Skip to main content
Version: current

MAC server

The MAC server section allows you to configure MAC Telnet Server, MAC WinBox Server and MAC Ping Server on a RouterOS device.

MAC Telnet is used to provide access to a router that has no IP address set. It works just like IP telnet. MAC telnet is possible between two MikroTik RouterOS routers only.

MAC WinBox is used to provide WinBox access to the router via MAC address.

MAC Ping is used to allow MAC pings to the router's MAC address.

info

MAC-server settings are included in the "system" package.

MAC Telnet Server

It is possible to set MAC Telnet access to specific interfaces that are a part of the interface list:

[admin@device] /tool/mac-server/set allowed-interface-list=listBridge
[admin@device] /tool/mac-server/print
  allowed-interface-list: listBridge

In the example above, MAC Telnet is configured for the interface list "listBridge" and, as a result, MAC Telnet will only work via the interfaces that are members of the list (you can add multiple interfaces to the list).

To disable MAC Telnet access, issue the command (set "allowed-interface-list" to "none"):

[admin@device] /tool/mac-server/set allowed-interface-list=none
[admin@device] /tool/mac-server/print
  allowed-interface-list: none

You can check active MAC Telnet sessions (that the device accepted) with the command:

[admin@device] > /tool/mac-server/sessions/print
Columns: INTERFACE, SRC-ADDRESS, UPTIME
#  INTERFACE  SRC-ADDRESS        UPTIME
0  ether5     64:D1:54:FB:E3:E6  17s

MAC Telnet Client

When MAC Telnet Server is enabled, you can use another RouterOS device to connect to the server using the mac-telnet client:

[admin@device2] > tool mac-telnet B8:69:F4:7F:F2:E7    
Login: admin
Password: 
Trying B8:69:F4:7F:F2:E7...
Connected to B8:69:F4:7F:F2:E7




  MMM      MMM       KKK                          TTTTTTTTTTT      KKK
  MMMM    MMMM       KKK                          TTTTTTTTTTT      KKK
  MMM MMMM MMM  III  KKK  KKK  RRRRRR     OOOOOO      TTT     III  KKK  KKK
  MMM  MM  MMM  III  KKKKK     RRR  RRR  OOO  OOO     TTT     III  KKKKK
  MMM      MMM  III  KKK KKK   RRRRRR    OOO  OOO     TTT     III  KKK KKK
  MMM      MMM  III  KKK  KKK  RRR  RRR   OOOOOO      TTT     III  KKK  KKK

  MikroTik RouterOS 7.1rc3 (c) 1999-2021       https://www.mikrotik.com/

Press F1 for help
  
[admin@device] >

Change the MAC address according to your setup and you should get into the server's CLI (as shown in the example above).

info

By default, a MAC Telnet client attempts to reach the destination through all active interfaces. This can generate unwanted traffic. To restrict a MAC Telnet client to a specific interface, use the interface property (available since RouterOS v7.22). For example: /tool/mac-telnet 00:11:22:33:44:55 interface=ether1

MAC Scan

The MAC scan feature discovers all devices that support MAC telnet protocol on the given network. The command requires you to select an interface that should be scanned:

[admin@Sw_Denissm] > /tool/mac-scan interface=all           
MAC-ADDRESS       ADDRESS                AGE
B8:69:F4:7F:F2:E7 192.168.69.1            26
2C:C8:1B:FD:F2:C3 192.168.69.3            56

In the example above, all interfaces are chosen, and the scan will run infinitely unless stopped (by pressing "q").

You can also add a "duration" parameter that will dictate how long the scan should go on:

[admin@Sw_Denissm] > /tool/mac-scan interface=all duration=1
MAC-ADDRESS       ADDRESS                AGE
B8:69:F4:7F:F2:E7 192.168.69.1            48
2C:C8:1B:FD:F2:C3 192.168.69.3            17

In the example above, we set the "duration" parameter to 1 second.

MAC WinBox Server

Same as with MAC Telnet, it is possible to set MAC WinBox access to specific interfaces that are a part of the interface list:

[admin@device] > /tool/mac-server/mac-winbox/set allowed-interface-list=listBridge 
[admin@device] > /tool/mac-server/mac-winbox/print                   
  allowed-interface-list: listBridge

In the example above, MAC WinBox access is configured for the interface list "listBridge" and, as a result, MAC WinBox will only work via the interfaces that are members of the list.

To disable MAC WinBox access, issue the command (set "allowed-interface-list" to "none"):

[admin@device] > /tool/mac-server/mac-winbox/set allowed-interface-list=none
[admin@device] > tool mac-server mac-winbox print                   
  allowed-interface-list: none

MAC Ping Server

MAC Ping Server can be set to either "disabled" or "enabled":

[admin@device] > /tool/mac-server/ping/print
  enabled: yes

You can enable or disable MAC ping with the help of the commands (enable=yes → to enable the feature; enable=no → to disable the feature):

[admin@device] > /tool/mac-server/ping/set enabled=yes
[admin@device] > /tool/mac-server/ping/set enabled=no

When MAC Ping is enabled, other hosts on the same broadcast domain can use the ping tool to ping the mac address. For example, you can issue the following command to check MAC ping results:

[admin@device] > /ping 00:0C:42:72:A1:B0
HOST                                    SIZE  TTL TIME  STATUS                                         
00:0C:42:72:A1:B0                       56        0ms  
00:0C:42:72:A1:B0                       56        0ms  
    sent=2 received=2 packet-loss=0% min-rtt=0ms avg-rtt=0ms max-rtt=0ms
warning

If you disable the MAC server ping feature, the host's ARP ping functionality will also be disabled.

info

By default, a MAC ping attempts to reach the destination through all active interfaces. This can generate unwanted traffic and duplicate replies if the destination is reachable via multiple interfaces. To restrict a MAC ping to a specific interface, use the interface selector (append % followed by the interface name to the MAC address). For example: /ping 00:11:22:33:44:55%ether1