I can see a serious hole in your firewall. The rule
/ip firewall filter add action=drop chain=input comment="defconf: drop all from WAN" in-interface=ether1 src-address-list=!ISP_Provider
is effective on packets coming through ether1 tagless, but doesn't affect packets coming via ether1 tagged with VLAN ID 1, because the IP firewall sees these packets as coming in via interface vlan1 and doesn't know that it is physically also ether1. The default policy of all firewall chains is accept, so all packets coming in via vlan1 are accepted.
I can also see that you haven’t restricted access to http (www) management interface using any other means than the firewall filter.
Together with software version 6.34.1, I would be afraid that your machine has been infected by malware exploiting the vulnerability of the http server as described here, and that the load could be coming from the activity of this malware. So the first thing to do would be to upgrade to 6.40.7 if you want to avoid 6.41.x for the moment. Then I would check the /system profile results again; if the management load is low but the SPI load is still high, and if some other "little plastic boxes" exist in your network, I'd check whether these boxes are infected as well - you would see traffic departing from them to destinations like tcp/80, tcp/8291 (the Winbox port) using /tool torch or /tool sniffer.
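As an added example (not part of the post above or of any MikroTik default configuration), here is the gap described in RouterOS CLI terms, with two ways to close it and the www service restricted independently of the filter. The interface list name WAN and the LAN subnet 192.168.88.0/24 are assumptions.

```routeros
# Added example, not from the forum post. Assumed names: interface list
# "WAN", LAN subnet 192.168.88.0/24, vlan1 running on top of ether1.

# --- Weak: matches only untagged frames arriving on ether1. Frames tagged
#     VLAN 1 are seen by the IP firewall on vlan1 and, with no rule for
#     that interface, fall through to the input chain's default accept.
/ip firewall filter
add chain=input action=drop in-interface=ether1 src-address-list=!ISP_Provider \
    comment="defconf: drop all from WAN"

# --- Fix A (works on any 6.x): a second drop rule for the VLAN interface,
#     appended after the existing accept rules for established/related.
/ip firewall filter
add chain=input action=drop in-interface=vlan1 src-address-list=!ISP_Provider \
    comment="drop all from WAN (tagged, via vlan1)"

# --- Fix B (interface lists, available on 6.40.7): replace the original
#     rule with one that covers every ISP-facing interface, tagged or not.
/interface list add name=WAN comment="ISP-facing interfaces"
/interface list member add list=WAN interface=ether1
/interface list member add list=WAN interface=vlan1
/ip firewall filter
add chain=input action=drop in-interface-list=WAN src-address-list=!ISP_Provider \
    comment="drop all from WAN (ether1 + vlan1)"

# Restrict the HTTP management interface on its own, so it no longer
# depends on the filter rules being right.
/ip service set www address=192.168.88.0/24
# Or switch it off entirely if it is not used:
# /ip service disable www

# Verify: the drop rule's counters should now grow for tagged traffic too.
/ip firewall filter print stats where chain=input
```

Rule order matters in the input chain: the drop rules above belong after the accept rules for established/related and for the LAN, as in the default configuration.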