artyom
just joined
Topic Author
Posts: 5
Joined: Sun Jun 30, 2019 12:21 pm

Firewall kicked me out after 30mins - no clue why

Mon Oct 23, 2023 9:14 pm

Dear forum members!

I am a bit lost and I'd like to ask for your help.
So I've been using Mikrotik for years now - happily.

I have a few deployed remote devices (wAP LTE and wAP R LTE kits, some with mANT LTE). They work great.
A few days ago I remembered to update my IPs in the firewall Address List.
My basic rules looked like this:
- IF the IP is in address list, protocol is TCP, ACCEPT.
- IF the IP is NOT in address list AND it's a TCP connection AND the port is between 1-9999 then DROP.
The port range is because I have services that people use above that range. I just wanted to safeguard MikroTik services basically.

And it worked well!
But oh boy, was I trying to be smart.

So I changed the rules...
I added a new rule as #2, right after the default fast track one.
#2 IF the SRC IP is mine, ACCEPT (protocol not specified)
#3 IF the SRC IP is in Address List, ACCEPT (protocol not specified)
#4 IF the SRC IP is not in Address List, DROP (protocol not specified) -> this was not even correct because it breaks the remote too

To me, this looks super safe. Because if my IP is coming in, I am good.
And the rules are accepted in a sequential order.

However!

At first, the firewall screen showed an increase of packets on this new #2 rule. Hallelujah, I said.
I even started doing my other stuff, just to MAKE SURE it works perfect.
But oh boy, the Mikrotik devil doesn't sleep.

After doing this to a bunch of devices to better safeguard them, they started kicking me out. Oh no.
And this is where I am. I managed to restore a few because I have computers on them and the remote desktop allowed me to access the router from LAN.
But the rest? They are inaccessible. I can't SSH into them, I can't Winbox them, nothing.

Question A:
Could you explain why my firewall rule is wrong?
Because I plan on putting back the TCP and also limit port range.
But I'd like to know where I went wrong with my rule.

Question B:

Do you have any ideas how I could somehow bypass this situation? Any crazy, wild idea?
(I tried to access + nmap from both my static IP and my address list IP machines.)

Maybe there is some UDP service? Maybe.. maybe something? I don't know.
Thank you.
 
anav
Forum Guru
Posts: 19405
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Firewall kicked me out after 30mins - no clue why

Mon Oct 23, 2023 10:57 pm

/export file=anynameyouwish ( minus router serial # and any public WANIP information )

probably a more accurate title.
I kicked myself out of the router after 30mins - The admin has no clue! :-)
 
artyom
just joined
Topic Author
Posts: 5
Joined: Sun Jun 30, 2019 12:21 pm

Re: Firewall kicked me out after 30mins - no clue why

Tue Oct 24, 2023 5:18 pm

I hired a company to fix the stuck device and it seems a "DENY ALL" will murder the DDNS update. So it seems like I disconnected due to low 4G signal or something and then I could not reconnect because the IP was not correct anymore.

Because as I stated, original rules were:
- allow TCP, from Address List
- DENY ALL but only TCP proto, only port 1-9000

I suspect MikroTik is doing some kind of incoming connection, or it's some other protocol that gets blocked.
There is really nothing else in the firewall lists. As soon as I put back TCP and the port range for DENY, it worked perfectly again.
And of course they had to do a Force Update in ip/cloud first.

Ps.: This "dumb rule" is only to protect Mikrotik device itself with default Services enabled.
 
anav
Forum Guru
Posts: 19405
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Firewall kicked me out after 30mins - no clue why

Tue Oct 24, 2023 6:06 pm

Default rules work great, even with some minor tweaking. A deviation without knowing the consequences is ill advised.
 
pe1chl
Forum Guru
Posts: 10248
Joined: Mon Jun 08, 2015 12:09 pm

Re: Firewall kicked me out after 30mins - no clue why

Tue Oct 24, 2023 8:10 pm

The reason that it breaks is that the rules you made do not accept input that is a reply to outgoing connects, like the update of DDNS.
But also other things would go wrong, like query of DNS or download of upgrades.
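The rule set described in the opening post, placed beside a corrected one, as an added example that is not code from any post in this thread. The addresses, the `mgmt` list name and the `LAN` interface list are constructed placeholders (the `LAN` list exists in the RouterOS default configuration; adjust if yours is named differently), and the "defconf-style" rules follow the shape of the stock RouterOS input chain. The point pe1chl makes is visible in the first block: nothing in the input chain accepts replies to connections the router itself opens, so the router's DNS queries and its IP/Cloud DDNS check-in (both UDP) never get their answers back, and after an LTE reconnect changes the WAN address the DDNS name keeps pointing at the old one. The earlier drop rule only matched TCP, which is why those UDP replies still got through and the original set appeared to work. Note also that the default fasttrack rule sits in chain=forward; it has no effect on traffic addressed to the router itself.

```routeros
# --- BROKEN: the three protocol-less rules from the opening post.
# No rule accepts replies to connections the router originated (DNS,
# IP/Cloud DDNS, NTP, package downloads), so every reply falls to the drop.
/ip firewall address-list
add list=mgmt address=203.0.113.10 comment="constructed: admin static IP"
add list=mgmt address=198.51.100.0/24 comment="constructed: office range"

/ip firewall filter
add chain=input action=accept src-address=203.0.113.10 comment="my IP, any protocol"
add chain=input action=accept src-address-list=mgmt comment="address list, any protocol"
add chain=input action=drop src-address-list=!mgmt comment="also drops DNS and DDNS replies"

# --- CORRECTED: accept return traffic first, then restrict management.
/ip firewall filter
# This is the rule that was missing: replies to router-originated traffic.
add chain=input action=accept connection-state=established,related,untracked comment="defconf-style: accept established,related,untracked"
add chain=input action=drop connection-state=invalid comment="defconf-style: drop invalid"
add chain=input action=accept protocol=icmp comment="ping and path-MTU feedback"
# Management reachable only from the admin list, and only on the ports used.
add chain=input action=accept src-address-list=mgmt protocol=tcp dst-port=22,8291 comment="SSH and Winbox from admin addresses only"
add chain=input action=accept in-interface-list=LAN comment="trust the LAN side (assumes the defconf LAN interface list)"
add chain=input action=drop comment="drop everything else addressed to the router"

# Belt and braces: the services themselves are controlled under /ip service,
# so disable what is not used and bind the rest to the admin addresses.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
set ssh address=203.0.113.10,198.51.100.0/24
set winbox address=203.0.113.10,198.51.100.0/24
```

Apply changes like this from a terminal in Safe Mode (Ctrl-X, or the Safe Mode button in WinBox): if the session drops before you leave Safe Mode, RouterOS rolls the changes back, which is exactly the failure this thread describes. After applying, confirm the first rule's packet counter is climbing in `/ip firewall filter print stats`, then run `/ip cloud force-update` and check that `/ip cloud print` reports the router's current public address.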
 
artyom
just joined
Topic Author
Posts: 5
Joined: Sun Jun 30, 2019 12:21 pm

Re: Firewall kicked me out after 30mins - no clue why

Tue Oct 24, 2023 10:53 pm

Default rules work great, even with some minor tweaking. A deviation without knowing the consequences is ill advised.
Yeah but default rules simply allow all access to SSH, telnet, Winbox, etc. Which results in just constant brute force attempts.
 
artyom
just joined
Topic Author
Posts: 5
Joined: Sun Jun 30, 2019 12:21 pm

Re: Firewall kicked me out after 30mins - no clue why

Tue Oct 24, 2023 10:54 pm

The reason that it breaks is that the rules you made do not accept input that is a reply to outgoing connects, like the update of DDNS.
But also other things would go wrong, like query of DNS or download of upgrades.
Hmm and what rule would you add for that?
I am legit curious, I'd like to understand where I went wrong and how I could fix it.
Thank you.
 
anav
Forum Guru
Posts: 19405
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Firewall kicked me out after 30mins - no clue why

Wed Oct 25, 2023 12:24 am

No they don't, that is controlled under other places and these services should be mostly disabled.
 
pe1chl
Forum Guru
Posts: 10248
Joined: Mon Jun 08, 2015 12:09 pm

Re: Firewall kicked me out after 30mins - no clue why

Wed Oct 25, 2023 12:28 pm

Hmm and what rule would you add for that?
I am legit curious, I'd like to understand where I went wrong and how I could fix it.
Thank you.
You have not shown us your full firewall configuration yet, so how should we know???
Show the result of a /ip firewall export