Hi,

I have MikroTik 1016 CCR router, with configuration:

1. On all SFP ports I have bridge created, except interface SFP3, where I have subnet 10.6.6.0/24 (with gateway 10.6.6.1).
2. SFP2 (bridge port) interface is connected to the Internet (to server with 172.23.198.1 address within 172.23.198.0/24 subnet).
3. To SFP1 (bridge port with 172.23.198.29 address) I've connected laptop (getting DHCP IP from 172.23.198.1).

All SFP's ports on bridge have access to the Internet, except SFP3, which is in separated subnet.
Besides I can't ping laptops from SFP1 to SFP3 one to another.
I can't ping from laptop on SFP1 to gateway 10.6.6.1, but I can ping from laptop on SFP3 to gateway 172.23.198.29.

What should I do, if I want to have SFP3 also access to the Internet and other subnets (172.23.198.0 in this case)?
Firewalls on laptops Windows disabled.

Look at your firewall rules, start with the ones on client devices

Look at your firewall rules, start with the ones on client devices

There's no any firewall rules on my router.
Firewalls on hosts are disabled.

can you provide results of below command in CLI?

/export hide-sensitive

can you provide results of below command in CLI?

/export hide-sensitive

Unfortunately, I've changed my configuration since I've posted my config in the first message. But in general, is there any method to EXCLUDE ONE port from bridge (all ports on bridge has an access to the Internet) and make on this excluded port separated subnet but still WITH access to the Internet?

Not necessarily the correct way, but with the limited information you provide, NATing everything out the bridge interface should give internet access to all devices behind the CCR