Dynamic hotspot rules in wrong order?

Hi,

Normally when the hotspot functionality is enabled, the firewall input rules look somewhat like this:

/ip firewall filter> pri chain=input         
Flags: X - disabled, I - invalid, D - dynamic 
 0  D chain=input action=jump jump-target=hs-input hotspot=from-client log=no log-prefix="" 

 1  D chain=input action=drop protocol=tcp hotspot=!from-client dst-port=64872-64875 log=yes log-prefix="" 

 2    ;;; default configuration
      chain=input action=accept protocol=icmp log=no log-prefix=""

But, I have noticed on another router, when the hotspot is enabled, the rules look somewhat like this:

 6    ;;; default configuration
      chain=input action=drop in-interface=ether5 log=no log-prefix="" 

 7  D chain=input action=jump jump-target=hs-input hotspot=from-client log=no log-prefix="" 

 8  D chain=input action=drop protocol=tcp hotspot=!from-client dst-port=64872-64875 log=no log-prefix=""

You see, the two dynamic hotspot rules are put at the end of the input chain instead of the beginning.
All my routers look like the first picture, but I have one router that looks like the second picture. Any idea what could cause this?

Quinn

Someone manually moving the rules above the dynamic ones at some point. Depending on the rules it may or many not effect functionality since rules are processed in order within it’s chain.