I have a problem disabling the visibility of the Mac Server. I have restricted the firewall and disabled PING on the Mac Server, and I also tried disabling the Mac Server and leaving it open for an IP address only, but I cannot get rid of the visibility of the internal Mac Server by doing the above things - I have this issue with the cheaper devices only. Is there any way to disable the visibility or availability of the Mac Server over my internal networks? I’m on VLANs and each VLAN can see the Mac Server. If restricted, you cannot connect, but it is still visible - why does the firewall, which denies input, not work? I’m begging so I am probably making some stupid mistake - please help.
Roman
MAC addresses are layer 2 so your firewall will not help you there. If you want to hide visibility, you can use the following commands:
/tool mac-server set [find] disabled=yes
/tool mac-server mac-winbox set [find] disabled=yes
/tool mac-server ping set enabled=no
You can also go into IP > Neighbors and remove all interfaces under discovery to prevent the router from participating in any of the discovery protocols.
All MAC layer processes are Layer 2 so your firewall is not going to help you with anything. If you want to “secure” the router you can use the following:
# Disable MAC Telnet server on all interfaces
/tool mac-server set allowed-interface-list=none
# Disable MAC Winbox on all interfaces
/tool mac-server mac-winbox set allowed-interface-list=none
# Disable MAC ping
/tool mac-server ping set enabled=no
# Disable discovery protocols on all ports
/ip neighbor discovery-settings set discover-interface-list=none
After the above configuration, the MikroTik will not participate in neighbor discovery or show up under any of the mac-server tools. It would be advisable, depending on severity, to have a management VLAN where these services are turned on, just in case you lose access to the router and you can’t get console access.
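The management-VLAN suggestion above, written out as an added example (not part of either post): instead of `none`, the layer-2 services are bound to an interface list that contains only the management VLAN. It assumes a RouterOS version that uses the `allowed-interface-list` syntax from the second answer; the list name `MGMT` and the VLAN interface name `vlan99-mgmt` are hypothetical.

```routeros
# Added example. Assumptions: the VLAN interface vlan99-mgmt already exists
# (hypothetical name) and MGMT is a new, otherwise unused interface list.

# 1. Interface list that holds only the management VLAN
/interface list add name=MGMT comment="management only"
/interface list member add list=MGMT interface=vlan99-mgmt

# 2. MAC Telnet and MAC Winbox answer only on interfaces in MGMT
/tool mac-server set allowed-interface-list=MGMT
/tool mac-server mac-winbox set allowed-interface-list=MGMT

# 3. MAC ping is a single on/off switch with no interface list, so keep it off
/tool mac-server ping set enabled=no

# 4. Neighbor discovery is sent and accepted only on MGMT
/ip neighbor discovery-settings set discover-interface-list=MGMT

# 5. Verify the result before closing the current session
/interface list member print where list=MGMT
/tool mac-server print
/tool mac-server mac-winbox print
/tool mac-server ping print
/ip neighbor discovery-settings print
```

From a host on any other VLAN, the router should no longer appear in Winbox's Neighbors tab, while a host on the management VLAN can still reach it by MAC address.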