Starting Nmap 7.31 ( https://nmap.org ) at 2017-02-16 17:13 RTZ 4 (ceia)
Nmap scan report for xxx.xxx.xxx.xxx

PORT STATE SERVICE
181/tcp open unify

RouterOS opened 181 tcp port? what is it? how to disable?

RouterOS is not using this port. Are you using nmap on the correct device? Maybe you have port forwarding.

i am block all incoming tcp packets with firewall rule, but this tcp 181 still OPENED!
(same as tcp port 2000 - service Btest server, if they enabled!)

firewall nat - is clean!

[root@MikroTik-Z] > /ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=input action=reject reject-with=icmp-network-unreachable protocol=tcp log=no log-prefix=“”

[root@MikroTik-Z] > /system routerboard print
routerboard: yes
model: 951Ui-2HnD
serial-number: 7175060DB1F2
firmware-type: ar9344
factory-firmware: 3.33
current-firmware: 3.33
upgrade-firmware: 3.33

[root@MikroTik-Z] > /system package print
Flags: X - disabled

NAME VERSION SCHEDULED

0 system 6.37.1
1 security 6.37.1
2 wireless 6.37.1
3 advanced-tools 6.37.1
4 dhcp 6.37.1
5 X ppp 6.37.1
6 routing 6.37.1

Set log=yes and check log if you are scanning the correct device
RouterOS does NOT use such port. Plus, you have firewall, as you demonstrated.

Yes! Device is correct - MikroTik! in log window - scan flood!
what is next?

Remove your reject rule and try this:

/ip firewall mangle
add action=log chain=output protocol=tcp src-port=181

And then connect to port 181 with something (e.g. telnet).

This is what you’ll see for closed port:

14:50:49 firewall,info output: in:(none) out:internal, proto TCP (ACK,RST), <server>:181-><client>:36382, len 40

And this would happen for open one:

14:50:52 firewall,info output: in:(none) out:internal, proto TCP (SYN,ACK), <server>:181-><client>:45958, len 60
14:50:52 firewall,info output: in:(none) out:internal, proto TCP (ACK,PSH), <server>:181-><client>:45958, len 68

dst-nated before this router, sorry! thx for help!