The order of rules matters, and if there is an "action=accept connection-state=established,..." rule in the input chain of the filter before (above) your new permissive rule for the Winbox access, that new rule will only count for a newly established connection, not for an already existing one. Also, if there is no "drop the rest" rule at the end of the input chain of the filter, all packets which did not match any of the existing rules will be accepted.
The only way to determine which rule is responsible for accepting a particular packet is to set log=yes log-prefix=rule-<number-or-name> on all the rules and look in the log to see which one has logged a packet with the IP addresses and ports you are looking for. /log print follow-only where topics~"firewall" message~"8291" will show you only the relevant log rows as they are being generated - if there is a lot of traffic, the log buffer will start being overwritten very soon.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
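The log-prefix approach described in the post above, as an added example that is not part of the original post: a small Python tally of which prefix logged packets to a given port, and how many of those were bare SYNs (new connections rather than ones already accepted as established). The log-line layout is an assumption modelled on the usual RouterOS firewall log format (IPv4 only), the sample lines are constructed, and the rule-* prefixes are hypothetical names.

```python
import re

# Constructed sample of "/log print" output. Layout is an assumption based on the
# usual RouterOS firewall log format; addresses are documentation ranges and the
# rule-* prefixes are hypothetical values of log-prefix.
SAMPLE_LOG = """\
12:00:01 firewall,info rule-established input: in:ether1 out:(unknown 0), proto TCP (ACK), 198.51.100.7:50112->203.0.113.1:8291, len 40
12:00:02 firewall,info rule-winbox input: in:ether1 out:(unknown 0), proto TCP (SYN), 198.51.100.9:50200->203.0.113.1:8291, len 52
12:00:02 firewall,info rule-established input: in:ether1 out:(unknown 0), proto TCP (ACK,PSH), 198.51.100.7:50112->203.0.113.1:8291, len 120
12:00:03 firewall,info rule-ssh input: in:ether1 out:(unknown 0), proto TCP (SYN), 198.51.100.9:50201->203.0.113.1:22, len 52
12:00:04 system,info user admin logged in via winbox
"""

LINE_RE = re.compile(
    r"firewall,info (?P<prefix>\S+) (?P<chain>\w+): in:.*?proto (?P<proto>\w+)"
    r"(?: \((?P<flags>[A-Z,]*)\))?, "
    r"(?P<src>[\d.]+):\d+->(?P<dst>[\d.]+):(?P<dport>\d+)"
)

def parse(line):
    """Return the fields of one firewall log line, or None for any other line."""
    m = LINE_RE.search(line)
    return m.groupdict() if m else None

def rules_for(log_text, dst_port, src=None):
    """Per log-prefix: packets seen to dst_port, and how many were bare SYNs."""
    hits = {}
    for line in log_text.splitlines():
        rec = parse(line)
        if not rec or int(rec["dport"]) != dst_port:
            continue
        if src is not None and rec["src"] != src:
            continue
        entry = hits.setdefault(rec["prefix"], {"packets": 0, "new": 0})
        entry["packets"] += 1
        # A bare SYN opens a new connection; everything else belongs to an
        # existing one and is normally matched by the established rule first.
        entry["new"] += rec["flags"] == "SYN"
    return hits

if __name__ == "__main__":
    for prefix, e in rules_for(SAMPLE_LOG, 8291).items():
        print(f"{prefix:20} packets={e['packets']} new-connections={e['new']}")
```

Replace SAMPLE_LOG with saved log output from the router to see which rule is actually matching the traffic in question.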