Winbox mac access on one bridged port

Hi,
I have an RB2011 and would like to use it as a switch, so my ETH2 to ETH10 ports are bridged with the uplink port ETH1.
But now I need Winbox MAC address access on ETH1 only - how do I do that?
I have in IP–>Neighbors–>Discovery Interface: “WAN” (ETH1)
and in Tools–>Mac Server–>Mac Winbox Server: “WAN” ETH1
But as long as ETH1 is in the bridge, the MAC discovery feature does not work in Winbox; if I exclude ETH1 from the bridge, it works. So is there any way to keep ETH1 in this bridge with Winbox MAC access only on that one port?

It works for me (hAP ac^2, 6.44beta61 but I am certain it worked in earlier versions as well). No special config, just usual stuff:

# Example: limit neighbor discovery and MAC Winbox to selected ports of one bridge.
# The bridge gets a fixed admin MAC (auto-mac=no); the author reports the setup also worked without it.
/interface bridge
   add admin-mac=CC:2D:E0:F5:1A:0E auto-mac=no fast-forward=no name=bridge-jac
# All four ports, the uplink included, are members of the same bridge.
/interface bridge port
   add bridge=bridge-jac interface=ether1-uplink
   add bridge=bridge-jac interface=ether2-pc
   add bridge=bridge-jac interface=ether3-ntb
   add bridge=bridge-jac interface=ether4
# A manually maintained list that names exactly the ports where MAC access is wanted.
/interface list
   add name=mac-access
# Only the physical ports ether1-uplink and ether3-ntb are listed; the bridge interface itself is not.
/interface list member
   add interface=ether1-uplink list=mac-access
   add interface=ether3-ntb list=mac-access
# Neighbor discovery runs only on interfaces in mac-access.
/ip neighbor discovery-settings
   set discover-interface-list=mac-access
# MAC Winbox connections are accepted only on interfaces in mac-access.
# NOTE(review): this snippet does not set "/tool mac-server allowed-interface-list" (MAC telnet);
# confirm that it is restricted separately if MAC access should be limited to these ports.
/tool mac-server mac-winbox
   set allowed-interface-list=mac-access

With this, I can see (and access) Winbox only from Ether1 and Ether3. I have HW offload active (which is often the reason for some port-related settings not working). I tested the config without admin-mac and it worked as well, so I assume it is not necessary (even though strongly recommended).

I assume your situation is caused by the interface list “WAN”, which is most likely a remnant of the defconf function “detect internet”; if you changed your config, it might contain unexpected entries. I assume the “bridge” is now a member of the “WAN” list because “detect internet” can reach the internet from the “bridge” interface… Keep in mind that the “detect internet” function can be very dangerous and, if enabled, it must be considered with every single config change that is in any way related to interface lists.
I would strongly recommend using a manually assigned and reasonably named interface list (for example “mac-access”). Manually add your Ether1 to that list and use the interface list for both neighbor discovery and mac-server, the same as I did.


Please try that and let us know. If it works, great. If it does not work, please paste your config:

# hide-sensitive leaves passwords and keys out of the export. MAC addresses, IP addresses and the
# software id are still printed, so review the output before posting it publicly.
/export hide-sensitive

Without reading your config, it is really just wild guessing. If you are worried about security, replace any personal information with a meaningful placeholder.

OK, I excluded ETH10 from the bridge (the bridge had ports ETH1 to ETH10)
-created a new list ‘winbox’ in “Interface list” and added ETH10 to that list.
-assigned in Neighbors–>Discovery Interface: “winbox”
-assigned in Tools–>Mac Server–>Mac Winbox Server: “winbox”

Results: as long as eth10 is excluded from the bridge I can connect to the MikroTik using the Winbox MAC address feature; if I add eth10 to “bridge”, the MAC Winbox feature stops working.

my config:

