Hi, I just got a hEX router and am trying to setup a VLAN with it.

my current network setup looks something like this

ISP fiberbox -> hEX -> unmanaged 8 port switch(basically port expander?) -> NAS,PC,gaming console, wifi,IOT stuff/etc

I want to assign each physical ethernet port(so 4 vlans?) seperate lan addresses for use with IOT(no access to wan) /// guest wifi,gaming console(no access to lan) /// family wifi, NAS,PC(no restriction) /// expreimental server linux stuff

I was reading up on VLAN manual(https://help.mikrotik.com/docs/display/ ... VLAN+Table) and was confused with vlan tagging.

All the diagrams showed a vlan aware switch in between which had untagged inputs and tagged output to router.

For my setup ,with only hEX being vlan aware, do i tag the ports coming in from devices(unmanaged switch) or untag them? and what about the WAN port(ether1)?

My config for two vlans, 10vlan and 200vlan.
10vlan on ports 2,3,4 and 200vlan(tagged) on port 5 only


model = RB750Gr3
# serial number = XXXXXX
/interface bridge
add name=bridge vlan-filtering=yes
/interface ethernet
set [ find default-name=ether2 ] disabled=yes
/interface vlan
add interface=bridge name=10vlan vlan-id=10
add interface=bridge name=200vlan vlan-id=200
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=10pool ranges=192.168.10.100-192.168.10.200
add name=200pool ranges=192.168.200.100-192.168.200.200
/ip dhcp-server
add address-pool=10pool disabled=no interface=10vlan name=10dhcp
add address-pool=200pool disabled=no interface=200vlan name=200dhcp
/interface bridge port
add bridge=bridge comment=defconf interface=ether2 pvid=10
add bridge=bridge comment=defconf interface=ether3 pvid=10
add bridge=bridge comment=defconf interface=ether4 pvid=10
add bridge=bridge comment=defconf interface=ether5 pvid=10
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge tagged=bridge untagged=ether2,ether3,ether4 vlan-ids=10
add bridge=bridge tagged=bridge,ether5 vlan-ids=200
/interface list member
add interface=ether1 list=WAN
add interface=200vlan list=LAN
add interface=10vlan list=LAN
/ip address
add address=192.168.10.10/24 interface=10vlan network=192.168.10.0
add address=192.168.200.10/24 interface=200vlan network=192.168.200.0
/ip dhcp-client
add disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.10.0/24 gateway=192.168.10.10
add address=192.168.200.0/24 gateway=192.168.200.10
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/system clock
set time-zone-name=Pacific/

If the rest of LAN gear doesn't support VLANs, then quite probably introducing VLANs on hEX won't do any good.

If you want to separate devices into several LAN subnets, you can't have different subnets behind same unmanaged switch because that device alone will allow end devices to communicate directly and router can't prevent it.

Please explain your plans in plain English so we can advise you how to proceed towards your goal.

Topic more or less similar to your problem
viewtopic.php?p=982567#p982567

Good advice all around.
VLANS
1 trunk port can carry multiple vlans, heading towards another smart device that can read vlan tags
2 access port can carry only one vlan and its untagged, heading towards a dumb device that cannot reat vlan tags
3. hybrid port, can carry only one untagged vlan but as many tagged vlans as needed, heading to a smart device as in 1, or a device that requires hybrid incoming.

THus in your case you will have all your ports untagged and each port will only be able to carry untagged one vlan.
Therefore you could also configure the router by assigning subnets directly to each etherport for example.
Vlans are useful in terms of configuring firewall rules and because generally speaking, due to the cheap prices of managed switches most people gravitate to getting them to solve the issues you are trying to solve.........

@anav, didn't you mean
3. hybrid port, can carry one untagged vlan but as many tagged vlans as needed, heading to a smart device as in 1, or a device that requires hybrid incoming.

yes thanks much clearer.......

Sorry for late response, had a major outages here and there...

If the rest of LAN gear doesn't support VLANs, then quite probably introducing VLANs on hEX won't do any good.

