Last May I wrote a post in which I did some basic testing on the CCR2004-1G-2XS-PCIe and speculated on potential use cases for it.

I finally took a trip down to a data center to deploy some new hardware for colocation. I haven’t worked with RouterOS much before, so getting started was a bit bumpy due to lack of documentation… anywhere. Right off the bat I upgraded from the RouterOS 7.1 that it shipped with to the current RouterOS 7.7, which was surprisingly easy, just dragging the new .npk file over in Winbox and rebooting.

The Problem

Passthrough Mode

My only major bump was getting the SFP28 interfaces to come up; at first it turned out we still had the TOR ports shut but even then they wouldn’t come up. Even with a clean config from resetting without a default config, the SFP28-1 and SFP28-2 interfaces both came preconfigured in passthrough mode, which doesn’t allow them to come up and be used by RouterOS itself. As far as I know, from my admittedly lacking knowledge or RouterOS, no other Mikrotik devices have a passthrough interface mode. Now almost a year following the release of the product, documentation on the quirks of the platform is still extremely sparse, and I could barely even find mentions of passthrough mode, let alone how to disable it.

How do you tell if Passthrough mode is enabled on an interface?

To check if you’re in passthrough mode, run /interface/print. In the left column you will see a “P” flag if the interface is in passthrough mode

Flags: X, R - RUNNING; P - PASSTHROUGH
Columns: NAME, TYPE, ACTUAL-MTU, L2MTU, MAX-L2MTU, MAC-ADDRESS
#    NAME                TYPE   ACTUAL-MTU  L2MTU  MAX-L2MTU  MAC-ADDRESS      
;;; Virtual Interface for Proxmox
0 R  ether-pcie1         ether        1500   1600       9500  AB:CD:EF:12:34:56
;;; Spare Virtual Interface
1  P ether-pcie2         ether        1500   1600       9500  AB:CD:EF:12:34:57 <-------
2    ether-pcie3         ether        1500   1600       9500  AB:CD:EF:12:34:58
3    ether-pcie4         ether        1500   1600       9500  AB:CD:EF:12:34:59
;;; Management Interface
4 R  ether1              ether        1500   1600       9586  AB:CD:EF:12:34:5A
;;; Primary Uplink to Upstream Carrier
5 R  sfp28-1             ether        1500   1600       9586  AB:CD:EF:12:34:5B
;;; Spare SFP Interface
6 P sfp28-2             ether        1500   1600       9586  AB:CD:EF:12:34:5C <-------
7 R  upstream-vlan99      vlan         1500   1596             AB:CD:EF:12:34:5D
;;; Wireguard to Dallas, TX
8 R  wireguard-oak-dfw  wg           1420              

So how do you disable it?

From the terminal, run the following: /interface/ethernet set passhthrough-interface=none ether-pcie2

This will disable the default passthrough from sfp28-2 to ether-pcie2. Change ether-pcie2 to ether-pcie1 to clear the default passthrough from sfp28-1 to ether-pcie1.