RBmAPL-2nD admin access to ethernet

I use the RBmAPL-2nD as an AP bridge. WiFi is the 192.168.88.0 network and Ethernet is the 192.168.1.0 network. The only access to the RouterBOARD admin is through WiFi on 192.168.88.1; there is no access through Ethernet on 192.168.1.6.

I want to disable admin access over WiFi and enable it over Ethernet. How can I switch it?

It might be as simple as allowing input to the Winbox port coming from ether1, but be careful there … because if that device's ether1 is actually connected to the Big Wide Web, then you open Winbox access to anyone having fun with password-cracking tools.
And they WILL get in; the only question is "when".

In that case, use a VPN and only allow access through that VPN.

If your mAP is completely within your own network, then you can open that gate with few problems.

But if that device is a true AP, why the different subnets?

So, you are saying that the only way to change admin access from WiFi to Ethernet is using a VPN? How exactly can this be done? Is there any tutorial available?

I simply want to access admin from my internal local network 192.168.1.0 (internal access only) and not through WiFi (where anyone around can try to crack the password, for example).

You missed this sentence:

And you did not answer this one.

The answer is simple: I am a rookie at MikroTik and do not know how to set it up this way (I was looking for a tutorial but did not find one). This would be the ultimate solution: all on one network, one DHCP server, everything transparent.

My previous AP was set up on one network, but the only working setup I got with MikroTik was two networks. It is not ideal but I can live with that. I just do not like admin through WiFi.

The mAP was my very first MikroTik, some years ago already. I still use it for quick setups left and right.

I don't like spoon-feeding, so I'll give you the raw steps to complete, off the top of my head (I didn't test this).
Up to you to see if you can work out why they are needed and how you are going to implement them.
(Tip: Safe Mode is your friend when using Winbox … just saying.)

Connect the PC to ether2 and use Winbox via MAC access.
1 - remove the ether ports from the WAN interface list
2 - check the LAN interface list; both ether1 and ether2 should be there
3 - add all interfaces to the bridge (ether1, ether2 and the wifi interface)
4 - move the DHCP client to the bridge
5 - remove the DHCP server (and the IP pool, not needed anymore)
6 - add a firewall rule:
accept, input chain, dst-port=8291, in-interface-list=LAN, protocol=tcp <what this does is only allow Winbox access via the LAN list, which was previously set to ether1 and ether2>
Move it before the drop rule on the input chain.

I think that should be it …

Actually … the bridge interface should be the member of the interface list. The individual ports (ether1 and ether2), as members of the bridge, don't have to be members of any interface list.

Hmmm … not if you want to use that same interface list later on to filter in a firewall rule?
The aim is to drop WiFi access but allow Ethernet access.

It boils down to this: interface lists work for interfaces … and interfaces are the L3 entities (anything with an IP address set). When one creates a bridge and adds a few L2 entities (ethernet ports, wifi interfaces, etc.), those L2 entities should never be used directly as L3 stuff (this is the point of moving the DHCP server to the bridge interface as well). So the router (the L3 layer inside the ROS device) will always see the bridge interface as the ingress (or egress) interface, never the bridge's constituent ports. As to ether-to-ether traffic: unless one enables the IP firewall on the bridge (it's disabled by default), the firewall (and its interface lists) won't affect it at all.
BTW (for completeness' sake): when there are VLANs in play, the VLAN interfaces have to be listed in the interface lists. Adding the bridge to an interface list is only relevant for the VLAN where the bridge's CPU-facing port is untagged (pvid set; by default that's pvid=1), and if the bridge's CPU-facing port is set to "frame-types=admit-only-vlan-tagged", then appropriate VLAN interfaces have to be created for all relevant VLANs, and finally the bridge interface doesn't have to be a member of any interface list … because it's irrelevant (the VLAN interfaces will be seen as the ingress or egress interface by the L3 functions, such as the DHCP server or the firewall … or the MAC server, for that matter).

Now, the default firewall is more or less constructed in an "allow what's needed, block the rest" manner, so if one breaks a bridge apart and starts to use the (ex-bridge) ports as interfaces directly, the firewall will generally block traffic until those interfaces are made members of the appropriate interface list. If one makes them members of a certain interface list in advance, then depending on which interface list that is, traffic may flow but won't be filtered appropriately … and it's all too easy to forget things if fixing them is not required to make things work.
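The step list above, combined with the correction that the bridge itself (not its member ports) belongs in the LAN interface list, as one RouterOS CLI transcript. This is an added example, not configuration posted by anyone in the thread, and it was not run on a mAP. It assumes the wireless interface is named wlan1, that the bridge is created as bridge1, that the stock WAN/LAN interface lists exist, that the old 192.168.88.1/24 address sits on whatever interface the default config put it on, and that the default input chain ends in a single drop rule. Because the L3 firewall only ever sees bridge1 as the ingress interface, the accept rule restricts Winbox to the local LAN, not to the ethernet ports specifically; the optional tail shows the one way the thread mentions (enabling the bridge IP firewall) to refuse it on the wifi port itself.

```routeros
# Added example (not from the original posts). Assumed names: bridge1, wlan1.
# Run from Winbox over MAC access on ether2 with Safe Mode enabled, since the
# IP address you are connected on disappears part-way through.

# 3 - one bridge carrying both ethernet ports and the wifi interface
/interface bridge add name=bridge1 comment="AP bridge: ether1, ether2, wlan1"
/interface bridge port add bridge=bridge1 interface=ether1
/interface bridge port add bridge=bridge1 interface=ether2
/interface bridge port add bridge=bridge1 interface=wlan1

# 1/2 - nothing is WAN any more; the bridge (not ether1/ether2) is the LAN
/interface list member remove [find list=WAN]
/interface list member remove [find list=LAN]
/interface list member add list=LAN interface=bridge1

# 5 - drop the old 192.168.88.0/24 router role: DHCP server, pool, static address
/ip dhcp-server remove [find]
/ip dhcp-server network remove [find]
/ip pool remove [find]
/ip address remove [find address~"^192\\.168\\.88\\."]

# 4 - the mAP now takes an address from the 192.168.1.0/24 DHCP server via the bridge
/ip dhcp-client remove [find]
/ip dhcp-client add interface=bridge1 disabled=no comment="address from upstream LAN DHCP"

# 6 - accept Winbox (tcp/8291) only from the LAN list, placed before the input drop
/ip firewall filter add chain=input action=accept protocol=tcp dst-port=8291 \
    in-interface-list=LAN comment="Winbox from LAN only" \
    place-before=[:pick [find chain=input action=drop] 0]
# The stock masquerade rule matches out-interface-list=WAN; WAN is now empty, so it is inert.

# MAC-based Winbox/Telnet bypass the IP firewall entirely; pin them to the same list
/tool mac-server set allowed-interface-list=LAN
/tool mac-server mac-winbox set allowed-interface-list=LAN
# Belt and braces: the Winbox service itself only answers the wired subnet
/ip service set winbox address=192.168.1.0/24

# Optional (assumption, not in the thread): to refuse Winbox on the wifi port
# specifically, enable the bridge IP firewall so the input chain can also match
# the bridge port a frame arrived on, then drop before the LAN accept rule.
# /interface bridge settings set use-ip-firewall=yes
# /ip firewall filter add chain=input action=drop protocol=tcp dst-port=8291 \
#     in-bridge-port=wlan1 comment="no Winbox from wifi" \
#     place-before=[:pick [find chain=input comment="Winbox from LAN only"] 0]
```

After the DHCP client picks up a lease, reconnect to the new 192.168.1.x address over ethernet before leaving Safe Mode; if you lose the session first, Safe Mode rolls everything back and you are still reachable on the old address. The `/ip service set winbox address=` line is what actually stops a WiFi client from even completing the TCP handshake to 8291 once the two subnets are merged, since on a flat bridge every client is "LAN" as far as the interface list is concerned.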

Sure your name isn't Sindy as well? I started reading and didn't realize it was an MKX post, LOL. Maybe it's that close proximity to Czechia that is making you sound smarter. :wink:

Thank you! It works for me. :smiley: