Unidentified traffic

Hello all!

Periodically, I see high Outbound connection activity, about 8-10 Mbps, and I can’t understand who initiated this traffic. On the Connections tab (Firewall section), I see a huge list of connections from different Internet hosts to my WAN IP address. I checked a couple of them as a “destination” address in the same table and didn’t find any matches. After rebooting the Router, this activity disappears for some time; btw, my WAN IP is not static.
How can I determine the reason for this traffic and prevent/block it in the future?

Mikrotik interface statistics:

Thank you

Try to use Tools → Torch to identify the source of the traffic. It can be anything, from torrent client inside of LAN to …

I recommend not looking at any logs, one sleeps better at night.

Try to use Tools → Torch to identify the source of the traffic. It can be anything, from torrent client inside of LAN to …

Correct me if I’m wrong, but the Torch tool shows the same information as the Connections tab (IP - Firewall - Connections). I see the source IP there, but the destination IP is not a private IP from my network, it is the IP of the Mikrotik, so I can’t understand who initiated this traffic.

What version of RouterOS are you running, are any services accessible from the internet?

It is odd for the Mikrotik to be the connection destination IP address if the traffic is outbound.

What version of RouterOS are you running, are any services accessible from the internet?

Version is 6.42.2
As for the services, I’m not sure how to check everything, but we are using L2TP VPN.

From your post it’s impossible to understand the real situation, so it is very hard to advise you.
Do not mix up connections with traffic. Torch shows a little bit different info :slight_smile:
You have to analyze the unwanted connections:
e.g. to what port that connection goes, what program is listening on that port, which local IP is sending packets to the IP from which the connections bother you, etc…
This is quite a creative task :wink:
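As an added example (not commands from any poster in this thread), the RouterOS 6.x CLI equivalent of the analysis described in the reply above: see live flows on the WAN port, separate connections that terminate on the router itself from forwarded ones, and list what is actually listening or scheduled on the router. The interface name ether1, the WAN address 203.0.113.10 and the LAN range 192.168.88.0/24 are assumed placeholders; replace them with your own values.

```routeros
# Added example, not from the thread. Assumed: WAN interface ether1, WAN address
# 203.0.113.10, LAN 192.168.88.0/24. Run from a terminal (Winbox "New Terminal" or SSH).

# 1. Live flows on the WAN port. Torch shows src/dst address, port and tx/rx rate per
#    flow, so the flow carrying the 8-10 Mbps outbound shows up with a large tx rate.
/tool torch interface=ether1 ip-protocol=any port=any

# 2. Connection-tracking entries whose destination is the router's own WAN address were
#    initiated from the Internet towards the router, not forwarded from a LAN host.
#    "detail" prints orig-bytes/repl-bytes, i.e. which side of each connection carries
#    the data (the "." in the regex is a wildcard, good enough for a quick look).
/ip firewall connection print detail where dst-address~"^203.0.113.10:"

# Same list narrowed to one port, e.g. L2TP (UDP 1701), to tell VPN sessions apart
# from everything else that reaches the router.
/ip firewall connection print where dst-address~"^203.0.113.10:1701"

# Connections initiated by LAN hosts (source inside 192.168.88.0/24): the "torrent
# client inside the LAN" case from the first reply.
/ip firewall connection print where src-address~"^192.168.88."

# 3. What is listening on the router: management services, SOCKS and web proxy
#    (both mentioned below as things to examine), plus scripts and scheduler entries.
/ip service print
/ip socks print
/ip proxy print
/system script print
/system scheduler print

# 4. Active VPN sessions, to confirm that L2TP traffic belongs to known users.
/ppp active print

# 5. Log every new connection from the Internet to the router itself, then read the
#    log; place-before=0 puts the rule first so nothing above it hides entries.
/ip firewall filter add chain=input in-interface=ether1 connection-state=new \
    action=log log-prefix="wan-in" place-before=0
/log print where message~"wan-in"
```

Step 2 is the key check for the situation in this thread: if the entries with the router's WAN address as destination have large repl-bytes, the router itself is answering those Internet hosts, which means a service on the router (step 3) is producing the outbound traffic, not a LAN client.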

If I remember right, 6.42 had some remotely exploitable vulnerabilities. So you have to carefully examine all of the configuration (including scripts or proxy config or socks, etc.). Or, if this is beyond your ROS skills, get some ROS expert to do it. The other safe option is to netinstall the device with a modern ROS version and configure the stuff needed … and base your new configuration on the new factory default config, using the old config only as a reminder of what needs to work and not of how exactly it should be done.
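As an added example (not configuration from any poster in this thread), a minimal RouterOS 6.x lockdown that matches the advice above: disable the services that should not be reachable, restrict management to the LAN, and keep only the L2TP/IPsec VPN open on the WAN side of the input chain. The same placeholder names are assumed (WAN interface ether1, LAN 192.168.88.0/24); the rules are appended after any existing filter rules, so check the final order with print.

```routeros
# Added example, not from the thread. Assumed: WAN interface ether1, LAN 192.168.88.0/24.

# Management services: turn off what is not used, bind the rest to the LAN only.
/ip service set telnet disabled=yes
/ip service set ftp disabled=yes
/ip service set www disabled=yes
/ip service set api disabled=yes
/ip service set api-ssl disabled=yes
/ip service set winbox address=192.168.88.0/24
/ip service set ssh address=192.168.88.0/24

# SOCKS and the web proxy are the two features named above as worth examining; a
# router that does not need them should have them off.
/ip socks set enabled=no
/ip proxy set enabled=no

# Input chain: what the Internet may send to the router itself.
# Order matters; rules are evaluated top-down and "add" appends at the end.
/ip firewall filter
add chain=input connection-state=established,related action=accept \
    comment="replies to connections the router opened"
add chain=input connection-state=invalid action=drop
add chain=input in-interface=ether1 protocol=udp dst-port=500,4500 action=accept \
    comment="IKE / NAT-T for the L2TP/IPsec VPN"
add chain=input in-interface=ether1 protocol=ipsec-esp action=accept
add chain=input in-interface=ether1 protocol=udp dst-port=1701 ipsec-policy=in,ipsec \
    action=accept comment="L2TP only when it arrived inside IPsec"
add chain=input in-interface=!ether1 action=accept comment="LAN may manage the router"
add chain=input in-interface=ether1 action=drop \
    comment="everything else from the Internet to the router"

# Verify the resulting order and rule counters after a few minutes.
/ip firewall filter print stats

# The old release itself is the other half of the fix: check and install updates
# (the reply above prefers a netinstall plus a fresh default config for a device
# that may already be compromised).
/system package update check-for-updates
/system package update install
```

With the drop rule in place, the connections from random Internet hosts to the WAP address should stop appearing in the Connections tab except on the VPN ports; if the outbound traffic persists after that and after the upgrade, the remaining suspects are the LAN hosts found with Torch, not the router.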