Using a hEX S as a VLAN

I work in a production department; we program Teltonika RUT routers to a standardized configuration to be delivered to venues. We currently program each unit individually on 192.168.1.1.

I have purchased a hEX S. I want the ability to have 3 Teltonika routers connected directly to the hEX S, and I want to be able to connect from my workstation to each router individually on its factory IP 192.168.1.1 so I can program them at the same time; being able to work on 3 routers at the same time will increase my output of standardized routers.

I’ve managed to work through connecting 1 router using port 8001 on ether3 (192.168.88.1:8001), but ether4 and ether5 (8002 and 8003, respectively) don’t load the web UI of the Teltonika routers.

I’ve put my config below, but I cannot figure out at what step this is going wrong.

/interface bridge
add admin-mac= auto-mac=no comment=defconf name=bridge
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
/routing table
add fib name=to-ether3
add fib name=to-ether4
add fib name=to-ether5
/disk settings
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=sfp1
/interface bridge settings
set use-ip-firewall=yes
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=192.168.1.2/24 comment="To Teltonika #1" interface=ether3 \
    network=192.168.1.0
add address=192.168.2.2/24 comment="To Teltonika #2" interface=ether4 \
    network=192.168.2.0
add address=192.168.3.2/24 comment="To Teltonika #3" interface=ether5 \
    network=192.168.3.0
/ip dhcp-client
# Interface not active
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan type=A
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=mark-routing chain=prerouting dst-address=192.168.88.1 dst-port=\
    8001 new-routing-mark=to-ether3 protocol=tcp
add action=mark-routing chain=prerouting dst-address=192.168.88.1 dst-port=\
    8002 new-routing-mark=to-ether4 protocol=tcp
add action=mark-routing chain=prerouting dst-address=192.168.88.1 dst-port=\
    8003 new-routing-mark=to-ether5 protocol=tcp
/ip firewall nat
add action=masquerade chain=srcnat comment="NAT to Teltonika 1" \
    out-interface=ether3
add action=masquerade chain=srcnat comment="NAT to Teltonika 2" \
    out-interface=ether4
add action=masquerade chain=srcnat comment="NAT to Teltonika 3" \
    out-interface=ether5
add action=dst-nat chain=dstnat comment="Teltonika 1 Web" dst-address=\
    192.168.88.1 dst-port=8001 protocol=tcp to-addresses=192.168.1.1 \
    to-ports=80
add action=dst-nat chain=dstnat comment="Teltonika 2 Web" dst-address=\
    192.168.88.1 dst-port=8002 protocol=tcp to-addresses=192.168.2.1 \
    to-ports=80
add action=dst-nat chain=dstnat comment="Teltonika 3 Web" dst-address=\
    192.168.88.1 dst-port=8003 protocol=tcp to-addresses=192.168.3.1 \
    to-ports=80
/ip route
add comment="Route to Teltonika 1" disabled=no distance=1 dst-address=\
    192.168.1.1/32 gateway=0.0.0.0 routing-table=to-ether3 \
    suppress-hw-offload=no
add comment="Route to Teltonika 2" disabled=no distance=1 dst-address=\
    192.168.1.1/32 gateway=0.0.0.0 routing-table=to-ether4 \
    suppress-hw-offload=no
add comment="Route to Teltonika 3" disabled=no distance=1 dst-address=\
    192.168.1.1/32 gateway=0.0.0.0 routing-table=to-ether5 \
    suppress-hw-offload=no
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
    dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack6" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/routing rule
add action=lookup disabled=no routing-mark=to-ether3 table=to-ether3
add action=lookup disabled=no routing-mark=to-ether4 table=to-ether4
add action=lookup routing-mark=to-ether5 table=to-ether5
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

This has been discussed already before.

See here for some info / ideas / …


Thank you so much, I am a total novice with this sort of thing. Thanks for pointing me in the right direction!

Holvoetn’s link points you in the right direction, and this thread actually contains a full worked example of what you need:


Hi Lurker888, thanks for pointing me at that! It has been a great help in trying to understand what I’m doing.

I do have some questions though to scale it for my usage. I can’t seem to connect directly to the MikroTik through my browser using 88.1, but I’m connected on WinBox.

My flow seems right in that I want to use 88.3, 88.4 and 88.5 to use ether3/4/5 to connect to the RUT devices.

[admin@MikroTik] > /interface list

[admin@MikroTik] /interface/list> add name=Teltonika-Ports

[admin@MikroTik] /interface/list> add name=WAN

[admin@MikroTik] /interface/list> /    
 
[admin@MikroTik] > /interface list member

[admin@MikroTik] /interface/list/member> add interface=ether1 list=WAN

[admin@MikroTik] /interface/list/member> add interface=ether3 list=Teltonika-Ports 

[admin@MikroTik] /interface/list/member> add interface=ether4 list=Teltonika-Ports 

[admin@MikroTik] /interface/list/member> add interface=ether5 list=Teltonika-Ports 

[admin@MikroTik] /interface/list/member> /

[admin@MikroTik] > /ip address

[admin@MikroTik] /ip/address> add address=192.168.88.1/24 interface=ether1 comment="Primary IP for Mikrotik"

[admin@MikroTik] /ip/address> add address=192.168.88.2/24 interface=ether1 comment="Teltonika1 External IP"

[admin@MikroTik] /ip/address> add address=192.168.88.3/24 interface=ether1 comment="Teltonika2 External IP"  

[admin@MikroTik] /ip/address> add address=192.168.88.4/24 interface=ether1 comment="Teltonika3 External IP"  

[admin@MikroTik] /ip/address> add address=192.168.1.1/24 interface=ether3 comment="Teltonika1 Network"

[admin@MikroTik] /ip/address> add address=192.168.1.1/24 interface=ether4 comment="Teltonika2 Network"  

[admin@MikroTik] /ip/address> add address=192.168.1.1/24 interface=ether5 comment="Teltonika3 Network"  

[admin@MikroTik] /ip/address> /

[admin@MikroTik] > /routing table

[admin@MikroTik] /routing/table> add disabled=no fib name=to-teltonika1

[admin@MikroTik] /routing/table> add disabled=no fib name=to-teltonika2

[admin@MikroTik] /routing/table> add disabled=no fib name=to-teltonika3

[admin@MikroTik] /routing/table> /

[admin@MikroTik] > /routing rule

[admin@MikroTik] /routing/rule> add action=lookup-only-in-table routing-mark=to-teltonika1 table=to-teltonika1 

[admin@MikroTik] /routing/rule> add action=lookup-only-in-table routing-mark=to-teltonika2 table=to-teltonika2 

[admin@MikroTik] /routing/rule> add action=lookup-only-in-table routing-mark=to-teltonika3 table=to-teltonika3 

[admin@MikroTik] /routing/rule> /

[admin@MikroTik] > /ip firewall mangle

[admin@MikroTik] /ip/firewall/mangle> add chain=prerouting in-interface=ether1 dst-address=192.168.88.2 action=mark-routing new-routing-mark=to-teltonika1 comment="mark route to Teltonika1"

[admin@MikroTik] /ip/firewall/mangle> add chain=prerouting in-interface=ether1 dst-address=192.168.88.3 action=mark-routing new-routing-mark=to-teltonika2 comment="mark route to Teltonika2"   

[admin@MikroTik] /ip/firewall/mangle> add chain=prerouting in-interface=ether1 dst-address=192.168.88.4 action=mark-routing new-routing-mark=to-teltonika3 comment="mark route to Teltonika3"   

[admin@MikroTik] /ip/firewall/mangle> /

[admin@MikroTik] > /ip route

[admin@MikroTik] /ip/route> add dst-address=192.168.1.1/24 gateway=ether3 routing-table=to-teltonika1 comment="Route to Teltonika1"

[admin@MikroTik] /ip/route> add dst-address=192.168.1.1/24 gateway=ether4 routing-table=to-teltonika2 comment="Route to Teltonika2"   

[admin@MikroTik] /ip/route> add dst-address=192.168.1.1/24 gateway=ether5 routing-table=to-teltonika3 comment="Route to Teltonika3"  
 
[admin@MikroTik] /ip/route> / 

[admin@MikroTik] > /ip firewall nat

[admin@MikroTik] /ip/firewall/nat> add chain=dstnat in-interface=ether1 dst-address=192.168.88.2 action=dst-nat to-address=192.168.1.1 comment="Teltonika1 Inbound"

[admin@MikroTik] /ip/firewall/nat> add chain=dstnat in-interface=ether1 dst-address=192.168.88.3 action=dst-nat to-address=192.168.1.1 comment="Teltonika2 Inbound"   

[admin@MikroTik] /ip/firewall/nat> add chain=dstnat in-interface=ether1 dst-address=192.168.88.4 action=dst-nat to-address=192.168.1.1 comment="Teltonika3 Inbound"  

[admin@MikroTik] /ip/firewall/nat> add chain=srcnat out-interface-list=Teltonika-Ports action=src-nat to-address=192.168.1.1 comment="source NAT to Teltonikas"

[admin@MikroTik] /ip/firewall/nat> /

[admin@MikroTik] > /ip firewall connection tracking set enabled=yes

And the questions are ??

PS: can you PLEASE use an export of the config and include it between </> quotes?
Much easier for everyone to read.

Sorry, I know I am trying your patience. I am a complete novice at this and, believe me, I am pulling my hair out over it.

# MikroTik Configuration for Teltonika Routers Isolation and Access via 192.168.88.X

# Basic Identity
/system identity set name="Teltonika-Gateway"

# Interface Lists
/interface list
add name=Teltonika-Ports
add name=WAN

/interface list member
add interface=ether1 list=WAN
add interface=ether3 list=Teltonika-Ports
add interface=ether4 list=Teltonika-Ports
add interface=ether5 list=Teltonika-Ports

# IP Configuration
/ip address
add address=192.168.88.1/24 interface=bridge comment="Main Access IP"
add address=192.168.88.2/32 interface=bridge comment="Teltonika 1 Access"
add address=192.168.88.3/32 interface=bridge comment="Teltonika 2 Access"
add address=192.168.88.4/32 interface=bridge comment="Teltonika 3 Access"
add address=192.168.1.1/24 interface=ether3 comment="Teltonika 1 Internal"
add address=192.168.1.1/24 interface=ether4 comment="Teltonika 2 Internal"
add address=192.168.1.1/24 interface=ether5 comment="Teltonika 3 Internal"

# Routing Tables
/routing table
add disabled=no fib name=to-teltonika1
add disabled=no fib name=to-teltonika2
add disabled=no fib name=to-teltonika3

# Routing Rules
/routing rule
add action=lookup-only-in-table routing-mark=to-teltonika1 table=to-teltonika1
add action=lookup-only-in-table routing-mark=to-teltonika2 table=to-teltonika2
add action=lookup-only-in-table routing-mark=to-teltonika3 table=to-teltonika3

# Mangle Rules
/ip firewall mangle
add chain=prerouting src-address=192.168.101.0/24 dst-address=192.168.88.2 action=mark-routing new-routing-mark=to-teltonika1 comment="Route to Teltonika1"
add chain=prerouting src-address=192.168.101.0/24 dst-address=192.168.88.3 action=mark-routing new-routing-mark=to-teltonika2 comment="Route to Teltonika2"
add chain=prerouting src-address=192.168.101.0/24 dst-address=192.168.88.4 action=mark-routing new-routing-mark=to-teltonika3 comment="Route to Teltonika3"

# Routes
/ip route
add dst-address=192.168.1.0/24 gateway=ether3 routing-table=to-teltonika1 comment="Route to Teltonika1"
add dst-address=192.168.1.0/24 gateway=ether4 routing-table=to-teltonika2 comment="Route to Teltonika2"
add dst-address=192.168.1.0/24 gateway=ether5 routing-table=to-teltonika3 comment="Route to Teltonika3"

# NAT Rules
/ip firewall nat
add chain=dstnat in-interface=bridge dst-address=192.168.88.2 action=dst-nat to-addresses=192.168.1.1 comment="Access Teltonika1"
add chain=dstnat in-interface=bridge dst-address=192.168.88.3 action=dst-nat to-addresses=192.168.1.1 comment="Access Teltonika2"
add chain=dstnat in-interface=bridge dst-address=192.168.88.4 action=dst-nat to-addresses=192.168.1.1 comment="Access Teltonika3"

add chain=srcnat out-interface-list=Teltonika-Ports action=src-nat to-addresses=192.168.1.1 comment="Source NAT to Teltonikas"

/ip firewall connection tracking
set enabled=yes

Above is my config, but my question is: why isn’t this allowing me to connect to each individual router via the default addresses that I’ve assigned (88.2 etc.)?

If I were to use the original config that I haphazardly built, it allows me a connection on one ethernet port (ether2) but doesn’t let me access the other two.

# 2025-05-22 17:14:53 by RouterOS 7.19.1
# software id = DKFZ-NRVU
#
# model = RB760iGS
# serial number = HGV0ADM88JV
/interface bridge
add admin-mac=F4:1E:57:04:7B:E3 auto-mac=no comment=defconf name=bridge
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
/routing table
add fib name=to-ether3
add fib name=to-ether4
add fib name=to-ether5
/disk settings
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=sfp1
/interface bridge settings
set use-ip-firewall=yes
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=192.168.1.2/24 comment="To Teltonika #1" interface=ether3 \
    network=192.168.1.0
add address=192.168.2.2/24 comment="To Teltonika #2" interface=ether4 \
    network=192.168.2.0
add address=192.168.3.2/24 comment="To Teltonika #3" interface=ether5 \
    network=192.168.3.0
/ip dhcp-client
# Interface not active
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan type=A
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=mark-routing chain=prerouting dst-address=192.168.88.1 dst-port=\
    8001 new-routing-mark=to-ether3 protocol=tcp
add action=mark-routing chain=prerouting dst-address=192.168.88.1 dst-port=\
    8002 new-routing-mark=to-ether4 protocol=tcp
add action=mark-routing chain=prerouting dst-address=192.168.88.1 dst-port=\
    8003 new-routing-mark=to-ether5 protocol=tcp
/ip firewall nat
add action=masquerade chain=srcnat comment="NAT to Teltonika 1" \
    out-interface=ether3
add action=masquerade chain=srcnat comment="NAT to Teltonika 2" \
    out-interface=ether4
add action=masquerade chain=srcnat comment="NAT to Teltonika 3" \
    out-interface=ether5
add action=dst-nat chain=dstnat comment="Teltonika 1 Web" dst-address=\
    192.168.88.1 dst-port=8001 protocol=tcp to-addresses=192.168.1.1 \
    to-ports=80
add action=dst-nat chain=dstnat comment="Teltonika 2 Web" dst-address=\
    192.168.88.1 dst-port=8002 protocol=tcp to-addresses=192.168.2.1 \
    to-ports=80
add action=dst-nat chain=dstnat comment="Teltonika 3 Web" dst-address=\
    192.168.88.1 dst-port=8003 protocol=tcp to-addresses=192.168.3.1 \
    to-ports=80
/ip route
add comment="Route to Teltonika 1" disabled=no distance=1 dst-address=\
    192.168.1.1/32 gateway=0.0.0.0 routing-table=to-ether3 \
    suppress-hw-offload=no
add comment="Route to Teltonika 2" disabled=no distance=1 dst-address=\
    192.168.1.1/32 gateway=0.0.0.0 routing-table=to-ether4 \
    suppress-hw-offload=no
add comment="Route to Teltonika 3" disabled=no distance=1 dst-address=\
    192.168.1.1/32 gateway=0.0.0.0 routing-table=to-ether5 \
    suppress-hw-offload=no
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
    dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack6" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/routing rule
add action=lookup disabled=no routing-mark=to-ether3 table=to-ether3
add action=lookup disabled=no routing-mark=to-ether4 table=to-ether4
add action=lookup routing-mark=to-ether5 table=to-ether5
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

More reference threads (complete working example and related links):

This application is quite far from something “default” and you’re making several mistakes:

  • The instructions you followed are for a “bare” (unconfigured) device, not one that has the default configuration
  • The firewall is not correctly configured. I suggest turning the “filters” part off until you have your routing/natting in order
  • The above is part of why you can’t access the Mikrotik correctly. The other is that you probably will need a dhcp server on the thing to give addresses to your PC
  • Where you specify 192.168.1.1 (both in addresses and nat) you are configuring the addresses of the Mikrotik, which should be different than the Teltonika default - let’s say .5

Altogether, as you want this for work, it would maybe be best to ask a colleague with more networking experience to configure this?

Also linked in the thread is the final solution, which even has macro substitutions for the things that you want - maybe use that?


Well, you have more than one thing mixed up.
You are seemingly following the method in the post lurker888 suggested, but when you follow a method, follow it completely.
The Teltonika devices that you connect (respectively) to ether2, ether3 and ether4 will have address 192.168.1.1.
So assign to ether2, ether3 and ether4 addresses 192.168.1.2/24, 192.168.1.3/24, 192.168.1.4/24 (you can add to all of them the same address, say 192.168.1.100, but it will be easier to get confused).
Then you are connecting to the Hex S via ether1, so you need to assign to ether1 192.168.88.1.
You have NO bridge in your configuration (which is good) but then you assign IP addresses 192.168.88.1, .2, .3 and .4 to the bridge (with a /32 netmask, that makes little sense).
You have the mangle rules in pre-routing that mark connections with destination 192.168.88.2, .3 and .4, OK.
Where are the other mangle rules?
You have the routing rules that send marked packets to the specific table, OK.
You have the dst-nat rules that change on the fly the destination addresses to 192.168.1.1, OK.

Compare again your setup with the one linked to by lurker888 or - possibly easier - with the “final” version posted here:

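As an added worked example (my own, not code posted by anyone in this thread and not from MikroTik or Teltonika): a RouterOS 7 configuration for the hEX S that keeps the port-per-router form of the first post (192.168.88.1:8001/8002/8003) but applies the corrections the two replies above describe: every dst-nat targets the same factory address 192.168.1.1, each Teltonika-facing port carries a distinct hEX S address (.2/.3/.4, never the Teltonika's .1), each routing table holds a single /32 route to 192.168.1.1 via its own port, and the device starts without the default configuration (no bridge, no defconf firewall). The port assignments (workstation on ether1, Teltonikas on ether3/4/5), the table and list names, the DHCP pool and the firewall rules are assumptions of this example.

```routeros
# Added example (not from this thread): hEX S reaching three Teltonika routers
# that all keep the factory address 192.168.1.1, one per port.
# Assumed layout: workstation on ether1 (192.168.88.0/24); Teltonika 1/2/3 on
# ether3/ether4/ether5; applied to a device reset with no default config
# (/system reset-configuration no-defaults=yes), so there is no bridge and no
# defconf firewall in the way.

/interface list
add name=Teltonika-Ports
/interface list member
add interface=ether3 list=Teltonika-Ports
add interface=ether4 list=Teltonika-Ports
add interface=ether5 list=Teltonika-Ports

# Same subnet on every Teltonika port, but a different hEX S host address on
# each, so the hEX S never claims the .1 the Teltonikas are using.
/ip address
add address=192.168.88.1/24 interface=ether1 comment="workstation side"
add address=192.168.1.2/24 interface=ether3 comment="hEX S side of Teltonika 1"
add address=192.168.1.3/24 interface=ether4 comment="hEX S side of Teltonika 2"
add address=192.168.1.4/24 interface=ether5 comment="hEX S side of Teltonika 3"

# DHCP for the workstation, so it gets an address without manual setup.
/ip pool
add name=ws-pool ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add name=ws-dhcp interface=ether1 address-pool=ws-pool
/ip dhcp-server network
add address=192.168.88.0/24 gateway=192.168.88.1

# One routing table per port. Each table knows exactly one way to 192.168.1.1,
# so a marked packet can only leave through its own port.
/routing table
add fib name=to-teltonika1
add fib name=to-teltonika2
add fib name=to-teltonika3
/ip route
add dst-address=192.168.1.1/32 gateway=ether3 routing-table=to-teltonika1
add dst-address=192.168.1.1/32 gateway=ether4 routing-table=to-teltonika2
add dst-address=192.168.1.1/32 gateway=ether5 routing-table=to-teltonika3
/routing rule
add routing-mark=to-teltonika1 action=lookup-only-in-table table=to-teltonika1
add routing-mark=to-teltonika2 action=lookup-only-in-table table=to-teltonika2
add routing-mark=to-teltonika3 action=lookup-only-in-table table=to-teltonika3

# The workstation picks a Teltonika by TCP port on the hEX S's own address:
# 192.168.88.1:8001 -> ether3, :8002 -> ether4, :8003 -> ether5.
# Mangle runs before dst-nat in prerouting, so it still sees ports 8001-8003.
/ip firewall mangle
add chain=prerouting in-interface=ether1 protocol=tcp dst-address=192.168.88.1 \
    dst-port=8001 action=mark-routing new-routing-mark=to-teltonika1 passthrough=no
add chain=prerouting in-interface=ether1 protocol=tcp dst-address=192.168.88.1 \
    dst-port=8002 action=mark-routing new-routing-mark=to-teltonika2 passthrough=no
add chain=prerouting in-interface=ether1 protocol=tcp dst-address=192.168.88.1 \
    dst-port=8003 action=mark-routing new-routing-mark=to-teltonika3 passthrough=no

# All three dst-nat rules target the SAME address, 192.168.1.1: the routing
# mark, not the address, decides which port the packet leaves on.
/ip firewall nat
add chain=dstnat in-interface=ether1 protocol=tcp dst-address=192.168.88.1 \
    dst-port=8001 action=dst-nat to-addresses=192.168.1.1 to-ports=80
add chain=dstnat in-interface=ether1 protocol=tcp dst-address=192.168.88.1 \
    dst-port=8002 action=dst-nat to-addresses=192.168.1.1 to-ports=80
add chain=dstnat in-interface=ether1 protocol=tcp dst-address=192.168.88.1 \
    dst-port=8003 action=dst-nat to-addresses=192.168.1.1 to-ports=80
# Source NAT to the hEX S address on the egress port, so each Teltonika replies
# to a neighbour on its own cable and never needs a route to 192.168.88.0/24.
add chain=srcnat out-interface=ether3 action=src-nat to-addresses=192.168.1.2
add chain=srcnat out-interface=ether4 action=src-nat to-addresses=192.168.1.3
add chain=srcnat out-interface=ether5 action=src-nat to-addresses=192.168.1.4

# Bench firewall: manage the hEX S only from the workstation port, forward only
# the dst-nat'ed flows towards the Teltonika ports, and nothing from a
# factory-fresh Teltonika back towards the hEX S or the workstation.
# No fasttrack rule on purpose: fasttracked packets skip mangle, so later
# packets of a connection would lose their routing mark.
/ip firewall filter
add chain=input connection-state=established,related action=accept
add chain=input connection-state=invalid action=drop
add chain=input in-interface=ether1 action=accept comment="management from workstation"
add chain=input action=drop
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward in-interface=ether1 out-interface-list=Teltonika-Ports \
    connection-nat-state=dstnat action=accept
add chain=forward action=drop

# Checks: each table must hold exactly one route to 192.168.1.1, and a browser
# hit on :8002 must bump the counter of the second mangle rule only.
/ip route print where routing-table=to-teltonika2
/ip firewall mangle print stats
```

Two things to check on the bench: if the routing mark is missing or matches two tables, 192.168.1.1 is reachable through three connected routes in the main table and the packet may leave on the wrong port, so the mangle counters and the per-table `print` above are the first place to look; and if a Teltonika's web UI redirects the browser to another port (for example HTTPS), repeat the mangle and dst-nat pair for that port as well, since only the mapped port is translated.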