Router log shows lots of attempts to log in that fail, “via web.” Would like to confirm that this means the attack is on the port 80 (or 8080?) remote access feature of my hpLite. If so, would a good firewall rule drop packets on TCP 80 that are new when they arrive on the WAN port (Eth1)?
Thanks
Good firewall (e.g. contemporary default) blocks almost everything targeting router itself coming from internet (i.e. chain=input in-interface-list=WAN action=drop).
If you see public IP in the web gui, then you should as mkx hava a look at your firewall.
See this thread: https://forum.mikrotik.com/viewtopic.php?t=180838
PS you should not have any open management possibility from internet. Use VPN