Using ONE ETHERPORT for ANOTHER LAN

What I want to do is set Ether4 as a separate port that doesn’t access the internal default LAN of the mikrotik which accesses the internet through the WAN port ether1.
In other words a fairly standard home setup with ether1 being the WAN (cable modem), and ether 2,3,5 being DHCP served as clients by the Mikrotik gateway.
With ether4 I want to be tapping into another LAN provided by another router and a different provider.
So Ether 4 will get its IP pull from the other router. Ether 4 does not require any firewall rules.
However Ether 4 should be as separated as possible from anything else on the mikrotik…

Right now they are all single bridge (default bridge1)
They are all the same LAN well at least on the interface list the defaut LAN is connected or associated with the default bridge.
It appears they are all on the same switch.

Pure guesswork…
a. do I create a new bridge (call it bridge2) and associate ether4 to the bridge2?
b. do I create another LAN and associate this LAN with Bridge2?
Both of the above seemed easily done but what confuses me is that there is no way to name the new LAN and the fact that they are all still on the same switch (no way to designate a diff switch configuration other than vlans).

This is a test environment, eventually it will be the primary device as ether5 will become a WAN2, with load balancing only in case of failure of WAN1. However I will have some policy routes at least one for email to use the second WAN. (but far from there yet LOL).

• You don’t need another bridge, it can be just single interface (remove it from original bridge).
• LANs don’t need names to work. But if you want one, you can rename the interface.
• Even if interfaces are physically connected to same switch chip, it doesn’t mean they have to be switched. It’s configurable.

Much thanks sob, just trying to work through the ambiguities in my knowledge.

So each etherport is actually a totally separate interface and its the default config of attaching them to a bridge and then associating a LAN to that bridge which creates the working default wan to lan network (well plus the needed default fw rules).

Thus, simply removing ether4 from the existing original bridge is all that is required in terms of bridge manipulation?

It is not clear to me how to ensure the interface, the ether4, will then react when connected to my home LAN?

It is not clear to me if you are saying it needs its own LAN or not as you talk about them needing names or not but that I can name a LAN, which I have not discovered where to do this?

Also its not clear to me where you configure the switch to decouple interfaces.

Yes, removing interface from bridge will make it single independent interface (*). Then when you connect it to another network, it won’t initially react at all. You’ll need to add IP address, either static one or add DHCP client for that interface to get it automatically from network’s DHCP server, if there is one.

About the “name” for LAN, I assumed you mean name of interface (like “bridge-local”). And that doesn’t really matter, everything will work fine if the other one stays “ether4”. But perhaps by “name” you mean something different?

(*) Configuration depends on RouterOS version. Current one uses bridge and it transparently configures switch chip. Older versions had master-port option for interfaces.

Thanks Sob,
I do have on the quick set page a good depiction of what is setup.
I have my cable (ISP) connection and the default LAN setup .88.1 showing etc…

Frustrations continue…
What I did do is uncheck the box that states bridge all LAN ports on the quickset page. I’m assuming this is step one in ensuring ether4 is not connected to the other interfaces.
Please confirm?

Also would it be fair to say that unchecking this box would break any convenient connection or efficiency of using the existing LAN interfaces (flowing traffic from one device on the hex lan to another device on the same hex lan, for example if they happened to be connected physically to diff ports, lets say ether 2 and ether 3. However, they would still be able to communicate with each other, but at the router level vice the switch level and thus more of a load on the CPU?

The problem I was having was actually how to remove ether4 from the original default bridge itself. At first the solution was in creating a new bridge and a new LAN and moving/connecting ether4 to the new bridge/lan. When I removed the new bridge and LAn, based upon the advice, I realized why I created the new bridge and LAN, as I see no other way to remove the interface from the bridge. Until I thought, why not remove the interface altogether from the interface page, but that didn’t bear fruit as there is no working minus sign here, the best I could do was disable it and I don’t think that is the right path.

I tried adding an IP address in the IP address entry block (using the format of the home LAN, vice the default hex lan gateway pool) and much to my disgust, that IP address appeared in the QUICKSET page as the DHCP address of the Hex router replacing the 192.168.88.1. So I realized just adding a LANIP (that I wanted ether4 to have from the home router pool) was not working right. I am now really confused because I explicitly identified/associated the new IP address with ether4, and not the bridge???

