Can't Reach ISP After IP Assignment on SFP Interface

Hello all,

I'm facing an issue with routing on my MikroTik router and need assistance. Here’s the setup:

MikroTik Router is connected to MikroTik switches via SFP interface (sfp-sfpplus1).

ISP link is connected to ether1 interface with an IP 172.xx.x.1.

SFP interface has an IP 172.xx.x.27, which is the gateway for my internal network.

The Problem:

When I assign the IP 172.xx.x.27 to the SFP interface (connected directly to the switches), I can ping the switches from the router, but I lose connectivity to the ISP.

When the IP 172.xx.x.27 is not on the SFP interface, the router cannot ping the switches, but it can ping the ISP gateway 172.xx.x.1 without issues.

The router is supposed to act as a gateway for the MikroTik switches and also route traffic to the ISP, but I can't have both functionalities working simultaneously.

What I've Tried:

Checked routing tables and confirmed that the default route points to 172.xx.x.1.

Tried configuring NAT rules for masquerading outbound traffic, but still unable to route to the ISP when the IP 172.xx.x.27 is assigned to the SFP interface.


I know this really shouldn't be an issue, but somehow MikroTik always finds a way to surprise me. Any help would be greatly appreciated!

Also, I know, I've been posting about my persistent issues with these MikroTik devices for about a month now, but I still haven't found a solution.

=========================================================================
Mikrotik Cloud Router Config:

# feb/12/2025 09:54:04 by RouterOS 6.49.10
# software id =
# model = CCR1036-8G-2S+
# serial number =

/interface ethernet
set [ find default-name=ether1 ] name=ISP-LINK
set [ find default-name=ether7 ] auto-negotiation=no loop-protect=off
set [ find default-name=sfp-sfpplus1 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full,10000M-full auto-negotiation=no loop-protect=off
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=xxxxx
add name=dhcp_pool2 ranges=xxxxx
add name=dhcp_pool ranges=xxxxx
/ip dhcp-server
add add-arp=yes address-pool=dhcp_pool2 disabled=no interface=sfp-sfpplus1 lease-time=1d6h10m name=dhcp1 relay=xxxxx
/interface bridge port
add disabled=yes interface=ISP-LINK
add interface=ether2
add interface=ether3
add interface=ether4
add interface=ether5
add interface=ether6
add interface=ether7
add interface=ether8
add interface=sfp-sfpplus1
add interface=sfp-sfpplus2
/interface list member
add interface=ISP-LINK list=WAN
add list=LAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=ether6 list=LAN
add interface=ether7 list=LAN
add interface=ether8 list=LAN
add interface=sfp-sfpplus1 list=LAN
add interface=sfp-sfpplus2 list=LAN
add list=LAN
/ip address
add address=xxxxx interface=sfp-sfpplus1 network=xxxxx
/ip arp
add address=xxxxx interface=sfp-sfpplus1 mac-address=xxxxx
/ip dhcp-client
add interface=ISP-LINK
/ip dhcp-server network
add address=xxxxx gateway=xxxxx netmask=xxxxx
/ip dns
set allow-remote-requests=yes servers=xxxxx
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=ISP-LINK
add action=masquerade chain=srcnat out-interface=ISP-LINK
/ip route
add distance=1 gateway=xxxxx
/ip service
set www-ssl disabled=no
/lcd
set time-interval=hour
/snmp
set enabled=yes
/system clock
set time-zone-autodetect=no time-zone-name=xxxxx
/system identity
set name=2


Mikrotik Switch Config:

# 2025-02-12 10:58:34 by RouterOS 7.11.3
# software id =
# model = CRS354-48G-4S+2Q+
# serial number =

/interface bridge
add name=bridge1
add name=bridge2
add name=bridge3
add name=bridge4
add name=bridge5
add name=bridge6
add name=bridge7
add name=bridge8
add name=bridge9
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge9 interface=ether49
add bridge=bridge9 interface=ether1
add bridge=bridge9 interface=ether2
add bridge=bridge9 interface=ether3
add bridge=bridge9 interface=ether4
add bridge=bridge9 interface=ether5
add bridge=bridge9 interface=ether6
add bridge=bridge9 interface=ether7
add bridge=bridge9 interface=ether8
add bridge=bridge9 interface=ether9
add bridge=bridge9 interface=ether10
add bridge=bridge9 interface=ether11
add bridge=bridge9 interface=ether12
add bridge=bridge9 interface=ether13
add bridge=bridge9 interface=ether14
add bridge=bridge9 interface=ether15
add bridge=bridge9 interface=ether16
add bridge=bridge9 interface=ether17
add bridge=bridge9 interface=ether18
add bridge=bridge9 interface=ether19
add bridge=bridge9 interface=ether20
add bridge=bridge9 interface=ether21
add bridge=bridge9 interface=ether22
add bridge=bridge9 interface=ether23
add bridge=bridge9 interface=ether24
add bridge=bridge9 interface=ether25
add bridge=bridge9 interface=ether26
add bridge=bridge9 interface=ether27
add bridge=bridge9 interface=ether28
add bridge=bridge9 interface=ether29
add bridge=bridge9 interface=ether30
add bridge=bridge9 interface=ether31
add bridge=bridge9 interface=ether32
add bridge=bridge9 interface=ether33
add bridge=bridge9 interface=ether34
add bridge=bridge9 interface=ether35
add bridge=bridge9 interface=ether36
add bridge=bridge9 interface=ether37
add bridge=bridge9 interface=ether38
add bridge=bridge9 interface=ether39
add bridge=bridge9 interface=ether40
add bridge=bridge9 interface=ether41
add bridge=bridge9 interface=ether42
add bridge=bridge9 interface=ether43
add bridge=bridge9 interface=ether44
add bridge=bridge9 interface=ether45
add bridge=bridge9 interface=ether46
add bridge=bridge9 interface=ether47
add bridge=bridge9 interface=ether48
add bridge=bridge9 interface=qsfpplus1-1
add bridge=bridge9 interface=qsfpplus1-2
add bridge=bridge9 interface=qsfpplus1-3
add bridge=bridge9 interface=qsfpplus1-4
add bridge=bridge9 interface=qsfpplus2-1
add bridge=bridge9 interface=qsfpplus2-2
add bridge=bridge9 interface=qsfpplus2-3
add bridge=bridge9 interface=qsfpplus2-4
add bridge=bridge9 interface=sfp-sfpplus1
add bridge=bridge9 interface=sfp-sfpplus2
add bridge=bridge9 interface=sfp-sfpplus3
add bridge=bridge9 interface=sfp-sfpplus4
/interface list member
add interface=ether49 list=WAN
add interface=ether1 list=LAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=ether6 list=LAN
add interface=ether7 list=LAN
add interface=ether8 list=LAN
add interface=ether9 list=LAN
add interface=ether10 list=LAN
add interface=ether11 list=LAN
add interface=ether12 list=LAN
add interface=ether13 list=LAN
add interface=ether14 list=LAN
add interface=ether15 list=LAN
add interface=ether16 list=LAN
add interface=ether17 list=LAN
add interface=ether18 list=LAN
add interface=ether19 list=LAN
add interface=ether20 list=LAN
add interface=ether21 list=LAN
add interface=ether22 list=LAN
add interface=ether23 list=LAN
add interface=ether24 list=LAN
add interface=ether25 list=LAN
add interface=ether26 list=LAN
add interface=ether27 list=LAN
add interface=ether28 list=LAN
add interface=ether29 list=LAN
add interface=ether30 list=LAN
add interface=ether31 list=LAN
add interface=ether32 list=LAN
add interface=ether33 list=LAN
add interface=ether34 list=LAN
add interface=ether35 list=LAN
add interface=ether36 list=LAN
add interface=ether37 list=LAN
add interface=ether38 list=LAN
add interface=ether39 list=LAN
add interface=ether40 list=LAN
add interface=ether41 list=LAN
add interface=ether42 list=LAN
add interface=ether43 list=LAN
add interface=ether44 list=LAN
add interface=ether45 list=LAN
add interface=ether46 list=LAN
add interface=ether47 list=LAN
add interface=ether48 list=LAN
add interface=qsfpplus1-1 list=LAN
add interface=qsfpplus1-2 list=LAN
add interface=qsfpplus1-3 list=LAN
add interface=qsfpplus1-4 list=LAN
add interface=qsfpplus2-1 list=LAN
add interface=qsfpplus2-2 list=LAN
add interface=qsfpplus2-3 list=LAN
add interface=qsfpplus2-4 list=LAN
add interface=sfp-sfpplus1 list=LAN
add interface=sfp-sfpplus2 list=LAN
add interface=sfp-sfpplus3 list=LAN
add interface=sfp-sfpplus4 list=LAN
/ip address
add address=xxxxxx interface=sfp-sfpplus1 network=xxxxxx
/ip route
add dst-address=xxxxxx gateway=xxxxxx
/system clock
set time-zone-autodetect=no time-zone-name=Europe/xxxxxx
/system note
set show-at-login=no
/system routerboard settings
set boot-os=router-os enter-setup-on=delete-key

Looking at your setup, it looks like you should probably do some training…

Router:
create bridge interface LAN
add local interfaces to bridge
assign LAN ip address to bridge
dhcp-server assign to bridge
1x nat is enough

??? /ip arp add address=xxxxx interface=sfp-sfpplus1 mac-address=xxxxx - what is that for?

Switch:
remove unnecessary bridge
assign LAN ip address to bridge

Since the issue likely revolves around IP addresses and networks, even if your privacy needs to be respected, replacing everything with xxxx doesn’t really help in troubleshooting the problem.

Idea:
replace 1:1 your real IPs and network in use (LAN) with arbitrary addresses in the 10.0.0.0/8.

As an example, let’s say your real address (that you don’t want to make public), which you indicated as 172.xx.x.1, is in reality 172.30.8.1; replace:
172=10
30=42
8=42
1=1
and use 10.42.42.1 or, if you prefer, replace all 1st octets with 10, all 2nd octets with 42 (or whatever other number you choose), all third octets with 42 (or whatever other number you choose), leave last octet as is.

For WAN address, do the same but use instead another range, such as TEST-NET-3 203.0.113.0/24.
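
The 1:1 renumbering suggested above, as an added Python example that is not part of the original thread: it rewrites every IPv4 address in an export, mapping LAN addresses into 10.42.x.y and everything else into TEST-NET-3 while keeping the last octet. It goes slightly beyond the post by giving each distinct LAN /24 its own third octet and by stopping if two real addresses would collide; the sample export, its addresses and the name `sanitize_export` are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample export; the "real" addresses here are made up for the demo.
SAMPLE_EXPORT = """\
/ip address
add address=172.30.8.27/24 interface=bridge-lan network=172.30.8.0
/ip dhcp-server network
add address=172.30.8.0/24 gateway=172.30.8.27 netmask=24
/ip route
add distance=1 gateway=198.51.100.1
"""

IPV4 = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")
TEST_NET_3 = ipaddress.ip_network("203.0.113.0/24")


def sanitize_export(text, lan_nets, second=42, first_third=42):
    """Remap LAN addresses into 10.<second>.<third>.<last> and all others
    into TEST-NET-3, keeping the last octet so hosts stay recognisable."""
    lans = [ipaddress.ip_network(n) for n in lan_nets]
    thirds = {}  # real LAN /24 prefix -> replacement third octet
    seen = {}    # replacement address -> real address (collision check)

    def replace(match):
        real = match.group(1)
        try:
            ip = ipaddress.ip_address(real)
        except ValueError:
            return real  # not a valid IPv4 address, leave untouched
        if real == "0.0.0.0" or real.startswith("255."):
            return real  # default route / dotted netmask, nothing to hide
        last = int(ip) & 0xFF
        if any(ip in net for net in lans):
            third = thirds.setdefault(int(ip) >> 8, first_third + len(thirds))
            fake = f"10.{second}.{third}.{last}"
        else:
            fake = str(TEST_NET_3.network_address + last)
        if seen.setdefault(fake, real) != real:
            raise ValueError(f"{real} and {seen[fake]} both map to {fake}")
        return fake

    return IPV4.sub(replace, text)


if __name__ == "__main__":
    print(sanitize_export(SAMPLE_EXPORT, ["172.30.0.0/16"]))
```

Because the mapping is consistent, a reader can still see which addresses share a subnet, which is exactly what a string of xxxxx hides.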

They are all being too nice, I am just going to say it.

Why the hell are you putting a LAN IP on the ISP interface, and what's with 3 masquerades???

The router gets an IP from the ISP; we know that because you have this:

/ip dhcp-client
add interface=ISP-LINK

You told the router where the ISP is with this, which you could have done by telling the DHCP client to add the default route, but whatever:

/ip route
add distance=1 gateway=xxxxx

That’s all the router needs to get to the internet, and a big warning: you have listed no firewall rules. I hope you have it secured :slight_smile:

Beyond the firewall everything else is LAN

This doesn’t make sense. Why are you connecting the ISP WAN to the bridge?

/interface bridge port
add disabled=yes interface=ISP-LINK

It’s a router; you don’t have to have things physically connecting to each other. Keep the WAN and LAN apart.
The LAN goes on the bridge because you need to add multiple interfaces to it.
Add your interfaces to the bridge
LAN gateway goes into the bridge
DHCP server goes into the bridge so clients get an IP

Finally you need a NAT to translate the LAN IPs to the WAN IP … NOT 3 of them :slight_smile:

/ip firewall nat
add action=masquerade chain=srcnat out-interface=ISP-LINK

Finished... done, running, other than you have no firewall :slight_smile:
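
The points raised in the replies above (WAN port listed under the bridge, IP address and DHCP server bound to a bridge port instead of the bridge, more than one masquerade rule, no firewall filter rules) can be checked mechanically before a config goes live. This is an added Python example, not code from any poster; the function names are hypothetical and the embedded text is a trimmed excerpt of the router export posted in the thread.

```python
import re

# Trimmed excerpt of the router export posted above (placeholders kept as posted).
ROUTER_EXPORT = """\
/interface bridge port
add disabled=yes interface=ISP-LINK
add interface=ether2
add interface=sfp-sfpplus1
/interface list member
add interface=ISP-LINK list=WAN
add interface=sfp-sfpplus1 list=LAN
/ip address
add address=xxxxx interface=sfp-sfpplus1 network=xxxxx
/ip dhcp-server
add add-arp=yes address-pool=dhcp_pool2 disabled=no interface=sfp-sfpplus1
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=ISP-LINK
add action=masquerade chain=srcnat out-interface=ISP-LINK
"""


def parse_export(text):
    """Return (section, {key: value}) for every add/set line of an export."""
    section, rows = None, []
    for line in map(str.strip, text.splitlines()):
        if line.startswith("/"):
            section = line
        elif section and line.startswith(("add ", "set ")):
            rows.append((section, dict(re.findall(r"([\w-]+)=(\S*)", line))))
    return rows


def lint_export(text):
    """Flag the issues the replies point out; returns a list of findings."""
    rows = parse_export(text)
    get = lambda sec: [kv for s, kv in rows if s == sec]
    wan = {kv["interface"] for kv in get("/interface list member")
           if kv.get("list") == "WAN" and "interface" in kv}
    ports = {kv["interface"] for kv in get("/interface bridge port")
             if "interface" in kv}
    out = [f"WAN interface {i} is listed under /interface bridge port"
           for i in sorted(wan & ports)]
    for sec in ("/ip address", "/ip dhcp-server"):
        out += [f"{sec} is bound to bridge port {kv['interface']}, not the bridge"
                for kv in get(sec) if kv.get("interface") in ports]
    masq = [kv for kv in get("/ip firewall nat") if kv.get("action") == "masquerade"]
    if len(masq) > 1:
        out.append(f"{len(masq)} masquerade rules; one is enough")
    if not get("/ip firewall filter"):
        out.append("no /ip firewall filter rules in the export")
    return out
```

Running `lint_export(ROUTER_EXPORT)` on the excerpt reports all five items; an export with the LAN address on the bridge, a single masquerade rule and at least one filter rule returns an empty list.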

Well, that depends on which side of the wall you are :wink:, I like to think that “this side” is LAN (safe) and the other one is WAN (hic sunt leones :open_mouth: ) .
:laughing: