SFP GPON with DATA, IPTV, VoIP and Grandstream UCM6301

Dear all

I am very frustrated with the problems I have with my Mikrotik Router and VoIP

My ISP install Huawei GPON terminal with 3 Vlans, Vlan10 for DATA, Vlan20 for IPTV and Vlan30 for VoIP and I already extract hw_ctree.xml file from the Huawei and NOW I replace Huawei with HSGQ SFP XPON, and I already configure the Vlan10 for Internet and It’s work great and also configure Vlan20 for IPTV and it’s th STB works amazing without any issue no firewall filter rules or Nat or mangle or even IP pool and it’s work with any port or even a switch in middle or Wi-Fi

NOW my big headache is to configure Vlan30 for VoIP and connect GS UCM6301 to Mikrotik RB5009 please advise I have all Information from ISP and hw_ctree.xml file

Screen Shot 2026-01-22 at 08.02.23.336 PM1920×1080 219 KB

Your RB5009 is very well suited to have all ports in the single bridge bridge, including your "WAN" port sfp-sfpplus1 (that you renamed to sfp-WAN). That actually maps best to the switch chip, and is also the configuration I use on my RB5009. Without having the details of your current configuration, this is roughly how you can proceed:

• Turn on VLAN filtering on the main bridge interface (Bridge -> bridge -> VLAN tab -> VLAN Filtering).

• If you need IPv6, turn off IGMP Snooping on the bridge bridge if you have it turned on!

• Edit the 3 vlan10, vlan20, vlan30 interfaces and change the parent from sfp-WAN to bridge. You'll lose internet connection at this step!

• Add the port sfp-WAN to the bridge bridge (under Bridge -> Ports), in the VLAN tab of sfp-WAN, set Frame Types to "admit only vlan tagged".

• Add following entries under the Bridge -> VLANs tab:

  /interface bridge vlan
  add bridge=bridge tagged=bridge,sfp-WAN vlan-ids=10
  add bridge=bridge tagged=bridge,sfp-WAN vlan-ids=20
  add bridge=bridge tagged=bridge,sfp-WAN vlan-ids=30
  

Now you have a working configuration again, with the difference that sfp-WAN has been moved into the bridge and VLAN filtering is used on the bridge.

Next step is to configure your VoIP. This depends on which port of the router it's connected to. And whether it expects VLAN 30 to be tagged or untagged. Let's take an example that the port is ether8-LAN.

• If the Grandstream expects untagged VLAN, you only need to go to Bridge -> Ports -> ether8-LAN -> VLAN tab, put 30 in the PVID field and set Frame Types to "admit only untagged and priority tagged".

• If the Grandstream expects tagged VLAN instead:

  • Go to Bridge -> Ports -> ether8-LAN -> VLAN tab, and set Frame Types to "admit only vlan tagged".
  • Go to Bridge -> VLANs and edit the entry of VLAN 30 and add ether8-LAN to the Tagged list, so that the entry becomes:

    add bridge=bridge tagged=bridge,sfp-WAN,ether8-LAN vlan-ids=30
    

That should do it. However, to be safe, post your redacted current configuration export before proceeding.

MikroTik-RB5009UG+S+.rsc (12.9 KB)

thank you

don’t you think if I add sfp-WAN to bridge I’ll loss a hotspot?

see attached

with regards

There should be no differences with hotspot that you configured on the bridge.

However, from your configuration file, it appears that you also make use of sfp-WAN to access the management interface of the HSGQ-SFP. To preserve that, in addition to the changes I mentioned in the previous post, you'll need to also do these:

• Create a new VLAN interface, for example vlan1000 on bridge, you can of course choose other VLAN ID as you wish.

  /interface vlan
  add interface=bridge name=vlan1000 vlan-id=1000
  

• In the next step, you'll find the places that currently reference sfp-WAN as interface, and change the reference to the vlan1000 interface created above. That includes:

  • The interface list membership, currently there is an entry with interface=sfp-WAN list=WAN, edit it and change to interface=vlan1000 list=WAN.
  • The /ip address entry for 192.168.100.2/24 currently assigned to sfp-WAN, change the assignment to interface=vlan1000 instead.
  • The NAT masquerade rules that currently have out-interface=sfp-WAN, edit them to change to out-interface=vlan1000.

• Once these changes have been made, go to Bridge -> Ports, find the entry that you added previously (from the post above) for port sfp-WAN, go to the VLAN tab of that interface and set PVID to 1000 (the number chosen for vlan1000) and change Frame Types to "admit all" instead of "admit only vlan tagged" like in the previous post.

The changes make sfp-WAN a hybrid port, with the three VLAN 10, 20, 30 tagged, and the untagged VLAN is VLAN 1000. And we use the vlan1000 interface to access this untagged data, that allows you to manage HSGQ-SFP. Previously when sfp-WAN was a standalone port then this untagged data was accessible by using the interface sfp-WAN itself. Now you access it with interface vlan1000 after the configuration above.

Edit: no idea why you set ingress-filtering=no for ether4-LAN, you should set it to yes instead.

I would like to thank you for your reply

I'm not an expert in this field, and all the settings I made are just my own interpretation; I may be right or wrong. But could you please help me by modifying the file I uploaded with the settings you mentioned? I would be very grateful.

