2 questions My Config OK? and SFP as WAN port

Hi all,
New to the forums here :)

Q1.
I wanted a sanity check on my MikroTik firewall config, to see if the experts and the like see anything that's wrong with it.

[admin@MikroTik] /ip firewall filter> print
Flags: X - disabled, I - invalid, D - dynamic
 0  D ;;; special dummy rule to show fasttrack counters
      chain=forward action=passthrough

 1    ;;; defconf: accept established,related,untracked
      chain=input action=accept connection-state=established,related,untracked

 2    chain=forward action=accept protocol=tcp src-address=192.168.25.101 dst-address=192.168.25.0/24 src-port=80,81,443,444,4443,8080,8081,3306,55000,1514,9200 log=no log-prefix=""

 3    chain=forward action=accept protocol=tcp src-address=192.168.25.102 dst-address=192.168.25.0/24 src-port=55000,443,1514,9200 log=no log-prefix=""

 4    chain=forward action=accept protocol=tcp src-address=192.168.25.103 dst-address=192.168.25.0/24 src-port=55000,443,1514,9200 log=no log-prefix=""

 5    chain=forward action=accept protocol=tcp src-address=192.168.25.106 dst-address=192.168.25.0/24 src-port=80,443,5001 log=no log-prefix=""

 6    chain=forward action=accept protocol=udp src-address=192.168.25.106 dst-address=192.168.25.0/24 src-port=80,443,5001 log=no log-prefix=""

 7    chain=forward action=accept protocol=tcp src-address=192.168.25.107 dst-address=192.168.25.0/24 src-port=80,443,5001 log=no log-prefix=""

 8    chain=forward action=accept protocol=udp src-address=192.168.25.107 dst-address=192.168.25.0/24 src-port=80,443,5001 log=no log-prefix=""

 9    ;;; defconf: drop invalid
      chain=input action=drop connection-state=invalid

10    ;;; defconf: accept ICMP
      chain=input action=accept protocol=icmp

11    ;;; defconf: accept to local loopback (for CAPsMAN)
      chain=input action=accept dst-address=127.0.0.1

12    ;;; defconf: drop all not coming from LAN
      chain=input action=drop in-interface-list=!LAN

13    ;;; defconf: accept in ipsec policy
      chain=forward action=accept ipsec-policy=in,ipsec

14    ;;; defconf: accept out ipsec policy
      chain=forward action=accept ipsec-policy=out,ipsec

15    ;;; defconf: fasttrack
      chain=forward action=fasttrack-connection connection-state=established,related

16    ;;; defconf: accept established,related, untracked
      chain=forward action=accept connection-state=established,related,untracked

17    ;;; defconf: drop invalid
      chain=forward action=drop connection-state=invalid

18    ;;; defconf: drop all from WAN not DSTNATed
      chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN

19    ;;; Drop Invalid connections
      chain=input action=drop connection-state=invalid

20    ;;; Allow Established connections
      chain=input action=accept connection-state=established

21    ;;; Allow ICMP
      chain=input action=accept protocol=icmp

22    chain=input action=accept src-address=192.168.25.0/24 in-interface=!ether1

23    ;;; Drop everything else
      chain=input action=drop

24    ;;; default configuration
      chain=input action=accept connection-state=established,related

25    chain=input action=accept src-address-list=allowed_to_router

26    chain=input action=accept protocol=icmp

27    chain=input action=drop log=no log-prefix=""

28    chain=forward action=drop src-address=192.168.25.226 dst-address=0.0.0.0 connection-type="" src-mac-address=xx:xx:xx:xx:73:90 log=yes log-prefix=""

29 I  ;;; no interface
      chain=input action=accept connection-state=established,new src-address=10.10.10.0 in-interface=!*E log=no log-prefix=""

30    ;;; drop ftp brute forcers
      chain=input action=drop protocol=tcp src-address-list=ftp_blacklist dst-port=21

31    chain=output action=accept protocol=tcp content=530 Login incorrect dst-limit=1/1m,9,dst-address/1m

32    chain=output action=add-dst-to-address-list protocol=tcp address-list=ftp_blacklist address-list-timeout=3h content=530 Login incorrect

Q.2.
I received my SFP (https://www.aliexpress.com/item/1005007130620541.html) in the post today and wanted to set this interface as a WAN port so it connects to the ISP's router.

[admin@MikroTik] > interface ethernet print
Flags: X - disabled, R - running, S - slave
 #    NAME                                                                                           MTU MAC-ADDRESS       ARP             SWITCH
 0 R  ether1                                                                                        1500 18:FD:74:34:B8:24 enabled         switch1
 1 RS ether2                                                                                        1500 18:FD:74:34:B8:25 enabled         switch1
 2 RS ether3                                                                                        1500 18:FD:74:34:B8:26 enabled         switch1
 3 RS ether4                                                                                        1500 18:FD:74:34:B8:27 enabled         switch1
 4  S ether5                                                                                        1500 18:FD:74:34:B8:28 enabled         switch1
 5  S sfp1                                                                                          1500 18:FD:74:34:B8:29 enabled

How do I do it in the CLI, as I didn't want to screw up the setup?

It would be easier if you could post your full configuration, following this:
http://forum.mikrotik.com/t/forum-rules/173010/1
The output of /ip firewall print and/or of /interface ethernet print, besides being partial, is less readable than the output of /export.

For a config review, as jaclaz stated, the complete config, less the router serial number, any public WAN IP information or keys, is required.

Ok thanks @anav & @jaclaz.
Below is my backup config ([admin@MikroTik] > export hide-sensitive file=05.05.2025)
05.05.2025.rsc

# may/05/2025 21:36:10 by RouterOS 6.49.15
# software id = JD9Z-6C3V
#
# model = RB962UiGS-5HacT2HnT
# serial number = HCQxxx
/interface bridge
add admin-mac=18:FD:xx:xx:xx:xx:xx arp-timeout=30s auto-mac=no comment=defconf \
    name=bridge
/interface ethernet
set [ find default-name=ether1 ] arp-timeout=30s
set [ find default-name=ether5 ] poe-out=off
set [ find default-name=sfp1 ] auto-negotiation=no sfp-rate-select=low speed=\
    10Gbps
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    country=slovenia disabled=no distance=indoors frequency=auto \
    installation=indoor mode=ap-bridge ssid=ssid-wifi wireless-protocol=\
    802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX country=slovenia distance=indoors frequency=auto \
    installation=indoor mode=ap-bridge ssid=ssid2-wifi \
    wireless-protocol=802.11
/interface vlan
add interface=wlan1 name=vlan1 vlan-id=1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
    radius-mac-authentication=yes supplicant-identity=MikroTik
/ip dhcp-server
add disabled=no lease-time=23h59m59s name=TP-Link-dhcp
/ip pool
add name=dhcp ranges=192.168.1.180-192.168.25.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge lease-time=23h59m59s name=\
    defconf
add address-pool=dhcp interface=bridge lease-time=23h59m59s name=Untrust
/system logging action
set 3 remote=192.168.25.7
add name=SynolgySysLog remote=192.168.25.7 target=remote
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
add bridge=bridge interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add comment="Wifi LAN trunk route to TP-LINK ROUTER" disabled=yes vlan-ids=10
add comment="WIFI Trunk for TP-Link AC Router" vlan-ids=20
add bridge=bridge vlan-ids=99
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface wireless access-list
add interface=wlan1 mac-address=C6:0E:xx:xx:xx:xx:xx
add interface=wlan1 mac-address=A0:80:xx:xx:xx:xx:xx
add interface=wlan1 mac-address=CC:4B:xx:xx:xx:xx:xx
add interface=wlan1 mac-address=B8:27:xx:xx:xx:xx:xx
add interface=wlan1 mac-address=B8:27:xx:xx:xx:xx:xx
add interface=wlan1 mac-address=B8:27:xx:xx:xx:xx:xx
add interface=wlan1 mac-address=B8:27:xx:xx:xx:xx:xx
add interface=wlan1 mac-address=D2:20:xx:xx:xx:xx:xx
add interface=wlan1 mac-address=F0:03:xx:xx:xx:xx:xx
add interface=wlan1 mac-address=D2:20:xx:xx:xx:xx:xx
add interface=wlan1 mac-address=C6:0E:xx:xx:xx:xx:xx
add interface=wlan1 mac-address=D2:20:xx:xx:xx:xx:xx
add interface=wlan1 mac-address=1A:D3:xx:xx:xx:xx:xx
add interface=wlan1 mac-address=1A:0A:xx:xx:xx:xx:xx
/interface wireless connect-list
add interface=wlan1 mac-address=B8:27:xx:xx:xx:xx:xx security-profile=default
add interface=wlan1 mac-address=C6:0E:xx:xx:xx:xx:xx security-profile=default
add interface=wlan1 mac-address=B8:27:xx:xx:xx:xx:xx security-profile=default
add interface=wlan1 mac-address=B8:27:xx:xx:xx:xx:xx security-profile=default
add interface=wlan1 mac-address=B8:27:xx:xx:xx:xx:xx security-profile=default
add interface=wlan1 mac-address=D2:20:xx:xx:xx:xx:xx security-profile=default
add interface=wlan1 mac-address=F0:03:xx:xx:xx:xx:xx security-profile=default
add interface=wlan1 mac-address=D2:20:xx:xx:xx:xx:xx security-profile=default
add interface=wlan1 mac-address=D2:20:xx:xx:xx:xx:xx security-profile=default
add interface=wlan1 mac-address=1A:D3:xx:xx:xx:xx:xx security-profile=default
add interface=wlan1 mac-address=1A:0A:xx:xx:xx:xx:xx security-profile=default
/ip address
add address=192.168.25.1/24 comment=defconf interface=bridge network=\
    192.168.25.0
add address=192.168.80.106/24 comment="Telemach Router" interface=ether1 \
    network=192.168.80.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server lease
add address=192.168.25.254 client-id=1:d8:cb:xx:xx:xx:xx:xx mac-address=\
    D8:CB:xx:xx:xx:xx:xx server=defconf
add address=192.168.25.253 client-id=1:72:xx:xx:xx:xx:xx mac-address=\
    72:0C:xx:xx:xx:xx:xx server=defconf
add address=192.168.25.124 mac-address=DC:A6:xx:xx:xx:xx:xx server=defconf
add address=192.168.25.6 mac-address=00:11:xx:xx:xx:xx:xx server=defconf
add address=192.168.25.7 mac-address=00:11:xx:xx:xx:xx:xx server=defconf
add address=192.168.25.101 mac-address=E4:5F:xx:xx:xx:xx:xx server=defconf
add address=192.168.25.138 mac-address=DC:A6:xx:xx:xx:xx:xx server=defconf
add address=192.168.25.117 mac-address=CC:6E:xx:xx:xx:xx:xx server=defconf
add address=192.168.25.118 mac-address=9C:8C:xx:xx:xx:xx:xx server=defconf
add address=192.168.25.103 mac-address=B8:27:xx:xx:xx:xx:xx server=defconf
add address=192.168.25.250 client-id=1:d2:af:xx:xx:xx:xx:xx mac-address=\
    D2:AF:xx:xx:xx:xx:xx server=defconf
/ip dhcp-server network
add address=192.168.25.0/24 comment=defconf dns-server=192.168.25.124 gateway=\
    192.168.25.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=192.168.25.124
/ip dns static
add address=192.168.25.1 comment=defconf name=router.lan
/ip firewall address-list
add address=192.168.88.2-192.168.88.254 list=allowed_to_router
add address=192.168.25.2-192.168.25.254 list=allowed_to_router
add address=10.10.10.200-10.10.10.253 disabled=yes list=\
    10.10-allowed_to_router
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=forward dst-address=192.168.25.0/24 protocol=tcp \
    src-address=192.168.25.240 src-port=\
    80,81,443,444,4443,8080,8081,3306,55000,1514,9200
add action=accept chain=forward dst-address=192.168.25.0/24 protocol=tcp \
    src-address=192.168.25.4 src-port=55000,443,1514,9200
add action=accept chain=forward dst-address=192.168.25.0/24 protocol=tcp \
    src-address=192.168.25.5 src-port=55000,443,1514,9200
add action=accept chain=forward dst-address=192.168.25.0/24 protocol=tcp \
    src-address=192.168.25.7 src-port=80,443,5001
add action=accept chain=forward dst-address=192.168.25.0/24 protocol=udp \
    src-address=192.168.25.7 src-port=80,443,5001
add action=accept chain=forward dst-address=192.168.25.0/24 protocol=tcp \
    src-address=192.168.25.6 src-port=80,443,5001
add action=accept chain=forward dst-address=192.168.25.0/24 protocol=udp \
    src-address=192.168.25.6 src-port=80,443,5001
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=drop chain=input comment="Drop Invalid connections" \
    connection-state=invalid
add action=accept chain=input comment="Allow Established connections" \
    connection-state=established
add action=accept chain=input comment="Allow ICMP" protocol=icmp
add action=accept chain=input in-interface=!ether1 src-address=192.168.25.0/24
add action=drop chain=input comment="Drop everything else"
add action=accept chain=input comment="default configuration" \
    connection-state=established,related
add action=accept chain=input src-address-list=allowed_to_router
add action=accept chain=input protocol=icmp
add action=drop chain=input
add action=drop chain=forward connection-type="" dst-address=0.0.0.0 log=yes \
    src-address=192.168.25.226 src-mac-address=84:D6:D0:2B:73:90
# no interface
add action=accept chain=input connection-state=established,new in-interface=\
    !*E src-address=10.10.10.0
add action=drop chain=input comment="drop ftp brute forcers" dst-port=21 \
    protocol=tcp src-address-list=ftp_blacklist
add action=accept chain=output content="530 Login incorrect" dst-limit=\
    1/1m,9,dst-address/1m protocol=tcp
add action=add-dst-to-address-list address-list=ftp_blacklist \
    address-list-timeout=3h chain=output content="530 Login incorrect" \
    protocol=tcp
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment=\
    "rp5 omv for nextcloud certbot letsencript https certificates" dst-port=\
    81 in-interface-list=WAN log=yes protocol=tcp to-addresses=192.168.25.4 \
    to-ports=8080
add action=dst-nat chain=dstnat dst-port=444 in-interface-list=WAN log=yes \
    protocol=tcp to-addresses=192.168.25.4 to-ports=4443
add action=dst-nat chain=dstnat dst-port=80 in-interface-list=WAN log=yes \
    protocol=tcp to-addresses=192.168.25.8 to-ports=80
add action=dst-nat chain=dstnat dst-port=443 in-interface-list=WAN log=yes \
    protocol=tcp to-addresses=192.168.25.8 to-ports=443
/ip firewall service-port
set h323 disabled=yes
set sip disabled=yes
/ip route
add distance=1 gateway=192.168.0.1
add comment="192.168.25.9/24 Archer_D2 TP LINK AC750" distance=1 \
    dst-address=10.10.10.1/32 gateway=10.10.10.1 scope=62
/ip service
set telnet disabled=yes
set www-ssl disabled=no
/ip traffic-flow target
add dst-address=192.168.25.11 port=443 src-address=192.168.25.11
/system clock
set time-zone-name=Europe/Ljubljana
/system logging
add action=SynolgySysLog topics=pppoe,ppp,info
add action=SynolgySysLog topics=system,info
/system scheduler
add comment="script from https://goyoambrosio.com/2017/05/how-to-turn-off-wifi\
    -at-night-in-mikrotik-routeros/" interval=1d name=CronDisableWLAN1 \
    on-event=DisableWLAN1 policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=aug/20/2022 start-time=01:05:00
add interval=1d name=CronEnableWLAN1 on-event=EnableWLAN1 policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=aug/20/2022 start-time=07:30:00
/system script
add dont-require-permissions=no name=DisableWLAN1 owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=\
    "interface wireless disable wlan1"
add dont-require-permissions=no name=EnableWLAN1 owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=\
    "interface wireless enable wlan1"
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool traffic-monitor
add disabled=yes interface=ether1 name=tmon1

A.2
Right now you have your SFP added to the bridge.
If you want to set it as WAN you first have to remove it from the bridge (thus making it stand-alone).

/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
add bridge=bridge interface=ether5

Then you need to categorize it as WAN:

/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN

/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add comment=myconf interface=sfp1 list=WAN

Side note:
by pasting the configuration on the board, the parser highlighted that you have a wrong setting (red, prepended by #):

# no interface
add action=accept chain=input connection-state=established,new in-interface=\
    !*E src-address=10.10.10.0

The rule of thumb is that whenever there is an * (asterisk) in a configuration it means that there is a reference to something that doesn't exist anymore (deleted or renamed), see point #21 here:
http://forum.mikrotik.com/t/gp-csa-for-mikrotik-devices/182176/1
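Added example, not part of the thread or of anyone's posted config: a small linter for a RouterOS `/export` file that mechanises the two checks a reviewer would run on the config above for Q1. It flags the asterisk references the side note describes (`in-interface=!*E`), and it goes one step further than the thread: it also reports filter rules that can never be hit because an earlier rule in the same chain has a terminating action (accept, drop, reject, tarpit) and no match conditions at all (such as a bare `chain=input action=drop`, after which later input rules are dead). The sample `.rsc` is constructed and abridged from the posted export; the sets of terminating actions and of non-matching parameters are this example's assumptions, not RouterOS documentation.

```python
"""Lint a RouterOS /export for dangling object references and shadowed filter rules."""
import re
import sys
from dataclasses import dataclass

# Constructed sample, abridged from the export posted above; reported line
# numbers refer to this string (or to the file given on the command line).
SAMPLE_RSC = r"""/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=drop chain=input comment="Drop everything else"
add action=accept chain=input src-address-list=allowed_to_router
add action=drop chain=input
# no interface
add action=accept chain=input connection-state=established,new in-interface=\
    !*E src-address=10.10.10.0
add action=add-dst-to-address-list address-list=ftp_blacklist \
    address-list-timeout=3h chain=output content="530 Login incorrect" \
    protocol=tcp
"""

# key=value, where value is a double-quoted string or a bare token.
_KV = re.compile(r'([\w-]+)=("(?:[^"\\]|\\.)*"|\S*)')
# Internal object IDs as an export prints them (*E, *1A), optionally negated.
_INTERNAL_ID = re.compile(r"^!?\*[0-9A-F]+$")
# Assumption: these actions end chain evaluation for a matching packet; jump,
# passthrough, log, fasttrack-connection and add-*-to-address-list do not.
_TERMINAL = {"accept", "drop", "reject", "tarpit"}
# Assumption: parameters that do not restrict which packets a rule matches.
_NON_MATCHERS = {"action", "chain", "comment", "log", "log-prefix", "disabled", "place-before"}


@dataclass
class Rule:
    section: str   # menu path, e.g. "/ip firewall filter"
    lineno: int    # physical line where the add/set statement starts
    verb: str      # "add" or "set"
    params: dict


@dataclass
class Finding:
    lineno: int
    section: str
    message: str


def _logical_lines(text):
    """Yield (lineno, line) with the export's backslash continuations joined."""
    pending, start = "", None
    for n, raw in enumerate(text.splitlines(), 1):
        piece = raw.rstrip()
        if start is None:
            start = n
        else:
            piece = piece.lstrip()      # continuation lines are indented
        if piece.endswith("\\"):
            pending += piece[:-1]
            continue
        yield start, pending + piece
        pending, start = "", None
    if start is not None:
        yield start, pending


def parse_export(text):
    rules, section = [], ""
    for lineno, line in _logical_lines(text):
        if not line or line.startswith("#"):
            continue                    # blank line or export comment ("# no interface")
        if line.startswith("/"):
            section = line              # menu path for the statements that follow
            continue
        verb, _, rest = line.partition(" ")
        params = {k: v.strip('"') for k, v in _KV.findall(rest)}
        rules.append(Rule(section, lineno, verb, params))
    return rules


def find_dangling_refs(rules):
    """Any value that is an internal ID points at a deleted or renamed object."""
    return [Finding(r.lineno, r.section, f"{k}={v} references an object that no longer exists")
            for r in rules for k, v in r.params.items() if _INTERNAL_ID.match(v)]


def find_shadowed_rules(rules):
    """Rules after an unconditional terminating rule in the same chain are dead."""
    out, catch_all = [], {}             # chain -> (line, action) of the rule that ends it
    for r in rules:
        if r.section != "/ip firewall filter" or r.verb != "add":
            continue
        p = r.params
        if p.get("disabled") == "yes":
            continue
        chain = p.get("chain", "")
        if chain in catch_all:
            line, action = catch_all[chain]
            out.append(Finding(r.lineno, r.section,
                               f"chain={chain} rule is unreachable: unconditional {action} at line {line}"))
        elif p.get("action") in _TERMINAL and not (set(p) - _NON_MATCHERS):
            catch_all[chain] = (r.lineno, p["action"])
    return out


def lint(text):
    rules = parse_export(text)
    return sorted(find_dangling_refs(rules) + find_shadowed_rules(rules), key=lambda f: f.lineno)


if __name__ == "__main__":
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RSC
    for f in lint(src):
        print(f"line {f.lineno} [{f.section}]: {f.message}")
```

Run it against the file produced by `export hide-sensitive file=...` to get line-numbered findings; on the constructed sample it reports the three input rules shadowed by the bare `drop` and the `!*E` reference. It deliberately ignores disabled rules and treats `fasttrack-connection` as non-terminating, which is why the defconf `accept established,related` rule that follows it is not flagged.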