MAC Server Configuration
TL;DR (Quick Start)
For the impatient: restrict MAC access to LAN interfaces only for security.
/tool mac-server set allowed-interface-list=LAN
/tool mac-server mac-winbox set allowed-interface-list=LAN
/tool mac-server ping set enabled=no
Verify with:
/tool mac-server print
/tool mac-server mac-winbox print
Overview
What this does: MAC Server provides Layer 2 management access to RouterOS without requiring IP configuration. It includes MAC-Telnet (CLI), MAC-Winbox (GUI), and MAC Ping services. This is essential for initial router setup or recovery when IP connectivity is unavailable.
When to use this:
- Initial router configuration before IP is set
- Recovery when IP configuration is broken
- Accessing routers in unknown network state
- Emergency management access on trusted networks
Prerequisites:
- Direct Layer 2 connectivity (same broadcast domain)
- Winbox application (for MAC-Winbox)
- Another MikroTik router (for MAC-Telnet between routers)
MAC Server Services
| Service | Purpose | Access Method |
|---|---|---|
| MAC-Telnet | Command-line access | Another MikroTik or Linux client |
| MAC-Winbox | Graphical Winbox access | Winbox application |
| MAC Ping | Respond to MAC-level pings | MAC ping utility |
Configuration Steps
Step 1: Check Current Configuration
View current MAC server settings.
/tool mac-server print
/tool mac-server mac-winbox print
/tool mac-server ping print
Default output:
allowed-interface-list: all
By default, MAC access is enabled on all interfaces, including WAN.
Step 2: Create Management Interface List
Create an interface list for trusted management interfaces.
/interface list add name=MGMT
/interface list member add list=MGMT interface=bridge
Step 3: Restrict MAC-Telnet
Limit MAC-Telnet to management interfaces only.
/tool mac-server set allowed-interface-list=MGMT
Step 4: Restrict MAC-Winbox
Limit MAC-Winbox to management interfaces only.
/tool mac-server mac-winbox set allowed-interface-list=MGMT
Step 5: Disable MAC Ping (Optional)
Disable MAC ping responses for additional security.
/tool mac-server ping set enabled=no
Step 6: Verify Configuration
Confirm settings are applied.
/tool mac-server print
/tool mac-server mac-winbox print
Expected output:
allowed-interface-list: MGMT
Common Scenarios
Scenario: Use Default LAN List
Most default configurations include a "LAN" interface list:
/tool mac-server set allowed-interface-list=LAN
/tool mac-server mac-winbox set allowed-interface-list=LAN
Scenario: Disable MAC Access Completely
For maximum security in production environments:
/tool mac-server set allowed-interface-list=none
/tool mac-server mac-winbox set allowed-interface-list=none
/tool mac-server ping set enabled=no
Scenario: Allow on Specific Interfaces
Enable MAC access only on specific physical ports:
/interface list add name=mac-access
/interface list member add list=mac-access interface=ether1
/interface list member add list=mac-access interface=ether2
/tool mac-server set allowed-interface-list=mac-access
/tool mac-server mac-winbox set allowed-interface-list=mac-access
Scenario: Connect via MAC-Telnet
From another MikroTik router, connect using MAC address:
/tool mac-telnet B8:69:F4:7F:F2:E7
Specify interface (v7.22+):
/tool mac-telnet B8:69:F4:7F:F2:E7 interface=ether1
Scenario: Scan for MAC-Accessible Devices
Discover routers on the network:
/tool mac-scan ether1
Expected output:
MAC-ADDRESS        ADDRESS  AGE
B8:69:F4:7F:F2:E7  0.0.0.0  3
4C:5E:0C:12:34:56  0.0.0.0  5
Scenario: Connect via Winbox (MAC)
- Open Winbox
- Click "Neighbors" tab
- Select router by MAC address
- Enter credentials and click "Connect"
Verification
Check 1: Verify MAC-Telnet Settings
/tool mac-server print
Expected: Shows restricted allowed-interface-list.
Check 2: Verify MAC-Winbox Settings
/tool mac-server mac-winbox print
Expected: Shows restricted allowed-interface-list.
Check 3: Test MAC Connection
From Winbox Neighbors tab, verify router appears only when connected to allowed interface.
Troubleshooting
| Symptom | Cause | Solution |
|---|---|---|
| Cannot connect via MAC-Winbox | MAC-Winbox restricted | Check allowed-interface-list includes your interface |
| Router not in Winbox Neighbors | Different broadcast domain | Ensure Layer 2 connectivity (same VLAN/switch) |
| "Could not connect" error | Service disabled | Set allowed-interface-list to include interface |
| Windows can't find router | File and Print Sharing disabled | Enable in Windows network settings |
| MAC-Telnet works, Winbox doesn't | Different services | Configure both MAC-Telnet AND MAC-Winbox |
| Connection drops immediately | Version mismatch | Update Winbox and RouterOS |
| Multiple NICs cause issues | Wrong adapter used | Disable unused network adapters |
Security Considerations
- MAC access bypasses IP firewall - Layer 2 traffic is not filtered by /ip firewall
- Default enables on ALL interfaces - Including WAN, which is dangerous
- No IP-based access control - Any device on same L2 segment can attempt connection
- Always restrict to trusted interfaces - Never allow MAC access on public/WAN interfaces
- Consider disabling in production - Use IP-based access (SSH, Winbox over IP) instead
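An offline check for the exposure described above, added here as an example and not part of the original documentation: it reads the text of a RouterOS `/export` and reports MAC-Telnet, MAC-Winbox and MAC Ping settings that are still open. It assumes the untrusted ports are in an interface list named `WAN` and that lists are flat (no nested lists); `parse_export`, `audit` and `SAMPLE` are hypothetical names.

```python
import re

# Defaults per this page; a compact /export omits settings left at default.
DEFAULTS = {
    "/tool mac-server": {"allowed-interface-list": "all"},
    "/tool mac-server mac-winbox": {"allowed-interface-list": "all"},
    "/tool mac-server ping": {"enabled": "yes"},
}

def parse_export(text):
    """Return (mac-server settings per menu, interface list -> members)."""
    settings = {menu: dict(vals) for menu, vals in DEFAULTS.items()}
    members, menu = {}, None
    # Join lines that /export wrapped with a trailing backslash.
    for line in re.sub(r"\\\n\s*", "", text).splitlines():
        line = line.strip()
        kv = dict(re.findall(r"([\w-]+)=(\S+)", line))
        if line.startswith("/"):
            menu = line
        elif menu in settings and line.startswith("set"):
            settings[menu].update(kv)
        elif menu == "/interface list member" and line.startswith("add"):
            members.setdefault(kv["list"], set()).add(kv["interface"])
    return settings, members

def audit(text, untrusted_list="WAN"):
    """Return findings; untrusted_list is an assumed name for WAN-side ports."""
    settings, members = parse_export(text)
    untrusted = members.get(untrusted_list, set())
    findings = []
    for menu in ("/tool mac-server", "/tool mac-server mac-winbox"):
        allowed = settings[menu]["allowed-interface-list"]
        if allowed == "all":
            findings.append(f"{menu}: enabled on all interfaces")
        elif allowed != "none":
            exposed = sorted(members.get(allowed, set()) & untrusted)
            if exposed:
                findings.append(f"{menu}: list {allowed} includes {', '.join(exposed)}")
    if settings["/tool mac-server ping"]["enabled"] == "yes":
        findings.append("/tool mac-server ping: enabled")
    return findings

# Constructed sample: MAC-Telnet restricted, MAC-Winbox and MAC Ping at default.
SAMPLE = """/interface list member
add interface=ether1 list=WAN
add interface=bridge list=MGMT
/tool mac-server
set allowed-interface-list=MGMT
"""
print("\n".join(audit(SAMPLE)))
```

A section that is missing from the export is treated as still at its default, which is why the sample reports MAC-Winbox and MAC Ping even though neither appears in it.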
Related Topics
Management Access
- IP Services - IP-based management (SSH, WinBox, API)
- User Management - authentication for all access
- SSH - secure shell access
Network Discovery
- IP Neighbors - neighbor discovery protocols
- RoMON - remote management overlay network
Security
- Firewall Basics - protect management access
- Firewall Address Lists - restrict access by IP
Reference
Properties Reference
| Property | Type | Default | Description |
|---|---|---|---|
| allowed-interface-list | string | all | Interface list where service is enabled |
Special values:
- all - Service on all interfaces (insecure default)
- none - Service completely disabled
- listname - Service only on interfaces in specified list
MAC Ping Properties
| Property | Type | Default | Description |
|---|---|---|---|
| enabled | yes/no | yes | Enable MAC ping responses |
Command Reference
| Command | Description |
|---|---|
| /tool mac-server set | Configure MAC-Telnet server |
| /tool mac-server print | Show MAC-Telnet settings |
| /tool mac-server mac-winbox set | Configure MAC-Winbox server |
| /tool mac-server mac-winbox print | Show MAC-Winbox settings |
| /tool mac-server ping set | Configure MAC Ping |
| /tool mac-server ping print | Show MAC Ping settings |
| /tool mac-telnet <MAC> | Connect to remote router via MAC |
| /tool mac-scan <interface> | Scan for MAC-accessible devices |