This is not a problem as such right now but a question of developing my understanding and potentially avoiding taking an action which will leave me un-bricking my router

I can put IP various IP addresses on my initial default bridge and I can access the Web Admin interface via any of these addresses. But when I put a second bridge on the router eg for wifi guest network, I can't access the Web Admin interface via an IP address on that bridge. It is clear to me that it is right that this should be so. What is not clear to me is WHY I can access the Web Admin interface on the initial default bridge.

Is this bridge a 'special' bridge, which is the only one able to access Web Admin?
Or is there a setting which enables and disables the Web Admin on a bridge?
Would it be possible to put a 'bridge' to a single ethernet port and enable the Web Admin to that bridge and ethernet alone?
Or does it not work like that at all?

Can someone explain please?

===========================================================================================
RESOLVED

If you add a bridge of your own, and put an IP address on it, Web Admin is available on that IP address by default. Access can be prevented by:

• firewall rules for !LAN for any bridge not on the LAN [despite routing not being required from a terminal connected and IP'd on that bridge, which surprises me]
• firewall rules preventing access from the bridge not on the LAN to addresses on the LAN
• Service rules preventing access to Web Admin from addresses in the range of the new bridge.
• Other similar

Thanks to all for the help

There are different possibile settings in different areas of a configuration that may allow (or prevent) connection.
These settings may be linked to the interface (self-standing) or to the bridge, to their belonging (or not belonging) to an interface list, to firewall nat or filters/rules (that can be both be applied to interfaces, interface lists and IP addresses or ranges)
If you post your test configuration it may be possibile to highlight which settings you are missing (typically needed to allow connection) or have in excess (typically preventing connection).
Without a practical example it would be next to impossible to list all the various settings (or lack of them) that may affect the connection via Winbox or Webfig.
Besides and before the above, unless really-really needed the general advice is to avoid having more than one bridge on a same device as in most cases such a configuration worsens the performance (speed) of the device.

Thanks for replying, jaclaz. To be really clear, I have a setup which is doing exactly what I want, even though I have 2 bridges on one device. There is nothing which needs changing. I don't want access to Web Admin on the bridge which does not have it. All I want is to understand WHY the 1st bridge gives access, but the 2nd does not. This is just to record in my setup notes.

Yep, but then it becomes a guessing game.
Without knowing what you have done, it is difficult to say what you missed or overdid.
Anyway, my money is on the second bridge not being in the LAN interface list and a firewall rule blocking interface-list=!LAN.
(but it is rare that I win this kind of bets)

Guessing is a waste of time, get facts!

Oww, come on, sometimes it is just fun, not productive, but also not wasted time.

Well, thanks for the help so far. I am assuming from your answer that the web admin SHOULD be available on any bridge and that I have done something to prevent it. If you can confirm that, it takes me some way towards my goal. I am not looking for a fix, because it is working as I want. I am looking to understand.

Guessing is a waste of time, get facts!

I am not asking anyone to fix anything. I am not wanting anyone to go through my config because this is not a bug hunt. It works as I want it to work. I just want to understand PRINCIPLES. The principles are from knowledge and understanding of RouterOS, surely? If the answer to this is that a second bridge does not have access to the web admin, that is problem solved. If the answer is that it should have access, then maybe we go looking into the config.

My guess here is the default firewall has !LAN rule (under /ip/firewall/filter). So if the 2nd bridge interface is not added to the list=LAN under /interface/list, the firewall will block traffic.

But if you do an "export file=myconfig" and post your config, it be clear. But "2nd bridge" should be able to access the default web interface, generally speaking. Only two things that stop it from working:
1. firewall rules are blocking (or misconfigured)
2. under /ip/service the "www" or "www-ssl" have some IP restrictions set

2nd bridge" should be able to access the default web interface, generally speaking. Only two things that stop it from working:
1. firewall rules are blocking (or misconfigured)
2. under /ip/service the "www" or "www-ssl" have some IP restrictions set

Thanks. That is an answer at the level I was hoping for. I found it not working at the outset and I have gone on to apply 1 and 2. I don't want to undo the config to post a 'clean' example and there is nothing I want fixing.

Well, thanks for the help so far. I am assuming from your answer that the web admin SHOULD be available on any bridge and that I have done something to prevent it. If you can confirm that, it takes me some way towards my goal. I am not looking for a fix, because it is working as I want. I am looking to understand.

Well, we now have a second bet on the same possible cause by a much more experienced member.
If these guesses are correct, strictly speaking it was not you doing something "wrong" it was you omitting to do something "right".
The general "default" configuration of a Mikrotik device as a router is with an interface (usually ether1) intended to be connected to a ISP router or to another router (WAN or "outside") and all the other interfaces joined in a bridge (LAN or "inside").
Then there are settings preventing access to the device administration from anything that is not part of the LAN interface list, this is a basic security setting, to prevent access to the settings from the internet.
What you probably did was to remove two or more interface from the first bridge (bridge1) and add them to a new bridge (bridge2), without adding the bridge2 to the interface-list "LAN".
This way a firewall rule with interface-list=!LAN will apply to anything but bridge1, i.e. to ether1 which is WAN and to bridge2 which is "undefined" and thus not LAN.
Still, only a guess.

If these guesses are correct, strictly speaking it was not you doing something "wrong" it was you omitting to do something "right".

We are not on a bug hunt. I have done nothing wrong nor have I omitted to do anything right. It is working as I want it to work. It is solely a question of understanding why.

For the record, interfaces ether1-4, wlan1-2 are LAN on LAN.Bridge, interfaces G.wlan1-2 and ether 5 are G.LAN on G.LAN.Bridge. The interfaces are assigned to their respective bridges. The bridges are assigned to their respective interfaces. There is no scope in interface lists to assign anything other than bridges or groupings such as 'static' or 'dynamic' to a list. There is no WAN interface because there is no WAN. The LAN bridge on this router is an extension of the LAN interface on another router which has the WAN interface. There is only basic routing between LAN and G.LAN.

Any way, now resolved, thanks. See edit to first post.

If there is routing, it is anyway - conceptually - a LAN and a WAN (you can think at them as left and right, up and down or north and south or before and after the device, instead of inside and outside), even if both are LAN's, and if there is routing, then the firewall rules will have effect.
The naming commonly used is - if not unfortunate - a bit deceiving.

To your first post --> https://help.mikrotik.com/docs/display/ROS/MAC+server

Since there is no problem or issue you need rectified but are seeking knowledge. Suggest start by reading the appropriate documentation applicable to your area of interest. - https://help.mikrotik.com/docs/display/ROS/RouterOS.
A good place to start - https://help.mikrotik.com/docs/display/ ... n+RouterOS
Although dated MUM conferences are still a valuable resource.
Also
https://www.amazon.ca/Theory-laboratori ... C91&sr=8-5
https://www.amazon.ca/MikroTik-Scriptin ... C91&sr=8-1
https://www.amazon.ca/Routeros-Example- ... 91&sr=8-24

etc...

If there is routing, it is anyway - conceptually - a LAN and a WAN (you can think at them as left and right, up and down or north and south or before and after the device, instead of inside and outside), even if both are LAN's, and if there is routing, then the firewall rules will have effect.
The naming commonly used is - if not unfortunate - a bit deceiving.

As the setup on this router is that the main bridge is connected at layer 2 into the LAN of the main router, it doesn't sit right to call anything on the router in question "the WAN", although I can see where you are coming from

A good place to start - https://help.mikrotik.com/docs/display/ ... n+RouterOS

Thanks, that one looks very interesting. I have had a general trawl around but not found it.