TurboCow
just joined
Topic Author
Posts: 12
Joined: Thu Jun 14, 2018 11:21 pm

Please Help: Something keeps creating firewall rules

Tue Nov 20, 2018 4:37 pm

There is some type of script that keeps installing a firewall allow rule for port 32688 on my customer's router.
It happens every 5 minutes or so.
I keep deleting it and it shows back up while I watch it happen.
Lots of connections to that port when I opened it up this morning.
I recently wiped it and did a factory reset.
Can anyone tell me what I should do?

see pic
 
normis
MikroTik Support
Posts: 26948
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Please Help: Something keeps creating firewall rules

Tue Nov 20, 2018 4:40 pm

check "system scheduler" menu and remove any rules
check "system scripts" menu and also clean it

change password and upgrade RouterOS
fix your firewall, so that winbox is not available to internet
 
SunBlade0
just joined
Posts: 9
Joined: Tue Nov 20, 2018 3:28 pm

Re: Please Help: Something keeps creating firewall rules

Tue Nov 20, 2018 7:26 pm

if this still happens after you 'wiped' the router, you maybe weren't thorough enough.

step 1 get the tools:
- download WinBox, NetInstall and the newest RouterOS.

step 2 privacy:
- unplug your pc from all networks, including wlan.
- remove everything from the router, including power cable, usb drive, sd card, etc.
- connect the router and your pc with a normal ethernet cable.

step 3 wiping the system drive:
- follow https://wiki.mikrotik.com/wiki/Manual:Netinstall and reinstall the newest RouterOS
- if the router doesn't appear even after five minutes, switch to another port on the router, and restart the procedure. some models use port 1 for etherboot, some use port 2.
- make sure you have checked 'Apply default config'. (if unchecked NetInstall keeps the old reset script, you don't want that)

step 4 wiping the BIOS:
- log into the router, default name is 'admin' and empty password.
- if you prefer to configure everything yourself hit Remove, otherwise you can keep the config.
- click on 'System -> Routerboard -> Upgrade -> Yes' and wait a few seconds.
- then restart the router 'System -> Reboot -> Yes'.

step 5 paranoia:
- now is a good time to check the firewall rule again. it might be there again (not problematic at this point), but if it keeps getting created you probably need an entirely new firmware (can't help you there, never done that before), because the BIOS is compromised and it spreads into ROS.
- if it doesn't get created again, restart from step 3 to remove the last remnants of the virus.

step 6 security:
- make sure you have set a password for the router 'System -> Password' or 'System -> Users -> Right click on "admin" -> Password...'. this time use a password you have never used before.
- reboot the router again to be on the safe side.

step 7 connect:
- after setting up the basics (bridge, route, ip, dns, etc.) your 'factory fresh' router can now return to its normal place.

i hope this helps with cleansing the router.
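For readers working from a terminal session rather than WinBox, here is an added example (not code from either poster) of the RouterOS CLI equivalents of the checks normis listed above and of steps 4 to 6 of the procedure just described. Port 32688 is the one from the original post; the LAN range 192.168.88.0/24 and the password string are placeholders to be replaced.

```routeros
# Added example, not from this thread. Placeholders: 192.168.88.0/24 (LAN range)
# and the password value. 32688 is the port from the original post.

# --- Find the rule that keeps coming back, and whatever recreates it ---
/ip firewall filter print where dst-port=32688
/ip firewall nat print where dst-port=32688
# persistence on RouterOS lives in the scheduler and script menus
/system scheduler print detail
/system script print detail
/system script job print

# A clean router has nothing you did not add yourself in these two menus,
# so after the NetInstall it is safe to empty them completely.
/system scheduler remove [find]
/system script remove [find]

# --- Step 4: refresh the RouterBOARD firmware from the freshly installed RouterOS ---
/system routerboard print
/system routerboard upgrade
/system reboot

# --- Step 5: after the reboot, confirm the rule did not return ---
/ip firewall filter print where dst-port=32688
/system scheduler print

# --- Step 6 / normis: a never-used password, then bring RouterOS current ---
/user set admin password="CHANGE-ME-new-unique-password"
/system package update check-for-updates
/system package update install

# --- Keep WinBox off the internet: bind services to the LAN range, disable unused ones ---
/ip service set winbox address=192.168.88.0/24
/ip service set ssh address=192.168.88.0/24
/ip service disable telnet,ftp,www,api,api-ssl
```

The `address=` restriction on `/ip service` is a second line of defence only; the firewall input chain still has to drop WinBox (TCP 8291) from the WAN side, as the later replies in this thread discuss.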
 
TurboCow
just joined
Topic Author
Posts: 12
Joined: Thu Jun 14, 2018 11:21 pm

Re: Please Help: Something keeps creating firewall rules

Wed Nov 21, 2018 4:06 pm

Thank you very much for all the info!

It was a script running on the customer's router causing the open port.
I replaced the router with a new one and reconfigured everything from scratch.
I have the old router in my office now and will attempt the net install procedure.

Thanks for replying
 
TurboCow
just joined
Topic Author
Posts: 12
Joined: Thu Jun 14, 2018 11:21 pm

Re: Please Help: Something keeps creating firewall rules

Wed Nov 21, 2018 4:14 pm


fix your firewall, so that winbox is not available to internet
What does the firewall rule look like to accomplish this?
Will it still allow access from the internet via L2TP VPN connection?
 
sindy
Forum Guru
Posts: 11269
Joined: Mon Dec 04, 2017 9:19 pm

Re: Please Help: Something keeps creating firewall rules

Mon Nov 26, 2018 7:29 pm

Read this supercharged introduction to the RouterOS firewall. To permit only L2TP access encrypted using IPsec, you need to permit incoming UDP connections to ports 500 and 4500 from WAN and incoming UDP connections to port 1701 inside the tunnel, i.e. with an ipsec-policy=in,ipsec condition in the accept rule. All the rest from WAN should be dropped in chain=input (maybe except icmp). Of course with action=accept connection-state=established,related as the first rule in the input chain.

Unfortunately, LAN cannot be considered secure either as some malware infects the PCs on the LAN and attacks the uplink routers from there, so you should restrict access to the management interfaces (ssh, https,...) also from LAN side. If the router is yours, you may limit access to the management services only to the L2TP clients (or another kind of VPN).

L2TP without underlying IPsec provides no security at all.
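As an added example (not sindy's own configuration), the input chain described in the reply above written out as RouterOS firewall rules. It assumes the interface list "WAN" already contains the uplink interface (the default configuration creates it) and that L2TP clients receive addresses from 10.99.0.0/24, a placeholder pool to replace with your own.

```routeros
# Added example, not from this thread. Assumptions: interface list "WAN" exists and
# holds the uplink; 10.99.0.0/24 is a placeholder for the L2TP client address pool.

/ip firewall filter
# Rule 1, as stated above: replies to existing flows pass before anything else.
add chain=input action=accept connection-state=established,related \
    comment="accept established/related"
# IKE (500) and NAT-T (4500) from the internet, so the IPsec tunnel can come up.
add chain=input action=accept protocol=udp dst-port=500,4500 in-interface-list=WAN \
    comment="IKE / NAT-T for L2TP/IPsec"
# L2TP (1701) only when the packet was decapsulated from an IPsec SA.
# Without ipsec-policy=in,ipsec this rule would also accept plain, unencrypted L2TP.
add chain=input action=accept protocol=udp dst-port=1701 ipsec-policy=in,ipsec \
    comment="L2TP only inside IPsec"
# Optional, per the "maybe except icmp" remark: ping from WAN.
add chain=input action=accept protocol=icmp in-interface-list=WAN \
    comment="allow icmp from WAN"
# Management (winbox 8291, ssh 22, https 443) only from VPN clients, not from LAN.
add chain=input action=accept protocol=tcp dst-port=8291,22,443 src-address=10.99.0.0/24 \
    comment="management only from L2TP clients"
add chain=input action=drop protocol=tcp dst-port=8291,22,443 \
    comment="management from anywhere else, LAN included, is dropped"
# Everything else arriving from WAN is dropped.
add chain=input action=drop in-interface-list=WAN comment="drop rest from WAN"

# Check hit counters to confirm the drop rules are the ones absorbing WAN noise:
/ip firewall filter print stats where chain=input
```

Rule order matters: the accept for 1701 carries no in-interface condition because, once decapsulated, the packet no longer looks like it arrived on the WAN interface, and the `ipsec-policy=in,ipsec` match is what proves it came through the tunnel. LAN hosts keep DNS and DHCP from the router because only the management ports are dropped for them.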