I'v got an intresting situation:
1. I have 5 IP addresses from my ISP provided via fiber. xxx.xxx.xxx.240/29 (xxx.xxx.xxx.241 is ISP gateway)
2. As ISP recomended, I created a bridge and added in it sfp interface.
3. For this time I assighned 3 addresses to this bridge-interface like : xxx.xxx.xxx.242/29, xxx.xxx.xxx.245/29 and xxx.xxx.xxx.246/29
4. xxx.xxx.xxx.242/29 is used for internet access for office users via src-nat rule src-address=192.168.10.0/24 action=src-nat to address xxx.xxx.xxx.242/29
5. xxx.xxx.xxx.245/29 is used for hosting&mail server, located in lan (different from office subnet) on address 192.168.40.40/24
6. xxx.xxx.xxx.246/29 is used as ns2 for hosting and transmits dns requests to same hosting and mail server in lan.
Problem: office users cannot access web and mail server from office network.
May be there was no need to create bridge with sfp-interface in it and I whould assign addresses direct to the sfp-interface?