Tue Aug 25, 2015 10:51 am
Multiple issues:
First of all, the input chain only manages connections to the router itself, not to other equipment. So the forward chain is the way to go.
192.168.88.* is not a valid address or netmask. You probably want to use 192.168.88.0/24
dst-port must be numeric, no named protocols like rdp, smtp, ssh and so on. Microsoft's default RDP port is 3389. Furthermore, you need to specify the layer 4 protocol (TCP, UDP, ...).
So the correct rule for disabling all RDP access on the default port (incoming AND outgoing):
/ip firewall filter add chain=forward protocol=tcp dst-port=3389 action=reject reject-with=tcp-reset
To reject only access from the WAN interface (assuming ether1) you should go like this:
/ip firewall filter add chain=forward in-interface=ether1 protocol=tcp dst-port=3389 action=reject reject-with=tcp-reset
Keep in mind that connections already established will be kept open by the common ESTABLISHED,RELATED rules.
But I think your way is not straightforward. Do not block the things you don't want, but allow the things you want and reject all the rest.
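
Added example, not part of the original post: a minimal allow-list forward chain of the kind the reply recommends, in RouterOS export style. It assumes ether1 is the WAN interface and 192.168.88.0/24 is the LAN (both taken from the post) and that the only traffic to be permitted is LAN hosts opening connections outward; the comment strings are illustrative.

```routeros
# Added example. Assumptions: ether1 = WAN, 192.168.88.0/24 = LAN.
# Rules are evaluated top to bottom, so the order below matters.
/ip firewall filter

# 1. Replies and related traffic for flows that were already permitted.
add chain=forward connection-state=established,related action=accept \
    comment="allow established/related"

# 2. Packets that do not belong to any tracked connection.
add chain=forward connection-state=invalid action=drop \
    comment="drop invalid"

# 3. The allow-list: LAN hosts may open new connections out via the WAN.
add chain=forward src-address=192.168.88.0/24 out-interface=ether1 \
    connection-state=new action=accept comment="LAN to WAN"

# 4. Everything not allowed above is refused. This covers RDP (tcp/3389)
#    arriving on ether1 without needing a dedicated rule for it.
add chain=forward protocol=tcp action=reject reject-with=tcp-reset \
    comment="reject remaining tcp"
add chain=forward action=drop comment="drop all the rest"
```

Because rule 1 comes first, sessions that were established before the rules were added keep working until they close, which is the behaviour the post warns about.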