If you want to separate devices into several LAN subnets, you can't have different subnets behind same unmanaged switch because that device alone will allow end devices to communicate directly and router can't prevent it.

Please explain your plans in plain English so we can advise you how to proceed towards your goal.

Sorry language is not my strong suite...
What I want to achieve is each non-WAN port on hEX having seperate lan address space, and I have several of these 'dumb' switches that I could connect to each of the non-wan ports to get more ports for each of the new lan spaces. Of course I will not try to interconnect the dumb switches to each other...

Good advice all around.
VLANS
1 trunk port can carry multiple vlans, heading towards another smart device that can read vlan tags
2 access port can carry only one vlan and its untagged, heading towards a dumb device that cannot reat vlan tags
3. hybrid port, can carry only one untagged vlan but as many tagged vlans as needed, heading to a smart device as in 1, or a device that requires hybrid incoming.

THus in your case you will have all your ports untagged and each port will only be able to carry untagged one vlan.
Therefore you could also configure the router by assigning subnets directly to each etherport for example.
Vlans are useful in terms of configuring firewall rules and because generally speaking, due to the cheap prices of managed switches most people gravitate to getting them to solve the issues you are trying to solve.........

If there is no major downsides of using only a untagged one vlan on each non-wan port I would not mind. what I was wondering was if it even was possible to seperate the lans without additional vlan-aware equipment.

Topic more or less similar to your problem
viewtopic.php?p=982567#p982567

I am guessing the 'Router-Switch-AP (all in one)' scenario is the closest to my situation from your link-recursion to vlan explanation post?
I did skim over that post before but was confused on whether the 'dumb' switches would cause any trouble in the link.

What I want to achieve is each non-WAN port on hEX having seperate lan address space, and I have several of these 'dumb' switches that I could connect to each of the non-wan ports to get more ports for each of the new lan spaces.

If this is so, then use router's ports as completely independent interfaces (no VLANs needed whatsoever):

1. decide which ethernet port will carry LAN which will be used for management. For sake of this exercise let's say it will be ether2.
2. connect to router via any of LAN ports except for the future management port, let's say you'll use ether3 this time
3. remove ether2 from bridge. Configure IP address (different subnet from what you currently have), add DHCP server (complete with pool etc.)
   Configure firewall filter rules. If your current firewall is still largely based on default, then add ether2 interface to interface list LAN
4. connect to router via ether2. Enter safe mode (google it if you don't know how to enter it)
5. remove all remaining ether ports from bridge. Remove IP address from bridge, remove any other IP setup (DHCP server, ...) which binds to bridge. Remove bridge from interface list LAN.
6. finally remove bridge.
7. if management connection didn't break (meaning you didn't do anything excessively wrong), exit safe mode.

Now you have etherX ports which can be configured as separate interfaces, each with different VLAN subnet.

Note that default firewall filter isn't exactly made for multiple LAN subnets, so you'll have to do something about it. E.g. by default, firewall lets all LAN subnets to communicate with each other. If that's not what you want, you'll have to add firewall filter rules (or firewall raw rules, but I suggest filter rules if you don't know exactly what you're doing) which will selectively block some of those communication. Etc. Also note that interface list LAN is slightly special in default firewall setup as it allows (unlimited) connectivity to router itself. You probably don't want to allow it from all of subnets, so don't blindly add all subnets to LAN interface list.

Using "physical subnets" approach, as outlined above, has its merits (more straight-forward physical infrastructure), but also lacks flexibility - leading to need for more physical infrastructure, e.g. need for multiple parallel cables towards "remote" switches, need for more switches (one per LAN), also more physical work when one wants to move a device from one LAN to other one. In today's world, using VLANs in such scenarios is more common.

