Hi,

I have purchased the hEX refresh Routerboard product to be configured as a switch!

I was searching for a similar "switch" product that runs Router OS but seems that this is the most economic quality Cost effficient product.

do you agree? does anyone have any suggestions?

ciao,
Antonio

Any hex device makes a great little managed switch that works great in a home setting or even an office setting.
If one is in a corporate setting where, for example, the same vlan spans two or more ports on the switch, to users that will be sending huge amounts of data back and forth across the switch, a proper managed switch is better. Typically though users on home or office switches are sending stuff over the internet or the volume across switch port to switch port on the same vlan, is not significant. In most cases 98% you should be fine.

hi Guru thanks!!

i will be connecting the out to internet of my NVR router to this switch to manage my hgome camera system with the app!

One flat network or vlans? diagram will help understand

I was looking for the same thing some time ago and arrived at a conclusion that hEX is indeed the least expensive switch with RouterOS. There are some limitations to keep in mind though.

Look at the table here for what EN7562CT is missing (e.g. no IGMP Snooping):
https://help.mikrotik.com/docs/spaces/R ... Offloading

And another table here (no ACL rules in hEX):
https://help.mikrotik.com/docs/spaces/R ... p+Features

It appears that a $40 CSS106/RB260 supports most of the missing switch features:
https://help.mikrotik.com/docs/spaces/S ... ies+Manual

However, it runs SwOS, therefore, very limited in other areas. The CSS106 also has an SFP port that could be very useful if you have fiber.

I have purchased the hEX refresh Routerboard product to be configured as a switch!

As a pure switch, I think the original RB750Gr3 is better than the hEX refresh.

On the other hand, if it is being used as a router with one port connected to the internet source and the other 4 ports as a switch for the LAN side, then the hEX refresh may be better.

If you are going to use the hEX refresh as a 5 port switch, then it would be best to put the least used device on ether1, since traffic to/from ether1 will have to be relayed by the CPU with the software bridge to be able to connect to the other 4 ports on the switch.

As a pure switch, I think the original RB750Gr3 is better than the hEX refresh.

On the other hand, if it is being used as a router with one port connected to the internet source and the other 4 ports as a switch for the LAN side, then the hEX refresh may be better.

If you are going to use the hEX refresh as a 5 port switch, then it would be best to put the least used device on ether1, since traffic to/from ether1 will have to be relayed by the CPU with the software bridge to be able to connect to the other 4 ports on the switch.

Exactly my findings as well !
Especially that port1 oddity already surprised quite a few.

It appears that a $40 CSS106/RB260 supports most of the missing switch features:
https://help.mikrotik.com/docs/spaces/S ... ies+Manual

However, it runs SwOS, therefore, very limited in other areas. The CSS106 also has an SFP port that could be very useful if you have fiber.

While it supports ACLs, I was never able to understand how to make them work other than for extremely simple things. There is essentially no documentation for the ACLs in SwOS. See Is there any SwOS ACL documentation with example?

SwOS can't initiate outbound tcp connections. There is no default gateway. It just hijacks the request packet tcp/ip headers and swaps src and dst ip addresses, mac addresses, and ports. It makes it easy to configure, but it is one of the reasons that updating the firmware requires assistance from a PC browser that is the initiator.

One flat network or vlans? diagram will help understand

right now i have a range extender in the basement bringing my main network from my ISP to my NVR , therefore i want to get rid finally of the range extender, i will now run a cat 8 ethernet cable to the basement from my ISP router in the kitchen and connect directly to the NVR. but my ISP router has only only one spare port so will connect the hEX as switch to this last port to get more port availability from my isp network.

what is this story about issues with port 1 on the heX?? i was thinking of connecting my isp router out to hex port 1 in and connecting my 30 mt cable to the basement on port 2. so here is a diagram:

ISP router -> (port1)hex(port 2)-> NVR

so basically will just follow these basic steps to create a simple switch:

• 1) Factory reset device with no default config
• 2) Create a new bridge and all add all ports to bridge
• 3) Set dhcp client to bridge

I have a question concerning point 1) above should I reset the config at the beginning when i power on the hex? or should i let it get the original config and then go in and reset through the system menu?? what is best??can you suggest?

