cezars
just joined
Topic Author
Posts: 22
Joined: Mon Mar 04, 2019 12:00 am

Why is it not blocking an IP address

Wed Jan 20, 2021 8:08 pm

I used:
/ip firewall filter add chain=input src-address=111.205.46.46 action=drop

and it keeps connecting. I see in the log: TCP connection establish from 111.205.46.46

I also tried to nmap my router from another ISP that I added to the firewall to drop, and it keeps making a connection. Why is it not showing a timeout?

Thanks in advance for the help
 
16again
Frequent Visitor
Posts: 78
Joined: Fri Dec 29, 2017 12:23 pm

Re: Why is it not blocking an IP address

Wed Jan 20, 2021 9:42 pm

Your rule blocks traffic to the router itself (ping, winbox, webfig...) but not traffic going through the router, like port forwards.

Or does another allow rule come before the block rule?
 
cezars
just joined
Topic Author
Posts: 22
Joined: Mon Mar 04, 2019 12:00 am

Re: Why is it not blocking an IP address

Wed Jan 20, 2021 10:44 pm

> Your rule blocks traffic to the router itself (ping, winbox, webfig...) but not traffic going through the router, like port forwards.
>
> Or does another allow rule come before the block rule?

Then how do I permanently block an IP address or a class? (because most of them are the same IP or class)

And yes, I have PPTP open because I use VPN (and I'm tired of a few IPs that brute-force the PPTP service) (and I can't use a rule to allow access only from a single IP or a few IPs because I connect from different places that have dynamic IPs)

Many thanks
 
mkx
Forum Guru
Posts: 13135
Joined: Thu Mar 03, 2016 10:23 pm

Re: Why is it not blocking an IP address

Wed Jan 20, 2021 11:37 pm

If you want to block just any traffic with select remote address(es), the most router-friendly way is to use raw filters:
/ip firewall raw
add chain=prerouting action=drop src-address-list=blocked_addresses
and fill /ip firewall address-list with banned addresses ...
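
The two answers above, as an added example that is not part of the original thread: a simplified Python model of why the input-chain rule can miss traffic and why the raw prerouting rule does not. The flow (raw prerouting, then dst-nat, then filter input or forward), the forwarded port 8080 and all function names are assumptions of this sketch.

```python
import ipaddress

# Simplified model of RouterOS packet flow (an assumption of this example):
# raw prerouting -> dst-nat -> filter "input" (to the router) or "forward" (through it).
BAD = "111.205.46.46"                       # source address from the thread
BLOCKED = [BAD, "213.108.134.0/24"]         # entries for blocked_addresses

def in_list(src, entries):
    """True if src is inside any address or subnet in the list."""
    ip = ipaddress.ip_address(src)
    return any(ip in ipaddress.ip_network(e) for e in entries)

def first_match(rules, pkt):
    """Filter rules are read top to bottom; the first match decides."""
    for match, action in rules:
        if all(pkt[k] == v for k, v in match.items()):
            return action
    return "accept"                         # no rule matched

def verdict(pkt, cfg):
    if in_list(pkt["src"], cfg.get("raw_drop", [])):
        return "drop (raw)"                 # dropped before NAT and filter
    chain = "forward" if pkt["dport"] in cfg.get("dstnat_ports", ()) else "input"
    return f"{first_match(cfg.get(chain, []), pkt)} ({chain})"

drop_bad = ({"src": BAD}, "drop")
allow_pptp = ({"dport": 1723}, "accept")    # PPTP control port, open for the VPN
pptp = {"src": BAD, "dport": 1723}          # connection to the router itself
fwd = {"src": BAD, "dport": 8080}           # constructed port-forward example

def scenarios():
    nat = {"dstnat_ports": (8080,)}
    return {
        "input drop only, PPTP": verdict(pptp, {**nat, "input": [drop_bad]}),
        "accept before drop, PPTP": verdict(pptp, {**nat, "input": [allow_pptp, drop_bad]}),
        "input drop only, forwarded": verdict(fwd, {**nat, "input": [drop_bad]}),
        "raw list, PPTP": verdict(pptp, {**nat, "input": [allow_pptp], "raw_drop": BLOCKED}),
        "raw list, forwarded": verdict(fwd, {**nat, "raw_drop": BLOCKED}),
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:28} -> {result}")
```

On a real router, the per-rule packet counters show which of these cases applies: a drop rule whose counter stays at zero is either in the wrong chain or shadowed by an earlier rule.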
 
cezars
just joined
Topic Author
Posts: 22
Joined: Mon Mar 04, 2019 12:00 am

Re: Why is it not blocking an IP address

Thu Jan 21, 2021 12:20 am

> If you want to block just any traffic with select remote address(es), the most router-friendly way is to use raw filters:
> /ip firewall raw
> add chain=prerouting action=drop src-address-list=blocked_addresses
> and fill /ip firewall address-list with banned addresses ...

Many, many, many thanks for the answer. And the command to add an IP to the blocked list?

add address=213.108.134.0/24 comment="bf pptp" list=blocked_addresses (Is this correct?)
Last edited by cezars on Thu Jan 21, 2021 12:32 am, edited 1 time in total.
 
mkx
Forum Guru
Posts: 13135
Joined: Thu Mar 03, 2016 10:23 pm

Re: Why is it not blocking an IP address

Thu Jan 21, 2021 12:32 am

/ip firewall address-list
add address=1.2.3.4 list=blocked_addresses
add address=2.3.4.5 list=blocked_addresses
Yup, you can also add subnets as in your example.
 
cezars
just joined
Topic Author
Posts: 22
Joined: Mon Mar 04, 2019 12:00 am

Re: Why is it not blocking an IP address

Thu Jan 21, 2021 12:34 am

> /ip firewall address-list
> add address=1.2.3.4 list=blocked_addresses
> add address=2.3.4.5 list=blocked_addresses
> Yup, you can also add subnets as in your example.

Many thanks again for the answer (this is working perfectly, blocks all tested)