1. decide which ethernet port will carry LAN which will be used for management. For sake of this exercise let's say it will be ether2.
2. connect to router via any of LAN ports except for the future management port, let's say you'll use ether3 this time
3. remove ether2 from bridge. Configure IP address (different subnet from what you currently have), add DHCP server (complete with pool etc.)
   Configure firewall filter rules. If your current firewall is still largely based on default, then add ether2 interface to interface list LAN
4. connect to router via ether2. Enter safe mode (google it if you don't know how to enter it)
5. remove all remaining ether ports from bridge. Remove IP address from bridge, remove any other IP setup (DHCP server, ...) which binds to bridge. Remove bridge from interface list LAN.
6. finally remove bridge.
7. if management connection didn't break (meaning you didn't do anything excessively wrong), exit safe mode.

Thank you for detailed guide steps!

Since I won't be needing to move the devices from one lan to another that often(if ever) this could be the solution i was looking for.

I will try them out over the weekend and see if I can get it to work.

Etc. Also note that interface list LAN is slightly special in default firewall setup as it allows (unlimited) connectivity to router itself. You probably don't want to allow it from all of subnets, so don't blindly add all subnets to LAN interface list.

Are these special settings all defined via the firewall filter rules that are default loaded into the router?

Are there any other settings besides the filter rules that make this LAN interface list special?

Special consideration of LAN interface list is only due to firewall settings (default) and tools mac-server. Otherwise LAN interface list is no magic. Well, perhaps the "detect internet" does something about it, this one is magic to everybody, it's just not clear if it's a good magic or black magic (many lean towards the later).

What I want to achieve is each non-WAN port on hEX having seperate lan address space, and I have several of these 'dumb' switches that I could connect to each of the non-wan ports to get more ports for each of the new lan spaces

You want to do something like this?

You want to do something like this?
rb750 vlans 4.jpg

Yes.

For this setup, you need "smart" switch, or simply put, switch that can separate VLANs.
When you get one, you can then assign VLANS on ports.

For the scenario that skelder talks about, where each phyiscal port will have its own subnet, the suggestion by mkx is the most straight forward.

It could also be done with a vlan-filtering bridge device where each bridge port was configured as an access port. This would be identical in functionality, the only difference being the naming of the interfaces.

The only time a vlan-aware switch would be needed is if you wanted to have access to two different subnets from the far end of a trunk link.

But connecting dumb switches to access ports is never a problem. And with most dumb switches made in the last 15 years, they are vlan-transparent. They just don't care what is in the ethertype field after the src mac address. So if you plug a dumb switch into a trunk port, you will get an identical trunk prot coming out of the other switch ports on the dumb switch. Not a recommendation, just an observation.

*Use at own risk*
I'm a novice at this stuff so,
do not know if firewall rules are right, they are just default*,
do not know if lans are isolated.
someone else may know better.

Four subnets
Gives 4 networks, networks default, 30, 40 amd 50, one on each lan port, dhcp 253 addresses each network.

This is tested and works with dumb switch.

Connect to router using ether2
Reset with default config
login in and remove ethers 3, 4 and 5 from Bridge>Ports

***Router is only accessible by connecting through ether 2
after the below is pasted into terminal.***

/interface bridge
add name=bridge30_network
add name=bridge40_network
add name=bridge50_network
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool3 ranges=192.168.30.2-192.168.30.254
add name=dhcp_pool4 ranges=192.168.40.2-192.168.40.254
add name=dhcp_pool5 ranges=192.168.50.2-192.168.50.254
/ip dhcp-server
add address-pool=dhcp_pool3 disabled=no interface=bridge30_network name=dhcp30_network
add address-pool=dhcp_pool4 disabled=no interface=bridge40_network name=dhcp40_network
add address-pool=dhcp_pool5 disabled=no interface=bridge50_network name=dhcp50_network
/interface bridge port
add bridge=bridge30_network interface=ether3
add bridge=bridge40_network interface=ether4
add bridge=bridge50_network interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.30.1/24 interface=bridge30_network network=192.168.30.0
add address=192.168.40.1/24 interface=bridge40_network network=192.168.40.0
add address=192.168.50.1/24 interface=bridge50_network network=192.168.50.0
/ip dhcp-client
add disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.30.0/24 gateway=192.168.30.1
add address=192.168.40.0/24 gateway=192.168.40.1
add address=192.168.50.0/24 gateway=192.168.50.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/system clock
set time-zone-name=Pacific/Auckland

I think I did manage to achieve what I wanted by following the mkx's instructions.

