Routing internet from SFP to ethernet ports (RB5009UG)

Good day

I successfully connected my new RB5009UG+S+IN via SFP (Nokia XS-010X-Q XGS-PON Bridge) to the OTO (Switzerland) fibre outlet. The configuration is straightforward: VLAN ID 10 is required in Switzerland on the Swisscom network infrastructure, so I created a VLAN interface on the sfp-sfpplus1 interface with ID 10. I then created the DHCP client configuration for the new VLAN interface with default settings. It works. I can see the IP address, gateway, etc. in Status. The router is connected to the internet, I am able to check for RouterOS updates, and I was able to install the latest stable version.

The router also established a DHCP network, and devices can be connected to the ethernet ports, get IP addresses assigned, etc. - everything as you would expect.

However, there is no actual internet connection on the ethernet ports. Does RouterOS on the RB5009UG+S+IN by default not route internet from the SFP interface to all ethernet ports, as I would expect from any router, or what am I missing? Is the VLAN interface somehow preventing internet from being routed to the ethernet ports because the sfp-sfpplus1 interface runs as Slave?

I didn’t touch Quick Set. I am using Winbox. I currently cannot share my config because it includes a login for my internet provider to troubleshoot the issue.

Thanks for first helping me understand if there is a misunderstanding in the logic of the setup.

Well, change/edit that (and the other possibly sensitive information), and post the configuration, instructions here:
Forum rules - #5 by gigabyte091

Loosely, the default configuration categorizes interfaces as either LAN or WAN, and NAT and firewall use that categorization, so you need to make sure that the VLAN interface is added as WAN, i.e. you should have something like:

/interface list member
add interface=VlanWAN list=WAN

As jaclaz points out, one only needs to export the file and then, using a program like Notepad++, remove:

a. the router serial number
b. any public WAN IP information (aka WAN DHCP information: your actual WAN IP, the gateway IP, etc.)
c. any keys, if you are using VPN (probably not yet)
d. the DHCP lease list; sometimes people put personal names on things, etc.

The rest is of no consequence.
Most likely you are missing firewall rules and some NAT rules, and you probably shouldn't connect anything to the internet until you have them.
Here is a good generic safe set of rules.
First ensure the ISP-associated VLAN is identified on the interface list, as well as the bridge.

/interface list
add list=WAN
add list=LAN
/interface list member
# vlanISP is whatever the VLAN interface is called
add interface=vlanISP list=WAN
# bridge is whatever your bridge is called
add interface=bridge list=LAN
/ip firewall filter
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input dst-address=127.0.0.1 in-interface=lo src-address=127.0.0.1
add action=accept chain=input in-interface-list=LAN
add action=drop chain=input comment="drop all else"
# forward chain
add action=fasttrack-connection chain=forward connection-state=established,related
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward comment="internet access" in-interface-list=LAN out-interface-list=WAN
add action=drop chain=forward comment="drop all else"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN

You can manually add these one by one through Winbox and the appropriate menu, but REAL QUICK and easier:

Simply go to Winbox, then click on the left-hand menu selection New Terminal.
Then copy the above (from /interface list down to and including the last line).
Then paste it at the prompt blinking at the bottom of the page brought up by selecting New Terminal.

You can then type /export at the prompt to see the new rules for yourself.
Then come back for further assistance if required (but ensure you provide the latest config, as that is what is relevant).

BUT BUT BUT before you do any of that, the best advice is to create another way to access the router safely, what I call emergency access, or a safe spot to do any configuration.

Take any ether port and do the following; let's say ether10.
FIRST take ether10 off the bridge (go to the Bridge menu on the left-hand side menu, select the Ports sub-menu at the top, find ether10 and remove it).

/interface ethernet
set [ find default-name=ether10 ] name=emergaccess10
/ip address
add address=192.168.78.1/30 interface=emergaccess10 network=192.168.78.0
/interface list member
add interface=emergaccess10 list=LAN

Then all one has to do is plug their PC/laptop into ether10, change the IPv4 settings on the NIC to
192.168.78.2, and with username and password you should gain access via Winbox.

No, PLEASE DON'T; you may end up with duplicated settings.

CHECK BEFORE copy/pasting the whole set above.
(and you will have errors because the snippet anav posted contains parts that are not correct commands).

If you have the default firewall, compare your settings with the ones here:
Buying - RB1100AHx4 Dude Edition - Questions about Firewall - #4 by rextended
LEAVE IT ALONE (anav has this obsession with changing it even when it is not actually needed).

You also almost surely already have this:

/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN

LEAVE IT ALONE

And this:

/interface list
add list=WAN
add list=LAN

LEAVE IT ALONE

The ONLY thing that you should check and in case change is:

/interface list member
add interface=vlanISP list=WAN
add interface=bridge list=LAN

where "vlanISP" is the name of the VLAN interface you created and "bridge" is the name of the bridge you have.

So jaclaz, since I don't have a 5009: does it come with any rules, firewall, NAT, interface lists?

If it already does, fine, some duplication may occur, and it is probably not needed.
BUT, if none, then it is much better to get some rules in place.
Again we disagree, and that's what makes life interesting. :)

Yes, it does; the default configuration is among those that tangent collects and makes available (though of course it may depend on the RouterOS version installed in the factory, so some minor differences may exist):
https://tangentsoft.com/mikrotik/dir?ci=tip&name=defconf
check file:

It is in "terse" format; to convert it to the "normal" format you can use:
Terse export converter and config compare

Hope this helps.

# 2026-05-09 18:21:38 by RouterOS 7.22.3
# software id = XXX
#
# model = RB5009UG+S+
# serial number = XXX
/interface bridge
add admin-mac= XXX auto-mac=no comment=defconf name=bridge
/interface vlan
add interface=sfp-sfpplus1 name="iWay FTTH" vlan-id=10
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
/disk settings
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=sfp-sfpplus1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
/ip dhcp-client
add interface="iWay FTTH" name=FTTH
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan type=A
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1 \
    in-interface=lo src-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    in-interface-list=WAN
add action=accept chain=input comment="XXX" src-address=\
    XXX
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established,related,untracked
add action=accept chain=input src-address=XXX
add action=drop chain=input connection-state=invalid
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
    dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack6" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=Europe/Zurich
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

The ONLY thing that you should check and in case change is:

/interface list member
add interface=vlanISP list=WAN
add interface=bridge list=LAN

I don’t see this in my config. Would you mind sharing the Terminal command to add this or how and where to set this in the Winbox GUI?

Cheers!

The code posted IS the terminal command to use.

You have now in your configuration (it is the default):

/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN

This means, loosely:

  1. put interface "bridge" into group "LAN"
  2. put interface "ether1" into group "WAN"

Your interface "sfp-sfpplus1" is a member of the bridge:

/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=sfp-sfpplus1

You added a VLAN interface:

/interface vlan
add interface=sfp-sfpplus1 name="iWay FTTH" vlan-id=10

on top of it; evidently this interface cannot have been set as either LAN or WAN.

BUT it NEEDS to be categorized as WAN, otherwise firewall filter and nat settings won't apply to it.

So simply run in terminal (you can copy/paste the following):

/interface list member
add comment=myconf interface="iWay FTTH" list=WAN

But I believe you should also remove the underlying sfp-sfpplus1 interface from the bridge (this is easier in the GUI); on the terminal:

/interface bridge port
remove [ find interface=sfp-sfpplus1 ]
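As an added example (not from this thread and not MikroTik code), here is a small Python audit that parses a RouterOS export like the one posted above and reports the two conditions this reply and the earlier note about WAN membership describe: a DHCP-client interface that is not in the WAN list, and a VLAN whose parent port is still a bridge port. The sample export is a constructed fragment of the one posted; the continuation handling assumes the trailing-backslash wrapping seen in that export.

```python
import re
import shlex

# Constructed sample: the parts of the export posted in this thread that the audit
# reads (the real export is longer). "iWay FTTH" is the OP's VLAN interface name.
SAMPLE_EXPORT = r"""
/interface vlan
add interface=sfp-sfpplus1 name="iWay FTTH" vlan-id=10
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=sfp-sfpplus1
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip dhcp-client
add interface="iWay FTTH" name=FTTH
"""

def parse_export(text):
    # Map each menu path ("/ip dhcp-client") to its 'add' entries as {key: value}.
    # RouterOS wraps long export lines with a trailing backslash; join them first.
    entries, path = {}, None
    for line in re.sub(r"\\\n\s*", "", text).splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            path = line
            continue
        tokens = shlex.split(line)  # keeps interface="iWay FTTH" as one token
        if tokens[0] == "add":
            entries.setdefault(path, []).append(
                dict(t.split("=", 1) for t in tokens[1:] if "=" in t))
    return entries

def audit_wan_binding(entries):
    # The two conditions from the reply above: the interface the DHCP client runs
    # on must be in the WAN list, and its parent port must not still be a bridge port.
    wan = {m["interface"] for m in entries.get("/interface list member", []) if m.get("list") == "WAN"}
    bridge_ports = {p["interface"] for p in entries.get("/interface bridge port", [])}
    vlan_parent = {v["name"]: v["interface"] for v in entries.get("/interface vlan", [])}
    findings = []
    for client in entries.get("/ip dhcp-client", []):
        iface = client["interface"]
        if iface not in wan:
            findings.append(("not-in-WAN", iface))  # filter/nat rules will not apply
        parent = vlan_parent.get(iface)
        if parent in bridge_ports:
            findings.append(("parent-on-bridge", parent))
    return findings
```

Run the audit again after applying the two commands above: the WAN finding clears once the member entry is added, and the bridge finding clears once the port is removed.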

THIS IS IT. This is the setting that makes it work. Easy to find, once you know it. Thank you so much everyone.

You should change the comment from "defconf" to "myconf" (or whatever you prefer) so that checking the configuration in the future will more evidently show the change.
At this point, your ether1 is neither LAN nor WAN and not part of the bridge.
You can either add it to the bridge or make it an off-bridge port (an emergency access); instructions here:
Once and for all COMPLETE Offbridge Port setup

As a final note: when serving internet via the SFP port instead of Ethernet port 1 (ether1), ether1 is not part of the bridge by default. ether1 needs to be added to the bridge in order to make it part of the LAN setup.