I still think it's easier and faster if you do the mentioned changes above in WinBox with the GUI. But if you want to see the changes as what will appear afterwards in /export then let's go through the exported items that will change:

Turning VLAN filtering on the bridge interface would change this section:

/interface bridge
add name=bridge port-cost-mode=short

into

/interface bridge
add name=bridge port-cost-mode=short vlan-filtering=yes

But it's easier to make this change in WinBox:

image361×103 2.71 KB

You don't have IGMP Snooping turned on so you can ignore the point mentioned above.

Edit the 3 vlan10 , vlan20 , vlan30 interfaces and change the parent from sfp-WAN to bridge will change these:

/interface vlan
add interface=sfp-WAN name=vlan10 vlan-id=10
add interface=sfp-WAN name=vlan20 vlan-id=20
add interface=sfp-WAN name=vlan30 vlan-id=30

into:

/interface vlan
add interface=bridge name=vlan10 vlan-id=10
add interface=bridge name=vlan20 vlan-id=20
add interface=bridge name=vlan30 vlan-id=30

Again, this change is easier if made in WinBox, because you only have to swap the value in this dropdown control:

Adding the VLAN interface vlan1000 for management of the HSGQ-SFP stick is adding this:

/interface vlan
add interface=bridge name=vlan1000 vlan-id=1000

to the /interface vlan section above.

Add the port sfp-WAN to the bridge bridge, set PVID to 1000 and Frame Types to "admit all" results in this line be inserted in the /interface bridge port section:

/interface bridge port
add bridge=bridge interface=sfp-WAN pvid=1000

The fix for ingress-filtering of ether4-LAN is changing this line under /interface bridge port

add bridge=bridge ingress-filtering=no interface=ether4-LAN4 trusted=yes

into

add bridge=bridge interface=ether4-LAN4 trusted=yes

because ingress-filtering=yes is the default value.

The modifications made under the Bridge -> VLANs tab:

• If VLAN 30 is untagged on ether8-LAN, result in these configuration lines to be added:

  /interface bridge vlan
  add bridge=bridge tagged=bridge,sfp-WAN vlan-ids=10
  add bridge=bridge tagged=bridge,sfp-WAN vlan-ids=20
  add bridge=bridge tagged=bridge,sfp-WAN vlan-ids=30
  

  and under /interface bridge port, this

  add bridge=bridge interface=ether8-LAN8
  

  is changed to

  add bridge=bridge interface=ether8-LAN8 pvid=30 frame-types=admit-only-untagged-and-priority-tagged
  

• But if VLAN 30 is tagged on ether8-LAN, then these lines are added instead:

  /interface bridge vlan
  add bridge=bridge tagged=bridge,sfp-WAN vlan-ids=10
  add bridge=bridge tagged=bridge,sfp-WAN vlan-ids=20
  add bridge=bridge tagged=bridge,sfp-WAN,ether8-LAN vlan-ids=30
  

  and under /interface bridge port, this

  add bridge=bridge interface=ether8-LAN8
  

  is changed to

  add bridge=bridge interface=ether8-LAN8 frame-types=admit-only-vlan-tagged
  

Again, it depends on what the Grandstream device expects, untagged VLAN 30 or tagged VLAN 30.

The change in the WAN interface list membership will result in this line:

/interface list member
add interface=sfp-WAN list=WAN

becomes

/interface list member
add interface=vlan1000 list=WAN

But it's way easier to edit it in WinBox in the GUI, just swapping the dropdown control value:

The /ip address entry change result in this:

/ip address
add address=192.168.100.2/24 comment="HSGQ-SFP IP" interface=sfp-WAN network=\
    192.168.100.0

changing into:

/ip address
add address=192.168.100.2/24 comment="HSGQ-SFP IP" interface=vlan1000 network=\
    192.168.100.0

Again, edit in WinBox please!

The masquerade rule changes will replace these three masquerade rules under /ip firewall nat:

add action=masquerade chain=srcnat comment=masquerade out-interface=sfp-WAN \
    out-interface-list=WAN
add action=masquerade chain=srcnat comment=masquerade out-interface=pppoe-out \
    out-interface-list=WAN
add action=masquerade chain=srcnat comment="forward HSGQ-SFP IP to local IP" \
    dst-address=192.168.100.1 out-interface=sfp-WAN src-address=\
    192.168.8.0/24

with this single rule:

add action=masquerade chain=srcnat comment=masquerade \
    out-interface-list=WAN

finally, friends VoIP work in UCM6301 with Mikrotik RB5009 and SFP gpon with my MT configure
thank you for all of your help

I can’t log to SFP webUi anymore

any advice or help

Hi! What I wrote in the post above about the things related to vlan1000 is exactly for the purpose of accessing the SFP WebUI. Did you add that interface, set PVID 1000 on sfp-WAN and move the address/interface lists etc?

I did this:

/interface vlan
add name=vlan1000 interface=bridge_voip vlan-id=1000
/ip address
add address=192.168.100.2/24 interface=vlan1000
/interface bridge port
set [find interface=sfp-WAN] bridge=bridge_voip pvid=1000 frame-types=admit-all
/interface bridge vlan
add bridge=bridge_voip vlan-ids=1000 untagged=sfp-WAN tagged=bridge_voip

and now i can access to WebUI, thanks