My conclusion is that I am missing a key step?

I then said, lets try the add DHCP client approach. It seemed pretty easy to identify the DHCP client to ether4 on the pull-down menu. However it is not clear what to do with the checked boxes of peer DNS and peer NTP. Are these telling the interface to ignore the new LAN DNS and NTP information and use the existing HEX LAN ones OR the reverse, or something different? Route? Huh, if I am on a lan why would I need to route anywhere, shouldn’t the connection be automatic to the gateway of the homelan that is providing the dhcp client with a lanip? In any case this didn’t work either, I kept getting a "Couldn’t add a DHCP client - cannot run on a slave interface (6).

All easily solved by taking a sledgehammer to the box but not there yet. I cannot be the first person to want to while developing the rules for the router to be able to play with the settings but coming into the router from a different LAN. Is there a FAQ or help guide I should be looking at instead of asking a zillion probably ridiculous questions.

Oops, QuickSet… I’m affraid that I don’t know enough about it, except that it’s for basic initial setup and doesn’t handle more advanced scenarios well. And yours could already be too advanced for it. Also, once you change anything outside of QuickSet, you should not return to it anymore.

About DHCP, if you want to keep your original setup (LAN & WAN) and just connect to another LAN, then uncheck all options for DNS, NTP and default route (checked = it should be used, unechecked = it should not).

If you got “Couldn’t add a DHCP client - cannot run on a slave interface (6)”, then it looks like you didn’t remove that port from bridge. Or maybe it’s still in that other (unnecessary) bridge you created? If that’s the case, then either add DHCP client to the other bridge, or remove the interface from there too and you’ll be able to add DHCP client to interface itself.

One more thing, even if you succeed with this, you still won’t be able to access devices in the other LAN from your LAN. You’ll be able to access them (e.g. ping) only from router. That’s because by default, devices in the other LAN won’t know where to find your LAN. You’ll have to add static route for that, either to each device in other LAN, or better to other LAN’s gateway router. Destination will be 192.168.88.0/24 and gateway whatever address your router gets from DHCP (which would be better later changed to static).

Okay,

1. Still need an answer on the function/ramifications of unchecking the box that says bridge all LAN ports, that is on the quickset page.

2. I do not understand your last comment and I am thinking its perhaps its me that has not been clear… in fact, I see issues in my request.

Thus let me define the requirements more clearly.
a. WAN port connected to Cable Modem (already in effect, I have a wall jack and cable connected to ether1, that is connected to cable modem in garage)
b. Maintain current HEX LAN on ether2 (already in effect, I can plug my PC in this port, grab a HEX LANIP and use winbox and access the net, and am subject to HEX firewall rules and doublenat).
and here is the key difference… (kicking myself).
c. Be able to attach my PC to the hex router but pull an IP address from the HOMELAN router
i. attach an ethernet cable from a homelan switch to ether4
ii. attach my pc via ethernet cable to ether3 and access the homelan coming in on ether4.
iii. assumption is that my pc connection via ether3 will be through my homelan router (no double nat and homelan firewall rules apply).
iv. assumpting and question, will I still be able to administer the hex router from ether3 (via winbox)??

So, in practical terms, what I think I need to do is…
A. place ether3 and ether4 on the same bridge.
B. somehow tell ether3 to route to ether4
C. s_omehow convert ether4 to nothing more than like an unmanaged switch port_

Such that when I plug my PC into ether3, it pulls an IP from the HOMELAN coming in on ether4.
I hope this is much clearer for you as it is for me, I was muddling through in my thinking to accomplish both functions on one interface,

I am in effect attempting to replicate what I am doing now as I plug my computer back and forth from the HEX (ether2) and the AP/switch I have in the room.
I want to be able to simply do the same but by plugging the cable from ether2 to ether3 on the hex. Move the AP/switch functionality in the room to ethers 3,4 on the hex.
The main reason for now is that I want the full capability of functionality on my PC (no doublenat etc) but still be able to access the HEX for programming via winbox.
(Besides, this is an excellent exercise to understand some of the basic functionality and manipulation of the HEX unit).

