Hello everyone,
I’m running RouterOS 7.19beta8 on an RB5008UPr+S+. I have an ONU plugged into the SFP port with management IP 192.168.1.100/24, and this network is bridged into my main LAN (192.168.88.0/24). Until recently I could point my PC at http://192.168.1.100 and reach the ONU’s web interface directly. Now the router itself responds on that IP (WebFig), even though I haven’t added or changed any firewall rules blocking it.
I’ve checked the input chain and it isn’t dropping the traffic – in fact the router “owns” 192.168.1.100 via a /32 alias and answers ARPs for it. What’s the cleanest way to restore direct access to the ONU’s web interface, while keeping everything in the same network and without adding extra VLANs or bridges?
My config export (with sensitive values hidden) is below. Any pointers would be greatly appreciated!
MMM MMM KKK TTTTTTTTTTT KKK
MMMM MMMM KKK TTTTTTTTTTT KKK
MMM MMMM MMM III KKK KKK RRRRRR OOOOOO TTT III KKK KKK
MMM MM MMM III KKKKK RRR RRR OOO OOO TTT III KKKKK
MMM MMM III KKK KKK RRRRRR OOO OOO TTT III KKK KKK
MMM MMM III KKK KKK RRR RRR OOOOOO TTT III KKK KKK
MikroTik RouterOS 7.19beta8 (c) 1999-2025 https://www.mikrotik.com/
Press F1 for help
[admin@MikroTik] > /export hide-sensitive
# 2025-05-02 16:09:40 by RouterOS 7.19beta8
# software id = 82T1-PVIK
#
# model = RB5009UPr+S+
# serial number = HF509EYWVBE
# NOTE(review): "export hide-sensitive" does not redact the software id, serial
# number or the MAC addresses further down; worth scrubbing before posting publicly.
/interface bridge
add admin-mac=78:9A:18:70:2B:08 auto-mac=no comment=defconf name=bridge-lan port-cost-mode=short
# "ha" bridge carries 10.10.0.1/24 (see /ip address) but no bridge port below refers to it by name.
add name=ha
/interface ethernet
set [ find default-name=ether1 ] comment="ISP ComfortNet" poe-out=off
set [ find default-name=ether2 ] comment=CCTV/Intercom
set [ find default-name=ether3 ] comment="Under TV stand"
set [ find default-name=ether4 ] comment="Guest room" poe-priority=15
set [ find default-name=ether5 ] poe-out=off
set [ find default-name=ether8 ] comment="Router therasse room" poe-priority=5
# sfp-sfpplus1 is NOT a bridge-lan port (see /interface bridge port); the ONU behind it is
# reached by routing + masquerade through this interface, not over the LAN bridge.
set [ find default-name=sfp-sfpplus1 ] auto-negotiation=no comment="ISP Triolan" speed=2.5G-baseX
/interface veth
# Container interface lives directly on the LAN subnet (veth1 is a bridge-lan port below), so the
# container has the same reach into 192.168.88.0/24 as any LAN host.
add address=192.168.88.5/24 comment="Home Assistant" gateway=192.168.88.1 gateway6="" name=veth1
/interface vlan
add interface=sfp-sfpplus1 name=Triolan-VLAN-1450 vlan-id=1450
/container mounts
add dst=/config name=homeassistant src=/usb1/containers/mounts/homeassistant
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wifi channel
add band=2ghz-ax disabled=no name=2G reselect-interval=30m..1h skip-dfs-channels=disabled width=20/40mhz
add band=5ghz-ax disabled=no name=5G reselect-interval=30m..1h skip-dfs-channels=disabled width=20/40/80mhz
/interface wifi datapath
add bridge=bridge-lan disabled=no name=Datapath
/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk disabled=no ft=yes ft-over-ds=yes name=PrivateSecurity
# "my_sec" (WPA2 only) is not referenced by any configuration in this export — possibly unused.
add authentication-types=wpa2-psk disabled=no name=my_sec
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge-lan lease-time=10m name=defconf
/ip smb users
set [ find default=yes ] disabled=yes read-only=no
/routing table
add disabled=no fib name=Comfort-route
add disabled=no fib name=Triolan-route
/container
add cmd="python3 -m homeassistant --config /config" envlist=envha hostname=homeassistant interface=veth1 mounts=homeassistant name=\
ha root-dir=usb1/containers/homeassistant start-on-boot=yes workdir=/config
/container config
set ram-high=2048.0MiB registry-url=https://registry-1.docker.io tmpdir=usb1/pull
