Can I route only external traffic of one device through a VPN?

Hello,

I plan on getting a MikroTik RouterBoard hAP lite.

I want to mainly use it as a switch and wireless access point. One ethernet port (likewise the first) will be the uplink to my main router that connects to my ISP. The other ethernet ports will be for some devices.

Now, I want for one device (i.e. the one connected to port 4), that all external traffic (outgoing traffic to the internet from this device) should be routed through a VPN. The hAP lite should also be the VPN client for this VPN. However, all internal traffic (i.e. another device on my LAN wants to connect to this device, or this device connecting to my NAS on the local network) should not be routed through the VPN, obviously.

However, the network management, DHCP etc. should still be managed by my ISP's main router.

Is this possible, and if yes, what do I have to do to make this work?

Sorry, I'm not at a PC to give you exact code, but you can do this.
Using mangle, you can mark packets from your single device, then use IP routes to route the marked traffic out of the VPN client on the router.

There are different ways, depending on how transparent you want it to be. You can use e.g. the config from this thread as a starting point; it just needs some tweaks for when you add the VPN.
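
The mangle-and-route approach from the replies above, written out as an added example (not part of the original posts and not the config from the linked thread). It uses RouterOS v6 syntax; the subnet 192.168.1.0/24, the device address 192.168.1.50, the interface name vpn-out1 and the names local-nets and via-vpn are assumptions, as is the device using the hAP lite's LAN address as its default gateway.

```routeros
# Added example, RouterOS v6 syntax. All addresses and names are assumptions:
#   192.168.1.0/24  LAN subnet served by the main router
#   192.168.1.50    the single device on port 4 (give it a fixed address)
#   vpn-out1        an already configured VPN client interface on the hAP lite
# The device must use the hAP lite's LAN address as its default gateway;
# otherwise its internet traffic is only bridged and never reaches these rules.
# RouterOS v7 differs: tables are created under /routing table and routes
# reference them with routing-table= instead of routing-mark=.

# Destinations that must stay off the VPN (LAN, NAS, other local devices)
/ip firewall address-list
add list=local-nets address=192.168.1.0/24 comment="local networks"

# Mark only the device's traffic that is leaving the LAN
/ip firewall mangle
add chain=prerouting src-address=192.168.1.50 dst-address-list=!local-nets \
    action=mark-routing new-routing-mark=via-vpn passthrough=no \
    comment="port 4 device: external traffic via VPN"

# Routing table used for marked packets
/ip route
add dst-address=0.0.0.0/0 gateway=vpn-out1 routing-mark=via-vpn distance=1 \
    comment="default route through the VPN client"
# Without this second route, v6 falls back to the main table when the VPN
# interface is down and the device's traffic leaves through the ISP router.
add dst-address=0.0.0.0/0 type=blackhole routing-mark=via-vpn distance=2 \
    comment="drop instead of leaking when the VPN is down"

# Source NAT so replies come back through the tunnel
/ip firewall nat
add chain=srcnat out-interface=vpn-out1 action=masquerade \
    comment="masquerade traffic entering the VPN"
```

To check the result, watch the packet counters on the mangle rule while the device browses, and disable the VPN client briefly to confirm the device loses internet access instead of falling back to the ISP route.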