Configuration to block users that try to access the router on non-open port(s)

I did test on a CHR router running 7.2rc3.
This has a set of default rules with NAT setup and ether1 as Wan IP.
The only rules that are added are those from this post, plus:
This one is disabled: add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
And some filter rules to ignore LAN spam filling the logs: UDP/17500 5678 67 138 5634

I have no problem reaching router with Winbox on outside interface with and without Tarpit filter rules.
The only difference I see when Tarpit is used is that a telnet to a port seems to open and then just hangs (the point of using tarpit).
I can see Tarpit counter increase while I do the test.
[screenshot: Tarpit.png]

Here is the complete router config

/export hide-sensitive 
# aug/08/2022 08:05:10 by RouterOS 7.2rc3
# software id = 
#
/interface bridge
add name=bridge1
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.22.10-192.168.22.100
/ip dhcp-server
add address-pool=dhcp interface=bridge1 name=dhcp1
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
/interface list member
add interface=ether1 list=WAN
add interface=bridge1 list=LAN
/ip address
add address=192.168.22.1/24 interface=bridge1 network=192.168.22.0
/ip dhcp-client
add interface=ether1
/ip dhcp-server network
add address=0.0.0.0/24 gateway=0.0.0.0 netmask=24
add address=192.168.22.0/24 gateway=192.168.22.1 netmask=24
/ip firewall filter
add action=accept chain=input dst-port=8291 protocol=tcp src-port=""
add action=jump chain=input comment="Drop user that has tried ports that are not open and has bin added to block list. Lim\
    it TARPIT to prevent DDOS CPU problems" in-interface=ether1 jump-target=TARPIT protocol=tcp src-address-list=\
    FW_Block_unkown_port
add action=tarpit chain=TARPIT limit=10,5:packet protocol=tcp
add action=drop chain=TARPIT protocol=tcp
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=accept chain=input comment="For test to not clog logs" dst-port=17500 protocol=udp
add action=accept chain=input comment="For test to not clog logs" dst-port=5678 protocol=udp
add action=accept chain=input comment="For test to not clog logs" dst-port=67 protocol=udp
add action=accept chain=input comment="For test to not clog logs" dst-port=138 protocol=udp
add action=accept chain=input comment="For test to not clog logs" dst-port=5684 protocol=udp
add action=add-src-to-address-list address-list=FW_Block_unkown_port address-list-timeout=1d chain=input comment=\
    "Add IP of user to access list if they have tried port that is not open." in-interface=ether1 log-prefix=\
    FI_AS_port-test
add action=drop chain=input comment="Drop packets that has not been allowed or dropped before." in-interface=ether1 log=\
    yes log-prefix=FI_D_port-test
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
/ip firewall raw
add action=drop chain=prerouting in-interface=ether1 protocol=!tcp src-address-list=FW_Block_unkown_port
/system identity
set name=v7.2rc3

Here is a screenshot of Tarpit on a production router. 60 million packets entered Tarpit in 69 days:
[screenshot: Tarpit2.png]

Use Splunk> to log/monitor your MikroTik Router(s). See link below.

MikroTik->Splunk
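An added example, not part of the post and not RouterOS code: a small Python model of first-match evaluation over the raw and input chains exported above, run on constructed sample packets. It makes the rule order visible: a source that has been put on FW_Block_unkown_port can still reach Winbox, because the 8291 accept sits before the jump to TARPIT, while its other TCP probes are tarpitted and its non-TCP traffic is dropped in raw. The tarpit rate limit and the loopback/CAPsMAN rule are assumed away (the limit is treated as never exceeded).

```python
# Added example: first-match model of the firewall rules from the export above.
# Not the poster's code and not RouterOS; timeouts and the tarpit limit are ignored.
from dataclasses import dataclass, field

@dataclass
class Packet:
    src: str
    proto: str            # "tcp", "udp" or "icmp"
    dst_port: int
    in_iface: str = "ether1"
    state: str = "new"    # connection-state of the packet

@dataclass
class Firewall:
    # address-list name -> set of listed sources (address-list-timeout=1d not modelled)
    lists: dict = field(default_factory=lambda: {"FW_Block_unkown_port": set()})

    def process(self, p: Packet) -> str:
        """/ip firewall raw runs before filter: non-TCP from a listed source is dropped."""
        if (p.in_iface == "ether1" and p.proto != "tcp"
                and p.src in self.lists["FW_Block_unkown_port"]):
            return "drop(raw)"
        return self.input_chain(p)

    def input_chain(self, p: Packet) -> str:
        """Walk the input rules in the order the export lists them."""
        if p.proto == "tcp" and p.dst_port == 8291:
            return "accept"                  # Winbox accept comes BEFORE the block-list jump
        if (p.proto == "tcp" and p.in_iface == "ether1"
                and p.src in self.lists["FW_Block_unkown_port"]):
            return self.tarpit_chain(p)      # action=jump jump-target=TARPIT
        if p.state in ("established", "related", "untracked"):
            return "accept"                  # defconf: accept established,related,untracked
        if p.state == "invalid":
            return "drop"                    # defconf: drop invalid
        if p.proto == "icmp":
            return "accept"                  # defconf: accept ICMP
        if p.proto == "udp" and p.dst_port in (17500, 5678, 67, 138, 5684):
            return "accept"                  # "For test to not clog logs"
        if p.in_iface == "ether1":
            # add-src-to-address-list is non-terminating; the next rule then drops
            self.lists["FW_Block_unkown_port"].add(p.src)
            return "drop"
        return "accept"                      # no rule matched: chain default is accept

    def tarpit_chain(self, p: Packet) -> str:
        # limit=10,5:packet assumed not exceeded, so the tarpit rule matches
        return "tarpit"

if __name__ == "__main__":
    fw = Firewall()
    src = "203.0.113.5"                      # constructed sample source address
    for pkt in (Packet(src, "tcp", 2222), Packet(src, "tcp", 8291),
                Packet(src, "tcp", 23), Packet(src, "udp", 53)):
        print(pkt.proto, pkt.dst_port, "->", fw.process(pkt))
```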