First answer to question #3: it happens, but it's not normal. It means that firewall does not block these connection attempts so you actually see attempts (hopefully it stays at attempts). And that means you have to do something about firewall.
If you just started off with configuring your router, then it quite likely lacks a decent firewall rule set, CCR line does not have any firewall by default. SOHO line of mikrotik routers, on the other hand, comes with a pretty decent firewall rule set (and a few related settings) by default:
/ip firewall nat
add chain=srcnat out-interface-list=WAN ipsec-policy=out,none action=masquerade comment="defconf: masquerade"
/ip firewall filter
add chain=input action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
add chain=input action=drop connection-state=invalid comment="defconf: drop invalid"
add chain=input action=accept dst-address=127.0.0.1 comment="defconf: accept to local loopback (for CAPsMAN)"
add chain=forward action=accept ipsec-policy=in,ipsec comment="defconf: accept in ipsec policy"
add chain=forward action=accept ipsec-policy=out,ipsec comment="defconf: accept out ipsec policy"
add chain=forward action=fasttrack-connection connection-state=established,related comment="defconf: fasttrack"
add chain=forward action=accept connection-state=established,related,untracked comment="defconf: accept established,related, untracked"
add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"
add chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN comment="defconf: drop all from WAN not DSTNATed"
/ip neighbor discovery-settings
set discover-interface-list=LAN
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
It is very important to add interfaces to proper interface lists. Depending on particular setup it might bi right like this:
/interface list
add name=WAN comment="defconf"
add name=LAN comment="defconf"
/interface list member
add list=LAN interface=bridge comment="defconf"
# if LAN IP address is not on bridge, but on some etherX interface, add that interface to LAN interface list as well
add list=WAN interface=ether1 comment="defconf"
# and add PPPoE interface so that firewall does its job ... assuming default PPPoE interface name is used
add list=WAN interface=pppoe-out1 comment="logical WAN interface"
Then add your NAT rules (port forwarding) to
/ip firewall nat section, no changes are necessary in
/ip firewall filter section.
To answer your question #2 about connection to switch: it depends if ether2 and sfp-sfpplus1 interfaces are members of a bridge. If they are, then you can indeed simply replace ethernet connection with SFP-SFP connection. If these interfaces are not members of bridge, then you'd have to reconfigure router a bit before changing the connection.