RB5009 + XPON SFP Stick: It works, but my config feels like a ticking time bomb

Hi everyone,

I’ve recently ditched my ISP's Huawei ONT and replaced it with an HSGQ-XPON-Stick plugged directly into an RB5009UG+S+ running RouterOS 7.23.1. After extracting my ISP credentials, I managed to get Internet (PPPoE on VLAN 10), IPTV (VLAN 20), and VoIP (VLAN 30) all up and running.

While everything technically "works," my configuration feels structurally messy and sub-optimal from a pure networking perspective. I have two specific issues I need your architectural insight on:

1. The Management Access Nightmare (Main Issue)
   Right now, I cannot access the HSGQ SFP Stick’s WebUI (192.168.100.1) from my local LAN (192.168.8.0/24) without manually changing my PC's static IP to the 192.168.100.x subnet every single time. I tried adding a dst-nat rule to map 192.168.8.150 to 100.1, but it's completely unreliable. What is the clean, definitive way to route LAN traffic directly to the SFP stick's interface without breaking routing or masquerading?

2. Architectural Sanity Check (Dual Bridges & VLANs)
   Because of how I isolated VoIP and IPTV, I ended up creating two separate bridges: bridge (main LAN) and bridge_voip (with vlan-filtering=yes).

vlan10 (PPPoE) and vlan20 (IPTV) are hanging straight off the sfp-WAN interface.

vlan30 (VoIP) is attached to bridge_voip.

ether8 is untagged for VoIP (PVID 30).

This hybrid approach feels like a mess. Am I killing hardware offloading or introducing unnecessary CPU overhead on the RB5009 by splitting this into two bridges instead of a single unified bridge with proper VLAN filtering? How would a seasoned MikroTik engineer clean up this specific layout while maintaining strict isolation for VoIP/IPTV?

I’d highly appreciate it if someone could roast my configuration, point out the structural flaws, security gaps (especially regarding interface lists), and help me fix the SFP management access.

Thanks in advance!

