RB5009 with SFP GPON fiber, issues with dhcp

moray · February 28, 2026, 6:28pm

Hello,

I am trying to configure my mikrotik RB5009 with an FS.com SFP GPON module (FS ONU-34-20BI) with my ISP. I already have a configuration working using the ISP ONT connected on one of the ethernet ports.

I managed to configure the SFP module with the help of a local community forum that specialises with setting up custom router/ont setups with this particular ISP. The GPON I am using is known to work with this ISP and in fact I used to use it with another OpenWRT based router.

Now, everything seems to be up (fiber connection, ISP vlans etc) but the DHCP client can’t get an IP address and stays on “Searching…”. I can see in the logs (interface sniff below) DHCP traffic between the ISP server and the RB5009 but the packets seems to be tagged.

After some research it seems to be a CoS tag but it seems I can’t set up vlan-priority tagging directly on the SFP interface because the hardware doesn’t support it.

Anybody can give me some hints on what I could do in my case?


[admin@MikroTik] > /tool sniffer quick interface=sfp-sfpplus1 
Columns: INTERFACE, TIME, NUM, DIR, SRC-MAC, DST-MAC, VLAN, SRC-ADDRESS, DST-ADDRESS
INTERFACE     TIME   NUM  DIR  SRC-MAC            DST-MAC            VLAN  SRC-ADDRESS              DST-ADDRESS                
sfp-sfpplus1  1.103    1  ->   6C:61:F4:0B:76:28  FF:FF:FF:FF:FF:FF        0.0.0.0:68 (bootpc)      255.255.255.255:67 (bootps)
sfp-sfpplus1  1.175    2  <-   68:AB:09:76:40:01  FF:FF:FF:FF:FF:FF  0:6   93.31.207.1:67 (bootps)  255.255.255.255:68 (bootpc)
sfp-sfpplus1  1.175    3  <-   68:AB:09:76:40:01  FF:FF:FF:FF:FF:FF  0:6   93.31.207.1:67 (bootps)  255.255.255.255:68 (bootpc)
sfp-sfpplus1  4.607    4  ->   6C:61:F4:0B:76:28  FF:FF:FF:FF:FF:FF        0.0.0.0:68 (bootpc)      255.255.255.255:67 (bootps)
sfp-sfpplus1  4.686    5  <-   68:AB:09:76:40:01  FF:FF:FF:FF:FF:FF  0:6   93.31.207.1:67 (bootps)  255.255.255.255:68 (bootpc)
sfp-sfpplus1  4.687    6  <-   68:AB:09:76:40:01  FF:FF:FF:FF:FF:FF  0:6   93.31.207.1:67 (bootps)  255.255.255.255:68 (bootpc)
sfp-sfpplus1  7.955    7  ->   6C:61:F4:0B:76:28  FF:FF:FF:FF:FF:FF        0.0.0.0:68 (bootpc)      255.255.255.255:67 (bootps)
sfp-sfpplus1  8.014    8  <-   68:AB:09:76:40:01  FF:FF:FF:FF:FF:FF  0:6   93.31.207.1:67 (bootps)  255.255.255.255:68 (bootpc)
sfp-sfpplus1  8.021    9  <-   68:AB:09:76:40:01  FF:FF:FF:FF:FF:FF  0:6   93.31.207.1:67 (bootps)  255.255.255.255:68 (bootpc)
sfp-sfpplus1  9.487   10  ->   6C:61:F4:0B:76:28  FF:FF:FF:FF:FF:FF        0.0.0.0:68 (bootpc)      255.255.255.255:67 (bootps)
sfp-sfpplus1  9.559   11  <-   68:AB:09:76:40:01  FF:FF:FF:FF:FF:FF  0:6   93.31.207.1:67 (bootps)  255.255.255.255:68 (bootpc)
sfp-sfpplus1  9.559   12  <-   68:AB:09:76:40:01  FF:FF:FF:FF:FF:FF  0:6   93.31.207.1:67 (bootps)  255.255.255.255:68 (bootpc)

CGGXANNX · February 28, 2026, 6:49pm

For your RB5009 you can:

First enable Safe-Mode in WinBox.
Put all the ports in a single bridge (which probably means put the sfp-sfpplus1 port in your current main LAN bridge).
Then create a vlan1000 on that bridge interface under /interface vlan with vlan-id=1000.
Add vlan1000 to the interface list WAN if your config uses that interface list
Go to Bridge -> Ports and change PVID of sfp-sfpplus1 to 1000 and set Frame Types to admit only untagged and priority tagged.
Turn on vlan-filtering=yes on the bridge if it's not yet turned on.
Edit your DHCP client, moving it from the sfp-sfpplus1 interface to the vlan1000 interface.
If your configuration does not use interface lists, but refer to sfp-sfpplus1 everywhere, such as in firewall rules, edit those settings and point them to vlan1000 instead. You can /export your configuration to a file, download it and search for occurences of sfp-sfpplus1.

But better post your current configuration export for review first, see Forum rules - #5 by gigabyte091.

moray · March 1, 2026, 4:25am

Thank you for your super quick response. I tried the suggestion and it works! I did think of putting the sfp interface on the bridge and try to “strip” the tags but I wasn’t sure exactly of the procedure. I can see now it is super easy.

I was about to post my config but I had to strip it down a bit because I had already some vlans configured. In fact I already had configured bridge filtering so applying your changes were straightforward.

Thanks again!

CGGXANNX · March 1, 2026, 4:44am

Great! The RB5009 is a very suitable device to have all ports in a single bridge and have the WAN ports just being member ports of VLANs, because all ports are connected to the switch chip, and the switch chip has full L2 hardware offload for VLAN filtering.

That's how I operate my home RB5009 since several years. In my case, there is a pppoe-out1 interface over vlan1000.

The downside is that everything has the same MAC address, if your ISP requires a specific MAC address (for example you have to clone the MAC address of the ISP router), then you'll have to either give the main bridge that same MAC address, or have to add a MACVLAN interface over the vlan1000 interface to be able to have a separate MAC address.