My network is set up such that you can connect to other routers only via Gateway Router, either via SSH-forwarding or via RoMON. On routers only the SSH IP service is enabled, and the /user is only allowed from the Gateway Router IP that belongs to a dedicated VLAN subnet.
Despite the Winbox IP service being disabled and user being disallowed by source address, you can still use the app and pretty much everything: /user/active report that the connection is "by-romon". But when you press the Terminal button, the login will be refused unless the /user record is modified to allow PC's address.
What confuses me is that while both Winbox and in-Winbox Terminal session appear to be carried by RoMON, i.e. complete IP firewall bypass, the latter attempts to enforce IP address restriction while simultaneously disregarding IP services restriction.
I did not use RoMON before, was it always like this?