechanism in RouterOS which would automatically blacklist a source MAC address upon exhaustion of some number of unsuccessful login attempts, but I can’t exclude that the admin of the AP has implemented something like that using scripting.
Also, is your PC in the same L2 segment and subnet like the AP, or is the station routing? I.e. does the PC get its IP address from the AP or from the station? Why do you assume that the blocking went on MAC address in particular?
With most contemporary drivers, you can even change the MAC address of the PC’s network card.
Maybe it’s the IP that is blocked, not the MAC?
I have a rule on my router like this. Try one non-open port, get blocked for 24 hours.
My PC is connected to the same switch as the station, and the AP is connected to the same switch as the server.
I use this setup to access the server.
There is no DHCP on the network, so I have to set the IP manually.
The AP and station are in the same IP range, and the server and client (PC) are in another IP range.
When I trace the server IP I don’t see any router in the path, not even the AP or ST.
When I tried to access the AP using telnet, my connection to the server got dropped.
After changing my PC’s MAC address I was able to connect to the server again.
That really sounds like some security policy made at the AP. Can you see at least the configuration of the station? If yes, what is the wireless interface mode, station-bridge or something else?
Is the installer of the AP unreachable or why can’t you talk to him?
Station bridge
A company that is not available right now did the job.
OK. So post the complete configuration of the station, following the anonymisation hints in my automatic signature right below - I want to double-check that there is really transparent bridging between the AP’s Ethernet side and the STA’s Ethernet side. It is not a typical setup to have two distinct subnets in a common L2 space; also, since you say the server’s IP address is in a different subnet than the AP, what is the default gateway of your client PC set to? I mean, you either need two IPs on the PC, one from each subnet, to be able to access both the server and the AP, or there must be a router somewhere which can route between the subnets, or the subnets must actually not be distinct ones.
In any case, as there is bridging between the client PC and the server, an attempt to connect to the AP from the STA should not put the MAC of the client PC to the blacklist, so you should not lose the client-server connection even if the STA’s address gets blacklisted, but depending on how the blacklist is done, the STA might lose connection to the AP completely (you don’t know what kind of trap the other gents have configured there). So I would start from changing the STA’s MAC address to check that the wireless connection is not limited to whitelisted MACs. If it is, you cannot risk even with mac-telnet from the STA itself, and you will need to use another Mikrotik (a virtual one, CHR) as a mac-telnet client.
But there is a chance that the management access to the AP is locked to a dedicated Ethernet port of it, or to a particular combination of source MAC and IP addresses, or even to access via a VPN connection. I.e. there may be no way in without clearing the configuration if you don’t know more than just the username and password.
Does the AP have a USB or serial port, and is there no one at all allowed to access the company premises? The restrictions in various countries differ, that’s why I ask.
The virtual mikrotik hint was brilliant!
So the guy securing the AP was not that careful after all and has left the mac-telnet access from the AP side open? Good for your goal but bad for the overall security (relying only on user credentials on a publicly accessible interface is never a good idea).
So were you able to read the config of the AP and find out how the MAC address blocking has been implemented?
I don’t see anything special inside the AP’s config, but there is a router and a firewall in the network and I don’t have access to them.
Could it be implemented inside them?
What is my option for more security due to its remote access?
If, when you tried to telnet to the AP from your client PC, the IP address on the PC was in the subnet which the client shares with the server, i.e. the other one than where the IP addresses of your STAtion and the AP are, then it may be the router which routes between these two subnets, and indeed there can be some security mechanism implemented; however, to cut you off the server, this security mechanism would have to block the MAC address on L2, as no routing is necessary between the client and the server.
A VPN connection (but a real one, i.e. OpenVPN, SSTP or (something over) IPsec, not PPTP) would add one more layer of security - if you use certificate-based authentication, it should be much harder to crack in. But unless you’d build an L2 tunnel from your STA Mikrotik, you can only connect to the AP’s IP address, so the choice of management interfaces is Winbox, SSH, HTTPS (WebFig). Just be extremely careful not to lock yourself out - first triple-check that the management connection via VPN works, and only then disable mac-winbox and mac-telnet on the wireless interface of the AP.
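An added example, not part of the original thread and not the configuration of the AP discussed: one way to carry out the last step above on the AP once the VPN management path has been verified. It assumes RouterOS 6.41 or later (interface lists); the list name MGMT, the wired port ether1 and the VPN range 10.99.0.0/24 are placeholders.

```routeros
# Constructed example: MGMT, ether1 and 10.99.0.0/24 are assumptions,
# replace them with the real management port and VPN address range.
# Apply only after confirming that Winbox/SSH over the VPN works;
# entering the commands in Safe Mode lets RouterOS roll them back
# if the management session is lost.

# 1. Define which interfaces may carry L2 (MAC-based) management.
/interface list add name=MGMT comment="interfaces allowed for MAC-layer management"
/interface list member add list=MGMT interface=ether1

# 2. Offer mac-telnet and mac-winbox only on that list. The wireless
#    interface is not a member, so both disappear from the radio side.
/tool mac-server set allowed-interface-list=MGMT
/tool mac-server mac-winbox set allowed-interface-list=MGMT
/tool mac-server ping set enabled=no

# 3. Stop announcing the device through neighbor discovery on wireless.
/ip neighbor discovery-settings set discover-interface-list=MGMT

# 4. Turn off the plaintext IP management services.
/ip service set telnet disabled=yes
/ip service set ftp disabled=yes
/ip service set www disabled=yes
/ip service set api disabled=yes

# 5. Accept the remaining encrypted services only from VPN addresses.
#    (www-ssl, for HTTPS WebFig, additionally needs a certificate
#    assigned before it can be enabled, so it is left out here.)
/ip service set ssh address=10.99.0.0/24
/ip service set winbox address=10.99.0.0/24

# 6. Review the result.
/tool mac-server print
/tool mac-server mac-winbox print
/ip service print
```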