Networking newbie and first time Mikrotik user here (CCR1009 7G).

During the initial firewall setup I created the following rule so only specific hosts are allowed to access the router:
Later, I changed the IP address of the computer from which I was running Winbox and forgot to update the "allowed_to_router" address list with the new IP. So I thought I locked myself out. Trying to access the router via the router IP indeed stopped working. However, I was surprised to find out that I could still connect to the router via its MAC address.

So can someone please kindly explain to me why the firewall rule above did not prevent me from connecting to the router by MAC address from an unauthorized host IP? Thanks!

I sincerely believe my post was approved at a timing where it was instantly pushed to the bottom of the list and thus getting no page views.
Your advice on this would be greatly appreciated!

When you connect by MAC address you are connecting via layer 2.
Your firewall works on layer 3.

When you connect by MAC address you are connecting via layer 2.
Your firewall works on layer 3.

Thanks. Just found that there is a separate Tools -> Mac Server setup where the Mac Winbox server can be controlled.

Out of curiosity: Is the RouterOS "router" operation system itself sitting at Layer 3 or Layer 2? Are there somehow two instances of them, one sitting behind Layer 3 and protected by firewall's INPUT chain, and another instance sitting on Layer 2 (the "MAC Winbox") just so that users can reach it via MAC?

Thanks.

As far as I am aware it is 1 operation which has multiple points of entry.

MAC Winbox has been a bit of a lifesaver when I've made a schoolboy error without using safe mode.

how to i change the below script to work with my wireless interface and not my enternet interface