Hello.
When I open a terminal in Winbox, the “active user” will show I opened another login through telnet. So does that mean it opened a unencrypted connection even if I checked “secure mode”?
I saw this long time ago but didn’t think much until today, can any one explain?
Thanks.
I see that as well. Here is what I see my syslog when open a Terminal window in WinBox.
system,info,account MikroTik: user secret logged in from fe80::b128:12e6:5d45:b250 via telnet
Even more strange is that I have disabled telnet services to my MikroTik:
/ip service> print
Flags: X - disabled, I - invalid
# NAME PORT ADDRESS CERTIFICATE
0 XI telnet 23
1 XI ftp 21
2 XI www 80
3 ssh 22
4 www-ssl 443 my-rtr
5 XI api 8728
6 winbox 8291
7 XI api-ssl 8729 none
So how can it use Telnet when its disabled and is this a secure way to communicate to the MikroTik?
This connection is inside the encrypted Winbox connection, so it is pretty secure. More specifically, the telnet connection actually works locally to 127.0.0.1
That is good to know.
Only one note about this.
I am working to create different Splunk view for the MikroTik logs.
One panel I have makes a graph of what user has connect to what system over time.
I can see PPTP, L2TP users as well as Winbox, web, ssh and telnet to the admin console.
Using Telnet with Winbox, makes it look like an external user connects to the box.
Not a problem in my small environment, but makes it little harder to see who is doing what from where.
But since Telnet is blocked, I know it have to come from the Winbox 
Thank you Normis and everyone!