Sun Jan 31, 2021 3:34 pm
Here is where you should start!!!!!!!
Default rules.........
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
(if not using CAPsMAN this rule can be removed)
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
disabled=yes in-interface-list=!LAN
Now you want to add your own rules.
1. admin access to the router
2. user access to services if required (DNS, NTP)
3. drop all other traffic (and remove the "not all coming from LAN" rule above, as it will be covered by the drop rule).
Ex.
Default rules........
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="allow admin access" \
in-interface-list=LAN src-address-list=adminaccess
add action=accept chain=input comment="Allow LAN DNS queries - TCP" \
connection-state=new dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input comment="Allow LAN DNS queries-UDP" \
connection-state=new dst-port=53 in-interface-list=LAN protocol=udp
{ ADD back your VPN rules here }
add action=drop chain=input comment="Drop All Else"
NOTES:
You do not need to detail the ports in the input chain for winbox access.
Also, why would you want FTP (21) to have anything to do with external access to the router? It is not a secure protocol. Nor winbox directly (only from within the LAN).
Add back in whatever you need for IPSEC (VPN).
But hold on!!
What is the purpose of this rule........ ????? What does it accomplish??? Are you allowing anyone trying to connect on a certain port access to the router???
add action=add-src-to-address-list address-list=Connection address-list-timeout=none-dynamic chain=input comment=OpenVPN dst-port=1194 protocol=tcp
This seems inherently wrong and dangerous. Typically a VPN connection allows one to connect to an internal network, and then and only then do you allow that connection access to the router (from behind the router). What you are doing may be a huge security risk.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
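Added example (not from the post, the forum, or MikroTik): a small Python linter that reads a RouterOS "/ip firewall filter" export in the format quoted above and checks the input chain for the three points the post makes, namely that the chain ends in an unconditional drop, that accept rules are scoped to the LAN (or are the stateful/ICMP defconf rules), and that an add-src-to-address-list rule keyed only on a destination port, like the OpenVPN one questioned above, is flagged because it lists any host that probes that port. The sample export is constructed here from the post's second rule set plus that OpenVPN rule and one deliberately exposed winbox rule; the parser only handles the "add key=value ..." export syntax with backslash continuations.

```python
"""Lint a RouterOS '/ip firewall filter' export for input-chain pitfalls.
Added example for illustration; not the forum poster's or MikroTik's code."""
import shlex

# Keys that do not restrict what a rule matches (assumption: this set is
# enough for the rule types used in the post).
NON_MATCH_KEYS = {"action", "chain", "comment", "disabled", "log", "log-prefix",
                  "address-list", "address-list-timeout", "jump-target",
                  "place-before"}
STATEFUL = {"established", "related", "untracked"}
SCOPE_KEYS = ("in-interface", "in-interface-list", "src-address", "src-address-list")

# Constructed sample: the post's recommended chain, the disabled defconf
# "!LAN" rule, the questioned OpenVPN rule and one exposed winbox rule.
SAMPLE_EXPORT = r"""
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    disabled=yes in-interface-list=!LAN
add action=add-src-to-address-list address-list=Connection address-list-timeout=none-dynamic chain=input comment=OpenVPN dst-port=1194 protocol=tcp
add action=accept chain=input comment="winbox from anywhere" dst-port=8291 protocol=tcp
add action=accept chain=input comment="allow admin access" \
    in-interface-list=LAN src-address-list=adminaccess
add action=accept chain=input comment="Allow LAN DNS queries - TCP" \
    connection-state=new dst-port=53 in-interface-list=LAN protocol=tcp
add action=drop chain=input comment="Drop All Else"
"""


def join_continuations(text):
    """Merge export lines ending in a backslash into one logical line."""
    lines, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        lines.append(buf + line)
        buf = ""
    if buf:
        lines.append(buf)
    return lines


def parse_rules(text):
    """Turn each 'add key=value ...' line into a dict; quoted values are unquoted."""
    rules = []
    for line in join_continuations(text):
        if not line.startswith("add "):
            continue  # skip the '/ip firewall filter' menu path
        rule = {}
        for token in shlex.split(line[4:]):
            key, _, value = token.partition("=")
            rule[key] = value
        rules.append(rule)
    return rules


def matchers(rule):
    return {k: v for k, v in rule.items() if k not in NON_MATCH_KEYS}


def lint_input_chain(rules):
    """Return (severity, rule comment, message) findings for the enabled input chain."""
    findings = []
    chain = [r for r in rules if r.get("chain") == "input" and r.get("disabled") != "yes"]
    for idx, rule in enumerate(chain):
        name = rule.get("comment", f"rule #{idx}")
        match = matchers(rule)
        action = rule.get("action")
        scoped = any(k in match for k in SCOPE_KEYS)
        states = set(match["connection-state"].split(",")) if "connection-state" in match else None
        stateful = states is not None and states <= STATEFUL
        if action == "accept" and not scoped and not stateful and match.get("protocol") != "icmp":
            findings.append(("high", name, "accept rule not limited to LAN or a source list; reachable from WAN"))
        if action == "add-src-to-address-list" and not scoped and "dst-port" in match:
            findings.append(("high", name,
                             f"any host probing port {match['dst-port']} is added to list "
                             f"'{rule.get('address-list')}'; this is not an authentication step"))
        if action == "drop" and not match and idx != len(chain) - 1:
            findings.append(("medium", name, f"catch-all drop leaves {len(chain) - idx - 1} later rule(s) unreachable"))
    last = chain[-1] if chain else None
    if last is None or last.get("action") != "drop" or matchers(last):
        findings.append(("high", "chain", "input chain has no unconditional final drop"))
    return findings


if __name__ == "__main__":
    for severity, name, message in lint_input_chain(parse_rules(SAMPLE_EXPORT)):
        print(f"[{severity}] {name}: {message}")
```

Running it against the constructed sample reports only the OpenVPN address-list rule and the exposed winbox rule; the defconf stateful and ICMP accepts, the LAN-scoped admin and DNS rules, and the final "Drop All Else" pass. Dropping the last rule from the sample makes the linter report the missing final drop, which is the situation the post's step 3 is meant to prevent.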