# 2026-06-13 23:51:02 by RouterOS 7.23.1

# software id = XXXX-XXXX

# 

# model = RB5009UG+S+

# serial number = XXXXXXXXXXX

/disk
set USB slot=USB
/interface bridge
add name=bridge port-cost-mode=short
add name=bridge_voip protocol-mode=none vlan-filtering=yes
/interface ethernet
set \[ find default-name=ether1 \] comment=
"Connect To MikroTik RB5009UPr+S+ Port 1" l2mtu=1514 name=ether1-LAN1
set \[ find default-name=ether2 \] comment=
"!!!!!!!!!!!--Port Failure--!!!!!!!!!!!!!" l2mtu=1514 name=ether2-LAN2
set \[ find default-name=ether3 \] comment=
"Connect To MikroTik RB4011iGS+RM Port 1" l2mtu=1514 name=ether3-LAN3
set \[ find default-name=ether4 \] advertise=
100M-baseT-half,100M-baseT-full,1G-baseT-half,1G-baseT-full comment=
"Connect To Zimaboard" l2mtu=1514 name=ether4-LAN4
set \[ find default-name=ether5 \] l2mtu=1514 name=ether5-LAN5
set \[ find default-name=ether6 \] comment=
"Connect To MikroTik CRS328-24P-4S+ Port 23" l2mtu=1514 name=ether6-LAN6
set \[ find default-name=ether7 \] comment="Connect To GS UCM6301 LAN Port" 
l2mtu=1514 name=ether7-LAN7
set \[ find default-name=ether8 \] comment="Connect To GS UCM6301 WAN Port" 
l2mtu=1514 name=ether8-LAN8
set \[ find default-name=sfp-sfpplus1 \] auto-negotiation=no comment=
"WAN - HSGQ XPON SFP Stick" l2mtu=1514 name=sfp-WAN sfp-ignore-rx-los=yes 
speed=2.5G-baseT
/interface vlan
add interface=sfp-WAN name=vlan10 vlan-id=10
add interface=sfp-WAN name=vlan20 vlan-id=20
add interface=bridge_voip name=vlan30 vlan-id=30
add interface=bridge_voip name=vlan1000 vlan-id=1000
/interface pppoe-client
add add-default-route=yes disabled=no interface=vlan10 name=pppoe-out user=
XXXXXXXXXXXX
/interface ethernet switch port
set sfp-WAN egress-rate=1200.0Mbps
/interface list
add name=WAN
add name=VOIP
add name=IPTV
/ip dhcp-server option
add code=60 name=option60-vendorclass value=
"'dslforum.org:HUAWEI:STB:EC2118S'"
add code=28 name=option28-broadcast value="'10.0.0.255'"
/ip dhcp-server option sets
add name=IPTV options=option60-vendorclass,option28-broadcast
/ip hotspot profile
set \[ find default=yes \] login-by=cookie,http-chap,http-pap
add dns-name=www.mfm.com hotspot-address=192.168.8.1 http-cookie-lifetime=30m 
login-by=cookie,http-chap,http-pap name=hsprof1
/ip hotspot user profile
set \[ find default=yes \] keepalive-timeout=1w mac-cookie-timeout=30m
/ip pool
add name=dhcp_pool1 ranges=192.168.8.2-192.168.8.254
/ip dhcp-server
add add-arp=yes address-pool=dhcp_pool1 bootp-lease-time=lease-time 
bootp-support=dynamic interface=bridge lease-time=1w name=dhcp1
/ip smb users
set \[ find default=yes \] disabled=yes
add name=user1
/queue simple
add comment="Queue=1024M" max-limit=1024M/1024M name=MAIN target=
192.168.8.0/24
add max-limit=20M/20M name=VoIP packet-marks=voip_pkt parent=MAIN priority=
1/1 target=""
/routing table
add disabled=no fib name=WAN
add disabled=no fib name=LAN
/system logging action
set 0 memory-lines=20000
set 1 disk-file-name=log
/ip smb
set domain=Mikrotik enabled=no interfaces=bridge
/interface bridge port
add bridge=bridge interface=ether3-LAN3 internal-path-cost=10 path-cost=10
add bridge=bridge interface=ether5-LAN5 internal-path-cost=10 path-cost=10
add bridge=bridge interface=ether7-LAN7 internal-path-cost=10 path-cost=10
add bridge=bridge interface=ether2-LAN2 internal-path-cost=10 path-cost=10
add bridge=bridge interface=ether6-LAN6 internal-path-cost=10 path-cost=10
add bridge=bridge interface=ether1-LAN1
add bridge=bridge interface=ether4-LAN4 internal-path-cost=10 path-cost=10
add bridge=bridge_voip interface=sfp-WAN pvid=1000
add bridge=bridge_voip frame-types=admit-only-untagged-and-priority-tagged 
interface=ether8-LAN8 pvid=30
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=all
/ipv6 settings
set accept-router-advertisements=yes disable-ipv6=yes
/interface bridge vlan
add bridge=bridge_voip tagged=sfp-WAN,bridge_voip untagged=ether8-LAN8 
vlan-ids=30
add bridge=bridge_voip tagged=bridge_voip untagged=sfp-WAN vlan-ids=1000
/interface detect-internet
set detect-interface-list=all
/interface l2tp-server server
set default-profile=default use-ipsec=required
/interface list
add exclude=\*2000012 name=LAN
/interface list member
add interface=sfp-WAN list=WAN
add interface=bridge list=LAN
add interface=pppoe-out list=WAN
add interface=vlan20 list=IPTV
add interface=vlan30 list=VOIP
/ip address
add address=192.168.8.1/24 interface=bridge network=192.168.8.0
add address=192.168.8.150/24 comment="forward HSGQ-SFP IP to local IP" 
interface=bridge network=192.168.8.0
add address=192.168.100.2/24 comment="HSGQ-SFP IP" interface=sfp-WAN network=
192.168.100.0
add address=192.168.100.2/24 interface=vlan1000 network=192.168.100.0
/ip arp
/ip cloud
set ddns-enabled=yes ddns-update-interval=10m
/ip dhcp-client option
add code=60 name=option60-vendorclass value=
"'dslforum.org:HUAWEI:STB:EC2118S'"
add code=28 name=option28-broadcast value="'10.0.0.255'"
/ip dhcp-server lease
/ip dhcp-server network
add address=192.168.8.0/24 comment="hotspot network" dns-server=192.168.8.200 
