RouterOS has included a tool that allows Layer 2 logins for well over a decade now. It is an absolutely invaluable set of tools: it allows a Layer 2 connection from a PC to the router via Winbox, or a Layer 2 connection from one MikroTik router to another via a Telnet-style session, called MAC-Winbox and MAC-Telnet respectively. By default this feature is turned on, with all interfaces able to accept the connections. There are times when, in the interest of security, this feature should either have some restrictions set (by limiting the interfaces on which it is available) or should be turned off altogether. Turning the MAC server off does not turn off MNDP (MikroTik Network Discovery Packets). That should be done under IP -> Neighbors or by using the firewall to block UDP port 5678. See the MAC Server setting below:
MAC_Telnet – Packet Capture File in .zip
MAC_Winbox – Packet Capture File in .zip
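The restrictions described above, written out as RouterOS CLI commands. This is an added example and not part of the original post; the interface name ether1 and the list name MGMT are assumptions, and the commands assume RouterOS 6.41 or later, where interface lists are available.

```routeros
# Added example (not from the original post): restrict Layer 2 management
# to a single management interface list. "ether1" and "MGMT" are assumed names.

# 1. Create an interface list that holds only the management port.
/interface list add name=MGMT comment="Layer 2 management access only"
/interface list member add list=MGMT interface=ether1

# 2. Limit MAC-Telnet and MAC-Winbox to that list.
#    Use allowed-interface-list=none to turn them off altogether.
/tool mac-server set allowed-interface-list=MGMT
/tool mac-server mac-winbox set allowed-interface-list=MGMT
/tool mac-server ping set enabled=no

# 3. The MAC server setting does not affect MNDP; restrict neighbor
#    discovery separately (this is the IP -> Neighbors setting in Winbox).
/ip neighbor discovery-settings set discover-interface-list=MGMT

# 4. Firewall: drop MNDP (UDP 5678) arriving on any interface that is not
#    in the management list.
/ip firewall filter add chain=input protocol=udp dst-port=5678 \
    in-interface-list=!MGMT action=drop \
    comment="Drop MNDP from non-management interfaces"

# 5. Verify the resulting state.
/tool mac-server print
/tool mac-server mac-winbox print
/ip neighbor discovery-settings print
/ip firewall filter print where dst-port=5678
```

After applying this, a MAC-Winbox or MAC-Telnet attempt on a non-MGMT port should fail, and the router should neither send nor accept MNDP on those ports.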
Hope you enjoyed this tutorial! If you have any questions or insights, please add a comment below.
Hi,
“That should be done under IP -> Neighbors or by using the firewall to block UDP port 5678.”
Could you share a rule that would allow MNDP to only certain IPs or address lists? I only want my mgmt PC to see the traffic.
Should this be in the output chain since the broadcasts are generated by the router?