I really don’t know about QuickSet settings, perhaps it will break the existing bridge into individual interfaces? Easiest way is to just say good bye to QuickSet and forget about it. It’s really just for a quick start.

And next step, you already know what to do. Create second bridge (named e.g. bridge-homelan) and add ether3 and ether4 as its ports. Bridge works like a switch. So if you have HOMELAN plugged into ether4, the PC plugged into ether3 will work exactly as if you’d plug it into HOMELAN directly. You don’t need to do anything else, bridge doesn’t do routing. To access HEX from PC, you could either use WinBox and connect to MAC address, or add an address (static or using DHCP) from HOMELAN range to bridge-homelan and use that.

Partial Success!

I created a new Bridge called Home_Lan.
I assigned the interfaces of ether3 and ether4 to the bridge.
I now can plug in a cable from my home lan into ehter4 and the cable from PC into ether3 and am connected to the HOME LAN !!

However, I cannot seem to find a way to access the mikrotik in terms of managing the setup.
I tried adding an IP address 192.168.x.1/24 and assigned this to ether3 (the port I plug my PC into).
I was hoping I would be able to access the HEX via winbox. It is searching for the gateway IP of the hex by the way..
I didnt see a way to search by mac address.
Refreshing winbox does not discover the hex.
What else should I be doing??

I can think of two other possible paths.
a. static route on the home lan router that details the hex gateway LANIP OR
b. maybe the default firewall rules on the HEX router are preventing non-lan IP to HEX LANIP traffic ???

As Sob said, put an ip address to bridge->Home_Lan (static or from DHCP) and don’t assign an ip to Ether3.
You can also connect with MAC address from winbox. Check the tab Neighbors and choose the Mac address

Hi JB,
Im not quite getting your solution.

Ive tried both Ip address and dhcp and made zero progress.

Just so its clear…

1. attach an IP address to the bridge!! (not the interface).
2. the ip address should be the home-lan like 192.168.1.0/24

I am not at the unit and thus have to ask, can an IP address be associated with a bridge?

Side question. What is the function of LAN entries.
One seems to be able to add LANS but there is no way to name them, its like one ends up with a list of LANS
LAN
LAN
LAN

Yes. Is your pc have an IP address from 192.168.1/0/24 range?

Yes of course. A bridge is an interface (like ether3)

Where you see those LAN entries?

Hi JB,
Found the culprit, it was way back, i had changed a default on the quickset page, a checkbox that said bridge all LAN. I had unchecked it.
I checked it and right away got connectivity to my HEX while on the homelan through winbox.
I disabled my fw rule and my IP address and it still worked so I knew it was that single item.

However now I want to practice fw rules and see if they can be applied in this case. I have this what some would call leakage between two lans LOL.
I want to allow the winbox through this connection but block everything else. Something like.

Input Rule -
destination: 192.168.88.1
src: my pc 192.168.0.yy
dest port: winbox port being used
src port: winbox port being used
protocol: tcp I assume

In Interface: HOMELAN
Actions: Forward.

Followed by what I assume will be an input drop rule.
Input rule-
destination: 192.168.88.1
src: HOMELAN
dest/source ports: how do I indicate all ports?
protocol: how do indicate both tcp and udp?

In Interafce: HOMELAN
Action: Drop

Few quick pointers:

• Traffic through router (forwarded from one onterface to another) goes in forward chain
• Traffic to router itsef (e.g. WinBox connections) goes in input chain
• For rule to match all ports, keep dst-port option empty (no limit = matches all), same for protocol
• Be safe, before you add drop rule somewhere, either make it only log rule first (see what it catches and only if you’re sure it’s ok, turn it into drop rule) or use Safe Mode (there’s button in WinBox)

Also you might consider posting output of “/export hide-sensitive” (run in Terminal), because it’s hard to guess what you might have there now.

Hi Sob,

Thanks for your patience!

In this case I believe what I want to do, before making any rules is being clear on the intent.
Requirement1: BLOCK ALL HOMELAN TO HEX LAN TRAFFIC (forward?)
Requirement2: BLOCK ALL HOMELAN TO HEX ROUTER TRAFFIC (input?)
Requirement2: ALLOW ONLY WINBOX ACCESS TO HEX ROUTER FOR CONFIG MGMT PURPOSES FROM HOMELAN ( specific service ?)
Requirement3: ABILITY TO LIMIT WINBOX ACCESS BY HOMELAN devices by creating a HOMELAN GROUP (consisting of one or more defined addresses).

