Fixing routing for GPON on sfp-sfpplus1

How can I access the GPON’s web interface on 10.10.1.1?

192.168.88.0/24 # main local network
192.168.216.0/24 # wireguard
10.10.1.1 # Zyxel PMG3000-D20B GPON on sfp-sfpplus1

WAN is supplied through an ONT plugged into ether1. I am not onsite, so I am connected through Wireguard and preparing the switchover. The switchover would be changing the cable from the ONT to the GPON.

The interface sfp-sfpplus1 is shown as running and link ok, including values like vendor serial, temperature, tx power. Although a fibre cable is plugged into the GPON, there is no signal on the cable as it is currently supplying the ONT.

I want to access the GPON’s web interface on 10.10.1.1. Currently, this is not possible.

Here is my preliminary diagnosis:

ping arp-ping=yes 10.10.1.1%sfp-sfpplus1
...
sent=8 received=8 packet-loss=0% min-rtt=1ms57us avg-rtt=2ms509us max-rtt=4ms181us 
ping 10.10.1.1
  SEQ HOST                                     SIZE TTL TIME       STATUS                                                                                                                                                                       
    0 10.10.1.1                                                    timeout                                                                                                                                                                      
    1 10.10.1.1                                                    timeout                                                                                                                                                                      
    2 10.10.1.1                                                    timeout                                                                                                                                                                      
    3 10.10.1.1                                                    timeout                                                                                                                                                                      
    4 10.10.1.1                                                    timeout                                                                                                                                                                      
    5 10.10.1.1                                                    timeout                                                                                                                                                                      
    sent=6 received=0 packet-loss=100% 

…so this must be a routing issue, if the ARP ping works but the normal ping does not. Here is the NAT table:

/ip/firewall/nat> print
Flags: X - disabled, I - invalid; D - dynamic 
 0  D ;;; back-to-home-vpn
      chain=srcnat action=masquerade in-interface=back-to-home-vpn 

 1    chain=srcnat action=masquerade src-address=192.168.88.0/24 out-interface=pppoe-out1 log=no log-prefix="" 

 2 I  ;;; gpon
      ;;; pppoe-out2 not ready
      chain=srcnat action=masquerade src-address=192.168.88.0/24 out-interface=pppoe-out2 log=no log-prefix="" 

 3    ;;; HAIRPIN NAT
      chain=srcnat action=masquerade src-address=192.168.88.0/24 dst-address=192.168.88.0/24 log=no log-prefix="" 

 4    ;;; home-assistant
      chain=dstnat action=dst-nat to-addresses=192.168.88.35 to-ports=80 protocol=tcp in-interface-list=WAN dst-port=80 log=no log-prefix="" 

 5    chain=dstnat action=dst-nat to-addresses=192.168.88.35 to-ports=443 protocol=tcp in-interface-list=WAN dst-port=443 log=no log-prefix="" 

 6 X  chain=srcnat action=src-nat to-addresses=10.10.1.1 src-address=192.168.88.0/24 dst-address=10.10.1.1 dst-address-list="" out-interface=sfp-sfpplus1 log=no log-prefix="" 

 7    chain=srcnat action=masquerade to-addresses=192.168.100.0/24 src-address=192.168.88.0/24 out-interface=ether1 log=no log-prefix="" 

 8    chain=srcnat action=src-nat to-addresses=10.10.1.1 src-address=192.168.88.0/24 dst-address=10.10.1.0/24 out-interface=sfp-sfpplus1 
/ip/route> print
Flags: D - DYNAMIC; X - DISABLED, I - INACTIVE, A - ACTIVE; c - CONNECT, s - STATIC, v - VPN; + - ECMP
Columns: DST-ADDRESS, GATEWAY, ROUTING-TABLE, DISTANCE
#      DST-ADDRESS        GATEWAY             ROUTING-TABLE  DISTANCE
0  Xs  0.0.0.0/0          vlan7-telekom-gpon  main                  1
1  As+ 0.0.0.0/0          pppoe-out1          main                  1
2  Is  0.0.0.0/0          0.0.0.0             main                  1
3  Is  0.0.0.0/0          pppoe-out2          main                  1
  DAv+ 0.0.0.0/0          pppoe-out1          main                  1
4  As  10.10.1.0/24       sfp-sfpplus1        main                  1
  DAc  10.10.1.0/32       sfp-sfpplus1        main                  0
  DAc  10.10.10.0/24      bridge-guest        main                  0
  DAc  XX.XXX.XXX.XXX/32  pppoe-out1          main                  0
  DAc  192.168.88.0/24    bridge              main                  0
  DAc  192.168.100.0/24   ether1              main                  0
  DAc  192.168.216.0/24   back-to-home-vpn    main                  0

sfp-sfpplus1 is not part of bridge.

Remarkably, I can access the ONT’s web interface through 192.168.100.1 directly. And yes, I’ve tried the exact masquerade rule with the 10.10.1.1 and also get timeouts for the GPON.

=> What’s different between the ONT and the GPON, so that the same configuration works for the ONT yet not for the GPON?

What do I need to change to make 10.10.1.1 respond to common ping and access 10.10.1.1’s web interface?

I assume once this works, I’d just need to change the interface of the pppoe-out1 to sfp-sfpplus1 and I should be back online (provided I registered the new modem ID with my ISP OR cloned the old one). Is this correct?

Side note: How do I extract the PLOAM from the GPON?

Let me know which other configuration prints you need.

I’d appreciate it if you could tell me how I could diagnose it further, so I can familiarise myself more with the richness of Mikrotik’s tools.

You should post your full configuration, instructions here:

You have two routes for 10.10.1.0, a static /24 and a Dynamic /32.
The /32 one could come from a (misconfigured) ip address, so post also the output of:
/ ip address print

/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
add address=10.10.10.1/24 interface=bridge-guest network=10.10.10.0
add address=192.168.100.10/24 comment="ONT Glasfasermodem 192.168.100.1" interface=ether1 network=192.168.100.0
add address=10.10.1.10 interface=sfp-sfpplus1 network=10.10.1.0

Here is the full config:

# 2026-01-24 08:46:32 by RouterOS 7.21
# software id = SKRK-C80B
#
# model = RB5009UPr+S+
/interface bridge
add admin-mac=D4:01:C3:E5:30:0F auto-mac=no comment=defconf name=bridge
add name=bridge-guest
/interface ethernet
set [ find default-name=ether1 ] l2mtu=1514
set [ find default-name=ether2 ] l2mtu=1514
set [ find default-name=ether3 ] l2mtu=1514
set [ find default-name=ether4 ] l2mtu=1514
set [ find default-name=ether5 ] l2mtu=1514
set [ find default-name=ether6 ] l2mtu=1514
set [ find default-name=ether7 ] l2mtu=1514
set [ find default-name=ether8 ] l2mtu=1514
set [ find default-name=sfp-sfpplus1 ] auto-negotiation=no l2mtu=1514 sfp-ignore-rx-los=yes speed=1G-baseT-full
/interface wireguard
add comment=back-to-home-vpn listen-port=18353 mtu=1420 name=back-to-home-vpn
/interface vlan
add comment=Telekom interface=ether1 name=vlan7-telekom vlan-id=7
add comment=Telekom interface=sfp-sfpplus1 name=vlan7-telekom-gpon vlan-id=7
/interface pppoe-client
add add-default-route=yes comment=Telekom disabled=no interface=vlan7-telekom max-mtu=1492 name=pppoe-out1 use-peer-dns=yes user=###
add add-default-route=yes comment="Telekom GPON" interface=vlan7-telekom-gpon max-mtu=1492 name=pppoe-out2 use-peer-dns=yes user=###
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wifi channel
add band=5ghz-ax deprioritize-unii-3-4=no disabled=no frequency=5600,5490-5730 name=ch-5ghz reselect-interval=1m skip-dfs-channels=disabled width=20/40/80mhz
add band=2ghz-ax disabled=no frequency=2402-2482 name=ch-2ghz width=20mhz
/interface wifi datapath
add bridge=bridge disabled=no name=datapath1
add bridge=bridge-guest disabled=no name=datapath-guest
/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk disabled=no name=sec1
add authentication-types=wpa2-psk,wpa3-psk disabled=yes name=guest
/interface wifi configuration
add channel=ch-2ghz channel.band=2ghz-ax .skip-dfs-channels=10min-cac country=Germany datapath=datapath1 disabled=no mode=ap name="FRITZ!Box 5590 EH" security=sec1 security.authentication-types=wpa2-psk,wpa3-psk ssid="FRITZ!Box 5590 EH"
add country=Germany disabled=yes name="FRITZ!Box 5590 EH Gast" security=guest ssid="FRITZ!Box 5590 EH Gast"
add channel=ch-5ghz channel.band=5ghz-ax .secondary-frequency=disabled country=Germany datapath=datapath1 disabled=no mode=ap name="FRITZ!Box 5590 EH 5 GHz" security=sec1 security.authentication-types=wpa2-psk,wpa3-psk ssid=\
    "FRITZ!Box 5590 EH 5 GHz"
/ip pool
add name=dhcp ranges=192.168.88.50-192.168.88.150
add name=dhcp_pool1 ranges=10.10.10.2-10.10.10.254
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf server-address=192.168.88.1
add address-pool=dhcp_pool1 interface=bridge-guest name=dhcp1
/user group
add name=homeassistant policy=reboot,read,write,policy,test,api,rest-api,!local,!telnet,!ssh,!ftp,!winbox,!password,!web,!sniff,!sensitive,!romon
/disk settings
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
/interface bridge nat
add action=accept chain=srcnat
add action=accept chain=srcnat
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
/ip firewall connection tracking
set generic-timeout=1m
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface detect-internet
set detect-interface-list=dynamic internet-interface-list=WAN lan-interface-list=LAN wan-interface-list=WAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=pppoe-out1 list=WAN
add interface=sfp-sfpplus1 list=WAN
add disabled=yes interface=vlan7-telekom-gpon list=WAN
add interface=pppoe-out2 list=WAN
add interface=ether1 list=WAN
/interface wifi cap
set enabled=yes
/interface wifi capsman
set ca-certificate=auto certificate=auto enabled=yes interfaces=all package-path=updates require-peer-certificate=no upgrade-policy=suggest-same-version
/interface wifi provisioning
add action=create-dynamic-enabled disabled=no master-configuration="FRITZ!Box 5590 EH" supported-bands=2ghz-ax
add action=create-dynamic-enabled disabled=no master-configuration="FRITZ!Box 5590 EH 5 GHz" supported-bands=5ghz-ax
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
add address=10.10.10.1/24 interface=bridge-guest network=10.10.10.0
add address=192.168.100.10/24 comment="ONT Glasfasermodem 192.168.100.1" interface=ether1 network=192.168.100.0
add address=10.10.1.10 interface=sfp-sfpplus1 network=10.10.1.0
/ip arp
add address=10.10.1.1 interface=sfp-sfpplus1 mac-address=####
/ip cloud
set back-to-home-vpn=enabled ddns-enabled=yes
/ip dhcp-client
add interface=vlan7-telekom
/ip dhcp-server network
add address=10.10.10.0/24 gateway=10.10.10.1
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=192.168.88.1 ntp-server=192.168.88.1
/ip dns
set allow-remote-requests=yes cache-size=20480KiB servers=9.9.9.9,149.112.112.112,2620:fe::fe,2620:fe::9 verify-doh-cert=yes
/ip dns adlist
add disabled=yes url=https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan type=A
add address=149.112.112.112 name=dns.quad9.net type=A
add address=9.9.9.9 name=dns.quad9.net type=A
add address=2620:fe::fe name=dns.quad9.net type=AAAA
add address=2620:fe::9 name=dns.quad9.net type=AAAA
/ip firewall address-list
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=accept chain=input comment=API dst-port=8728 log=yes protocol=tcp
add action=accept chain=input comment="API SSL" dst-port=8729 log=yes protocol=tcp
add action=drop chain=forward dst-address=192.168.88.0/24 src-address=10.10.10.0/24
add action=drop chain=forward dst-address=192.168.216.0/24 src-address=10.10.10.0/24
/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe-out1 src-address=192.168.88.0/24
# pppoe-out2 not ready
add action=masquerade chain=srcnat comment=gpon out-interface=pppoe-out2 src-address=192.168.88.0/24
add action=masquerade chain=srcnat comment="HAIRPIN NAT" dst-address=192.168.88.0/24 src-address=192.168.88.0/24
add action=dst-nat chain=dstnat comment=home-assistant dst-port=80 in-interface-list=WAN protocol=tcp to-addresses=192.168.88.35 to-ports=80
add action=dst-nat chain=dstnat dst-port=443 in-interface-list=WAN protocol=tcp to-addresses=192.168.88.35 to-ports=443
add action=src-nat chain=srcnat disabled=yes dst-address=10.10.1.1 dst-address-list="" out-interface=sfp-sfpplus1 src-address=192.168.88.0/24 to-addresses=10.10.1.1
add action=masquerade chain=srcnat out-interface=ether1 src-address=192.168.88.0/24 to-addresses=192.168.100.0/24
add action=src-nat chain=srcnat disabled=yes dst-address=10.10.1.0/24 out-interface=sfp-sfpplus1 src-address=192.168.88.0/24 to-addresses=10.10.1.1
add action=masquerade chain=srcnat out-interface=sfp-sfpplus1 src-address=192.168.88.0/24
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=pppoe-out1 routing-table=main scope=30 target-scope=10
add disabled=no dst-address=0.0.0.0/0 gateway="" routing-table=main
add disabled=no dst-address=0.0.0.0/0 gateway=pppoe-out2 routing-table=main
add disabled=yes distance=1 dst-address=0.0.0.0/0 gateway=vlan7-telekom-gpon routing-table=main scope=30 target-scope=10
add disabled=no distance=1 dst-address=10.10.1.0/24 gateway=sfp-sfpplus1 routing-table=main scope=30 target-scope=10
/ip service
set ftp disabled=yes
set ssh address=192.168.88.0/32,192.168.216.0/32
set telnet disabled=yes
set www address=192.168.88.0/32,192.168.216.0/32
set api address=192.168.88.0/32,192.168.216.0/32,192.168.88.35/32
set api-ssl address=192.168.88.0/32,192.168.216.0/32,192.168.88.35/32 certificate="Self signed demo certificate for API"
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" dst-port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" dst-port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/ipv6 nd
set [ find default=yes ] advertise-dns=yes
/snmp
set enabled=yes
/system clock
set time-zone-name=Europe/Berlin
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp server
set enabled=yes
/system ntp client servers
add address=0.de.pool.ntp.org
add address=1.de.pool.ntp.org
add address=2.de.pool.ntp.org
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

So, what is leading to the /32 route?

Trying to remove it from routes doesn’t work (it hangs on and on with no effect).

Do you have an IP address set on the sfp-sfpplus1 interface? Something like 10.10.1.X/24 (where X is anything between 2 and 254, both included) should work.

And route towards 10.10.1.0/32 seems weird to me.

Yes he forgot the subnet mask when setting that IP address on the SFP… has to add something like /24.

This:

Setting an address without specifying the subnet mask is the same as setting subnet mask /32. And every address brings an appropriate route towards the connected subnet, in this case a /32 subnet.

  • corrected IP address for sfp-sfpplus1 to /24 subnet mask
  • route shows no more /32, now 10.10.1.0/24; but there are now two entries for 10.10.1.0/24 – what does the entry “4 s” mean?
  • translated the working 192.168.100.0 nat masquerade rule to 10.10.1.0 network, removed other rules relating to 10.10.1.0 network
  • ping 10.10.1.1 from MT terminal times out (no longer “network unreachable”)
  • arp-ping 10.10.1.1%sfp-sfpplus1 gets response
  • btw I can ping both MT (192.168.100.10) and ONT (192.168.100.1) from 192.168.216.XX wireguard connection, yet can’t ping MT (10.10.1.10) and of course not GPON (10.10.1.1) — what’s causing this (there is no other rule that includes the 192.168.100.0/24 network or 10.10.1.0/24 network)?
/ip/address/print
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
add address=10.10.10.1/24 interface=bridge-guest network=10.10.10.0
add address=192.168.100.10/24 comment="ONT Glasfasermodem 192.168.100.1" interface=ether1 network=192.168.100.0
add address=10.10.1.10/24 interface=sfp-sfpplus1 network=10.10.1.0
/ip/route/print
Flags: D - DYNAMIC; X - DISABLED, I - INACTIVE, A - ACTIVE; c - CONNECT, s - STATIC, v - VPN; + - ECMP
Columns: DST-ADDRESS, GATEWAY, ROUTING-TABLE, DISTANCE
#      DST-ADDRESS        GATEWAY             ROUTING-TABLE  DISTANCE
0  Xs  0.0.0.0/0          vlan7-telekom-gpon  main                  1
1  As+ 0.0.0.0/0          pppoe-out1          main                  1
2  Is  0.0.0.0/0          0.0.0.0             main                  1
3  Is  0.0.0.0/0          pppoe-out2          main                  1
  DAv+ 0.0.0.0/0          pppoe-out1          main                  1
4   s  10.10.1.0/24       sfp-sfpplus1        main                  1
  DAc  10.10.1.0/24       sfp-sfpplus1        main                  0
  DAc  10.10.10.0/24      bridge-guest        main                  0
  DAc  ##############/32  pppoe-out1          main                  0
  DAc  192.168.88.0/24    bridge              main                  0
  DAc  192.168.100.0/24   ether1              main                  0
  DAc  192.168.216.0/24   back-to-home-vpn    main                  0
/ip/firewall/nat/print
add action=masquerade chain=srcnat out-interface=pppoe-out1 src-address=192.168.88.0/24
# pppoe-out2 not ready
add action=masquerade chain=srcnat comment=gpon out-interface=pppoe-out2 src-address=192.168.88.0/24
add action=masquerade chain=srcnat comment="HAIRPIN NAT" dst-address=192.168.88.0/24 src-address=192.168.88.0/24
add action=dst-nat chain=dstnat comment=home-assistant dst-port=80 in-interface-list=WAN protocol=tcp to-addresses=192.168.88.35 to-ports=80
add action=dst-nat chain=dstnat dst-port=443 in-interface-list=WAN protocol=tcp to-addresses=192.168.88.35 to-ports=443
add action=masquerade chain=srcnat dst-address=192.168.100.0/24 out-interface=ether1 src-address=192.168.88.0/24 to-addresses=192.168.100.0/24
add action=masquerade chain=srcnat dst-address=10.10.1.0/24 out-interface=sfp-sfpplus1 src-address=192.168.88.0/24 to-addresses=10.10.1.0/24

Yep, you need to learn how things are represented in ROS.
The /32 route you have is DAc (Dynamic Active Connect) AND Dynamic routes get the shortest distance possible, 0.
The D essentially means that you didn't configure it, but it was created automatically by ROS.
The c means that the reason it was created was from a (expected) connection, i.e. it means that the route covers the whole network of the IP address assigned to that interface.

So you need to change the IP in /ip address, from
add address=10.10.1.10 interface=sfp-sfpplus1 network=10.10.1.0
to (I presume):
add address=10.10.1.10/24 interface=sfp-sfpplus1 network=10.10.1.0

This will automagically create a route (Dynamic, so with distance 0) like:

DAc  10.10.1.0/24       sfp-sfpplus1        main                  0

BUT you already have a static route for 10.10.1.0/24 on interface bridge, that has distance 1, this will never be used and you can remove it.
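To make the /32-versus-/24 point above concrete, here is an added example (not from the thread and not RouterOS code) that parses `/ip address` export lines the way the thread's output shows RouterOS interpreting them: a bare address gets /32, the connected (DAc) route's destination is the `network=` value with that prefix length, and a destination is only on-link if some connected route contains it. The sample export is constructed from the thread's own lines; the helper names are my own.

```python
import ipaddress
import re

# Constructed sample: the ether1 address that already worked for the ONT and
# the sfp-sfpplus1 address exactly as the original poster first configured it.
EXPORT_BEFORE = """\
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
add address=192.168.100.10/24 comment="ONT Glasfasermodem 192.168.100.1" interface=ether1 network=192.168.100.0
add address=10.10.1.10 interface=sfp-sfpplus1 network=10.10.1.0
"""

# The corrected form from later in the thread: same line, but with /24 added.
EXPORT_AFTER = EXPORT_BEFORE.replace("address=10.10.1.10 ", "address=10.10.1.10/24 ")


def _field(line: str, key: str):
    """Extract key=value from an export line; the leading boundary keeps
    'address=' from matching inside e.g. 'dst-address='."""
    m = re.search(rf"(?:^|\s){key}=(\S+)", line)
    return m.group(1) if m else None


def connected_routes(export: str):
    """Return [(dst_network, interface), ...] for the DAc routes RouterOS
    would derive from each 'add address=' line.  Assumption (matching the
    thread's route print): a bare address means /32, and the 'network='
    value, when given, becomes the route destination with that prefix."""
    routes = []
    for line in export.splitlines():
        line = line.strip()
        if not line.startswith("add "):
            continue
        addr = _field(line, "address")
        iface = _field(line, "interface")
        if addr is None or iface is None:
            continue
        if "/" not in addr:
            addr += "/32"  # mask omitted -> /32, the source of the 10.10.1.0/32 route
        ifc = ipaddress.ip_interface(addr)
        network = _field(line, "network")
        if network is not None:
            net = ipaddress.ip_network(f"{network}/{ifc.network.prefixlen}", strict=False)
        else:
            net = ifc.network
        routes.append((str(net), iface))
    return routes


def on_link(export: str, dst: str):
    """Interfaces whose connected route contains dst, i.e. where the router
    would ARP for dst itself.  An ARP ping forced onto an interface with
    '%sfp-sfpplus1' bypasses this lookup, which is why it succeeded while a
    normal ping (which needs a matching route) timed out."""
    d = ipaddress.ip_address(dst)
    return sorted(i for n, i in connected_routes(export) if d in ipaddress.ip_network(n))


def diagnose(export: str, dst: str) -> str:
    ifaces = on_link(export, dst)
    if ifaces:
        return f"{dst} is on-link via {', '.join(ifaces)}"
    return f"{dst} is covered by no connected route; only a default route could carry it"


if __name__ == "__main__":
    for label, export in (("before", EXPORT_BEFORE), ("after", EXPORT_AFTER)):
        print(label, connected_routes(export))
        print(label, diagnose(export, "10.10.1.1"))
        print(label, diagnose(export, "192.168.100.1"))
```

Running it shows the ONT address as on-link via ether1 in both cases, while 10.10.1.1 only becomes on-link via sfp-sfpplus1 once the /24 is present.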

Merged two identical topics to that one.

(Thanks for the merge!)

Thanks for the explanation of the terminology.

I’ve removed the static route, my routes now:

Flags: D - DYNAMIC; X - DISABLED, I - INACTIVE, A - ACTIVE; c - CONNECT, s - STATIC, v - VPN; + - ECMP
Columns: DST-ADDRESS, GATEWAY, ROUTING-TABLE, DISTANCE
#      DST-ADDRESS        GATEWAY             ROUTING-TABLE  DISTANCE
0  Xs  0.0.0.0/0          vlan7-telekom-gpon  main                  1
1  As+ 0.0.0.0/0          pppoe-out1          main                  1
2  Is  0.0.0.0/0          0.0.0.0             main                  1
3  Is  0.0.0.0/0          pppoe-out2          main                  1
  DAv+ 0.0.0.0/0          pppoe-out1          main                  1
  DAc  10.10.1.0/24       sfp-sfpplus1        main                  0
  DAc  10.10.10.0/24      bridge-guest        main                  0
  DAc  ##############/32  pppoe-out1          main                  0
  DAc  192.168.88.0/24    bridge              main                  0
  DAc  192.168.100.0/24   ether1              main                  0
  DAc  192.168.216.0/24   back-to-home-vpn    main                  0
  • ping from wireguard connection to 10.10.1.10 (MT RB5009) is working now (missing network in wg peer config on client side)
  • ping to 10.10.1.1 is not working, showing a timeout (while ping to 192.168.100.1, the ONT, works, same NAT configuration)

Here, again my NAT configuration:

Flags: X - disabled, I - invalid; D - dynamic 
 0  D ;;; back-to-home-vpn
      chain=srcnat action=masquerade in-interface=back-to-home-vpn 

 1    chain=srcnat action=masquerade src-address=192.168.88.0/24 out-interface=pppoe-out1 log=no log-prefix="" 

 2 I  ;;; gpon
      ;;; pppoe-out2 not ready
      chain=srcnat action=masquerade src-address=192.168.88.0/24 out-interface=pppoe-out2 log=no log-prefix="" 

 3    ;;; HAIRPIN NAT
      chain=srcnat action=masquerade src-address=192.168.88.0/24 dst-address=192.168.88.0/24 log=no log-prefix="" 

 4    ;;; home-assistant
      chain=dstnat action=dst-nat to-addresses=192.168.88.35 to-ports=80 protocol=tcp in-interface-list=WAN dst-port=80 log=no log-prefix="" 

 5    chain=dstnat action=dst-nat to-addresses=192.168.88.35 to-ports=443 protocol=tcp in-interface-list=WAN dst-port=443 log=no log-prefix="" 

 6    chain=srcnat action=masquerade to-addresses=192.168.100.0/24 src-address=192.168.88.0/24 dst-address=192.168.100.0/24 out-interface=ether1 log=no log-prefix="" 

 7    chain=srcnat action=masquerade to-addresses=10.10.1.0/24 src-address=192.168.88.0/24 dst-address=10.10.1.0/24 out-interface=sfp-sfpplus1 

What else is preventing the connection to 10.10.1.1? If ping is giving me a timeout, am I rightfully assuming that routing is fine now?

Also: I’ve just deactivated the srcnat masquerade nat rule for 192.168.100.0.

Ping on the ONT 192.168.100.1 is successful.

It appears that all it needs is 192.168.100.10/24 to be configured on the ether1 interface in ip/address.

I’ve removed the ARP entry mapping the GPON’s MAC address to the IP 10.10.1.1.

From now on both the ping to 10.10.1.1 succeeds and the web ui of the GPON is accessible through wg connection.

Some of your src-nat rules have erroneous values of to-addresses set. E.g. rule #7 in your latest export/print. In general you don't have to set to-addresses on src-nat rules, if not set router will automatically select correct new src-address depending on egress interface.