gateway=192.168.8.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=192.168.8.200
/ip firewall address-list
/ip firewall filter
add action=accept chain=input comment="Allow Grafana CT 105 API" dst-port=
8728 protocol=tcp src-address=192.168.8.119
add action=passthrough chain=unused-hs-chain comment=
"place hotspot rules here" disabled=yes
add action=accept chain=input comment="Allow established" connection-state=
established,related
add action=drop chain=input comment="Drop invalid" connection-state=invalid
add action=drop chain=input comment="Drop mgmt brute force" src-address-list=
mgmt_blacklist
add action=accept chain=input comment="Allow ICMP" protocol=icmp
add action=accept chain=input comment="Allow LAN management" 
in-interface-list=LAN
add action=add-src-to-address-list address-list=mgmt_blacklist 
address-list-timeout=1d chain=input comment="Detect mgmt brute force" 
dst-port=22,80,8291 in-interface-list=WAN protocol=tcp
add action=drop chain=input comment="Drop port scanners" src-address-list=
port_scanners
add action=drop chain=input comment="Drop all WAN input" in-interface-list=
WAN
add action=accept chain=forward comment="Allow established forward" 
connection-state=established,related
add action=drop chain=forward comment="Drop invalid forward" 
connection-state=invalid
add action=accept chain=forward comment="LAN to Internet" in-interface-list=
LAN out-interface-list=WAN
add action=accept chain=forward comment="VoIP to Internet" in-interface-list=
VOIP out-interface-list=WAN
add action=accept chain=forward comment="IPTV to Internet" in-interface-list=
IPTV out-interface-list=WAN
add action=drop chain=forward comment="Block IPTV to LAN" in-interface-list=
IPTV out-interface-list=LAN
add action=drop chain=forward comment="Block VoIP to LAN" in-interface-list=
VOIP out-interface-list=LAN
add action=drop chain=forward comment="Block WAN to LAN" in-interface-list=
WAN out-interface-list=LAN
/ip firewall mangle
add action=mark-connection chain=prerouting comment="VoIP OUT" dst-port=
5060,10000-20000 new-connection-mark=voip_conn protocol=udp src-address=
192.168.8.25
add action=mark-connection chain=prerouting comment="VoIP IN" dst-address=
192.168.8.25 new-connection-mark=voip_conn protocol=udp src-port=
5060,10000-20000
add action=mark-packet chain=prerouting comment="Mark VoIP packets" 
connection-mark=voip_conn new-packet-mark=voip_pkt passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat comment="LAN to SFP management" 
dst-address=192.168.100.0/24 src-address=192.168.8.0/24
add action=masquerade chain=srcnat comment="Masquerade HotSpot Network" 
src-address=192.168.8.0/24
add action=masquerade chain=srcnat comment="PPPoE Masquerade" out-interface=
pppoe-out
add action=dst-nat chain=dstnat comment="forward HSGQ-SFP IP to local IP" 
dst-address=192.168.8.150 dst-port=80 protocol=tcp to-addresses=
192.168.100.1 to-ports=80
add action=dst-nat chain=dstnat comment="DNS Pi-Hole1" dst-address=
!192.168.8.200 dst-port=53 protocol=tcp src-address=!192.168.8.200 
to-addresses=192.168.8.200
add action=dst-nat chain=dstnat comment="DNS Pi-Hole1" dst-address=
!192.168.8.200 dst-port=53 protocol=udp src-address=!192.168.8.200 
to-addresses=192.168.8.200
add action=passthrough chain=unused-hs-chain comment=
"place hotspot rules here" disabled=yes
/ip firewall raw
add action=add-src-to-address-list address-list=port_scanners 
address-list-timeout=1d chain=prerouting comment=
"Detect port scanners RAW" in-interface-list=WAN protocol=tcp psd=
21,3s,3,1
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set h323 disabled=yes
set sip disabled=yes sip-direct-media=no
set pptp disabled=yes
/ip hotspot
add addresses-per-mac=unlimited disabled=no interface=bridge name=hotspot1 
profile=hsprof1
/ip hotspot ip-binding
/ip hotspot user
add name=admin
/ip ipsec profile
set \[ find default=yes \] dpd-interval=2m dpd-maximum-failures=5
/ip kid-control
add fri=0s-1d mon=0s-1d name=system-dummy sat=0s-1d sun=0s-1d thu=0s-1d tue=
0s-1d tur-fri=0s-1d tur-mon=0s-1d tur-sat=0s-1d tur-sun=0s-1d tur-thu=
0s-1d tur-tue=0s-1d tur-wed=0s-1d wed=0s-1d
/ip service
set ftp disabled=yes
set ssh disabled=yes
set telnet disabled=yes
set www disabled=yes
set reverse-proxy disabled=yes
set api address=192.168.8.0/24
set api-ssl disabled=yes
/ip smb shares
add directory=/usb1 name=share1
/ip ssh
set strong-crypto=yes
/ip traffic-flow
set active-flow-timeout=1m cache-entries=4k interfaces=bridge
/ipv6 nd
set \[ find default=yes \] advertise-dns=yes
/routing igmp-proxy
set quick-leave=yes
/system clock
set time-zone-name=Asia/Qatar
/system identity
set name="MikroTik RB5009UG+S+"
/system logging
add topics=interface
/system note
/system ntp client
set enabled=yes
/system ntp server
set broadcast=yes enabled=yes
/system ntp client servers
add address=1.qa.pool.ntp.org
/system resource irq rps
set \*1A disabled=yes
/system scheduler
/tool bandwidth-server
set enabled=no
/tool e-mail
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool mac-server ping
set enabled=no
/tool netwatch
/tool sms
set channel=2 port=usb1 receive-enabled=yes
/tool sniffer

