kakana
just joined
Topic Author
Posts: 9
Joined: Fri Mar 04, 2022 1:12 pm

Local link connection on ROS 7.1.5 bypasses restrictions

Thu May 26, 2022 11:53 pm

I noticed that I am able to connect to Mikrotik hAP AC2 via winbox when using local link connection on Linux despite setting user address, winbox address and mac-winbox for a specific interface. In particular, I set:
/user set [/user find where name="username"] address=192.168.0.0/24
/ip service set winbox address=192.168.0.0/24
/ip neighbor discovery-settings set discover-interface-list=MGMT
/tool mac-server set allowed-interface-list=MGMT
/tool mac-server mac-winbox set allowed-interface-list=MGMT

I thought that with these settings I would be able to access the server only when I am connected to the MGMT network. This is also how it used to work in ROS 7.1.3. However, to my surprise, using local connection on ROS 7.1.5 I can discover neighbour MAC address on Mikrotik as well as access the server using winbox. Is this a bug or has something changed in the meantime? How can I prevent local link connections from accessing the device?
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Local link connection on ROS 7.1.5 bypasses restrictions  [SOLVED]

Thu May 26, 2022 11:57 pm

Layer 3 Winbox service settings do not apply to Layer 2 MAC-winbox service, and vice-versa.
(Also, if the interface in the MGMT group is also on a bridge, all the interfaces on that bridge can access the device.)
 
kakana
just joined
Topic Author
Posts: 9
Joined: Fri Mar 04, 2022 1:12 pm

Re: Local link connection on ROS 7.1.5 bypasses restrictions

Fri May 27, 2022 12:16 am

Thanks for the information. I think that I will need to test my configuration a bit more as it seems to work a bit differently than I thought it did.
Apologies if your answer already covered it, but as I have been using Mikrotik for only a few months, I want to make sure that I understand you correctly.
So restricting a user and winbox to specific IP range as in the above example does not apply when I connect using MAC address?
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Local link connection on ROS 7.1.5 bypasses restrictions

Fri May 27, 2022 12:18 am

Yes.
It is like this, but not exactly:
Layer 1: physical interface
Layer 2: MAC address
Layer 3: IP Protocol
Layer 4: TCP
 
kakana
just joined
Topic Author
Posts: 9
Joined: Fri Mar 04, 2022 1:12 pm

Re: Local link connection on ROS 7.1.5 bypasses restrictions

Fri May 27, 2022 12:34 am

I see. Thank you for the clarification. At least now I know what is going on.
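
Added example, not part of the thread and not MikroTik code: a small Python audit that reads a RouterOS `/export` and reports the Layer 3 Winbox restriction and the Layer 2 MAC-Winbox restriction separately, expanding bridge membership as described in the reply above. The sample export, the function names, the unwrapped-line export format, and the treatment of an unset `allowed-interface-list` as `all` are assumptions.

```python
import shlex
from collections import defaultdict

# Constructed sample of RouterOS `/export` output (not from the thread).
SAMPLE_EXPORT = """\
/interface bridge
add name=bridge1
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
/interface list
add name=MGMT
/interface list member
add interface=bridge1 list=MGMT
/ip service
set winbox address=192.168.0.0/24
/tool mac-server mac-winbox
set allowed-interface-list=MGMT
"""

def parse_export(text):
    """Group each command's key=value pairs and bare words under its menu path."""
    menus, path = defaultdict(list), None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            path = line
            continue
        words = shlex.split(line)[1:]  # drop the verb (add/set)
        entry = {"_args": [w for w in words if "=" not in w]}
        entry.update(w.split("=", 1) for w in words if "=" in w)
        menus[path].append(entry)
    return menus

def audit_winbox(text):
    """Report the Layer 3 and Layer 2 Winbox restrictions separately."""
    m = parse_export(text)
    l3 = next((e.get("address") for e in m["/ip service"] if "winbox" in e["_args"]), None)
    mac = m["/tool mac-server mac-winbox"]
    # Assumption: an unset allowed-interface-list means the default "all".
    l2_list = mac[0].get("allowed-interface-list", "all") if mac else "all"
    members = {e["interface"] for e in m["/interface list member"] if e.get("list") == l2_list}
    port_bridge = {p["interface"]: p["bridge"] for p in m["/interface bridge port"]}
    ports = set()
    for iface in members:
        bridge = port_bridge.get(iface, iface)  # member is a bridge port or the bridge itself
        ports |= {p for p, b in port_bridge.items() if b == bridge} or {iface}
    return {"l3_winbox_address": l3 or "any",
            "l2_mac_winbox_list": l2_list,
            "l2_reachable_ports": sorted(ports) if l2_list != "all" else ["all"]}
```

On the sample, the IP restriction and the interface list come back as two independent results, and the single `MGMT` member `bridge1` expands to both `ether2` and `ether3`.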
