MAC Server Configuration
TL;DR (Quick Start)
For the impatient: restrict MAC access to LAN interfaces only for security.
```
/tool mac-server set allowed-interface-list=LAN
/tool mac-server mac-winbox set allowed-interface-list=LAN
/tool mac-server ping set enabled=no
```
Verify with:
```
/tool mac-server print
/tool mac-server mac-winbox print
```
Overview
What this does: MAC Server provides Layer 2 management access to RouterOS without requiring IP configuration. It includes MAC-Telnet (CLI), MAC-Winbox (GUI), and MAC Ping services. This is essential for initial router setup or recovery when IP connectivity is unavailable.
When to use this:
- Initial router configuration before IP is set
- Recovery when IP configuration is broken
- Accessing routers in unknown network state
- Emergency management access on trusted networks
Prerequisites:
- Direct Layer 2 connectivity (same broadcast domain)
- Winbox application (for MAC-Winbox)
- Another MikroTik router (for MAC-Telnet between routers)
MAC Server Services
| Service | Purpose | Access Method |
|---|---|---|
| MAC-Telnet | Command-line access | Another MikroTik or Linux client |
| MAC-Winbox | Graphical Winbox access | Winbox application |
| MAC Ping | Respond to MAC-level pings | MAC ping utility |
Configuration Steps
Step 1: Check Current Configuration
View current MAC server settings.
```
/tool mac-server print
/tool mac-server mac-winbox print
/tool mac-server ping print
```
Default output:
```
allowed-interface-list: all
```
By default, MAC access is enabled on all interfaces, including WAN.
Step 2: Create Management Interface List
Create an interface list for trusted management interfaces.
```
/interface list add name=MGMT
/interface list member add list=MGMT interface=bridge
```
Step 3: Restrict MAC-Telnet
Limit MAC-Telnet to management interfaces only.
```
/tool mac-server set allowed-interface-list=MGMT
```
Step 4: Restrict MAC-Winbox
Limit MAC-Winbox to management interfaces only.
```
/tool mac-server mac-winbox set allowed-interface-list=MGMT
```
Step 5: Disable MAC Ping (Optional)
Disable MAC ping responses for additional security.
```
/tool mac-server ping set enabled=no
```
Step 6: Verify Configuration
Confirm settings are applied.
```
/tool mac-server print
/tool mac-server mac-winbox print
```
Expected output:
```
allowed-interface-list: MGMT
```
Common Scenarios
Scenario: Use Default LAN List
Most default configurations include a “LAN” interface list:
```
/tool mac-server set allowed-interface-list=LAN
/tool mac-server mac-winbox set allowed-interface-list=LAN
```
Scenario: Disable MAC Access Completely
For maximum security in production environments:
```
/tool mac-server set allowed-interface-list=none
/tool mac-server mac-winbox set allowed-interface-list=none
/tool mac-server ping set enabled=no
```
Scenario: Allow on Specific Interfaces
Enable MAC access only on specific physical ports:
```
/interface list add name=mac-access
/interface list member add list=mac-access interface=ether1
/interface list member add list=mac-access interface=ether2

/tool mac-server set allowed-interface-list=mac-access
/tool mac-server mac-winbox set allowed-interface-list=mac-access
```
Scenario: Connect via MAC-Telnet
From another MikroTik router, connect using MAC address:
```
/tool mac-telnet B8:69:F4:7F:F2:E7
```
Specify interface (v7.22+):
```
/tool mac-telnet B8:69:F4:7F:F2:E7 interface=ether1
```
Scenario: Scan for MAC-Accessible Devices
Discover routers on the network:
```
/tool mac-scan ether1
```
Expected output:
```
MAC-ADDRESS        ADDRESS  AGE
B8:69:F4:7F:F2:E7  0.0.0.0  3
4C:5E:0C:12:34:56  0.0.0.0  5
```
Scenario: Connect via Winbox (MAC)
- Open Winbox
- Click “Neighbors” tab
- Select router by MAC address
- Enter credentials and click “Connect”
Verification
Check 1: Verify MAC-Telnet Settings
```
/tool mac-server print
```
Expected: Shows restricted allowed-interface-list.
Check 2: Verify MAC-Winbox Settings
```
/tool mac-server mac-winbox print
```
Expected: Shows restricted allowed-interface-list.
Check 3: Test MAC Connection
From Winbox Neighbors tab, verify router appears only when connected to allowed interface.
Troubleshooting
| Symptom | Cause | Solution |
|---|---|---|
| Cannot connect via MAC-Winbox | MAC-Winbox restricted | Check allowed-interface-list includes your interface |
| Router not in Winbox Neighbors | Different broadcast domain | Ensure Layer 2 connectivity (same VLAN/switch) |
| “Could not connect” error | Service disabled | Set allowed-interface-list to include interface |
| Windows can’t find router | File and Print Sharing disabled | Enable in Windows network settings |
| MAC-Telnet works, Winbox doesn’t | Different services | Configure both MAC-Telnet AND MAC-Winbox |
| Connection drops immediately | Version mismatch | Update Winbox and RouterOS |
| Multiple NICs cause issues | Wrong adapter used | Disable unused network adapters |
Security Considerations
- MAC access bypasses IP firewall - Layer 2 traffic is not filtered by /ip firewall
- Default enables on ALL interfaces - Including WAN, which is dangerous
- No IP-based access control - Any device on same L2 segment can attempt connection
- Always restrict to trusted interfaces - Never allow MAC access on public/WAN interfaces
- Consider disabling in production - Use IP-based access (SSH, Winbox over IP) instead
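An added example (not part of the original page or of MikroTik's tooling): a Python audit that applies the checks above offline to a saved non-verbose `/export`, including the case where a menu is missing from the export because it is still at its default. It assumes the WAN interface list is named `WAN`, one command per line, and the defaults from the Properties Reference (`all` and `yes`); the sample export is constructed.

```python
import shlex

# Constructed sample of a non-verbose RouterOS /export; menus left at defaults are omitted.
SAMPLE_EXPORT = """\
/interface list member
add interface=ether1 list=WAN
add interface=bridge list=MGMT
add interface=ether1 list=MGMT
/tool mac-server
set allowed-interface-list=MGMT
/tool mac-server mac-winbox
set allowed-interface-list=all
"""

def parse_export(text):
    """Map each menu path to its (verb, {key: value}) entries; one command per line."""
    menus, path = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("/"):
            path = line
        elif line and not line.startswith("#"):
            verb, *args = shlex.split(line)
            menus.setdefault(path, []).append((verb, dict(a.split("=", 1) for a in args if "=" in a)))
    return menus

def setting(menus, path, key, default):
    """Last value set for key under path, or the documented default if absent."""
    for verb, kv in menus.get(path, []):
        if verb == "set":
            default = kv.get(key, default)
    return default

def audit(text, wan_list="WAN"):
    """Return findings for MAC-Telnet, MAC-Winbox and MAC Ping exposure."""
    menus, members = parse_export(text), {}
    for _, kv in menus.get("/interface list member", []):
        members.setdefault(kv.get("list"), set()).add(kv.get("interface"))
    findings = []
    for name, path in (("MAC-Telnet", "/tool mac-server"), ("MAC-Winbox", "/tool mac-server mac-winbox")):
        allowed = setting(menus, path, "allowed-interface-list", "all")
        exposed = sorted(members.get(allowed, set()) & members.get(wan_list, set()))
        if allowed == "all":
            findings.append(f"{name}: allowed on all interfaces")
        elif exposed:
            findings.append(f"{name}: list {allowed} contains WAN interface(s) {', '.join(exposed)}")
    if setting(menus, "/tool mac-server ping", "enabled", "yes") == "yes":
        findings.append("MAC Ping: enabled")
    return findings
```

Calling `audit(SAMPLE_EXPORT)` reports three findings: the MGMT list also contains the WAN port ether1, MAC-Winbox is set to `all`, and MAC Ping is still at its default.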
Related Topics
Management Access
- IP Services - IP-based management (SSH, WinBox, API)
- User Management - authentication for all access
- SSH - secure shell access
Network Discovery
- IP Neighbors - neighbor discovery protocols
- RoMON - remote management overlay network
Security
- Firewall Basics - protect management access
- Firewall Address Lists - restrict access by IP
Reference
Properties Reference
| Property | Type | Default | Description |
|---|---|---|---|
| allowed-interface-list | string | all | Interface list where service is enabled |
Special values:
- all - Service on all interfaces (insecure default)
- none - Service completely disabled
- listname - Service only on interfaces in specified list
MAC Ping Properties
| Property | Type | Default | Description |
|---|---|---|---|
| enabled | yes/no | yes | Enable MAC ping responses |
Command Reference
| Command | Description |
|---|---|
| /tool mac-server set | Configure MAC-Telnet server |
| /tool mac-server print | Show MAC-Telnet settings |
| /tool mac-server mac-winbox set | Configure MAC-Winbox server |
| /tool mac-server mac-winbox print | Show MAC-Winbox settings |
| /tool mac-server ping set | Configure MAC Ping |
| /tool mac-server ping print | Show MAC Ping settings |
| /tool mac-telnet <MAC> | Connect to remote router via MAC |
| /tool mac-scan <interface> | Scan for MAC-accessible devices |