I want to understand if GROUP function is USED in mikrotik OS (for addresses and services), such that one can make rules that apply to groups be they routing rules or fiw rules or VPN rules etc… Does the router have an Object Oriented schema?

In regards to all ports/proticols etc - thanks for the TIP on empty entries matching all!!..

Just to confirm though,
0-65553 or so describes all ports as well right?
CHECKBOX checked to the left of a port selection, such as 8291 for example means all other ports except 8291 right??

The question I have is, If I am using the winbox and going from my pC on the HOMELAN to the hex router…
destination port is any port?
while src port is 8291?
(or do I have that reversed).

VNICE and practical, about the LOG RULE, so basically don’t accept or drop, but use LOG RULE to see what is transpiring!!! KEWL.

Yes, I back up my configs with /export backup or something like that.
What would the hide-sensitive be protecting?
Im assuming its for USERs and their passwords? Anything else?

Lets take a shortcut. Here are some rules to get you started:

/ip firewall filter
add action=accept chain=forward comment="allow established & related connections" connection-state=established,related
add action=drop chain=forward comment="drop invalid packets" connection-state=invalid
add action=accept chain=forward comment="allow traffic from LAN to internet" in-interface=<HEXLAN> out-interface=<WAN>
add action=accept chain=forward comment="allow forwarded ports" connection-nat-state=dstnat
add action=log chain=forward comment="log what will be blocked"
add action=reject chain=forward comment="block it" disabled=yes reject-with=icmp-admin-prohibited
/ip firewall nat
add action=masquerade chain=srcnat out-interface=<WAN>
/ip firewall address-list
add address=<IP address of your PC> list=winbox-allow
/ip firewall filter
add action=accept chain=input comment="allow established & related connections" connection-state=established,related
add action=drop chain=input comment="drop invalid packets" connection-state=invalid
add action=accept chain=input comment="allow ICMP (ping)" protocol=icmp
add action=accept chain=input comment="allow DNS for LAN clients" dst-port=53 in-interface=<HEXLAN> protocol=tcp
add action=accept chain=input comment="allow DNS for LAN clients" dst-port=53 in-interface=<HEXLAN> protocol=udp
add action=accept chain=input comment="allow WinBox access from selected addresses" dst-port=8291 protocol=tcp src-address-list=winbox-allow
add action=log chain=input comment="log what will be blocked" log-prefix="to be blocked"
add action=reject chain=input comment="block it" disabled=yes reject-with=icmp-admin-prohibited

It will allow devices connected to HEX LAN access internet and use router as their DNS resolver. It will also allow you to access WinBox. Everything else will be blocked (once you enable reject rules at the end).

Now, this is just one way of doing things. There are also others. One of those is default config you probably have now. You can’t say that one way is always clearly better than the other. Sometimes yes, sometimes no, it’s also the matter of personal preferences. Read the rules and try to understand what they do (both what I posted and what you have now). Once you start to understand the logic, it will become easy.

Other things:

• 0-65535 is all ports, but if you need to specify all ports, just keep the field empty
• checkbox with “!” is negation, so yes, it means everything except what you enter
• hide-sensitive option for export filters out passwords, not sure if other stuff too, but you can clear other secrets manually if you want (but don’t overdo it)

Please keep discussion responses in separate bins for clearer consumption

SECTION 1 DISCUSSION

Here is my FW rule grouping as it stand now.
So far I have been unable to block anything from the HOMELAN to HEX Router or HEX LAN, let alone block WINBOX.

The only connectivity I want from HOMELAN to the HEX side is my PC on the HOMELAN 192.168.0.xx, to reach the WINBOX at 192.168.88.1 via port 8291.

Explained
INPUT
0. passthrough forward rule (not listed below) - special dummy rule to show fast track counters

1. drop anything from blacklist (combines 3 lists)
2. drop anything from bad countries.
   (I gather the intent here is to prevent even scanning leakage??, same with 3)

3.4. A pair of bizarre telnet rules, apparently the second rule generates a firewall address list that the first rule then uses. From a reliable source, I just don’t understand it LOL, other than i probably detects port scans on telnet port and put them into a portscan list (I just looked and yup one is there) which populates a list that is read by the first rule for the next session, further it keeps the list for xx amount of days and then old dates fall off.

