Looking for solutions to replace EdgeRouter X's, since they have not been available for a while.
The WAN throughput seems to be up to par using the hEX router. I tried a couple of TP-Link 605s; the throughput was total crap, so I sent them back.
So, I had a hEX router I had come across some time back. I flashed the latest 7.x firmware on it and started searching the web for help doing semi-basic configs.
Port 1 is WAN/DHCP
Ports 2,3 are 192.168.88.0/24 (default bridge)
Ports 4,5 are 192.168.99.0/24 (guest_bridge)
It took a bit of digging, but I was happy to bridge 4 & 5 and get a DHCP server working for those ports.
The issue: 192.168.99.0/24 can't get to the Internet.
I would also need to block 192.168.99.x from accessing the router setup page or any other device on the main (88.x) subnet.
I have a cable (Comcast) connection, 400/25; most of my work clients seem to have anything from 50/50 up to 500/500.
With my EdgeRouter I get 400+/25; double-NAT through an EOL Cisco RVS (my bench/sandbox) I still get the same. When I tested the TP-Link 605s my throughput dropped to 75/24.
So I thought I would try out the hEX router I had lying around; it seemed acceptable with those connection speeds.
While a bit more involved to set up, I don't mind the challenge as long as it is attainable without spending days/weeks trying to get basic small-office needs accomplished.
Multiple subnets, VLANs, port forwarding and isolation.
One bridge.
Assign all VLANs to the bridge.
Each VLAN gets an IP pool, IP address, DHCP server and DHCP server network.
Set the bridge port settings in /interface bridge port (trunk and access as required).
Set the bridge VLAN settings in /interface bridge vlan (to match the bridge port settings).
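Those steps carried through for the port layout in the opening post (ether1 WAN, ether2-3 on 192.168.88.0/24, ether4-5 on 192.168.99.0/24), as an added RouterOS 7 example that is not from any post in this thread. The bridge name, VLAN IDs 88 and 99, the interface names vlan88/vlan99 and the pool ranges are my choices; it assumes the default bridge's 192.168.88.1 address and DHCP server have already been removed (or the box was reset without default configuration) and that ether1 keeps its DHCP client. Run it from the serial console or in Safe Mode: turning vlan-filtering on while you are connected through ether2 can cut you off until the rest is in place.

```routeros
# One bridge; leave vlan-filtering off until ports, VLAN table and IPs exist
/interface bridge
add name=bridge1 vlan-filtering=no comment="single bridge for all LAN ports"

# Access ports: pvid puts untagged ingress frames into the port's VLAN.
# ingress-filtering + frame-types stop a host from sending its own 802.1Q
# tags to hop into another VLAN (e.g. a guest on ether4 tagging VID 88).
/interface bridge port
add bridge=bridge1 interface=ether2 pvid=88 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge1 interface=ether3 pvid=88 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge1 interface=ether4 pvid=99 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge1 interface=ether5 pvid=99 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged

# Bridge VLAN table (egress view): one row per VLAN. The bridge itself is a
# tagged member so the router's own vlan88/vlan99 interfaces see the traffic.
# A trunk port for an AP would simply be added under tagged= on both rows.
/interface bridge vlan
add bridge=bridge1 vlan-ids=88 tagged=bridge1 untagged=ether2,ether3
add bridge=bridge1 vlan-ids=99 tagged=bridge1 untagged=ether4,ether5

# Layer-3 interface, address, pool, DHCP server and DHCP network per VLAN
/interface vlan
add name=vlan88 interface=bridge1 vlan-id=88
add name=vlan99 interface=bridge1 vlan-id=99
/ip address
add address=192.168.88.1/24 interface=vlan88
add address=192.168.99.1/24 interface=vlan99
/ip pool
add name=pool88 ranges=192.168.88.10-192.168.88.254
add name=pool99 ranges=192.168.99.10-192.168.99.254
/ip dhcp-server
add name=dhcp88 interface=vlan88 address-pool=pool88
add name=dhcp99 interface=vlan99 address-pool=pool99
/ip dhcp-server network
add address=192.168.88.0/24 gateway=192.168.88.1 dns-server=192.168.88.1
add address=192.168.99.0/24 gateway=192.168.99.1 dns-server=192.168.99.1

# Last step: turn filtering on, then verify the table and the learned hosts
/interface bridge set bridge1 vlan-filtering=yes
/interface bridge vlan print
/interface bridge host print
```

Handing out the router as DNS server assumes /ip dns allow-remote-requests=yes, which the default configuration already sets. After enabling filtering, /interface bridge port print should show the H flag on the ports if the switch chip is offloading the VLAN filtering; whether it does depends on the model and RouterOS version, so check rather than assume. This only gets each VLAN talking to the router; Internet access and isolation are firewall matters handled separately.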
I don't know how to get the x.x.99.x subnet on the Internet or what needs to be added to the firewall rules to keep them apart.
I'll take a look at the links tomorrow.
Thanks
While you can replicate the two-bridge approach, which is roughly what the EdgeRouter does internally, the more MikroTik way is to use VLANs, the reason being that local traffic can be offloaded to the switch chip, freeing the CPU for Internet routing only.
In most cases, with the default firewall, you can add any new VLANs you create using MikroTik's "Bridge VLAN Table" instructions to the "LAN" interface list (in WinBox under Interfaces > Interface List, then add a member mapping the VLAN interface to the LAN list) and it will do the right thing to route to the Internet. If you want to block inter-VLAN routing (since if you change nothing, your VLANs can route IP through the router), you add some "drop" rules in IP > Firewall > Filter. Lots more details, which is why @anav provides some links... but that's the 10K overview.
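The two changes that reply describes, written out as an added example (mine, not from the reply or from MikroTik's documentation). It assumes the default firewall is still in place, that the guest VLAN is an /interface vlan named vlan99 on the bridge and the main one vlan88, and that the router is the guest clients' DNS and DHCP server. Rule order matters: the guest rules are appended, which works with the default chains because neither input nor forward ends in a catch-all accept for LAN; if you have added an "accept from LAN" rule of your own, use place-before= so the drops sit above it.

```routeros
# 1. Routing to the Internet: the default forward and NAT rules key on the
#    WAN and LAN interface lists, so a VLAN only has to become a LAN member
#    (the default masquerade rule is out-interface-list=WAN; nothing to add).
/interface list member
add list=LAN interface=vlan88
add list=LAN interface=vlan99

# 2. Isolation. With only step 1 the router routes 99.x <-> 88.x freely.
#    Drop new connections from the guest VLAN towards any other LAN interface;
#    established/related replies to guest-initiated flows are accepted by the
#    earlier default rule and never reach this one.
/ip firewall filter
add chain=forward action=drop connection-state=new in-interface=vlan99 out-interface-list=LAN comment="guest: no inter-VLAN traffic"

# 3. Keep guests off the router itself (WebFig, WinBox, SSH) while still
#    letting them get an address and resolve names. Accepts go before the drop.
add chain=input action=accept in-interface=vlan99 protocol=udp dst-port=53,67 comment="guest: allow DNS and DHCP to router"
add chain=input action=accept in-interface=vlan99 protocol=tcp dst-port=53 comment="guest: allow DNS over TCP"
add chain=input action=drop in-interface=vlan99 comment="guest: block all other access to router"

# Check: from a 192.168.99.x host, an Internet address should answer while
# 192.168.88.1's web/WinBox ports and any 192.168.88.x host should not;
# the counters here show which rule is doing the work.
/ip firewall filter print stats where comment~"guest"
```

Pinging the guest gateway still works because the default input chain accepts ICMP before the new drop; remove that default rule if you want the router invisible to guests. The drop in step 2 is on the guest side only, so hosts on vlan88 can still reach guest devices if that is wanted; a symmetric rule with in-interface=vlan88 out-interface=vlan99 blocks that direction too.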
That's why I have a hEX S: we can't get ER-X's, so we wanted something similar.
Do you have an ER-X config you want to replace? Were you using the VLAN-aware switch0 on the ER-X? If you post the sanitized ER-X config, I may be able to help translate at least the VLAN portion.
You shouldn't be using multiple bridges on the hEX if you want hardware switching to work, and you probably do.
I have spent the most time playing with VLANs on a hEX S (RB760iGS). You say hEX (by that do you mean RB750Gr3?).
@anav has some good pointers in NEW USER PATHWAY TO CONFIG SUCCESS. There is one specifically about the firewall (which is very different in config from the EdgeRouter, although they both use iptables "under the hood"; in the EdgeRouter the iptables details are behind the Vyatta firewall abstraction).
If you're doing multiple small offices, I would recommend one of the ARM-based devices so that you can use ZeroTier later to tie things together. It's the simplest and easiest VPN/SD-WAN protocol to get working and is pretty much set and forget.
If you are just using the hEX PoE as a learning platform, my guess is that it will work, since it uses the QCA8337 switch chip.
What features do you need in the router? SFP? Passive PoE? vlans? Want to run v6? Want to run ZeroTier? Want to run The Dude server? Want USB? Want microSD? Want more DRAM?
If all you need is a 5-port router with the most features (ARM is currently the only platform with ZeroTier, as noted by @IPANetEngineer), the hAP ac2 has twice the full cores of the MT7621A, and they are probably similar in throughput per core; the MT7621A has a slightly faster clock, but without doing benchmarks I can't say, and I don't have a hAP ac2. "HAP AC2 or the HEX (RB750Gr3)?" has a short discussion.
One advantage of the hAP ac2 is that the internal link between the CPU and the AR8327 switch chip is a single 2Gb link vs. two 1Gb links.
As to how to post config: just like you would post the config from the hEX PoE's /export. In the post editing window, click the icon that looks like a black box with two square braces in it. That will format it as a code block.
If you were asking about how to "export" the ER-X config: from the EdgeOS $ prompt type show configuration | cat, copy the output to a text editor and remove any sensitive info that wasn't removed by show (you probably won't have much to sanitize in the config, since it probably won't have your global public address, but if you have a PPPoE connection redact your credentials). If you want help with that part, ask on the Ubiquiti ui.com forum.
This post has an example of my lab ER-X config and my hEX S config from when I was testing between my ER-X and hEX S, and this post has my notes to myself explaining what the RouterOS config is doing, because in RouterOS VLAN config is VLAN-centric while in EdgeOS it is switch-port-centric. Now that I think about it, it isn't that simple; see the annotated post (/interface bridge port defines ingress behavior per port; /interface bridge vlan has one row for every VLAN, but that row describes how egress frames will be sent per port, tagged or untagged). I am assuming you know how to use the ER-X VLAN-aware switch0; if not, ask on the Ubiquiti forum under the EdgeMAX tag.