Thank you, again, for the suggestion.
I'll continue to read different threads and check out the mangling method.
(I may have to use it for Dual Wan failover, too.)
----
I have tried another setup because I was pretty sure I was doing something not quite right in the previous setup.
This time, I updated from 6.36.1 to 6.40.4, thinking that the new features may make things easier. (I'm not sure if there is any difference yet.)
Also, I wanted to see the default firewall configuration to compare against the previous setup (to see what I was doing wrong).
So, I started in "Quick set" and checked "Bridge All LAN Ports" and the NAT options, to see what Quick set would do. (And I left Quick set there.)
After that, I removed ether4 from slave and added it to bridge1, and I added an IP address for ether1 (WAN).
Once I added a bridge filter for the INPUT chain like this, there was no more access to management (by IP) other than via ether4.
/interface bridge filter
add action=drop chain=input dst-address=192.168.88.1/32 in-interface=!ether4 \
log=yes mac-protocol=ip
Also, I modified MAC-server and MAC-Winbox to be used only via ether4, as before.
/tool mac-server
add interface=ether4
set [ find default=yes ] disabled=yes
/tool mac-server mac-winbox
add interface=ether4
set [ find default=yes ] disabled=yes
So, it is pretty simple if this kind of setup is really correct.
Also, the default security configuration, Fast-track, masquerade and others are already there, and I don't have to worry too much if I've put the basic things right.
The entire /export result:
# oct/16/2017 14:55:07 by RouterOS 6.40.4
# software id = AYF2-EAEN
#
# model = RouterBOARD 750G r3
# serial number = 6F390765XXXX
#
# Needs delay to import after reset ... (Known bug/issue?)
:delay 15s
/interface bridge
add name=bridge1
/interface ethernet
set [ find default-name=ether2 ] name=ether2-master
set [ find default-name=ether3 ] master-port=ether2-master
/ip neighbor discovery
set ether1 discover=no
set ether5 discover=no
/interface bridge filter
add action=drop chain=input dst-address=192.168.88.1/32 in-interface=!ether4 \
log=yes mac-protocol=ip
/interface bridge port
add bridge=bridge1 interface=ether2-master
add bridge=bridge1 interface=ether4
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2-master network=\
192.168.88.0
add address=192.168.11.2/24 interface=ether1 network=192.168.11.0
add address=192.169.33.1 interface=ether5 network=192.169.33.1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip dns static
add address=192.168.88.1 name=router
/ip firewall filter
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" \
connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface=ether1
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface=ether5
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=drop chain=input in-interface=ether1
add action=drop chain=input in-interface=ether5
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
out-interface=ether1
/ip route
add distance=1 gateway=192.168.11.1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set www-ssl certificate=192.168.88.1 disabled=no
set api disabled=yes
set api-ssl disabled=yes
/ip smb shares
set [ find default=yes ] directory=/pub
/system clock
set time-zone-name=America/Toronto
/system identity
set name=MBox2
/system routerboard mode-button
set enabled=no on-event=""
/tool mac-server
add interface=ether4
set [ find default=yes ] disabled=yes
/tool mac-server mac-winbox
add interface=ether4
set [ find default=yes ] disabled=yes
Edit: I changed the order of commands for mac-server and mac-winbox because we can't disable the default (all) before adding another interface.
Also, I guess we can use the waiting loop for the interfaces to come up instead of :delay 15s at the beginning.
It may take less time, and it works if the required delay is a bit longer (up to 30 sec).
(But :delay is easier, shorter, and probably enough for many of us.)
:local count 0;
:while ([/interface ethernet find] = "") do={
    :if ($count = 30) do={
        :log warning "DefConf: Unable to find ethernet interfaces";
        /quit;
    }
    :delay 1s;
    :set count ($count + 1);
};
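
Added example (not part of the original post): a Python check over a saved /export that confirms the two things the post sets up, a bridge filter rule dropping input to the router IP from every port except the management port, and MAC-server/MAC-Winbox limited to that port. The function names and the sample text are constructed for illustration.

```python
import re

# Constructed sample: the management-related menus of a RouterOS 6.x /export,
# written the way the export in the post writes them.
SAMPLE_EXPORT = r"""
/interface bridge filter
add action=drop chain=input dst-address=192.168.88.1/32 in-interface=!ether4 \
    log=yes mac-protocol=ip
/tool mac-server
add interface=ether4
set [ find default=yes ] disabled=yes
/tool mac-server mac-winbox
add interface=ether4
set [ find default=yes ] disabled=yes
"""

def parse_export(text):
    """Return {menu path: [command lines]}, joining '\\' continuation lines."""
    joined = re.sub(r"\\\r?\n\s*", "", text)
    sections, current = {}, None
    for line in joined.splitlines():
        line = line.strip()
        if line.startswith("/"):
            current = sections.setdefault(line, [])
        elif line and not line.startswith("#") and current is not None:
            current.append(line)
    return sections

def params(cmd):
    """key=value pairs of one command; a quoted value stays one token."""
    return dict(re.findall(r'([\w-]+)=("[^"]*"|\S+)', cmd))

def audit_management(text, mgmt_if, router_ip):
    """List what keeps management from being confined to mgmt_if."""
    sections, findings = parse_export(text), []
    # 1. A bridge filter rule must drop input to the router IP from other ports.
    rules = [params(c) for c in sections.get("/interface bridge filter", [])]
    if not any(r.get("chain") == "input" and r.get("action") == "drop"
               and r.get("in-interface") == "!" + mgmt_if
               and r.get("dst-address", "").split("/")[0] == router_ip
               for r in rules):
        findings.append("no bridge input drop rule for !" + mgmt_if)
    # 2. MAC-server and MAC-Winbox: default entry disabled, only mgmt_if added.
    for menu in ("/tool mac-server", "/tool mac-server mac-winbox"):
        cmds = sections.get(menu, [])
        added = [params(c).get("interface") for c in cmds if c.startswith("add ")]
        default_off = any("default=yes" in c and "disabled=yes" in c for c in cmds)
        if added != [mgmt_if] or not default_off:
            findings.append(menu + " not limited to " + mgmt_if)
    return findings
```

An empty list from `audit_management(export_text, "ether4", "192.168.88.1")` means both conditions hold. The check covers only the bridge filter and the MAC services; IP-level access (/ip service, the /ip firewall filter input chain) is outside what it looks at.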