5. Drop rule for any invalid connection state traffic - not quite sure what this means but sounds good.
6. Accept ICMP
7. Accept valid traffic - (established,related, untracked" connection-state=established,related,untracked)??
8. Drop all traffic not coming from the LAN?

What exactly are 7,8 saying in laymans terms. Assuming 7 is saying, hey this return traffic is legit because it originated from behind the router, ie from the LAN? Assuming 8 is saying, this is traffic that is attempting to get into the router but didnt result from originating on the LAN??

What is the difference between 5 and 8??

FORWARD
0. fasstrack forward rule

1. Forward Valid outgoing traffic leaving LAN?? (accept established,related, untracked" connection-state=established,related,untracked)
2. forward vpn incoming to lan
3. forward vpn outgoing from lan
4. Do not forward send any invalid connection state traffic
5. Do Not Understand?
6. Do Not Understand?

I am thinking that there is a relationship between 5 and 7,8 above in input???

7 - other rules on blocking protocols and SSH details…

/ip firewall filter
add action=drop chain=input comment="blacklist block (adverts, roguedom, malware) " in-interface=Eastlink src-address-list=blacklist
add action=drop chain=input comment="Country Block" in-interface=Eastlink src-address-list=CountryBlock
add action=drop chain=input comment="INPUT Drop port scanners - TELNET" in-interface=Eastlink src-address-list="Port Scanners"
add action=add-src-to-address-list address-list="Port Scanners" address-list-timeout=2d chain=input comment="INPUT Telnet Port Scans" \
    dst-port=23 in-interface=Eastlink protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid log-prefix="invalid connection"
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN

add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid log-prefix="invalid connection"
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new \
    in-interface=Eastlink in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=xxxx  :-)
set api disabled=yes
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

SECTION 2 DISCUSSION

Houston I have a problem. After you have managed to make sense of the above…
A PC on my homelan, downstairs, was not able to print to my homelan printer. Family member cheesed off.

I discovered why, it had acquired a HEX LAN IP address!!
ONLY possible because I have AP/switch in my room plugged into ether4 of the HEx router and my pc plugged into Ether3 (to access HOMELAN myself).

Somehow the slippery hex monster flexed its tentacles out onto the HOMELAN and invaded my homeland (and homelan LOL).
THis has to stop!!
Suggestions?

Okay, I re-created a separate bridge on the HEX, put ether3 and 4 on the different bridge and this effectively stopped comms between the two LANS. Great but not what I want.
So if they have to be on the same bridge for my PC to access the HOMELAN and yet access the HEX via WINBOX - what are my options?

after reading there may be three
a. USE FW rule maybe - use-ip-firewall (yes | no; Default: no) Force bridged traffic to also be processed by prerouting, forward and postrouting sections of IP routing (Packet Flow). This does not apply to routed traffic.

If the above means I can stop interLAN traffic great but it doesnt appear to be the case.

b. USE HORIZONS, not sure how this feature works and if its applicable in this case.

c. use other PORT submenu options, STP etc, no discovery and others may hold some promise.


++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
SECTION 3 DISCUSSION

Okay now I am thinking that there is no way to do this except going the other way, ie external…
on my WINBOX I would type in the public IP of the HEX ROuter?

Setting up a fw rule on the HEX ROUTER with following logic,

WAN to HEX LAN rule.
PUBLIC IP Of zyxel router ALLOW
Service port 8291 ALLOW
(protocol tcp? udp?)
Destination HEX LAN
(or should I specificy the gateway address192.168.88.1??)

The only question is do I have the service right? Yes its port 8291 but its probably encrypted in some fashion so not sure what I would do with a firewall rule to cover that as well?

In other words If I want to manage the hEX from my homelan the only way to do it is go external to the WAN and back in so to speak.

That there is no way with all the POWER of this hex router (which is seeming more like a POS every day) to do otherwise???