Had to try few times due to fat fingering some settings, but I think I got it to "work". For now at least.

Config for four vlan on hex

Four dhcp servers.

Wan ether1

ether 2 100vlan
ether 3 150vlan
ether 4 200vlan
ether 5 250vlan

Can use dumb switch from any lan ether and clients will all get address from corresponding pool.

[admin@MikroTik] > export
# mar/09/2023 00:24:18 by RouterOS 6.49.7
# software id = Uxxxxx
#
# model = RB750Gr3
# serial number = xxxxx
/interface bridge
add name=bridge vlan-filtering=yes
/interface vlan
add interface=bridge name=100vlan vlan-id=100
add interface=bridge name=150vlan vlan-id=150
add interface=bridge name=200vlan vlan-id=200
add interface=bridge name=250vlan vlan-id=250
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=100pool ranges=192.168.100.20-192.168.100.49
add name=150pool ranges=192.168.150.20-192.168.150.54
add name=200pool ranges=192.168.200.10-192.168.200.34
add name=250pool ranges=192.168.250.20-192.168.250.29
/ip dhcp-server
add address-pool=100pool disabled=no interface=100vlan name=100dhcp
add address-pool=150pool disabled=no interface=150vlan name=150dhcp
add address-pool=200pool disabled=no interface=200vlan name=200dhcp
add address-pool=250pool disabled=no interface=250vlan name=250dhcp
/interface bridge port
add bridge=bridge comment=defconf interface=ether2 pvid=100
add bridge=bridge comment=defconf interface=ether3 pvid=150
add bridge=bridge comment=defconf interface=ether4 pvid=200
add bridge=bridge comment=defconf interface=ether5 pvid=250
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge tagged=bridge vlan-ids=100
add bridge=bridge tagged=bridge vlan-ids=150
add bridge=bridge tagged=bridge vlan-ids=200
add bridge=bridge tagged=bridge vlan-ids=250
/interface list member
add comment=defconf interface=ether1 list=WAN
add interface=100vlan list=LAN
add interface=150vlan list=LAN
add interface=200vlan list=LAN
add interface=250vlan list=LAN
/ip address
add address=192.168.100.1/24 interface=100vlan network=192.168.100.0
add address=192.168.150.1/24 interface=150vlan network=192.168.150.0
add address=192.168.200.1/24 interface=200vlan network=192.168.200.0
add address=192.168.250.1/24 interface=250vlan network=192.168.250.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.100.0/24 dns-server=8.8.8.8 gateway=192.168.100.1
add address=192.168.150.0/24 dns-server=8.8.8.8 gateway=192.168.150.1
add address=192.168.200.0/24 dns-server=8.8.8.8 gateway=192.168.200.1
add address=192.168.250.0/24 dns-server=8.8.8.8 gateway=192.168.250.1
/ip dns
set servers=8.8.8.8
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/system clock
set time-zone-name=Pacific/Auckland
[admin@MikroTik] >

YES, you can attach a dumb switch to any of the ports.
You have set it up such that ether2 will tag all data coming from the switch with vlan100 and then UNTAG all the traffic coming out of the router back to the switch.
Therefore it works just fine. All devices on ether2 behind the switch will get dhcp on vlan100.

Rinse and repeat for each port 3-150, 4-200, 5-250

Just a note that since you are running v6.49.x and not v7.2+ the vlan-filtering bridge is all software based. So you will see a performance degradation compared to using ether2 - ether5 directly. But since you have only one port per vlan, you probably won't be able to measure the difference because all inter-vlan traffic will have to pass through the CPU anyway to be routed. If you had two ports that were members of the same vlan, and traffic was being "bridged" at layer 2, that is where you would notice the difference.