I bought Mikrotik Router RB2011ILS+SFP module with intention to have just all-in-one hardware for my private network and get rid of Milan switch from ISP. Before the replacement of Milan switch with Mikrotik router I had optic fibers connected to Milan switch and from that switch 3 eth cables out: 1 for tv setup box, 1 for patton S-DTA for isdn telephony and 1 to my router for internet.
I installed Mikrotik router and connected optic fibers to SFP module and other devices connected to ether1 (Patton S-DTA), ether3 (tv box), ether4 (Cisco AP), ether5 (NAS),.... I setup the mikrotik router as following:

# may/29/2016 12:58:54 by RouterOS 6.35.2
#
/interface bridge
add admin-mac=??:??:??:??:??:?? auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] name=ether1-isdn
set [ find default-name=ether2 ] master-port=ether1-imac name=ether2-switch
set [ find default-name=ether3 ] master-port=ether1-imac name=ether3-iptv
set [ find default-name=ether4 ] master-port=ether1-imac name=ether4-ap
set [ find default-name=ether5 ] master-port=ether1-imac name=ether5-nas
set [ find default-name=ether7 ] master-port=ether6 name=ether7-alarm
set [ find default-name=ether8 ] master-port=ether6
set [ find default-name=ether9 ] master-port=ether6 name=ether9-ha
set [ find default-name=ether10 ] master-port=ether6
/ip neighbor discovery
set sfp1 discover=no
set bridge comment=defconf
/ip pool
add name=dhcp ranges=192.168.1.100-192.168.1.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name="dhcp server"
/interface bridge port
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge interface=ether1-isdn
/ip address
add address=192.168.1.1/16 comment=defconf interface=ether1-isdn network=\
192.168.0.0
add address=95.105.25.155/16 interface=sfp1 network=95.105.0.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid interface=sfp1
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf gateway=192.168.1.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=85.255.219.75,85.255.220.75
/ip dns static
add address=192.168.1.1 name=router
/ip firewall filter
add chain=input dst-address-type=broadcast
add chain=input protocol=igmp
add chain=input dst-port=5000 protocol=udp
add chain=forward comment="defconf: accept established,related" \
connection-state=established,related
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid disabled=yes
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new disabled=yes in-interface=ether1-isdn
add chain=input protocol=icmp
add chain=input connection-state=established
add chain=input connection-state=related
add action=drop chain=input in-interface=sfp1
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
out-interface=sfp1
/ip route
add distance=1 gateway=95.105.0.1
/routing igmp-proxy interface
add alternative-subnets=0.0.0.0/0 interface=sfp1 upstream=yes
add interface=bridge
/system clock
set time-zone-name=Europe/Belgrade
/system routerboard settings
set protected-routerboot=disabled
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=ether1-isdn
add interface=ether2-switch
add interface=ether6
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=ether1-isdn
add interface=ether2-switch
add interface=ether6
#######################################

Everything works (internet, multicast IPTV) except the ISDN telephony. Guys from ISP told me that I should directly connect port ether1 to sfp1 in order to make it work.
Can someone please help how should I set up the router to add also direct connection sfp1 and ether1 port?

Andrej

It sounds like what they were telling you is that you need to create a bridge called WAN. And then connect the interfaces to that bridge (sfp1 and ether1). You will need to set your DHCP client or static IP address to the WAN bridge instead of a specific interface. Also your src nat masq. rule will have to be changed to use WAN as the out interface.

That will put any device connected to ether1 directly on the internet where it can obtain an IP directly from the ISP.

Can someone please help how should I set up the router to add also direct connection sfp1 and ether1 port?

It sounds like what they were telling you is that you need to create a bridge called WAN. And then connect the interfaces to that bridge (sfp1 and ether1). You will need to set your DHCP client or static IP address to the WAN bridge instead of a specific interface. Also your src nat masq. rule will have to be changed to use WAN as the out interface.

That will put any device connected to ether1 directly on the internet where it can obtain an IP directly from the ISP.

Don't forget to also modify the firewall filter table rules to reference the WAN bridge as well, or else you'll be open to DNS-amp DDoS abuse.

Thanks for the help. After setting up new bridge and changes in firewall, ISDN telephony now works!

Andrej