MAC Server & MAC Ping

     RouterOS has included a tool to allow Layer 2 logins for well over a decade now. Its an absolutely invaluable set of tools that allows a Layer 2 connection from a PC to the router via Winbox or a Layer 2 connection from one MikroTik router to another MikroTik router via a type of Telnet session called MAC-Winbox and MAC-Telnet respectively. By default, this feature is turned on with all interfaces able to accept the connections. There are times, when in the interest of security, this feature should either have some restrictions set (by limiting the interfaces that it is available on) or should be turned off all together. Turning the MAC server off does not turn off the MNDP (MikroTik Network Discovery Packets). That should be done under IP -> Neighbors or by using the firewall to block UDP port 5678. See the MAC Server setting below:


MAC Server_1

MAC Server_2

MAC Server_3

MAC Server_4

MAC Server_5


MAC Server_6




MAC_Telent – Packet Capture File in .zip

MAC_Winbox – Packet Capture File in .zip

Hope you enjoyed this tutorial! If you have any questions or insights, please add a comment below.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

One thought on “MAC Server & MAC Ping

  • Tom

    “That should be done under IP -> Neighbors or by using the firewall to block UDP port 5678.”

    Could you share a rule that would allow MNDP to only certain IPs or address lists? I only want my mgmt PC to see the traffic.

    Should this be in the output chain since the broadcasts are generated by the router?