Access List

January 22nd 2018 | RouterOS

Sub-menu: /interface wireless access-list

Access list is used by access point to restrict allowed connections from other devices, and to control connection parameters.


  • Access list rules are checked sequentially.
  • Disabled rules are always ignored.
  • Only the first matching rule is applied.
  • If there are no matching rules for the remote connection, then the default values from the wireless interface configuration are used.
  • If remote device is matched by rule that has authentication=no value, the connection from that remote device is rejected.

Warning: If there is no entry in ACL about client which connects to AP (wireless,debug wlan2: A0:0B:BA:D7:4D:B2 not in local ACL, by default accept), then ACL for this client is ignored during all connection time.


Change MSS

December 25th 2017 | RouterOS

It is a well known fact that VPN links have smaller packet size due to encapsulation overhead. A large packet with MSS that exceeds the MSS of the VPN link should be fragmented prior to sending it via that kind of connection. However, if the packet has DF flag set, it cannot be fragmented and should be discarded. On links that have broken path MTU discovery (PMTUD) it may lead to a number of problems, including problems with FTP and HTTP data transfer and e-mail services.

In case of link with broken PMTUD, a decrease of the MSS of the packets coming through the VPN link solves the problem. The following example demonstrates how to decrease the MSS value via mangle:

/ip firewall mangle 
add out-interface=pppoe-out protocol=tcp tcp-flags=syn action=change-mss new-mss=1300 chain=forward tcp-mss=1301-65535