1. Your firewall

INPUT:

• Telnet blocking - The idea seem to be that nobody uses telnet today, so anyone connecting to telnet port is up to no good. I don’t think it helps you much, because you don’t allow any connections from internet to router anyway.
• Same goes for your blacklists at the beginning, there’s really no point, because the only thing you block is ping, everything else would be blocked anyway.
• The connection-state option is related to conntrack, which is something that tracks all connections and understands which packets belong together. “Established” means e.g. tcp connection, or replies for udp, or even stream of icmp pings. “Related” is something that belongs to other connection, e.g. data connection for FTP (which uses new connection for every single file transfer or directory listing). “Invalid” are strange packets that don’t seem to belong to any existing connection, nor start the new one.
• Difference for input rules 5 and 8 is that 5 is global filter for invalid packets and 8 prevents new connections from everywhere except LAN.

FORWARD:

• Established and related was already explained. Untracked is traffic excluded from conntrack, and it’s something you need to do first, so it’s ok.
• Last rule drops all new connections from WAN, unless they are forwarded ports.

2. The evil HEX

No, not really, just configuration mistake. If any device in HOMELAN got address from HEX, the port/bridge with DHCP server must have been plugged in HOMELAN. It didn’t do it by itself.

To access HEX from HOMELAN, add address from HOMELAN range to HEX. Easiest way is by adding DHCP client to the bridge (the one with ether3-4). Uncheck all those options with gateway and DNS, and it will receive only address.

There are two ways how different LANs can be connected. One is if you put ports in same bridge. Definitely don’t do that, you already had this and it didn’t go well. If you now have two distinct bridges, one for each LAN, router will still try to connect them (remember, it’s router, it exists to route). And for routing, it will see each bridge as interface. So if you want to block this communication, add new rules in /ip firewall filter chain=forward, select one bridge as in-interface and the other as out-interface (swap them in second rule) and drop/reject the traffic.

And no, use-ip-firewall is not for you.

3. Plan B

It’s not necessary, but yes, you could manage HEX from outside:

/ip firewall filter
add action=accept chain=input protocol=tcp dst-port=8291 src-address=<zyxel public>

Thanks Sob,

To summarize, the trouble occurred because there was only the one default bridge in place, but with ether4 connected to my homelan via cable to a switch in my room and my PC on ether3, I could connect to the net via my homelan and connect to the HEX via WINBOX, but you are correct, TWO DHCP Servers creating conflicts or at least the HEX server leaking into my HOME LAN..

I understand if I create a separate bridge, for ether3,4 then there will be no leakage and I can access the HOMELAN BUT NOT the hex router via winbox.

I am just not clear on why assigning the new bridge on the HEX, a DHCP client function, - will enable me to access the HEX router via winbox, but I am willing to give it a go.
[I am thinking that it may have two purposes:
a. will prevent the HEX from attempting to DHCP serve through the new bridge?
b. will allow me to connect to the HEX because it establishes a type of connection to the hex router]

On the new bridge interface, should I uncheck disable peer DNS and peer NTP? As well:
Under GENERAL

• disable ARP
• select IGMP snooping

UNDER STATUS

• uncheck Root Bridge

OKAY for Bridge POrts themselves ether3,4 should I
UNDER GENERAL

• ignore horizon ( i thought this one could have been useful )
• uncheck HW offload

UNDER STP

• Leave Edge as AUTO
• Leave unchecked auto isolate / restricted Role / restricted TCN

For ether3, 4 interface, should I also

• disable ARP

(of note, the new bridge (named homelan bridge does pull a zyxel lan IP address now))
(more testing to follow)

Don’t overthink it. All you need is to put ether3 and ether4 together. A bridge with default settings is fine. As a general rule, stay away from setting you don’t understand.

DHCP client on new bridge is just an easy and safe way to get the right IP address (from HOMELAN range, which you can then use for connecting from your PC to HEX).

One more thing, you’re right, it really can’t work now. Sorry I missed it before. It’s because unless you add the new bridge to LAN interface list, this rule blocks the connection to WinBox from your PC:

/ip firewall filter
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN

So either do that, or just use another rule to allow your WinBox accces:

/ip firewall filter
add action=accept chain=input protocol=tcp dst-port=8291 src-address=<PC address>

And the order of rules matters, so it needs to go before the mentioned blocking one.