/container envs
add key=TZ name=envha value=Europe/Kyiv
add key=VERSION name=haversion value=latest
/ip smb
# SMB server on the router is reachable from every LAN host (input chain admits LAN);
# the default share is /pub (see /ip smb shares). Disable if not actually used.
set enabled=yes
/interface bridge port
add bridge=bridge-lan comment=defconf interface=ether3 internal-path-cost=10 path-cost=10
add bridge=bridge-lan comment=defconf interface=ether4 internal-path-cost=10 path-cost=10
add bridge=bridge-lan comment=defconf interface=ether5 internal-path-cost=10 path-cost=10
add bridge=bridge-lan comment=defconf interface=ether6 internal-path-cost=10 path-cost=10
add bridge=bridge-lan comment=defconf interface=ether7 internal-path-cost=10 path-cost=10
add bridge=bridge-lan comment=defconf interface=ether8 internal-path-cost=10 path-cost=10
add bridge=bridge-lan comment=defconf interface=ether2
# Dangling entry: "*16" / "*15" are unresolved internal ids, i.e. the bridge and port it
# referred to no longer exist. Safe to remove.
add bridge=*16 interface=*15
add bridge=bridge-lan interface=veth1
/ip firewall connection tracking
# NOTE(review): 10s UDP timeout is very short; long-lived UDP flows (VoIP, VPN, DNS over
# UDP retries) may lose their conntrack entry — confirm this is intentional.
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface detect-internet
# NOTE(review): detect-internet monitors every interface and points all three target lists at
# "all"; verify it cannot reclassify interfaces, since the firewall relies on the static
# LAN/WAN membership defined below.
set detect-interface-list=all internet-interface-list=all lan-interface-list=all wan-interface-list=all
/interface list member
add comment=defconf interface=bridge-lan list=LAN
add comment="ISP ComforNet" interface=ether1 list=WAN
# sfp-sfpplus1 in WAN: input from the ONU side is dropped by "drop all not coming from LAN",
# and the defconf masquerade (out-interface-list=WAN) already NATs LAN->ONU traffic.
add comment="For Accessing SFP WEB UI" interface=sfp-sfpplus1 list=WAN
add comment="ISP Triolan" interface=Triolan-VLAN-1450 list=WAN
/interface ovpn-server server
add mac-address=FE:54:93:D9:9F:52 name=ovpn-server1
/interface wifi capsman
# require-peer-certificate=no: any CAP that can reach the controller can join without a
# certificate; exposure is limited to LAN by the input chain (loopback accept for CAPsMAN).
set ca-certificate=auto enabled=yes package-path="" require-peer-certificate=no upgrade-policy=none
/interface wifi configuration
add channel=5G country=Ukraine datapath=Datapath disabled=no mode=ap name=5GConfig security=PrivateSecurity ssid="AirPort Extreme" \
steering=*1
add channel=2G country=Ukraine datapath=Datapath disabled=no mode=ap name=2GConfig security=PrivateSecurity ssid=\
"AirPort Extreme Slow" steering=*1
/interface wifi provisioning
add action=create-dynamic-enabled disabled=no master-configuration=2GConfig name-format=2GHz-%I-ax supported-bands=2ghz-ax
add action=create-dynamic-enabled disabled=no master-configuration=5GConfig name-format=5GHz-%I-ax supported-bands=5ghz-ax
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge-lan network=192.168.88.0
add address=172.23.160.167/24 comment="Triolan Static IP" interface=Triolan-VLAN-1450 network=172.23.160.0
# NOTE(review): no prefix length -> /32, network=192.168.1.1. This assigns 192.168.1.100 to the
# ROUTER itself, so a LAN client addressing 192.168.1.100 hits a local address (input chain ->
# WebFig) instead of being forwarded out sfp-sfpplus1. 192.168.1.1 is what becomes reachable
# through sfp-sfpplus1 via the connected route. If the ONU really sits on .100, give the router a
# different host address in that subnet (e.g. address=192.168.1.<free-host>/24 — placeholder) so
# .100 is routed and masqueraded toward the ONU; if the ONU is actually .1 (as the "SFP Web UI"
# mangle rule suggests), only the description and that mangle rule disagree.
add address=192.168.1.100 comment="SFP ONU WEB UI" interface=sfp-sfpplus1 network=192.168.1.1
add address=10.10.0.1/24 interface=ha network=10.10.0.0
/ip dhcp-client
add comment="ComfortNet DHCP" interface=ether1 use-peer-dns=no
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=8.8.8.8,1.1.1.1 gateway=192.168.88.1
/ip dns
# allow-remote-requests=yes makes the router a resolver for whatever the input chain admits;
# it is not an open resolver only because of "drop all not coming from LAN" below.
set allow-remote-requests=yes servers=8.8.8.8,1.1.1.1
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan type=A
/ip firewall filter
add action=accept chain=forward dst-address=10.10.0.0/24 src-address=192.168.88.0/24
add action=accept chain=forward dst-address=192.168.88.0/24 src-address=10.10.0.0/24
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# This rule is what keeps WebFig/DNS/SMB/bandwidth-server off the WAN and ONU interfaces;
