Hacking attempt from AVM WAN router to hosts in LAN?

Hi, network security analysts, what do you make of this?

I've activated logging for the default firewall rule that says in its comment field "defconf: drop all from WAN not DSTNATed".
And in the log I find the following very suspicious entries.

For orientation: the WAN router is an AVM router with LAN IP 192.168.254.254. I have a second router (MikroTik hAP ac^2 with LAN IP 192.168.127.254) attached to this so that my LANs are behind this 2nd router.
The IPs 192.168.200.9 and 192.168.30.1 are hosts in my LANs. They have NO web server running, nor is port 80 open on these hosts!
There is also no port forwarding for port 80 on the WAN router.

I wonder how this is possible at all. Because, if someone from the Internet wanted to connect, then the source address would be his public address, but here it is the IP of the WAN router itself. How is that possible? :slight_smile:

I think there is maybe a backdoor on the AVM router, and someone has logged onto the AVM router, and from there tries to log in to hosts in the LAN via web server port 80 (but as said, no web server is running on these hosts). But OTOH it seems to be done automated, since a human would not work like this (i.e. the attempt is repeating, i.e. is automated, and it continues even at this moment :slight_smile:).

Any other plausible explanations?
What can you recommend to do in such a situation?
Unfortunately I can't replace that WAN router, as this is a Gigabit Internet cable router and I don't have any other cable router.
Access to the 2nd router (hAP) is protected (i.e. allowed only from a specific LAN IP).

Here are the firewall rules: I've enabled logging primarily to analyze the outbound traffic, but to my surprise this suspicious inbound anomaly was detected.

```text
[admin@AP1] /ip firewall filter export
# jul/03/2020 21:35:51 by RouterOS 7.0beta8
/ip firewall filter
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid log=yes log-prefix=DROP_INV
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN log=yes log-prefix=DROP_WAN_NOT_DNAT
...
```


The log (rsyslog, filtered & MAC-sanitized):

```text
Jul  3 20:30:33 192.168.127.254 firewall,info AP1: DROP_WAN_NOT_DNAT forward: in:ether1 out:ether1, src-mac xx:xx:xx:xx:xx:xx, proto TCP (SYN), 192.168.254.254:33337->192.168.200.9:80, len 60
Jul  3 20:30:34 192.168.127.254 firewall,info AP1: DROP_WAN_NOT_DNAT forward: in:ether1 out:ether1, src-mac xx:xx:xx:xx:xx:xx, proto TCP (SYN), 192.168.254.254:33337->192.168.200.9:80, len 60
Jul  3 20:30:36 192.168.127.254 firewall,info AP1: DROP_WAN_NOT_DNAT forward: in:ether1 out:ether1, src-mac xx:xx:xx:xx:xx:xx, proto TCP (SYN), 192.168.254.254:33337->192.168.200.9:80, len 60
Jul  3 20:30:40 192.168.127.254 firewall,info AP1: DROP_WAN_NOT_DNAT forward: in:ether1 out:ether1, src-mac xx:xx:xx:xx:xx:xx, proto TCP (SYN), 192.168.254.254:33337->192.168.200.9:80, len 60
Jul  3 20:30:42 192.168.127.254 firewall,info AP1: DROP_WAN_NOT_DNAT forward: in:ether1 out:ether2, src-mac xx:xx:xx:xx:xx:xx, proto TCP (SYN), 192.168.254.254:52975->192.168.30.1:80, len 60
Jul  3 20:30:43 192.168.127.254 firewall,info AP1: DROP_WAN_NOT_DNAT forward: in:ether1 out:ether2, src-mac xx:xx:xx:xx:xx:xx, proto TCP (SYN), 192.168.254.254:52975->192.168.30.1:80, len 60
Jul  3 20:30:45 192.168.127.254 firewall,info AP1: DROP_WAN_NOT_DNAT forward: in:ether1 out:ether2, src-mac xx:xx:xx:xx:xx:xx, proto TCP (SYN), 192.168.254.254:52975->192.168.30.1:80, len 60
Jul  3 20:30:49 192.168.127.254 firewall,info AP1: DROP_WAN_NOT_DNAT forward: in:ether1 out:ether2, src-mac xx:xx:xx:xx:xx:xx, proto TCP (SYN), 192.168.254.254:52975->192.168.30.1:80, len 60
Jul  3 20:35:51 192.168.127.254 firewall,info AP1: DROP_WAN_NOT_DNAT forward: in:ether1 out:ether1, src-mac xx:xx:xx:xx:xx:xx, proto TCP (SYN), 192.168.254.254:52085->192.168.200.9:80, len 60
Jul  3 20:35:52 192.168.127.254 firewall,info AP1: DROP_WAN_NOT_DNAT forward: in:ether1 out:ether1, src-mac xx:xx:xx:xx:xx:xx, proto TCP (SYN), 192.168.254.254:52085->192.168.200.9:80, len 60
Jul  3 20:35:54 192.168.127.254 firewall,info AP1: DROP_WAN_NOT_DNAT forward: in:ether1 out:ether1, src-mac xx:xx:xx:xx:xx:xx, proto TCP (SYN), 192.168.254.254:52085->192.168.200.9:80, len 60
Jul  3 20:35:58 192.168.127.254 firewall,info AP1: DROP_WAN_NOT_DNAT forward: in:ether1 out:ether1, src-mac xx:xx:xx:xx:xx:xx, proto TCP (SYN), 192.168.254.254:52085->192.168.200.9:80, len 60
Jul  3 20:36:00 192.168.127.254 firewall,info AP1: DROP_WAN_NOT_DNAT forward: in:ether1 out:ether2, src-mac xx:xx:xx:xx:xx:xx, proto TCP (SYN), 192.168.254.254:60694->192.168.30.1:80, len 60
Jul  3 20:36:01 192.168.127.254 firewall,info AP1: DROP_WAN_NOT_DNAT forward: in:ether1 out:ether2, src-mac xx:xx:xx:xx:xx:xx, proto TCP (SYN), 192.168.254.254:60694->192.168.30.1:80, len 60
Jul  3 20:36:03 192.168.127.254 firewall,info AP1: DROP_WAN_NOT_DNAT forward: in:ether1 out:ether2, src-mac xx:xx:xx:xx:xx:xx, proto TCP (SYN), 192.168.254.254:60694->192.168.30.1:80, len 60
Jul  3 20:36:07 192.168.127.254 firewall,info AP1: DROP_WAN_NOT_DNAT forward: in:ether1 out:ether2, src-mac xx:xx:xx:xx:xx:xx, proto TCP (SYN), 192.168.254.254:60694->192.168.30.1:80, len 60
```

The AVM Fritz devices use a check on port 80 to see if a PC has a web server running to show it in its web interface:
The FRITZ!Box uses TCP port 80 to check regularly whether computers or other devices connected to the FRITZ!Box offer web services accessible over HTTP, such as a user interface. The web services of these devices can be accessed directly under “Home Network > Network” in the FRITZ!Box user interface.
See https://en.avm.de/service/fritzbox/fritzbox-7340/knowledge-base/publication/show/249_Firewall-reports-attacks-on-TCP-port-80-or-14013-or-unsolicited-packets-of-type-0x88e1/
This is one of the funky proprietary solutions in the FritzBox…
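The log excerpt in the opening post and the explanation in the reply above can be checked against each other mechanically. The following Python is an added example, not code from this thread, from MikroTik or from AVM: it parses the RouterOS firewall log format shown above, collapses SYNs that share one ephemeral source port into a single connection attempt (a host's TCP stack retransmitting one connect() with 1, 2, 4 s backoff), and reports which attempts originate from the upstream gateway and how regularly each LAN host is revisited. It assumes, as stated in the post, that the AVM router's LAN address 192.168.254.254 is the MikroTik's upstream gateway, and it takes the year 2020 from the export header because syslog lines carry none.

```python
"""Triage RouterOS firewall log lines (as relayed by rsyslog): group dropped
SYNs into TCP connection attempts and flag the ones that originate from the
upstream gateway address itself."""
import re
from collections import defaultdict
from datetime import datetime

# Assumption: the AVM router's LAN address is the MikroTik's upstream gateway.
GATEWAY_IP = "192.168.254.254"
LOG_YEAR = 2020  # syslog lines carry no year; taken from the export header

LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<reporter>\S+) firewall,info (?P<host>\S+): (?P<prefix>\S+) (?P<chain>\w+): "
    r"in:(?P<in_if>[^,\s]+) out:(?P<out_if>[^,\s]+), src-mac (?P<mac>[^,\s]+), "
    r"proto (?P<proto>\w+)(?: \((?P<flags>[^)]*)\))?, "
    r"(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+), len (?P<length>\d+)$"
)

# Log lines copied from the post above (MACs were already sanitized there).
SAMPLE_LOG = """\
Jul  3 20:30:33 192.168.127.254 firewall,info AP1: DROP_WAN_NOT_DNAT forward: in:ether1 out:ether1, src-mac xx:xx:xx:xx:xx:xx, proto TCP (SYN), 192.168.254.254:33337->192.168.200.9:80, len 60
Jul  3 20:30:34 192.168.127.254 firewall,info AP1: DROP_WAN_NOT_DNAT forward: in:ether1 out:ether1, src-mac xx:xx:xx:xx:xx:xx, proto TCP (SYN), 192.168.254.254:33337->192.168.200.9:80, len 60
Jul  3 20:30:36 192.168.127.254 firewall,info AP1: DROP_WAN_NOT_DNAT forward: in:ether1 out:ether1, src-mac xx:xx:xx:xx:xx:xx, proto TCP (SYN), 192.168.254.254:33337->192.168.200.9:80, len 60
Jul  3 20:30:40 192.168.127.254 firewall,info AP1: DROP_WAN_NOT_DNAT forward: in:ether1 out:ether1, src-mac xx:xx:xx:xx:xx:xx, proto TCP (SYN), 192.168.254.254:33337->192.168.200.9:80, len 60
Jul  3 20:30:42 192.168.127.254 firewall,info AP1: DROP_WAN_NOT_DNAT forward: in:ether1 out:ether2, src-mac xx:xx:xx:xx:xx:xx, proto TCP (SYN), 192.168.254.254:52975->192.168.30.1:80, len 60
Jul  3 20:30:43 192.168.127.254 firewall,info AP1: DROP_WAN_NOT_DNAT forward: in:ether1 out:ether2, src-mac xx:xx:xx:xx:xx:xx, proto TCP (SYN), 192.168.254.254:52975->192.168.30.1:80, len 60
Jul  3 20:30:45 192.168.127.254 firewall,info AP1: DROP_WAN_NOT_DNAT forward: in:ether1 out:ether2, src-mac xx:xx:xx:xx:xx:xx, proto TCP (SYN), 192.168.254.254:52975->192.168.30.1:80, len 60
Jul  3 20:30:49 192.168.127.254 firewall,info AP1: DROP_WAN_NOT_DNAT forward: in:ether1 out:ether2, src-mac xx:xx:xx:xx:xx:xx, proto TCP (SYN), 192.168.254.254:52975->192.168.30.1:80, len 60
Jul  3 20:35:51 192.168.127.254 firewall,info AP1: DROP_WAN_NOT_DNAT forward: in:ether1 out:ether1, src-mac xx:xx:xx:xx:xx:xx, proto TCP (SYN), 192.168.254.254:52085->192.168.200.9:80, len 60
Jul  3 20:35:52 192.168.127.254 firewall,info AP1: DROP_WAN_NOT_DNAT forward: in:ether1 out:ether1, src-mac xx:xx:xx:xx:xx:xx, proto TCP (SYN), 192.168.254.254:52085->192.168.200.9:80, len 60
Jul  3 20:35:54 192.168.127.254 firewall,info AP1: DROP_WAN_NOT_DNAT forward: in:ether1 out:ether1, src-mac xx:xx:xx:xx:xx:xx, proto TCP (SYN), 192.168.254.254:52085->192.168.200.9:80, len 60
Jul  3 20:35:58 192.168.127.254 firewall,info AP1: DROP_WAN_NOT_DNAT forward: in:ether1 out:ether1, src-mac xx:xx:xx:xx:xx:xx, proto TCP (SYN), 192.168.254.254:52085->192.168.200.9:80, len 60
Jul  3 20:36:00 192.168.127.254 firewall,info AP1: DROP_WAN_NOT_DNAT forward: in:ether1 out:ether2, src-mac xx:xx:xx:xx:xx:xx, proto TCP (SYN), 192.168.254.254:60694->192.168.30.1:80, len 60
Jul  3 20:36:01 192.168.127.254 firewall,info AP1: DROP_WAN_NOT_DNAT forward: in:ether1 out:ether2, src-mac xx:xx:xx:xx:xx:xx, proto TCP (SYN), 192.168.254.254:60694->192.168.30.1:80, len 60
Jul  3 20:36:03 192.168.127.254 firewall,info AP1: DROP_WAN_NOT_DNAT forward: in:ether1 out:ether2, src-mac xx:xx:xx:xx:xx:xx, proto TCP (SYN), 192.168.254.254:60694->192.168.30.1:80, len 60
Jul  3 20:36:07 192.168.127.254 firewall,info AP1: DROP_WAN_NOT_DNAT forward: in:ether1 out:ether2, src-mac xx:xx:xx:xx:xx:xx, proto TCP (SYN), 192.168.254.254:60694->192.168.30.1:80, len 60
"""

def parse_line(line):
    """Parse one line into a dict (ports as int, ts as datetime); None if no match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(f"{rec['mon']} {rec['day']} {rec['time']} {LOG_YEAR}",
                                  "%b %d %H:%M:%S %Y")
    for k in ("sport", "dport", "length"):
        rec[k] = int(rec[k])
    return rec

def group_attempts(records):
    """One group per (proto, src, sport, dst, dport): repeated SYNs with the same
    ephemeral source port are retransmissions of a single connect(), not new probes."""
    groups = defaultdict(list)
    for r in records:
        groups[(r["proto"], r["src"], r["sport"], r["dst"], r["dport"])].append(r)
    attempts = []
    for (proto, src, sport, dst, dport), recs in groups.items():
        ts = sorted(r["ts"] for r in recs)
        gaps = [int((b - a).total_seconds()) for a, b in zip(ts, ts[1:])]
        attempts.append({
            "proto": proto, "src": src, "sport": sport, "dst": dst, "dport": dport,
            "flags": {r["flags"] for r in recs}, "first": ts[0], "packets": len(recs),
            "gaps": gaps,
            # Non-decreasing gaps (1, 2, 4 s ...) match a TCP stack's SYN
            # retransmit backoff rather than a scanner's independent packets.
            "retransmit_backoff": bool(gaps) and all(b >= a for a, b in zip(gaps, gaps[1:])),
        })
    attempts.sort(key=lambda a: a["first"])
    return attempts

def triage(log_text, gateway_ip):
    """Summarise an excerpt: gateway-originated SYN attempts and how often each
    target is revisited (seconds between successive attempts per host:port)."""
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    attempts = group_attempts(records)
    gateway = [a for a in attempts
               if a["src"] == gateway_ip and a["proto"] == "TCP" and a["flags"] == {"SYN"}]
    per_target = defaultdict(list)
    for a in gateway:
        per_target[(a["dst"], a["dport"])].append(a["first"])
    period = {t: [int((b - a).total_seconds()) for a, b in zip(f, f[1:])]
              for t, f in per_target.items()}
    return {"records": len(records), "attempts": attempts, "gateway_probes": gateway,
            "probe_period_s": period,
            "other_sources": sorted({a["src"] for a in attempts if a["src"] != gateway_ip})}

if __name__ == "__main__":
    rep = triage(SAMPLE_LOG, GATEWAY_IP)
    print(f"{rep['records']} lines -> {len(rep['attempts'])} attempts, "
          f"{len(rep['gateway_probes'])} from the gateway")
    for a in rep["gateway_probes"]:
        print(f"  {a['src']}:{a['sport']} -> {a['dst']}:{a['dport']} gaps={a['gaps']}s "
              f"backoff={a['retransmit_backoff']}")
    for (dst, port), gaps in rep["probe_period_s"].items():
        print(f"  {dst}:{port} revisited after {gaps} s")
```

On the excerpt above the 16 log lines reduce to four connection attempts, every one of them from the gateway address to port 80 with the 1, 2, 4 s SYN retransmit pattern, and each host is revisited after 318 s. That shape (one connect() per host per cycle, from the upstream router's own LAN address, no other sources) is what the reply's description of the FRITZ!Box port-80 check predicts; a scan from a compromised device would more typically show many destination ports or hosts per cycle and distinct source ports per SYN. Running the same triage over a longer capture, before deciding on a quiet drop rule for that source, is the check worth doing.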

Thanks for the info, but I must say “this is a strong tobacco, man” (as a German would say :slight_smile:)

So, the solution is then to block all that c-rap from the AVM.