You might post the ether1 setup (which works) and then the sfp1 setup (which does not). I'll compare them for you.
Oh, thank you very much.
ether1 as WAN(DHCP)
# sep/28/2017 23:06:20 by RouterOS 6.40.3
# software id = UVM1-F323
#
# model = 2011UiAS-2HnD
# serial number = 7A6707093BBC
/interface bridge
add admin-mac=64:D1:54:2C:EF:79 auto-mac=no comment=defconf name=bridge
add name=openvpn1
/interface ethernet
set [ find default-name=ether2 ] name=ether2-master
set [ find default-name=ether3 ] master-port=ether2-master
set [ find default-name=ether4 ] master-port=ether2-master
set [ find default-name=ether5 ] master-port=ether2-master
set [ find default-name=ether6 ] name=ether6-master
set [ find default-name=ether7 ] master-port=ether6-master
set [ find default-name=ether8 ] master-port=ether6-master
set [ find default-name=ether9 ] master-port=ether6-master
set [ find default-name=ether10 ] master-port=ether6-master
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce \
country=russia disabled=no distance=indoors mode=ap-bridge ssid=danilabagroff \
wireless-protocol=802.11
/ip neighbor discovery
set ether1 discover=no
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=10.1.0.100-10.1.0.254
add name=openvpn1 ranges=10.7.0.2-10.7.0.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/ppp profile
add bridge=openvpn1 dns-server=10.1.0.1 local-address=10.7.0.1 name=openvpn1 \
remote-address=openvpn1
/interface bridge port
add bridge=bridge comment=defconf interface=ether2-master
add bridge=bridge comment=defconf interface=ether6-master
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge comment=defconf interface=wlan1
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface ovpn-server server
{...}
/ip address
add address=10.1.0.1/24 comment=defconf interface=ether2-master network=\
10.1.0.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server lease
{...}
/ip dhcp-server network
add address=10.1.0.0/24 comment=defconf gateway=10.1.0.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
{...}
/ip firewall filter
add action=accept chain=input comment=OpenVPN dst-port=1194 in-interface=\
ether1 protocol=tcp
add action=accept chain=input comment="Access from VPN network" src-address=\
10.7.0.0/24
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=ether1
add action=netmap chain=dstnat comment="HTTP Proxy" dst-port=80 in-interface=\
ether1 protocol=tcp to-addresses=10.1.0.51 to-ports=80
add action=netmap chain=dstnat comment="HTTPS Proxy" dst-port=443 \
in-interface=ether1 protocol=tcp to-addresses=10.1.0.51 to-ports=443
/ip route
add comment="266 Subnet" distance=1 dst-address=10.2.0.0/24 gateway=10.7.0.2
/ip service
set telnet disabled=yes
set www address=10.1.0.0/24,10.7.0.0/24 port=8080
set ssh address=10.1.0.0/24,10.7.0.0/24
set winbox disabled=yes
/ppp secret
{...}
/system clock
set time-zone-name=Europe/Moscow
/system identity
set name=gw1
/system ntp client
set enabled=yes server-dns-names=0.ru.pool.ntp.org,1.ru.pool.ntp.org
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=bridge
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=bridge
sfp1 as WAN(DHCP)
# sep/28/2017 23:15:46 by RouterOS 6.40.3
# software id = UVM1-F323
#
# model = 2011UiAS-2HnD
# serial number = 7A6707093BBC
/interface bridge
add admin-mac=64:D1:54:2C:EF:79 auto-mac=no comment=defconf name=bridge
add name=openvpn1
/interface ethernet
set [ find default-name=ether2 ] name=ether2-master
set [ find default-name=ether3 ] master-port=ether2-master
set [ find default-name=ether4 ] master-port=ether2-master
set [ find default-name=ether5 ] master-port=ether2-master
set [ find default-name=ether6 ] name=ether6-master
set [ find default-name=ether7 ] master-port=ether6-master
set [ find default-name=ether8 ] master-port=ether6-master
set [ find default-name=ether9 ] master-port=ether6-master
set [ find default-name=ether10 ] master-port=ether6-master
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce \
country=russia disabled=no distance=indoors mode=ap-bridge ssid=danilabagroff \
wireless-protocol=802.11
/ip neighbor discovery
set ether1 discover=no
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=10.1.0.100-10.1.0.254
add name=openvpn1 ranges=10.7.0.2-10.7.0.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/ppp profile
add bridge=openvpn1 dns-server=10.1.0.1 local-address=10.7.0.1 name=openvpn1 \
remote-address=openvpn1
/interface bridge port
add bridge=bridge comment=defconf interface=ether2-master
add bridge=bridge comment=defconf interface=ether6-master
add bridge=bridge comment=defconf disabled=yes interface=sfp1
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge interface=ether1
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=sfp1 list=WAN
/interface ovpn-server server
{...}
/ip address
add address=10.1.0.1/24 comment=defconf interface=ether2-master network=\
10.1.0.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=sfp1
/ip dhcp-server lease
{...}
/ip dhcp-server network
add address=10.1.0.0/24 comment=defconf gateway=10.1.0.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
{...}
/ip firewall filter
# in/out-interface matcher not possible when interface (ether1) is slave - use master instead (bridge)
add action=accept chain=input comment=OpenVPN dst-port=1194 in-interface=\
ether1 protocol=tcp
add action=accept chain=input comment="Access from VPN network" src-address=\
10.7.0.0/24
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
# in/out-interface matcher not possible when interface (ether1) is slave - use master instead (bridge)
add action=masquerade chain=srcnat out-interface=ether1
# in/out-interface matcher not possible when interface (ether1) is slave - use master instead (bridge)
add action=netmap chain=dstnat comment="HTTP Proxy" dst-port=80 in-interface=\
ether1 protocol=tcp to-addresses=10.1.0.51 to-ports=80
# in/out-interface matcher not possible when interface (ether1) is slave - use master instead (bridge)
add action=netmap chain=dstnat comment="HTTPS Proxy" dst-port=443 \
in-interface=ether1 protocol=tcp to-addresses=10.1.0.51 to-ports=443
/ip route
add comment="266 Subnet" distance=1 dst-address=10.2.0.0/24 gateway=10.7.0.2
/ip service
set telnet disabled=yes
set www address=10.1.0.0/24,10.7.0.0/24 port=8080
set ssh address=10.1.0.0/24,10.7.0.0/24
set winbox disabled=yes
/ppp secret
{..}
/system clock
set time-zone-name=Europe/Moscow
/system identity
set name=gw1
/system ntp client
set enabled=yes server-dns-names=0.ru.pool.ntp.org,1.ru.pool.ntp.org
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=bridge
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=bridge