Yes, these connection attempts take place regularly every night! In my case L2TP/IPsec is used. Special logging is not turned on, but red notifications are displayed. This IP address has been displayed for a very long time on some 30 MikroTik machines that use IPsec VPN. If tunnel mode is used and explicitly allowed IPs are set, then these red messages will not show. They appear when not in tunnel mode and using L2TP/IPsec with connections from any address.
I looked up the IP location on the web: United States of America, California, Fremont, ISP: Hurricane Electric LLC
There's probably someone doing bad things ...
If there is a rule input chain where this subnet is blocked, maybe it doesn't make sense to worry?
.
If you are seeing the IP in the IPsec log then it is making it through your firewall. If the firewall rule was working you would not see that IP in the IPsec log.
Try this:
#Create Block List
/ip firewall address-list
add address=216.218.206.0/24 list=Block-address-list
# Add firewall rule
/ip firewall filter
add action=drop chain=input src-address-list=Block-address-list comment="BlockList (Secured with address list)"
# Make sure you move it above any rules that allow IPsec traffic, otherwise it won't do anything. This will move it to rule 1 in your firewall list (or use WinBox to drag it up the list)
move [/ip fire filter find comment~"BlockList"] 1
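
The ordering point made in the reply above can be checked offline against a saved `/ip firewall filter export`. The following is an added example, not part of the original posts: the sample export is constructed, the function names are hypothetical, and it assumes each rule sits on a single `add ...` line.

```python
import shlex

# Constructed sample export (not from the thread): the drop rule sits
# below the rules that accept IKE/NAT-T/L2TP and ESP, so it never matches.
SAMPLE_EXPORT = """/ip firewall filter
add action=accept chain=input connection-state=established,related
add action=accept chain=input dst-port=500,1701,4500 protocol=udp
add action=accept chain=input protocol=ipsec-esp
add action=drop chain=input comment="BlockList (Secured with address list)" src-address-list=Block-address-list
"""

IPSEC_UDP_PORTS = {"500", "4500", "1701"}  # IKE, NAT-T, L2TP


def parse_rules(export_text):
    """Return the 'add' lines of a filter export as dicts, in rule order."""
    rules = []
    for line in export_text.splitlines():
        line = line.strip()
        if line.startswith("add "):
            tokens = shlex.split(line)[1:]  # shlex keeps quoted comments whole
            rules.append(dict(t.split("=", 1) for t in tokens if "=" in t))
    return rules


def is_ipsec_accept(rule):
    """True for an input-chain accept rule that lets IPsec/L2TP traffic in."""
    if rule.get("chain") != "input" or rule.get("action", "accept") != "accept":
        return False
    if rule.get("protocol") == "ipsec-esp":
        return True
    ports = set(rule.get("dst-port", "").split(","))
    return rule.get("protocol") == "udp" and bool(ports & IPSEC_UDP_PORTS)


def shadowing_accepts(export_text, list_name):
    """1-based positions of IPsec accept rules above the blocklist drop rule.

    Returns None when no input-chain drop rule references list_name.
    """
    rules = parse_rules(export_text)
    for idx, rule in enumerate(rules):
        if (rule.get("chain") == "input" and rule.get("action") == "drop"
                and rule.get("src-address-list") == list_name):
            return [i + 1 for i, r in enumerate(rules[:idx]) if is_ipsec_accept(r)]
    return None
```

An empty list means the drop rule is evaluated before every IPsec accept rule; any positions returned are rules that will match the blocked subnet first.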