
MAC Server Security

RouterOS provides Layer 2 management access through its MAC server subsystem. Three services expose management over MAC (no IP address needed): MAC-Telnet, MAC-Winbox, and MAC-Ping. The built-in defaults are allowed-interface-list=all for MAC-Telnet and MAC-Winbox and enabled=yes for MAC-Ping, so a router with no restricting configuration answers all three on every interface, including untrusted ones. The factory default configuration script on many home and SOHO models narrows the first two to the LAN interface list, but routers reset with no-defaults, CHR instances, and hand-built configurations get no such protection. On production routers this exposure is rarely necessary and significantly widens the attack surface.

/tool mac-server
/tool mac-server mac-winbox
/tool mac-server ping

MAC-based management operates at Layer 2 — the management workstation must be in the same broadcast domain as the router interface. It bypasses the IP stack entirely, which means:

  • No IP address is required on either side
  • Standard IP-layer firewall rules (/ip firewall filter) do not apply
  • Any device bridged into the same L2 segment can attempt MAC-level management

This makes MAC access useful for recovery on factory-fresh or misconfigured routers, but dangerous when left enabled on WAN, guest, or other untrusted segments.

Service      Sub-menu                      Default          Purpose
MAC-Telnet   /tool mac-server              all interfaces   CLI access over L2
MAC-Winbox   /tool mac-server mac-winbox   all interfaces   Winbox GUI over L2
MAC-Ping     /tool mac-server ping         enabled          Respond to MAC pings

The recommended approach is to restrict MAC services to a named interface list containing only your trusted management interfaces. This preserves MAC-level access for recovery scenarios while blocking it from untrusted segments.

Step 1 — Create a management interface list

/interface list add name=MGMT
/interface list member add list=MGMT interface=bridge-lan

Add any additional trusted management interfaces or VLANs. Populate the list before pointing the MAC services at it: an interface list with no members behaves like none, so restricting to an empty MGMT list silently removes all L2 access:

/interface list member add list=MGMT interface=vlan99-mgmt

Step 2 — Restrict MAC-Winbox

/tool mac-server mac-winbox set allowed-interface-list=MGMT

Step 3 — Restrict MAC-Telnet

/tool mac-server set allowed-interface-list=MGMT

Step 4 — Disable MAC-Ping

MAC-Ping is rarely needed and allows host discovery. Disable it unless you have a specific operational requirement:

/tool mac-server ping set enabled=no

On routers managed exclusively over IP (SSH, Winbox via TCP, HTTPS), there is no operational need for MAC-level access. Disable all three services:

/tool mac-server set allowed-interface-list=none
/tool mac-server mac-winbox set allowed-interface-list=none
/tool mac-server ping set enabled=no

Setting allowed-interface-list=none removes all interfaces from the allowlist, effectively disabling the service without a separate disabled flag.

Disabling MAC access entirely means you cannot recover management access via MAC-Telnet or a MAC-address Winbox connection if you lose IP connectivity. Ensure out-of-band access (serial console, physical access) is available before disabling. Note that the Neighbors list in Winbox is fed by neighbor discovery (MNDP/CDP/LLDP), which is configured separately under /ip neighbor discovery-settings; restrict it to the same list (discover-interface-list=MGMT) so untrusted segments cannot enumerate the router. Restricting discovery does not block MAC connections, and restricting the MAC services does not stop the router from announcing itself, so both need to be set.

/tool mac-server print
/tool mac-server mac-winbox print
/tool mac-server ping print

Expected output after hardening to MGMT list:

/tool mac-server> print
allowed-interface-list: MGMT
/tool mac-server/mac-winbox> print
allowed-interface-list: MGMT
/tool mac-server/ping> print
enabled: no

Check the interface list membership:

/interface list member print where list=MGMT
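The four hardening steps and the verification above can be folded into one RouterOS script that audits the current state against the MGMT policy, refuses to lock the router down to an empty list, and optionally applies the fixes. This is an added example, not code from the original page or from MikroTik; it assumes RouterOS v7 scripting, the list name MGMT, and an illustrative remediate flag, and it also checks neighbor discovery, which the page notes is configured separately.

```routeros
# Added example (not from the original page): audit MAC-Telnet, MAC-Winbox,
# MAC-Ping and neighbor discovery against a trusted interface list, and
# optionally remediate. Assumes RouterOS v7 scripting. The list name MGMT
# and the remediate flag are illustrative assumptions.
:local mgmtList "MGMT"
:local remediate false

# An interface list with no members behaves like "none", so never point the
# MAC services at a missing or empty list: that would strand L2 recovery.
:if ([:len [/interface list find name=$mgmtList]] = 0) do={
    :error "interface list $mgmtList does not exist"
}
:if ([:len [/interface list member find list=$mgmtList]] = 0) do={
    :error "interface list $mgmtList has no members, refusing to restrict"
}

:local telnetList [/tool mac-server get allowed-interface-list]
:local winboxList [/tool mac-server mac-winbox get allowed-interface-list]
:local pingOn [/tool mac-server ping get enabled]
:local discList [/ip neighbor discovery-settings get discover-interface-list]
:local findings 0

# Policy: each service is either restricted to MGMT or fully off (none).
:if ($telnetList != $mgmtList && $telnetList != "none") do={
    :set findings ($findings + 1)
    :log warning "MAC-Telnet allowed on '$telnetList', expected $mgmtList or none"
    :if ($remediate) do={ /tool mac-server set allowed-interface-list=$mgmtList }
}
:if ($winboxList != $mgmtList && $winboxList != "none") do={
    :set findings ($findings + 1)
    :log warning "MAC-Winbox allowed on '$winboxList', expected $mgmtList or none"
    :if ($remediate) do={ /tool mac-server mac-winbox set allowed-interface-list=$mgmtList }
}
:if ($pingOn) do={
    :set findings ($findings + 1)
    :log warning "MAC-Ping is enabled"
    :if ($remediate) do={ /tool mac-server ping set enabled=no }
}
:if ($discList != $mgmtList && $discList != "none") do={
    :set findings ($findings + 1)
    :log warning "Neighbor discovery answers on '$discList', expected $mgmtList or none"
    :if ($remediate) do={ /ip neighbor discovery-settings set discover-interface-list=$mgmtList }
}

:if ($findings = 0) do={
    :log info "MAC server audit: no findings"
} else={
    :log warning "MAC server audit: $findings finding(s)"
}
```

Load it as a script (/system script add name=mac-audit source=...) or run it once with /import, and check /log for the findings. Leave remediate false for a read-only audit, for example from /system scheduler, and set it true only when applying the hardening on a router where you have confirmed out-of-band access.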

MAC-level restrictions are a separate layer from /ip service address restrictions and firewall rules. A fully hardened router applies both:

Layer                Mechanism                            Scope
Layer 2              /tool mac-server interface lists     Restricts MAC-based management by interface
Layer 3 (service)    /ip service set winbox address=...   Restricts IP-based Winbox by source IP
Layer 3 (firewall)   /ip firewall filter input chain      Drops packets before service processing

See IP Services Hardening for the full Layer 3 hardening workflow including SSH key authentication, port restrictions, and TLS configuration.

# Disable MAC access from all interfaces (IP-managed router)
/tool mac-server set allowed-interface-list=none
/tool mac-server mac-winbox set allowed-interface-list=none
/tool mac-server ping set enabled=no
# If MAC access is needed for local recovery, restrict to trusted L2 segment
# /interface list add name=MGMT
# /interface list member add list=MGMT interface=bridge-lan
# /tool mac-server set allowed-interface-list=MGMT
# /tool mac-server mac-winbox set allowed-interface-list=MGMT