I've looked over your config, and it's not as much of a mess as you describe, at least with respect to your questions.

First, the admin access. This is not exactly a novel scenario, and the solution is fairly straight forward. As you've already noticed, you need to have an address in the 192.168.100.0/24 range to access this interface. So we'll go ahead and add this. The other part is that this address should be used when you access the admin interface, and this is what src-nat is for. (If you wish to think about it this way: you use the assigned WAN address when speaking to the world, but you use the 192.168.100.0/24 address when addressing the router.)

/ip address add interface=sfp-WAN address=192.168.100.10/24
# Put this rule *right beofre* the masquerade to WAN rule
/ip firewall nat add chain=srcnat action=src-nat out-interface=sfp-WAN dst-address=192.168.100.0/24 to-addresses=192.168.100.10

As to the multiple bridges thing. Yes, your current solution is kind of a mixture of anti-patterns, but it's really not all that bad, i.e. it does what it should.

The "single bridge" advice is partly an idiomatic best practice advice, and partly to enable hw offloading to be the most effective. While the rb5009 has a very nice switch chip, and I would fully encourage you to use it to its fullest potential, forwarding IPTV and telephony packets is not going to tax the cpu in the slightest.

There is one change I would recommend: as only one bridge can take advantage of hw offloading, make sure that it is the one carrying the bulk of the traffic. To ensure this, turn off hw offloading on all the ports of the other bridge (in bridge->port.)

P.S. Please use the code formatting option when posting long listings. It's three backticks on a single line, both to start and end the code quote.

EDIT: I made an oopsie in the suggested code. Now it's fixed.

thanks for the solid breakdown and the insights regarding the dual bridge setup. Your explanation about HW offloading makes perfect sense, and I will definitely disable HW offloading on the VoIP bridge ports to keep the main LAN prioritized on the switch chip.

