rockyinc
newbie
Topic Author
Posts: 43
Joined: Fri Sep 25, 2020 2:44 pm

Block OpenVPN connection

Tue Mar 25, 2025 9:35 am

Hello,

I have noticed that sometimes I receive in the logs:
Connection established from IP... port.. to...
ip disconnected <peer disconnected>

I assume someone is trying ports to connect to my router (RB4011).
I tried in IP-Firewall to add a rule (input, block, !8291 and (my port for VPN)).

Some logs stopped, but I see that some still get logged.

Is there another way to stop/block it? A better way?
 
erlinden
Forum Guru
Posts: 3024
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: Block OpenVPN connection

Tue Mar 25, 2025 9:38 am

Depends on what you want. What ports should be open on your internal network and what port do you want open on your public interface?
In addition, please add your config:
/export file=anynameyoulike
Remove serial and any other private info, post between code tags by using the </> button.
 
rockyinc
newbie
Topic Author
Posts: 43
Joined: Fri Sep 25, 2020 2:44 pm

Re: Block OpenVPN connection

Tue Mar 25, 2025 9:57 am

I want to block all traffic/ports that come via OpenVPN from WAN that should not be. As I noticed, if I disable the OpenVPN server the logs also stop..

/ip firewall filter
add action=drop chain=input comment="Drop ICMP" in-interface-list=WAN \
protocol=icmp
add action=drop chain=input dst-port=!xxx protocol=tcp
add action=accept chain=input comment="Splosni Pogoji" connection-state=\
established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input in-interface-list=LAN
add action=accept chain=input comment=OpenVPN dst-port= in-interface=\
Rok_VPN protocol=tcp
add action=accept chain=input dst-port= in-interface=protocol=tcp
add action=drop chain=input comment="Drop All Else"
add action=drop chain=input comment="Drop Vse Ostalo" in-interface-list=!LAN
add action=fasttrack-connection chain=forward comment="Forward Pravila" \
connection-state=established,related,untracked hw-offload=yes
add action=accept chain=forward connection-state=\
established,related,untracked
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward connection-nat-state=dstnat
add action=drop chain=forward dst-port=! in-interface-list=WAN \
protocol=tcp
add action=drop chain=forward connection-nat-state=!dstnat connection-state=\
new in-interface=sfp-sfpplus1
 
erlinden
Forum Guru
Posts: 3024
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: Block OpenVPN connection

Tue Mar 25, 2025 10:06 am

I want to block all traffic/ports that come via OpenVPN from WAN that should not be. As I noticed, if I disable the OpenVPN server the logs also stop..
So you are running an OpenVPN server and if you disable that, there are no more log entries.
What is your problem in the first place...having entries in the log? Or the Internet attempting (and succeeding?) to connect to your OpenVPN server?

Either way, disabling OpenVPN works as well as blocking your OpenVPN service port from WAN.

From your statement, what do you mean with "that should not be"?

In addition: do you have port 8291 open?
 
rockyinc
newbie
Topic Author
Posts: 43
Joined: Fri Sep 25, 2020 2:44 pm

Re: Block OpenVPN connection

Tue Mar 25, 2025 10:16 am

I want to block any attempts to connect to my router/network via OpenVPN.
I presume that's someone trying to connect and testing ports:

Sometimes I can get more than a few hundred per day...

I have port 8291 open and I have changed port 1194..
In my firewall there is a rule:
add action=drop chain=input dst-port=!8291,xxx protocol=tcp and I see that packets get blocked, but still some don't.

That's my question now.. how do I block the others that don't get dropped by this rule?

logs:
2025-03-24 15:16:17 ovpn,info connection established from 194.165.16.162, port: 37479 to xxx
2025-03-24 15:16:17 ovpn,info <194.165.16.162>: disconnected <peer disconnected>
2025-03-24 15:16:17 ovpn,info connection established from 194.165.16.162, port: 37725 to xxx
2025-03-24 15:16:17 ovpn,info <194.165.16.162>: disconnected <peer disconnected>
2025-03-24 15:16:17 ovpn,info connection established from 194.165.16.162, port: 38251 to xxx
2025-03-24 15:16:17 ovpn,info <194.165.16.162>: disconnected <peer disconnected>
2025-03-24 20:37:26 ovpn,info connection established from 51.178.236.241, port: 59595 to xxx
2025-03-24 20:37:26 ovpn,info <51.178.236.241>: disconnected <peer disconnected>
2025-03-24 20:37:26 ovpn,info connection established from 51.178.236.244, port: 35565 to xxx
2025-03-24 20:37:29 ovpn,info <51.178.236.244>: disconnected <peer disconnected>
2025-03-24 21:03:56 ovpn,info connection established from 167.94.146.53, port: 57878 to xxx
2025-03-24 21:04:08 ovpn,info <167.94.146.53>: disconnected <peer disconnected>
2025-03-24 21:04:12 ovpn,info connection established from 167.94.146.53, port: 58226 to xxx
2025-03-24 21:04:15 ovpn,info <167.94.146.53>: disconnected <peer disconnected>
2025-03-24 21:04:18 ovpn,info connection established from 167.94.146.53, port: 58228 to xxx
2025-03-24 21:04:28 ovpn,info <167.94.146.53>: disconnected <peer disconnected>
 
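As an added example (not code from the thread), here is a small Python script that runs over the log lines above and applies the check a practitioner would want before reaching for firewall rules: it pairs each "connection established" line with the next "disconnected" line from the same source, then flags sources that open several TCP connections within a minute and drop off within seconds every time, which is the pattern in the log (the same address connecting three times in one second and leaving immediately). The thresholds, the address-list name ovpn_scanners and the one-day timeout are assumptions chosen for illustration; the log excerpt is copied from the post above.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Log excerpt copied from the post above (RouterOS "ovpn,info" topic).
# The OpenVPN server port was redacted as "xxx" by the poster.
SAMPLE_LOG = """\
2025-03-24 15:16:17 ovpn,info connection established from 194.165.16.162, port: 37479 to xxx
2025-03-24 15:16:17 ovpn,info <194.165.16.162>: disconnected <peer disconnected>
2025-03-24 15:16:17 ovpn,info connection established from 194.165.16.162, port: 37725 to xxx
2025-03-24 15:16:17 ovpn,info <194.165.16.162>: disconnected <peer disconnected>
2025-03-24 15:16:17 ovpn,info connection established from 194.165.16.162, port: 38251 to xxx
2025-03-24 15:16:17 ovpn,info <194.165.16.162>: disconnected <peer disconnected>
2025-03-24 20:37:26 ovpn,info connection established from 51.178.236.241, port: 59595 to xxx
2025-03-24 20:37:26 ovpn,info <51.178.236.241>: disconnected <peer disconnected>
2025-03-24 20:37:26 ovpn,info connection established from 51.178.236.244, port: 35565 to xxx
2025-03-24 20:37:29 ovpn,info <51.178.236.244>: disconnected <peer disconnected>
2025-03-24 21:03:56 ovpn,info connection established from 167.94.146.53, port: 57878 to xxx
2025-03-24 21:04:08 ovpn,info <167.94.146.53>: disconnected <peer disconnected>
2025-03-24 21:04:12 ovpn,info connection established from 167.94.146.53, port: 58226 to xxx
2025-03-24 21:04:15 ovpn,info <167.94.146.53>: disconnected <peer disconnected>
2025-03-24 21:04:18 ovpn,info connection established from 167.94.146.53, port: 58228 to xxx
2025-03-24 21:04:28 ovpn,info <167.94.146.53>: disconnected <peer disconnected>
"""

TS = r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})"
IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
ESTABLISHED = re.compile(TS + r" ovpn,info connection established from " + IPV4 + r", port: (\d+)")
DISCONNECTED = re.compile(TS + r" ovpn,info <" + IPV4 + r">: disconnected <([^>]*)>")


def parse_sessions(text):
    """Pair each 'connection established' line with the next 'disconnected'
    line for the same source address (FIFO per source, which is how RouterOS
    orders them). Returns {source_ip: [(start, end, reason), ...]};
    end is None for a session that never closed in the excerpt."""
    open_sessions = defaultdict(deque)
    sessions = defaultdict(list)
    for line in text.splitlines():
        m = ESTABLISHED.search(line)
        if m:
            open_sessions[m[2]].append(datetime.strptime(m[1], "%Y-%m-%d %H:%M:%S"))
            continue
        m = DISCONNECTED.search(line)
        if m and open_sessions[m[2]]:
            start = open_sessions[m[2]].popleft()
            end = datetime.strptime(m[1], "%Y-%m-%d %H:%M:%S")
            sessions[m[2]].append((start, end, m[3]))
    for ip, queue in open_sessions.items():
        for start in queue:
            sessions[ip].append((start, None, "still open"))
    return dict(sessions)


def flag_scanners(sessions, min_connects=3, window=timedelta(minutes=1),
                  max_session=timedelta(seconds=30)):
    """Return {ip: reason} for sources that opened at least `min_connects`
    sessions inside some `window` and whose sessions all closed within
    `max_session`. A client that authenticates stays up far longer, so
    "many short connects" separates probes from real users. Thresholds are
    illustrative assumptions, not values from the thread."""
    flagged = {}
    for ip, sess in sessions.items():
        starts = sorted(s for s, _, _ in sess)
        short_lived = all(e is not None and e - s <= max_session for s, e, _ in sess)
        burst = any(starts[i + min_connects - 1] - starts[i] <= window
                    for i in range(len(starts) - min_connects + 1))
        if burst and short_lived:
            flagged[ip] = f"{len(sess)} short-lived connects, {min_connects} within {window}"
    return flagged


def address_list_commands(flagged, list_name="ovpn_scanners", timeout="1d"):
    """RouterOS CLI lines that put the flagged sources on an address list a
    drop rule can match; the timeout keeps a false positive from being permanent."""
    return [f'/ip firewall address-list add list={list_name} address={ip} '
            f'timeout={timeout} comment="{reason}"'
            for ip, reason in sorted(flagged.items())]


if __name__ == "__main__":
    found = flag_scanners(parse_sessions(SAMPLE_LOG))
    for cmd in address_list_commands(found):
        print(cmd)
```

On the excerpt above this flags 194.165.16.162 and 167.94.146.53 and leaves the two single connects from 51.178.236.x alone. A legitimate client with a wrong certificate also connects and disconnects quickly, so keep the address-list entries time-limited rather than permanent.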
erlinden
Forum Guru
Posts: 3024
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: Block OpenVPN connection

Tue Mar 25, 2025 10:24 am

You might want to introduce something like:
https://help.mikrotik.com/docs/spaces/R ... prevention

This is for SSH, but can probably be used for OpenVPN as well.
 
anav
Forum Guru
Posts: 23467
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Block OpenVPN connection

Wed Mar 26, 2025 4:54 pm

Try a more useful set of firewall rules.

/ip firewall filter
{default rules to keep}
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
(admin rules)

add action=accept chain=input comment=OpenVPN dst-port=xxxxx protocol=tcp { change from any default port }
add action=accept chain=input in-interface-list=LAN
add action=drop chain=input comment="Drop All Else"

+++++++++++++++++++++
{default rules to keep}
add action=fasttrack-connection chain=forward connection-state=established,related
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid

(admin rules)
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward connection-nat-state=dstnat

add action=drop chain=forward comment="drop all else"

Then review......
Yes, the WinBox port should be set to something other than the default as well, and change OVPN away from any default port too.
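The two suggestions in this thread, the staged address lists from the MikroTik brute-force prevention page erlinden links and the rule order anav posts, fit together as below. This is an added example, not configuration from the thread or from MikroTik's page: the OpenVPN port 11194, the address-list names and the timeouts are assumptions, while the WAN and LAN interface lists are the ones used in the original config. The order matters: the established,related accept comes first so that a port-based drop cannot also discard replies to connections the router opened itself, the staged counting rules sit in front of the accept for the OpenVPN port, and WinBox is reachable only through the LAN accept, so port 8291 (or a changed one) is never exposed on WAN.

```routeros
# Added example, not the poster's config. Assumptions: OpenVPN server on
# TCP 11194 (pick your own non-default port), interface lists WAN and LAN exist.
/ip firewall filter
# default rules to keep, first in the chain
add chain=input action=accept connection-state=established,related,untracked
add chain=input action=drop connection-state=invalid
add chain=input action=accept protocol=icmp
# OpenVPN: per-source counting of new TCP connections, adapted from the
# SSH brute-force prevention pattern. Each new connection promotes the
# source one stage; the 4th within the stage timeouts lands on the blacklist.
add chain=input action=drop protocol=tcp dst-port=11194 in-interface-list=WAN \
    src-address-list=ovpn_blacklist comment="drop OpenVPN brute forcers"
add chain=input action=add-src-to-address-list protocol=tcp dst-port=11194 in-interface-list=WAN \
    connection-state=new src-address-list=ovpn_stage3 \
    address-list=ovpn_blacklist address-list-timeout=1d comment="4th connect within a minute -> blacklist"
add chain=input action=add-src-to-address-list protocol=tcp dst-port=11194 in-interface-list=WAN \
    connection-state=new src-address-list=ovpn_stage2 \
    address-list=ovpn_stage3 address-list-timeout=1m
add chain=input action=add-src-to-address-list protocol=tcp dst-port=11194 in-interface-list=WAN \
    connection-state=new src-address-list=ovpn_stage1 \
    address-list=ovpn_stage2 address-list-timeout=1m
add chain=input action=add-src-to-address-list protocol=tcp dst-port=11194 in-interface-list=WAN \
    connection-state=new address-list=ovpn_stage1 address-list-timeout=1m
add chain=input action=accept protocol=tcp dst-port=11194 in-interface-list=WAN comment=OpenVPN
# admin access (WinBox, SSH, web) only from LAN
add chain=input action=accept in-interface-list=LAN
add chain=input action=drop comment="drop all else"
```

Two caveats. The firewall sees TCP connects, not OpenVPN authentication failures, so a real client whose link flaps and reconnects four times within a minute is blacklisted for a day; either lengthen the stage timeouts, raise the number of stages, or exempt known client addresses with src-address-list=!ovpn_allowed on the counting rules. And the staged rules only delay a scanner until its fourth connect; the source in the log above that connected three times in one second would still have reached the server three times, which is why the service port should also be changed from the default as both replies recommend. Verify with /ip firewall address-list print where list=ovpn_blacklist after the next burst shows up in the log.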