ok ok i found
your firewall now just allow the established connection from the world this means bidirectional connection will start when request just started from your lan
enter this codes in terminal:
/ip firewall filter
add action=accept chain=input disabled=no dst-port=22 protocol=tcp place-before=3
add action=accept chain=input disabled=no dst-port=80 protocol=tcp place-before=3
add action=accept chain=input disabled=no dst-port=8291 protocol=tcp place-before=3
This rules will open only http and ssh and winbox ports of your router to the world.