# feb/07/2019 10:17:06 by RouterOS 6.43.8
# software id = 6MMR-U2X1
# model = 2011UiAS-2HnD
# Two bridges: "bridge" (from the default configuration, with a fixed admin MAC) and "bridge_wlan".
/interface bridge
add admin-mac=B8:69:F4:F4:02:38 auto-mac=no comment=defconf name=bridge
add fast-forward=no name=bridge_wlan
# VLAN 16 is defined on ether1, and ether1 is also added as a port of "bridge" later in this export.
# NOTE(review): a VLAN interface on a port that is itself a bridge member is a commonly reported
# source of unreliable Layer 2 behaviour in RouterOS - confirm this is intended.
/interface vlan
add interface=ether1 name=vlan16 vlan-id=16
# WAN and LAN come from the default configuration; "winbox" is the list created for MAC Winbox access.
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=winbox
# Wireless security: the custom profile "WiFi" uses WPA2-PSK only; no pre-shared key appears in this export.
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" management-protection=allowed mode=dynamic-keys name=WiFi \
    supplicant-identity=""
# wlan1 runs as a 2.4 GHz access point with the "WiFi" security profile.
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce disabled=no distance=indoors \
    frequency=auto mode=ap-bridge security-profile=WiFi ssid=WiFi wireless-protocol=802.11
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
# NOTE(review): this DHCP server is enabled on "bridge", which in this export also contains the
# uplink port ether1 - confirm it cannot hand out leases towards the upstream network.
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
# Ports of "bridge": ether2-ether9, sfp1 and the uplink ether1. ether10 is NOT a bridge port in this
# export, which matches the working state described in the post above.
# "bridge_wlan" joins wlan1 with vlan16.
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge_wlan comment=defconf interface=wlan1
add bridge=bridge_wlan interface=vlan16
add bridge=bridge interface=ether1
# Neighbor discovery is limited to the "winbox" list.
/ip neighbor discovery-settings
set discover-interface-list=winbox
# List membership: LAN = bridge, WAN = ether1, winbox = ether10.
# NOTE(review): ether1 is in the WAN list but is also a port of "bridge", and "bridge" is in LAN.
# Traffic arriving on ether1 may therefore be matched by firewall rules as coming from "bridge"
# (LAN) rather than from WAN - verify which list the uplink is actually classified under.
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=ether10 list=winbox
# The default 192.168.88.1/24 address on "bridge" is disabled; the only active address is on vlan16.
/ip address
add address=192.168.88.1/24 comment=defconf disabled=yes interface=bridge network=192.168.88.0
add address=172.16.0.3/24 interface=vlan16 network=172.16.0.0
# NOTE(review): the DHCP client is bound to ether1, which is a bridge port in this export -
# confirm the client is still meant to run on the physical port rather than on the bridge.
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set servers=8.8.8.8
/ip dns static
add address=192.168.88.1 name=router.lan
# Input chain: traffic addressed to the router itself. Rules are evaluated in the order shown.
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
# NOTE(review): the next rule is labelled "accept ICMP" but matches TCP port 8291 (the default
# Winbox port) and, because of the "!", accepts it from every source EXCEPT 172.16.0.0/24.
# It sits above the "drop all not coming from LAN" rule, so it is evaluated first. If the intent
# was to allow Winbox only from 172.16.0.0/24, the negation is inverted - confirm, and correct
# the rule comment so that it describes what the rule matches.
add action=accept chain=input comment="defconf: accept ICMP" dst-port=8291 protocol=tcp src-address=\
    !172.16.0.0/24
# Everything else addressed to the router is dropped unless it arrives on an interface in LAN.
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
# Forward chain: traffic routed through the device.
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
# Source NAT for traffic leaving through interfaces in the WAN list.
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
# Static default route via the vlan16 subnet.
/ip route
add distance=1 gateway=172.16.0.1
# telnet, ftp, www, ssh, api and api-ssl are disabled. The winbox service is not listed here,
# so presumably it keeps its default (enabled) state and is the remaining IP management path -
# confirm with "/ip service print".
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
# The front-panel LCD is set to read-only mode.
/lcd
set default-screen=informative-slideshow read-only-mode=yes
/lcd interface pages
set 0 interfaces=sfp1,ether1,ether2,ether3,ether4,ether5,ether6,ether7,ether8,ether9,ether10
/system clock
set time-zone-name=Europe/Warsaw
/system identity
set name=WiFi
/system ntp client
set enabled=yes primary-ntp=213.199.255.40 secondary-ntp=192.86.14.67 server-dns-names=\
    1.pl.pool.ntp.org,2.pl.pool.ntp.org
# MAC telnet is allowed on the LAN list, whose only member in this export is "bridge".
# NOTE(review): "bridge" includes the uplink port ether1 here, so MAC telnet may be reachable
# from the uplink side as well - confirm this is acceptable or narrow the list.
/tool mac-server
set allowed-interface-list=LAN
# MAC Winbox is allowed only on the "winbox" list, whose only member in this export is ether10.
# These MAC-level services work at Layer 2; the interface lists here, not the /ip firewall filter
# rules, are what restrict them.
/tool mac-server mac-winbox
set allowed-interface-list=winbox