senseivita
newbie
Topic Author
Posts: 35
Joined: Fri Jan 01, 2021 4:20 am

Endless winbox login attempts on own interfaces

Fri Aug 26, 2022 6:41 pm

There have been constant attempts to log in on my router by the generic user "admin" (which doesn't exist).

My router is nowhere near the edge of the network, but it is accessible from every subnet and currently has no firewall rules. In turn, access to the network is guarded by RADIUS, DHCP is static only, ARPWATCH notifies through IM so you actually hear when devices connect. So, the router may be unsecured but it's not exactly not secure, and it's not like you can log in without credentials anyway, which is why when I saw it came from winbox and from that specific user (i.e., the preset user in winbox) I was just going to ignore it.

Then I realized a couple of things: 1. the source of the login attempts is the interfaces of the router itself. I have not set up any tunneling or anything like that, but I haven't set up a lot of stuff so perhaps I'm missing something; and 2. the persistence of it is quite high, 38K attempts in a day or two. Those log entries have to be stored somewhere, don't they? I checked the main disk of my system, it's just .3GB, while the other is a little over 1GB. I don't remember moving the logs' storage, I don't even know if it can be done, so I took it as good news for now.
[Attachment: Screen_Shot_2022-08-26_at_8_45_15_AM.png]
Any idea where the login attempts come from?

jvanhambelgium
Forum Veteran
Posts: 990
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: Endless winbox login attempts on own interfaces

Fri Aug 26, 2022 6:54 pm

Different/all interfaces or always from the same *.253 interface?
Of course this is very interesting & 200% not normal, but without any config or schematic what can we say...
Who knows whether this router has once been compromised or something? I see you run 6.49.6 but was it upgraded recently? Was it ever connected to the Internet with a lower release having some serious vulnerabilities etc.

Perhaps you should NETINSTALL again? Do you have scripts running on this unit?
etc., etc.

anav
Forum Guru
Posts: 19323
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Endless winbox login attempts on own interfaces

Fri Aug 26, 2022 6:55 pm

Is there a question in all of that??
Unless you provide a network diagram showing what connected devices are at play and the config of the MT, there is nothing really more to do...
 
tangent
Forum Guru
Posts: 1390
Joined: Thu Jul 01, 2021 3:15 pm

Re: Endless winbox login attempts on own interfaces

Fri Aug 26, 2022 7:01 pm

> the source of the login attempts are the interfaces of the router itself

You're saying this .253 address is assigned to the router itself?

If so, I'd use Torch to grab some frames and analyze them in Wireshark, to see if I could get some more detail down in the packets.

> 38K attempts in a day or two

Time for a fail2ban setup. That scheme handles SSH login failures, but it's easily extended to handle WinBox login failures.

The big trick is finding a way to block the actual source of the attack without causing the router to lock out all remote access.

Your next biggest difficulties in implementing this are addressed by the "Can I Run This on Windows?" section down at the bottom of the article.

> Those log entries have to be stored somewhere, don't they?

RouterOS logs to memory by default for $REASONS, even with CHR. (Dunno about bare-metal x86 RouterOS.)

My fail2ban scheme redirects those logs to a remote system, which won't have these problems.
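
Added example, not part of any post in this thread and not tangent's fail2ban scheme: a Python sketch of the counting step such a setup performs once the router's logs reach a remote system, keeping the router's own addresses off the block list so that remote access is not locked out. The log-line layout, the sample lines and the names `failures`, `triage` and `never_ban` are assumptions.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Assumed message layout; adjust the pattern to what your syslog server stores.
FAILURE = re.compile(
    r"login failure for user (?P<user>\S+) from (?P<src>\S+) via (?P<svc>\S+)")

# Constructed sample lines, not taken from the thread's screenshot.
SAMPLE = """\
Aug 26 08:41:02 rtr system,error,critical login failure for user admin from 10.0.0.253 via winbox
Aug 26 08:41:04 rtr system,error,critical login failure for user admin from 10.0.0.253 via winbox
Aug 26 08:41:06 rtr system,error,critical login failure for user admin from 10.0.0.253 via winbox
Aug 26 08:42:10 rtr system,error,critical login failure for user admin from 10.0.20.44 via winbox
Aug 26 08:42:11 rtr system,error,critical login failure for user root from 10.0.20.44 via winbox
Aug 26 08:42:12 rtr system,error,critical login failure for user admin from 10.0.20.44 via winbox
Aug 26 08:43:00 rtr system,error,critical login failure for user admin from 10.0.20.44 via ssh
Aug 26 08:44:30 rtr system,error,critical login failure for user admin from 10.0.30.7 via winbox
Aug 26 08:45:00 rtr system,info,account user ops logged in from 10.0.30.7 via winbox
""".splitlines()

def failures(lines, service="winbox"):
    """Yield (user, source address) for each failed login on the given service."""
    for line in lines:
        m = FAILURE.search(line)
        if not m or m["svc"] != service:
            continue
        try:
            yield m["user"], ip_address(m["src"])
        except ValueError:
            continue  # source field is not an IP address; nothing to block by IP

def triage(lines, threshold, never_ban):
    """Split sources at or over threshold into (ban, investigate).
    Sources inside never_ban (e.g. the router's own addresses) are only reported."""
    exempt = [ip_network(n) for n in never_ban]
    counts = Counter(src for _, src in failures(lines))
    ban, investigate = [], []
    for src, hits in counts.items():
        if hits >= threshold:
            bucket = investigate if any(src in net for net in exempt) else ban
            bucket.append(str(src))
    return sorted(ban), sorted(investigate)

if __name__ == "__main__":
    print(triage(SAMPLE, threshold=3, never_ban=["10.0.0.253/32"]))
```

Sources in the `investigate` list are the ones to capture traffic for, since blocking them would cut off the router's own address.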
