Migration to HEX S (2025) - vlan's problems - help needed

Hi guys,

I have a working RB750Gr3 hEX router with two VLANs and a PPoE server. This hardware is getting old and, moreover, I am expecting to switch to a fibre connection in the near future. Thus, I have decided to buy a successor to the old HEX router. I bought the HEX S (E60iUGS) and am trying to migrate my configuration. As you might expect, I have encountered a few issues:

  • The new switch chip EN7523 does not support the “/interface ethernet switch vlan” command.
  • The DHCP server is showing “DHCP server cannot run on slave interface”.
  • There are probably a few other problems.

I’m trying to understand what has changed here (I haven’t touched any Mikrotik routers for the last 5 years).

My requirements are simple: One WAN port with a static IP address, one trunk port carrying two VLANs, a PPoE server and a CCTV LAN.

I have spent many hours reading the forum over the last few days and I know that I should use bridge VLAN filtering, but my configuration is still incorrect. Here is the minimum start configuration – even this part is not working. Please could you review it and advise how to correct it?

/interface ethernet
set [ find default-name=ether1 ] name=WAN
set [ find default-name=ether2 ] name=OffBridgeMGMT
set [ find default-name=ether3 ] name=CCTV
set [ find default-name=ether4 ] name=PPoE
set [ find default-name=ether5 ] name=Trunk

/interface vlan

/ip address
add address=192.168.77.1/24 interface=OffBridgeMGMT network=192.168.77.0

/interface list
add name=MGMT

/interface list member
add interface=OffBridgeMGMT list=MGMT

/interface bridge
add name=bridge1 vlan-filtering=no

/interface bridge port
add bridge=bridge1 interface=Trunk frame-types=admit-only-vlan-tagged
add bridge=bridge1 interface=CCTV pvid=1 frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge1 interface=PPoE pvid=88 frame-types=admit-only-untagged-and-priority-tagged

/interface bridge vlan
add bridge=bridge1 tagged=Trunk vlan-ids=1
add bridge=bridge1 tagged=Trunk vlan-ids=88

/interface bridge set bridge1 vlan-filtering=yes

/ip pool
add name=PPoE-pool ranges=192.168.88.10-192.168.88.99
add name=CCTV-pool ranges=192.168.0.20-192.168.0.200

/ip dhcp-server
add address-pool=PPoE-pool interface=PPoE lease-time=1d name=dhcp1
add address-pool=CCTV-pool disabled=no interface=CCTV lease-time=1d name=dhcp2

I see that many people are complaining about the output of the HEX. I bought it because I thought it would be several times more powerful than the old one. But now I’m wondering if this hardware can handle a 1 Gb internet connection. Should I return it and switch to the L009UiGS-RM?

I look forward to hearing your advice.

Slawek

Well, the L009 is actually a lot slower than a hex S, at least in the usual test results metric we use to approximate the real world performance, the 512 bytes packet/25 firewall filter rules:
Hex S (2025): 498.1 Mbps
L009: 323.6 Mbps

In most (but not all) configurations, fasttrack will be used, so the Hex S should be capable of routing almost 1 Gb, the L009 won't.

Post the current (working) configuration on your old hex; it will be easier to assist you in "translating" it to the new device.

The Ax2 or - better - the Ax3 are the cheapest devices that can handle a 1 Gb internet connection "comfortably", see:

Hmmm.

Rules of the Mikrotik Club:

I'm not sure if it is still recommended, but most people seem to avoid using ether1 for the WAN on that model.
Also, the safe and currently recommended version 7 firmware is 7.19.6.

We need more details. "not working" is too vague. e.g. "My car isn't working. What's wrong with it?"

https://web.archive.org/web/20240115025942/https://forum.mikrotik.com/viewtopic.php?p=908118
https://www.co.kerr.tx.us/it/howtoreport.html
How to Report Bugs Effectively

You don't have any vlan interfaces listed. So I will assume the U60iUGS is being used as a smart switch for another router connected through the trunk link?

A vlan interface is the connection to a specific vlan in the internal switch (whether it is using a hardware switch or the switch functionality is being emulated by software in the Linux kernel).

It seems odd to me that you would have a WAN interface as the only interface the router sees.

What output do you get from the commands:

/interface print
/interface bridge print
/interface bridge port print
/interface bridge vlan print

I have never used the old method with the switch commands on my RB760iGS, but with recent versions of v7 (e.g. 7.19.6) the internal switch chip will be used in the vlan-filtering setup on the U60iUGS, so the L2 performance between the ports connected to the integrated switch (ether2-ether5) should be near wire speed.
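The two symptoms reported in this thread, sketched for VLAN 88 as an added example in RouterOS CLI (not posted by any participant and not MikroTik's own configuration): the original DHCP servers are bound to bridge ports, and no VLAN interface exists for the router to hold an address in the VLAN. The interface name vlan88 and the gateway address 192.168.88.1 are assumptions; the VLAN ID, port names and pool come from the original post.

```routeros
# Added example, not from the thread. The name vlan88 and the gateway
# 192.168.88.1 are assumptions; VLAN ID, ports and pool are from the post.

# Before (original post): PPoE is a port of bridge1, i.e. a slave interface,
# so the DHCP server bound to it is flagged as invalid.
#   /ip dhcp-server
#   add address-pool=PPoE-pool interface=PPoE lease-time=1d name=dhcp1

# 1. Replace the post's VLAN 88 entry: the bridge itself must be a tagged
#    member so the CPU gets a leg in the VLAN. PPoE (pvid=88) is the
#    untagged access port, Trunk carries the VLAN tagged.
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,Trunk untagged=PPoE vlan-ids=88

# 2. Create the layer-3 interface for VLAN 88 on top of the bridge.
/interface vlan
add interface=bridge1 name=vlan88 vlan-id=88

# 3. Put the gateway address on the VLAN interface, not on the port.
/ip address
add address=192.168.88.1/24 interface=vlan88

# 4. Bind the DHCP server to the VLAN interface and define its network.
/ip pool
add name=PPoE-pool ranges=192.168.88.10-192.168.88.99
/ip dhcp-server
add address-pool=PPoE-pool disabled=no interface=vlan88 lease-time=1d name=dhcp1
/ip dhcp-server network
add address=192.168.88.0/24 gateway=192.168.88.1

# 5. Enable filtering last, while connected through the off-bridge
#    management port (OffBridgeMGMT), so a mistake cannot lock you out.
/interface bridge set bridge1 vlan-filtering=yes
```

The CCTV network follows the same pattern with its own VLAN interface and DHCP server binding.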

Do we have a diagram somewhere of how the physical ports are connected inside the RB760iGS?
I was only able to find this diagram.

In my example, the router is equipped with an EN7523, unlike the EN7562 in the screenshot above.

Is it worse to use Eth1 directly connected to the CPU than to use Eth2 as a WAN? Honestly, I need two physical interfaces. If we can create one as a WAN and the other as a trunk carrying two VLANs, that would work.

@Buckeye In the meantime, I found this written example to be very helpful. It not only takes care of the core settings, like bridge, but also has settings for security. I’m trying to use it as a template now and adapt it to my needs — to build two VLAN interfaces and host some services. I will let you know about my progress.

When the device came out, people started reporting issues with the speed of ether1 as WAN.

The temporary workaround was to use any of ether2-5 as WAN instead, but the issue was/is a software one, so newer versions of RoS addressed the issue (I believe in 7.20 beta5 or around it).

If you use the latest stable, ether1 should work as intended with full speed.

I think that the "switch" portion is the same in several SoCs.

See https://git.infobricfleet.com/gtu/openwrt/-/blob/v24.10.3/target/linux/airoha/en7523/target.mk

So the "switch" is listed as EN7523 and the CPU is listed as EN7562 in the E60iUGS spec

More reference material:

From

https://lists.denx.de/pipermail/u-boot/2025-November/602122.html

+config TARGET_EN7523

  • bool "Airoha EN7523 SoC"
  • select CPU_V7A
  • select ARMV7_SET_CORTEX_SMPEN
  • help
  • The Airoha EN7523 family (en7523/en7529/en7562) is an ARM-based
    
  • SoCs with a dual-core CPU. It comes with Wi-Fi 5/6 support and
    
  • connectivity to Ethernet PHY, DDR, PCIe, USB, UART and VoIP.
    
  • With advanced hardware design, EN7523 provides high processing
    
  • performance and low power consumption.
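
Review bot: the help text of the added TARGET_EN7523 entry reads "is an ARM-based SoCs", which mixes singular and plural. Suggest "is a family of ARM-based SoCs with a dual-core CPU" (or "are ARM-based SoCs") so the Kconfig help reads cleanly; the rest of the entry needs no change on that account.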
    

This is the block diagram for the original version of the HEX S (RB760iGS). It used a different SoC and all RJ45 ports were connected "through" the switch. However, the "model" that anav was referring to was the E60iUGS, which as you can see in the diagram above has a direct CPU connection to Eth1 that bypasses the switch. Normally that would be a good thing for a WAN port, because it has a dedicated channel; however, there was an issue on earlier versions of ROS (reportedly fixed in 7.20.x and backported to 7.19.6) that is discussed in this thread: Hex E50UG. But some reports say it is fixed, and some say Eth1 routed performance is still slower than when going through a switched port. E.g. Hex E50UG - #170 by codelogic and Hex E50UG - #171 by eric0x7677