However, regarding the admin access to the SFP Stick, I hit a roadblock.

Since my configuration already has the IP 192.168.100.2/24 assigned to the sfp-WAN interface, I didn't add a new IP. Instead, I created a clean src-nat rule mapping dst-address=192.168.100.0/24 to to-addresses=192.168.100.2, leaving the Out. Interface blank to avoid the "slave interface" error in RouterOS v7. I also placed this rule at the very top of my NAT table (Position 0), before any masquerade rules.

Despite doing this, I am still getting a strict "ERR_CONNECTION_TIMED_OUT" when trying to reach 192.168.100.1 from my local LAN (192.168.8.0/24).

It seems like the packets are either being trapped by the Hotspot service running on my main bridge, or dropped by a forward filter rule that I'm overlooking.

Since the sfp-WAN is technically a slave port under the VoIP bridge, do I need to explicitly allow forwarding from the main LAN subnet to the 192.168.100.0/24 subnet in the IP Filter rules, or bypass the Hotspot using Walled Garden? How should I properly trace where this packet is getting dropped?

@qatar2022

Please post your code/config using < / > "preformatted text" tag as it helps reading it a lot

The "slave interface warning" set off some warning lights in my head. And indeed, in this regard your config is a bit messed up and needs a bit of correction.

I'll take a closer look a bit later.

I didn't even bother to make the web interface of the GPON SFP module accessible from the internal network after initial setup. Which settings are you expecting to change in the future?

@Avalanche I think it's more about having a correct configuration.

This is the source of your problems. Currently your config only works because of implementation details.

You shouldn't have sfp-WAN itself in the bridge.

The idiomatic way of doing this setup with multiple bridges is as follows:

• add the three vlan interfaces to sfp-WAN, 10, 20 and 30
• attach your pppoe client to the appropriate vlan

Then. if you want to bridge voip (vlan30) and transfer it untagged to ether8-LAN8, as you are doing it currently, you simply create a non-vlan-filtered bridge with protocol=none and make vlan30 and ether8-LAN8 ports of it. (In the described scenario vlan filtering on this bridge is neither needed nor desirable, because the vlan interface attached to the sfp takes care of the untagging. If your IP phone would like to have the packers still tagged, as some do, you create a vlan interface with the same vlan id 30 on ether8-LAN8, and bridge the two vlan interfaces with the non-vlan-filtered bridge.)

I don't see that you'd be transferring iptv anywhere currently, but if you wanted to, you'd do the same as for the voip, including creating an additional bridge.

This obviously means getting rid of your current vlan filtered bridge.

Doing this means making radical changes to your configuration. I would suggest that you create a binary backup (files->backup) of your current (working) configuration and download it to your computer. This will enable you to get back to the current configuration even if things don't work out with minimal disruption.

Fixed

Also if the code is large, routeros should be added to the end of the opening 3 backticks:

```routeros
<paste stuff here>
```

otherwise the automatic syntax highlighting will not work.

