1. Do you mean mac discovery like what you see in winbox when going to neighbors?
2. Blocking ping/trace route
/ip firewall filter add chain=forward src-address=![your allowed IP] protocol=icmp action=drop
This should drop all ICMP packets except ones from the allowed address, this will only work if a client tries and ping a ip in a different subnet. If you want to drop it on layer2 you will need bridge
3. Web fig goto ip --> services and only set the allowed ip next to port 80 and 443
4. If you mean the adsl page like in your default gateway add a firewall rule that drops port 80 with the lan subnet as src and default gateway as dst
There you go then you touched something
: it only takes a change in wind direction to screw with your nat