wlan3 is the only interface because I wanted to make a virtual hidden interface to the router as a fail-safe, so that I can access the router regardless of firewall rules.
The alternative is to add wlan3 to LAN interface and forget about interface Manage altogether.
I liked the line
. But the question still remains: if I add wlan3 to the LAN interface, how do I gain access if I locked myself out of the router? For my home network, LAN is trusted.
Sorry for the delay. Getting old means too little time for my router.
You are overthinking it and adding noise I never stated. There is nothing HIDDEN about it.
Only you will have the SSID password to access the vWLAN, plus you are the only one with the correct IP address and port for winbox when using winbox, PLUS you are the only authorized user LOL.
(1) On the managed interface list, you should have the subnet you are on ALL the time as admin to be able to reach the router, let's say it's Home.
Then your interface list members would include
add interface=Home list=Manage
add interface=wlan3 list=Manage
If you as admin are on ether5 all the time and access winbox from there normally then your list would have
add interface=ether5 list=Manage
add interface=wlan3 list=Manage
(2) You need to add the specific IP addresses here if relevant.
MISSING
set winbox address=192.168.88.0/24,192.168.40.0/24,192.168.50.0/24
(3) This needs to be set to Managed
/tool mac-server mac-winbox
set allowed-interface-list=LAN
(4) Your source list allowed to router is not needed. That is what you have the interface list "Managed" for!!!
From
add action=accept chain=input comment="Allow ADMIN to Router" \
    in-interface-list=LAN src-address-list=allowed_to_router
should be:
add action=accept chain=input comment="Allow ADMIN to Router" in-interface-list=Manage
[ src-address-list=IP , SHOULD BE FOR SPECIFIC IPs if necessary, if you want to narrow it down to Admin PC, Laptop, IPAD, Smartphone, Laptop IP for accessing wlan3 ]
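A way to check an exported configuration against the points in the reply above, as an added example that is not part of either post: a small Python audit that reads RouterOS export text and reports management-plane settings not tied to the admin interface list. The two sample exports are constructed, the function names are hypothetical, and the list name `Manage` follows the reply's list members and firewall rule.

```python
import shlex
# Constructed RouterOS-export-style samples (not from a real router); the
# list name "Manage" is assumed from the reply's list members and rule.
BEFORE = r'''
/interface list member
add interface=ether5 list=LAN
/ip service
set winbox address=192.168.88.0/24,192.168.40.0/24
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/ip firewall filter
add action=accept chain=input comment="Allow ADMIN to Router" \
    in-interface-list=LAN src-address-list=allowed_to_router
'''
AFTER = r'''
/interface list member
add interface=wlan3 list=Manage
/ip service
set winbox address=192.168.88.0/24,192.168.40.0/24,192.168.50.0/24
/tool mac-server mac-winbox
set allowed-interface-list=Manage
/ip firewall filter
add action=accept chain=input comment="Allow ADMIN to Router" in-interface-list=Manage
'''

def parse_export(text):
    """Return (menu, bare words, key=value params) for each command line."""
    menu, out = None, []
    for line in map(str.strip, text.replace("\\\n", " ").splitlines()):  # join continuations
        if line.startswith("/"):
            menu = line
        elif line and not line.startswith("#"):
            toks = shlex.split(line)[1:]  # drop the verb (add/set)
            out.append((menu, [t for t in toks if "=" not in t],
                        dict(t.split("=", 1) for t in toks if "=" in t)))
    return out

def audit(text, mgmt="Manage"):
    """List management-plane settings not tied to the `mgmt` interface list."""
    cmds, found = parse_export(text), []
    if not any(m == "/interface list member" and p.get("list") == mgmt for m, w, p in cmds):
        found.append(f"interface list {mgmt} has no members")
    if not any(m == "/ip service" and "winbox" in w and p.get("address") for m, w, p in cmds):
        found.append("winbox service has no address= restriction")
    mac = [p.get("allowed-interface-list") for m, w, p in cmds if m == "/tool mac-server mac-winbox"]
    if mac != [mgmt]:
        found.append(f"mac-winbox allowed-interface-list is {mac or 'unset'}, expected {mgmt}")
    if not any(m == "/ip firewall filter" and p.get("chain") == "input" and p.get("action") == "accept"
               and p.get("in-interface-list") == mgmt for m, w, p in cmds):
        found.append(f"no input accept rule with in-interface-list={mgmt}")
    return found
```

`audit(BEFORE)` reports the missing list members, the mac-winbox setting still on LAN, and the input rule keyed on LAN; `audit(AFTER)` returns an empty list.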