/disk

set USB slot=USB

/interface bridge

add name=bridge port-cost-mode=short

add name=bridge_voip protocol-mode=none vlan-filtering=yes

/interface ethernet

set [ find default-name=ether1 ] comment=\

"Connect To MikroTik RB5009UPr+S+ Port 1" l2mtu=1514 name=ether1-LAN1

set [ find default-name=ether2 ] comment=\

"!!!!!!!!!!!--Port Failure--!!!!!!!!!!!!!" l2mtu=1514 name=ether2-LAN2

set [ find default-name=ether3 ] comment=\

"Connect To MikroTik RB4011iGS+RM Port 1" l2mtu=1514 name=ether3-LAN3

set [ find default-name=ether4 ] advertise=\

100M-baseT-half,100M-baseT-full,1G-baseT-half,1G-baseT-full comment=\

"Connect To Zimaboard" l2mtu=1514 name=ether4-LAN4

set [ find default-name=ether5 ] l2mtu=1514 name=ether5-LAN5

set [ find default-name=ether6 ] comment=\

"Connect To MikroTik CRS328-24P-4S+ Port 23" l2mtu=1514 name=ether6-LAN6

set [ find default-name=ether7 ] comment="Connect To GS UCM6301 LAN Port" \

l2mtu=1514 name=ether7-LAN7

set [ find default-name=ether8 ] comment="Connect To GS UCM6301 WAN Port" \

l2mtu=1514 name=ether8-LAN8

set [ find default-name=sfp-sfpplus1 ] auto-negotiation=no comment=\

"WAN - HSGQ XPON SFP Stick" l2mtu=1514 name=sfp-WAN sfp-ignore-rx-los=yes \

speed=2.5G-baseT

/interface vlan

add interface=sfp-WAN name=vlan10 vlan-id=10

add interface=sfp-WAN name=vlan20 vlan-id=20

add interface=bridge_voip name=vlan30 vlan-id=30

add interface=bridge_voip name=vlan1000 vlan-id=1000

/interface pppoe-client

add add-default-route=yes disabled=no interface=vlan10 name=pppoe-out user=\

XXXXXXXXXXXX

/interface ethernet switch port

set sfp-WAN egress-rate=1200.0Mbps

/interface list

add name=WAN

add name=VOIP

add name=IPTV

/ip dhcp-server option

add code=60 name=option60-vendorclass value=\

"'dslforum.org:HUAWEI:STB:EC2118S'"

add code=28 name=option28-broadcast value="'10.0.0.255'"

/ip dhcp-server option sets

add name=IPTV options=option60-vendorclass,option28-broadcast

/ip hotspot profile

set [ find default=yes ] login-by=cookie,http-chap,http-pap

add dns-name=www.mfm.com hotspot-address=192.168.8.1 http-cookie-lifetime=30m \

login-by=cookie,http-chap,http-pap name=hsprof1

/ip hotspot user profile

set [ find default=yes ] keepalive-timeout=1w mac-cookie-timeout=30m

/ip pool

add name=dhcp_pool1 ranges=192.168.8.2-192.168.8.254

/ip dhcp-server

add add-arp=yes address-pool=dhcp_pool1 bootp-lease-time=lease-time \

bootp-support=dynamic interface=bridge lease-time=1w name=dhcp1

/ip smb users

set [ find default=yes ] disabled=yes

add name=user1

/queue simple

add comment="Queue=1024M" max-limit=1024M/1024M name=MAIN target=\

192.168.8.0/24

add max-limit=20M/20M name=VoIP packet-marks=voip_pkt parent=MAIN priority=\

1/1 target=""

