I have a firewall rule set to block unauthorized access to winbox other than the ones are set un our address list. But I am having a flood from a specific MAC address that is trying to connect to winbox using ghost IP's the MAC address attempts we are havings are tons in a minute. How can I prevent it or how can I block that IP MAC address here is my firewall rule for winbox:
Depending on your RB model and from where that flood comes physically, a rule in the switch (preferred if technically possible) or a rule in the bridge firewall is necessary. To make bridge rules work, you need to use
/interface bridge settings set use-ip-firewall=yes
This is a common setting for all bridges, so expect a throughput penalty.
The rule for a bridge would then look like
/interface bridge filter add action=drop chain=input src-mac-address=00:11:22:33:44:55/ff:ff:ff:ff:ff:ff mac-protocol=ip ip-protocol=tcp dst-port=8291
But it is well possible that there is actually a network full of infected devices behind a gateway element with that MAC address, so I'd recommend not to stop at just using that filter rule and to investigate further into the issue.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.