Firewall question.

Good morning.

I am experiencing brute-force attacks. I tried to block the IP, but there are still connection attempts from it… What am I doing wrong?
(two screenshots attached)

If possible, please POST the Config of your Device
(/export hide-sensitive file=anynameyouwish)

Try to move the drop rule higher in the rule stack.
Firewall rules are always tested from top to bottom, so if it hits a rule higher up, your block rule will not hit anything.

Tried that command, but it does not hide sensitive information… so I scrambled it a little :smiley:, hope this helps :slight_smile:

# dec/16/2021 14:51:22 by RouterOS 6.49.2
# software id = weeee
#
# model = RB2011UiAS
# serial number = kokoroko
/interface bridge
add admin-mac=xxx auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] name=ether1_WAN
set [ find default-name=ether2 ] name=ether2_Lan_2
set [ find default-name=ether5 ] name=ether5_WiFi
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=xxx-xxx
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/ppp profile
set *FFFFFFFE dns-server=xxx
/interface bridge port
add bridge=bridge comment=defconf interface=ether2_Lan_2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5_WiFi
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge disabled=yes interface=ether1_WAN
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface detect-internet
set detect-interface-list=WAN lan-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add interface=ether1_WAN list=WAN
/interface pptp-server server
set enabled=yes
/ip address
add address=xxx comment=defconf interface=ether2_Lan_2 network=\
    xxx
/ip dhcp-client
# DHCP client can not run on slave interface!
add comment=defconf disabled=no interface=sfp1
/ip dhcp-server lease
add address=xxx client-id=xx mac-address=\
    xxx server=defconf
add address=xxx client-id=xxx4 mac-address=\
    xxx server=defconf
/ip dhcp-server network
add address=xxx comment=defconf gateway=xxx
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=xxx comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment=popo dst-port=e9eee protocol=tcp \
    src-port=""
add action=accept chain=input comment=pipo dst-port=drgbvxbr protocol=tcp
add action=accept chain=input comment=swerr protocol=grgrggm,m,,m
add action=accept chain=input disabled=yes dst-port=grdszgrd protocol=tcp src-port=\
    ""
add action=accept chain=input dst-port=drgfdbrd protocol=tcp src-port=drgdfgbvrdet
add action=accept chain=forward dst-address=dgrrfxbfrd dst-port=drgdrzxbvrf \
    protocol=udp src-port=drgdfvbfrdg
add action=accept chain=forward dst-address=drg dst-port=drghr \
    protocol=tcp src-port=drgdrg
add action=accept chain=input dst-port=drtgr protocol=udp src-port=dfgvn
add action=accept chain=forward dst-address=dgfrd dst-port=kiik \
    protocol=tcp src-address=0.0.0.0 src-port=tyty
add action=accept chain=forward dst-address=hhh dst-port=tyyy \
    protocol=tcp src-address=0.0.0.0 src-port=qwe
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=drop chain=input src-address=45.129.136.46
add action=reject chain=input reject-with=icmp-network-unreachable \
    src-address=45.129.136.46
add action=reject chain=input log=yes log-prefix=kaka reject-with=\
    icmp-network-unreachable src-address=78.128.113.66
add action=reject chain=input log=yes log-prefix=kaka2 reject-with=\
    icmp-network-unreachable src-address=78.128.113.67
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip service
set www disabled=yes
/ip upnp
set enabled=yes
/ppp secret
add local-address=qwe name=ttt profile=default-encryption \
    remote-address=rtrr
/system clock
set time-zone-name=Planet/Mars
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Good point, I’ll try…


OVERALL, by hiding data that is not sensitive it's very difficult to assess what is going on.
The main things to protect are any WANIPs or WAN gateway IPs.
Using
/export hide-sensitive file=anynameyouwish gets rid of everything else.
Suggest repost your config…
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

If not required, set this to none… (known to cause issues in the past)
/interface detect-internet
set detect-interface-list=WAN lan-interface-list=LAN

This should be set to the BRIDGE and not an etherport!!
/ip address
add address=xxx comment=defconf interface=ether2_Lan_2 network=xxx

This tells me you have some sort of error regarding your WAN setup
/ip dhcp-client
# DHCP client can not run on slave interface!
add comment=defconf disabled=no interface=sfp1
I note you have sfp1 on the bridge so wondering what is going on for sure!!
What happened to ether1_WAN ??

YOUR INPUT RULES seem to be a problem area.
Way too many rules and probably not done correctly.

In fact the whole firewall ruleset is questionable, out of order and overly complex.

How is the weather on Mars? :smiley:

Like @anav already said, the firewall isn't optimal.
The quick solution to your problem would be to use an address list
to block known attackers.

Something like this:

Step 1: Create and populate Address-List

/ip firewall address-list
add address=78.128.113.66 list=WAN-Blacklisted
add address=78.128.113.67 list=WAN-Blacklisted
add address=45.129.136.46 list=WAN-Blacklisted

Step 2: Add Firewall-Rule

/ip firewall filter
add action=drop chain=input src-address-list=WAN-Blacklisted place-before=0 in-interface-list=WAN comment="Drop: Blacklisted IP's (WAN --> Router)"
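As an added illustration (not code from the thread, and not MikroTik's own matching engine), the Python script below models first-match evaluation of an input chain shaped like the posted config. It shows the top-to-bottom point made earlier in the thread (a drop rule appended below an accept rule for the same port never fires) and the effect of Step 1 and Step 2 above (one drop rule on an address list, placed before 0). The port 2222, the LAN address 192.168.88.10 and the simplified matcher semantics are assumptions of this example, standing in for the scrambled values in the export.

```python
"""First-match simulator for a RouterOS-style input chain (constructed example)."""
from dataclasses import dataclass
from typing import Optional

# Constructed address list, in the shape of the thread's WAN-Blacklisted list.
ADDRESS_LISTS = {
    "WAN-Blacklisted": {"78.128.113.66", "78.128.113.67", "45.129.136.46"},
}


@dataclass
class Packet:
    src_address: str
    dst_port: int
    protocol: str = "tcp"
    connection_state: str = "new"
    in_interface_list: str = "WAN"


@dataclass
class Rule:
    action: str
    comment: str = ""
    protocol: Optional[str] = None
    dst_port: Optional[int] = None
    src_address: Optional[str] = None
    src_address_list: Optional[str] = None
    connection_state: Optional[set] = None
    in_interface_list: Optional[str] = None  # "!LAN" means "not in LAN"

    def matches(self, p: Packet) -> bool:
        """Every matcher that is set must agree; unset matchers match anything."""
        if self.protocol and p.protocol != self.protocol:
            return False
        if self.dst_port is not None and p.dst_port != self.dst_port:
            return False
        if self.src_address and p.src_address != self.src_address:
            return False
        if self.src_address_list and p.src_address not in ADDRESS_LISTS.get(
            self.src_address_list, set()
        ):
            return False
        if self.connection_state and p.connection_state not in self.connection_state:
            return False
        if self.in_interface_list:
            negated = self.in_interface_list.startswith("!")
            name = self.in_interface_list.lstrip("!")
            if (p.in_interface_list == name) == negated:
                return False
        return True


def evaluate(chain, p: Packet):
    """Walk the chain top to bottom; the first matching rule decides."""
    for idx, rule in enumerate(chain):
        if rule.matches(p):
            return rule.action, idx
    return "accept", None  # nothing matched: RouterOS default is accept


# Same shape as the posted input chain: accept rules first, a per-IP drop
# appended at the bottom. Port 2222 is a stand-in for the scrambled dst-port.
ORIGINAL_INPUT = [
    Rule("accept", "defconf: accept established,related,untracked",
         connection_state={"established", "related", "untracked"}),
    Rule("accept", "popo", protocol="tcp", dst_port=2222),
    Rule("drop", "defconf: drop invalid", connection_state={"invalid"}),
    Rule("accept", "defconf: accept ICMP", protocol="icmp"),
    Rule("drop", "defconf: drop all not coming from LAN", in_interface_list="!LAN"),
    Rule("drop", "blocked attacker", src_address="45.129.136.46"),
]

# Constructed sample traffic: attacker on the opened port, attacker on a
# closed port, and a LAN host on the opened port.
SAMPLE_PACKETS = [
    Packet("45.129.136.46", 2222),
    Packet("45.129.136.46", 22),
    Packet("192.168.88.10", 2222, in_interface_list="LAN"),
]


def reordered_with_address_list(chain):
    """Step 2 of the thread: one address-list drop rule placed before 0."""
    blacklist = Rule("drop", "Drop: Blacklisted IP's (WAN --> Router)",
                     src_address_list="WAN-Blacklisted", in_interface_list="WAN")
    return [blacklist] + list(chain)


def verdict_for_attacker(chain, src="45.129.136.46", port=2222):
    return evaluate(chain, Packet(src_address=src, dst_port=port))


def never_hit(chain, packets):
    """Indices of rules no sample packet ever reaches: dead rules."""
    hit = {evaluate(chain, p)[1] for p in packets}
    return [i for i in range(len(chain)) if i not in hit]


if __name__ == "__main__":
    print("original chain, attacker -> opened port:", verdict_for_attacker(ORIGINAL_INPUT))
    print("original chain, dead rule indices:", never_hit(ORIGINAL_INPUT, SAMPLE_PACKETS))
    fixed = reordered_with_address_list(ORIGINAL_INPUT)
    print("fixed chain, attacker -> opened port:", verdict_for_attacker(fixed))
    print("fixed chain, LAN host -> opened port:", evaluate(fixed, SAMPLE_PACKETS[2]))
```

Run as-is: on the original chain the attacker's packet to the opened port is accepted by rule 1 before the appended drop is ever consulted, and on a closed port it is already dropped by the defconf "not coming from LAN" rule, so the appended rule is dead either way. With the address-list rule at position 0 the attacker is dropped first while the LAN host still reaches the accept rule.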

Playing whack-a-mole against bots is a waste of time.
Simply drop all else at the end of both chains and enjoy life.
Also recommend, for the cost of a couple of coffees per month, get this excellent service
(google MOAB mikrotik)

Well… everything except those blocked IPs and a few forwarded ports is factory default. I didn’t change anything, nor did I see any reason to change anything, as everything worked to fit the needs, and still works :slight_smile:. I know, probably I should have configured the firewall in the first place, but not all of us are natural-born firewall experts :slight_smile:

I know, those bots won't achieve anything anyway…
Also, if I pay someone for a coffee, then I will not learn anything. :slight_smile:

Have you figured out the ISP stuff yet?