/routing table

add disabled=no fib name=WAN

add disabled=no fib name=LAN

/system logging action

set 0 memory-lines=20000

set 1 disk-file-name=log

/ip smb

set domain=Mikrotik enabled=no interfaces=bridge

/interface bridge port

add bridge=bridge interface=ether3-LAN3 internal-path-cost=10 path-cost=10

add bridge=bridge interface=ether5-LAN5 internal-path-cost=10 path-cost=10

add bridge=bridge interface=ether7-LAN7 internal-path-cost=10 path-cost=10

add bridge=bridge interface=ether2-LAN2 internal-path-cost=10 path-cost=10

add bridge=bridge interface=ether6-LAN6 internal-path-cost=10 path-cost=10

add bridge=bridge interface=ether1-LAN1

add bridge=bridge interface=ether4-LAN4 internal-path-cost=10 path-cost=10

add bridge=bridge_voip interface=sfp-WAN pvid=1000

add bridge=bridge_voip frame-types=admit-only-untagged-and-priority-tagged \

interface=ether8-LAN8 pvid=30

/ip firewall connection tracking

set udp-timeout=10s

/ip neighbor discovery-settings

set discover-interface-list=all

/ipv6 settings

set accept-router-advertisements=yes disable-ipv6=yes

/interface bridge vlan

add bridge=bridge_voip tagged=sfp-WAN,bridge_voip untagged=ether8-LAN8 \

vlan-ids=30

add bridge=bridge_voip tagged=bridge_voip untagged=sfp-WAN vlan-ids=1000

/interface detect-internet

set detect-interface-list=all

/interface l2tp-server server

set default-profile=default use-ipsec=required

/interface list

add exclude=*2000012 name=LAN

/interface list member

add interface=sfp-WAN list=WAN

add interface=bridge list=LAN

add interface=pppoe-out list=WAN

add interface=vlan20 list=IPTV

add interface=vlan30 list=VOIP

/ip address

add address=192.168.8.1/24 interface=bridge network=192.168.8.0

add address=192.168.8.150/24 comment="forward HSGQ-SFP IP to local IP" \

interface=bridge network=192.168.8.0

add address=192.168.100.2/24 comment="HSGQ-SFP IP" interface=sfp-WAN network=\

192.168.100.0

add address=192.168.100.2/24 interface=vlan1000 network=192.168.100.0

/ip arp

/ip cloud

set ddns-enabled=yes ddns-update-interval=10m

/ip dhcp-client option

add code=60 name=option60-vendorclass value=\

"'dslforum.org:HUAWEI:STB:EC2118S'"

add code=28 name=option28-broadcast value="'10.0.0.255'"

