 
phoennix
just joined
Topic Author
Posts: 3
Joined: Sun Oct 10, 2021 1:26 pm

Incomprehensible hacking attempt

Sun Oct 10, 2021 1:40 pm

Good day, colleagues.
Found login attempts in the logs:
login failure for user admin from 172.20.10.1 via winbox
despite the fact that 172.20.10.1 is the local address of the router.
At first I thought NAT, but even when all NAT rules are disabled, attempts continue.
Tried to search through torch but found only packages from CAPsMAN.
I am confused that a) the attempts come from the local address of the device, and b) they come through winbox.
The account is disabled, and I temporarily solved the case with a firewall, but I would like to understand the reasons.
Any ideas on how to identify the source of the problem?
 
BartoszP
Forum Guru
Posts: 2880
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: Incomprehensible hacking attempt

Sun Oct 10, 2021 2:55 pm

It's easy... I have such reports every day. Someone has a router leaking private addresses to WAN, or has configured a router to use such addresses on its WAN side.
When it's a leak you could be attacked by accident; however, you should check whether your router is resistant to such connections.
When the router uses private addresses intentionally on the WAN side, then the attacker is intentionally checking whether you allow connections from private addresses on the WAN interface.
 
phoennix
just joined
Topic Author
Posts: 3
Joined: Sun Oct 10, 2021 1:26 pm

Re: Incomprehensible hacking attempt

Sun Oct 10, 2021 4:42 pm

Perhaps I misunderstand you, you mean my local addresses 172.20.10.x are visible from the outside, behind the router? But no, they are all for NAT.
Are you saying that someone has a device on the same ISP subnet that uses the address 172.20.10.1?
 
phoennix
just joined
Topic Author
Posts: 3
Joined: Sun Oct 10, 2021 1:26 pm

Re: Incomprehensible hacking attempt

Sun Oct 10, 2021 5:28 pm

I found a solution! This is the Dude package, which is installed on the device, but I still did not understand how it works - why it tries to log in to the device and why exactly under the admin account, where it gets the password from, etc.
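
An added example, not part of the original thread: a small triage script that separates the two cases discussed above, login failures whose source is one of the router's own addresses (the locally generated case that turned out to be the Dude package) versus failures from other private addresses (the leak BartoszP describes). The timestamp and topic prefix on the sample lines, and every address other than 172.20.10.1, are constructed assumptions.

```python
import ipaddress
import re
from collections import Counter

# Message format as quoted in the first post of the thread.
LOGIN_FAILURE = re.compile(
    r"login failure for user (?P<user>\S+) from (?P<src>\S+) via (?P<service>\S+)")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def classify_source(src, router_addresses):
    """Return 'router-own', 'private', 'other' or 'unparsed' for a source field."""
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:
        return "unparsed"        # source field is not an IP address
    if ip in router_addresses:
        return "router-own"      # generated on the router itself
    if any(ip in net for net in RFC1918):
        return "private"         # private source that is not the router
    return "other"

def triage(log_lines, router_addresses):
    """Count login failures per (kind, source, user, service)."""
    own = {ipaddress.ip_address(a) for a in router_addresses}
    counts = Counter()
    for line in log_lines:
        m = LOGIN_FAILURE.search(line)
        if m:
            kind = classify_source(m["src"], own)
            counts[(kind, m["src"], m["user"], m["service"])] += 1
    return counts

# Constructed sample log; only the message text follows the thread.
SAMPLE_LOG = [
    "13:02:11 system,error,critical login failure for user admin from 172.20.10.1 via winbox",
    "13:07:11 system,error,critical login failure for user admin from 172.20.10.1 via winbox",
    "13:09:40 system,error,critical login failure for user admin from 10.44.0.9 via winbox",
    "13:10:02 system,error,critical login failure for user root from 203.0.113.7 via ssh",
    "13:11:30 system,error,critical login failure for user admin from 00:0C:42:00:00:01 via winbox",
    "13:12:00 system,info user admin logged in from 172.20.10.50 via winbox",
]

if __name__ == "__main__":
    for key, n in sorted(triage(SAMPLE_LOG, ["172.20.10.1"]).items()):
        print(n, *key)
```

Repeated "router-own" entries at a regular interval point to software running on the router itself, while "private" entries are the ones to follow up with a check of the WAN-side firewall rules.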