# everything arriving from LAN (incl. the container on veth1) reaches every router service.
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related disabled=yes \
hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new \
in-interface-list=WAN
/ip firewall mangle
# "accept" in mangle prerouting only stops the later PCC marking rules from touching this
# destination; it does not permit anything by itself. Note it targets 192.168.1.1, while the
# /ip address entry above claims 192.168.1.100 for the router — confirm which one is the ONU.
add action=accept chain=prerouting comment="SFP Web UI" dst-address=192.168.1.1
add action=mark-connection chain=prerouting connection-mark=no-mark connection-state=new in-interface=ether1 new-connection-mark=\
ComfortNet_connection
add action=mark-connection chain=prerouting connection-mark=no-mark connection-state=new in-interface=sfp-sfpplus1 \
new-connection-mark=Triolan_connection
add action=mark-routing chain=output connection-mark=Triolan_connection new-routing-mark=Triolan-route
add action=mark-routing chain=output connection-mark=ComfortNet_connection new-routing-mark=Comfort-route
add action=mark-connection chain=prerouting comment="PCC Triolan" connection-mark=no-mark connection-state=new dst-address-type=\
!local in-interface=bridge-lan new-connection-mark=Triolan_connection per-connection-classifier=both-addresses-and-ports:2/0
add action=mark-connection chain=prerouting comment="PCC ComfortNet" connection-mark=no-mark connection-state=new dst-address-type=\
!local in-interface=bridge-lan new-connection-mark=ComfortNet_connection per-connection-classifier=both-addresses-and-ports:2/1
add action=mark-routing chain=prerouting connection-mark=Triolan_connection in-interface=bridge-lan new-routing-mark=Triolan-route
add action=mark-routing chain=prerouting connection-mark=ComfortNet_connection in-interface=bridge-lan new-routing-mark=\
Comfort-route
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
# Redundant with the defconf masquerade above: sfp-sfpplus1 is already a WAN list member.
add action=masquerade chain=srcnat comment="NAT Triolan" out-interface=sfp-sfpplus1
add action=masquerade chain=srcnat comment="NAT ComfortNet" out-interface=ether1
add action=masquerade chain=srcnat comment="NAT Triolan" out-interface=Triolan-VLAN-1450
# NOTE(review): no in-interface / src-address match on this dst-nat. 10.10.0.5 appears nowhere
# else in the export (veth1 is 192.168.88.5), so this looks like a leftover — verify or remove.
add action=dst-nat chain=dstnat dst-address=192.168.88.1 dst-port=8123 protocol=tcp to-addresses=10.10.0.5 to-ports=8123
add action=masquerade chain=srcnat src-address=10.10.0.0/24
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip route
add check-gateway=ping comment="Triolan PCC" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=172.23.160.254 pref-src="" \
routing-table=Triolan-route scope=30 suppress-hw-offload=no target-scope=10
# NOTE(review): ComfortNet gateway is hard-coded here although ether1 obtains its address via
# DHCP client; if the ISP ever hands out a different gateway this table silently loses its
# default route while the PCC rules keep marking half the connections for it.
add check-gateway=ping comment="ComfortNet PCC" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=185.237.74.1 pref-src="" \
routing-table=Comfort-route scope=30 suppress-hw-offload=no target-scope=10
add check-gateway=ping comment=Triolan disabled=no distance=2 dst-address=0.0.0.0/0 gateway=172.23.160.254 pref-src="" \
routing-table=main scope=30 suppress-hw-offload=no target-scope=10
# NOTE(review): static route for 10.10.0.0/24 via bridge-lan overlaps the connected
# 10.10.0.1/24 on bridge "ha" — one of the two is presumably stale.
add dst-address=10.10.0.0/24 gateway=bridge-lan
/ip smb shares
set [ find default=yes ] directory=/pub
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=\
fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system clock
# Same zone as the container's TZ=Europe/Kyiv; the two spellings are both tzdata names.
set time-zone-name=Europe/Kiev
/system logging
add topics=container
add topics=container,debug
/system package update
# NOTE(review): "testing" channel on an internet-facing router means beta builds land in
# production; the firmware auto-upgrade below compounds that. Consider the stable channel.
set channel=testing
/system routerboard settings
# Firmware upgraded successfully, please reboot for changes to take effect!
set auto-upgrade=yes
/tool bandwidth-server
# Unauthenticated bandwidth-test server: any LAN host can load the router CPU with it.
# Set authenticate=yes or disable the server if it is not needed.
set authenticate=no
/tool graphing interface
add interface=bridge-lan
# "*B" / "*C" are unresolved interface ids left over from removed interfaces.
add interface=*B
add interface=*C
add interface=ether1
add interface=sfp-sfpplus1
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
[admin@MikroTik] >