/ip dhcp-server lease

/ip dhcp-server network

add address=192.168.8.0/24 comment="hotspot network" dns-server=192.168.8.200 \

gateway=192.168.8.1 netmask=24

/ip dns

set allow-remote-requests=yes servers=192.168.8.200

/ip firewall address-list

/ip firewall filter

add action=accept chain=input comment="Allow Grafana CT 105 API" dst-port=\

8728 protocol=tcp src-address=192.168.8.119

add action=passthrough chain=unused-hs-chain comment=\

"place hotspot rules here" disabled=yes

add action=accept chain=input comment="Allow established" connection-state=\

established,related

add action=drop chain=input comment="Drop invalid" connection-state=invalid

add action=drop chain=input comment="Drop mgmt brute force" src-address-list=\

mgmt_blacklist

add action=accept chain=input comment="Allow ICMP" protocol=icmp

add action=accept chain=input comment="Allow LAN management" \

in-interface-list=LAN

add action=add-src-to-address-list address-list=mgmt_blacklist \

address-list-timeout=1d chain=input comment="Detect mgmt brute force" \

dst-port=22,80,8291 in-interface-list=WAN protocol=tcp

add action=drop chain=input comment="Drop port scanners" src-address-list=\

port_scanners

add action=drop chain=input comment="Drop all WAN input" in-interface-list=\

WAN

add action=accept chain=forward comment="Allow established forward" \

connection-state=established,related

add action=drop chain=forward comment="Drop invalid forward" \

connection-state=invalid

add action=accept chain=forward comment="LAN to Internet" in-interface-list=\

LAN out-interface-list=WAN

add action=accept chain=forward comment="VoIP to Internet" in-interface-list=\

VOIP out-interface-list=WAN

add action=accept chain=forward comment="IPTV to Internet" in-interface-list=\

IPTV out-interface-list=WAN

add action=drop chain=forward comment="Block IPTV to LAN" in-interface-list=\

IPTV out-interface-list=LAN

add action=drop chain=forward comment="Block VoIP to LAN" in-interface-list=\

VOIP out-interface-list=LAN

add action=drop chain=forward comment="Block WAN to LAN" in-interface-list=\

WAN out-interface-list=LAN

/ip firewall mangle

add action=mark-connection chain=prerouting comment="VoIP OUT" dst-port=\

5060,10000-20000 new-connection-mark=voip_conn protocol=udp src-address=\

192.168.8.25

add action=mark-connection chain=prerouting comment="VoIP IN" dst-address=\

192.168.8.25 new-connection-mark=voip_conn protocol=udp src-port=\

5060,10000-20000

add action=mark-packet chain=prerouting comment="Mark VoIP packets" \

connection-mark=voip_conn new-packet-mark=voip_pkt passthrough=no

/ip firewall nat

add action=masquerade chain=srcnat comment="LAN to SFP management" \

dst-address=192.168.100.0/24 src-address=192.168.8.0/24

add action=masquerade chain=srcnat comment="Masquerade HotSpot Network" \

src-address=192.168.8.0/24

add action=masquerade chain=srcnat comment="PPPoE Masquerade" out-interface=\

pppoe-out

add action=dst-nat chain=dstnat comment="forward HSGQ-SFP IP to local IP" \

dst-address=192.168.8.150 dst-port=80 protocol=tcp to-addresses=\

192.168.100.1 to-ports=80

add action=dst-nat chain=dstnat comment="DNS Pi-Hole1" dst-address=\

!192.168.8.200 dst-port=53 protocol=tcp src-address=!192.168.8.200 \

to-addresses=192.168.8.200

add action=dst-nat chain=dstnat comment="DNS Pi-Hole1" dst-address=\

!192.168.8.200 dst-port=53 protocol=udp src-address=!192.168.8.200 \

to-addresses=192.168.8.200

add action=passthrough chain=unused-hs-chain comment=\

"place hotspot rules here" disabled=yes

/ip firewall raw

add action=add-src-to-address-list address-list=port_scanners \

address-list-timeout=1d chain=prerouting comment=\

"Detect port scanners RAW" in-interface-list=WAN protocol=tcp psd=\

21,3s,3,1

/ip firewall service-port

set ftp disabled=yes

set tftp disabled=yes

set h323 disabled=yes

set sip disabled=yes sip-direct-media=no

set pptp disabled=yes

/ip hotspot

add addresses-per-mac=unlimited disabled=no interface=bridge name=hotspot1 \

profile=hsprof1

/ip hotspot ip-binding

/ip hotspot user

add name=admin

/ip ipsec profile

set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5

/ip kid-control

add fri=0s-1d mon=0s-1d name=system-dummy sat=0s-1d sun=0s-1d thu=0s-1d tue=\

0s-1d tur-fri=0s-1d tur-mon=0s-1d tur-sat=0s-1d tur-sun=0s-1d tur-thu=\

0s-1d tur-tue=0s-1d tur-wed=0s-1d wed=0s-1d

/ip service

set ftp disabled=yes

set ssh disabled=yes

set telnet disabled=yes

set www disabled=yes

set reverse-proxy disabled=yes

set api address=192.168.8.0/24

set api-ssl disabled=yes

/ip smb shares

add directory=/usb1 name=share1

/ip ssh

set strong-crypto=yes

/ip traffic-flow

set active-flow-timeout=1m cache-entries=4k interfaces=bridge

/ipv6 nd

set [ find default=yes ] advertise-dns=yes

/routing igmp-proxy

set quick-leave=yes

/system clock

set time-zone-name=Asia/Qatar

/system identity

set name="MikroTik RB5009UG+S+"

/system logging

add topics=interface

/system note

/system ntp client

set enabled=yes

/system ntp server

set broadcast=yes enabled=yes

/system ntp client servers

add address=1.qa.pool.ntp.org

/system resource irq rps

set *1A disabled=yes

/system scheduler

/tool bandwidth-server

set enabled=no

/tool e-mail

/tool mac-server

set allowed-interface-list=LAN

/tool mac-server mac-winbox

set allowed-interface-list=LAN

/tool mac-server ping

set enabled=no

/tool netwatch

/tool sms

set channel=2 port=usb1 receive-enabled=yes

/tool sniffer

thank you for the detailed structural breakdown! Your explanation makes perfect sense, and I completely agree that removing sfp-WAN from the bridge is the right approach to clean up this configuration.

Since my current configuration has other active services running, could you please provide only the specific change/delta commands needed to transition from my current setup to the new one, rather than the entire configuration file?

This will make it much safer and easier for me to apply via the Terminal without accidentally resetting or displacing other working parameters.

Looking forward to your commands so I can test and report back!

moan moan moan ... fixed as well.

It's easily noticeable, and it's not a good sign.