Look at the block diagram and then you should see what the potential issue is with port1.

It's not connected to switch chip, only to CPU.
Depending on your config and how you use that port, it may or may not become a bottleneck.

Look at the block diagram and then you should see what the potential issue is with port1.

It's not connected to switch chip, only to CPU.
Depending on your config and how you use that port, it may or may not become a bottleneck.

ah ok!! thanks!! therefore I should actually not use it , for my architecture i actaully have only the isp & the NVR to connect so i can easily exclude port 1!

can you suggest what is the best practice to reset a config on a routerboard?

ciao

As a router, ISP should be on ether1 since normally that port is not to be HW offloaded.
Unless you have an ISP connection going way above 500Mbs or so...

As a switch, you need to see what you want to connect to that port then. Preferably something with low traffic needs.

Reset:
When accessing the device, go to system / Reset configuration.
I typically tick
- Keep users
- no default config (this will make it completely clean)
- no backup
But that's your choice.

As a router, ISP should be on ether1 since normally that port is not to be HW offloaded.
Unless you have an ISP connection going way above 500Mbs or so...

As a switch, you need to see what you want to connect to that port then. Preferably something with low traffic needs.

Reset:
When accessing the device, go to system / Reset configuration.
I typically tick
- Keep users
- no default config (this will make it completely clean)
- no backup
But that's your choice.

Thanks Guru,

you answered my questions!

the full traffic of all my cameras will be on this device goping out towards internet therefore will absolutely avoid using port 1!

thanks for this heads up..

Mikrotik makes these really awesome devices but then seems to get lost in a glass of water

the full traffic of all my cameras will be on this device going out towards internet therefore will absolutely avoid using port 1!

While what you are doing will work perfectly well, how many cameras do you have? Their traffic rates are normally very low, a few Mb/s each, with no chance of overloading a Hex. For a while I was running viewing from my NVR through a Map lite, a theoretical 300 Mb/s WiFi but only 100 Mb/s on a single ethernet link to the NVR, trivial capacity compared with the Hex with its Gb links and 500 Mb/s routing. Now I too use a Hex R but routed rather than switched (security lockdown reasons). I changed over only because the Hex was spare while the Map is handy to have around for odd jobs, not because performance was ever an issue.

hEX refresh for a similar "switch"

1. if you want to use it as a simple switch, then it is not the best idea, because a) it is expensive b) it is of low quality
2. if you want to use it as a simple vlan switch, then it is also a bad idea, because there is tplink tl-sg105\108\1016e\de which a) is cheaper, for example, tl-sg108e costs only 34 dollars, that's 25 less than the hex b) also tplink has works well QoS functions which don't exist on hex
3. if you want to use as router or with the inclusion of additional functions, for example, dhcp server or vrrp, then hex better solution

the full traffic of all my cameras will be on this device going out towards internet therefore will absolutely avoid using port 1!

While what you are doing will work perfectly well, how many cameras do you have? Their traffic rates are normally very low, a few Mb/s each, with no chance of overloading a Hex. For a while I was running viewing from my NVR through a Map lite, a theoretical 300 Mb/s WiFi but only 100 Mb/s on a single ethernet link to the NVR, trivial capacity compared with the Hex with its Gb links and 500 Mb/s routing. Now I too use a Hex R but routed rather than switched (security lockdown reasons). I changed over only because the Hex was spare while the Map is handy to have around for odd jobs, not because performance was ever an issue.

I will have 4 PoE cameras connected to the NVR

hEX refresh for a similar "switch"

1. if you want to use it as a simple switch, then it is not the best idea, because a) it is expensive b) it is of low quality
2. if you want to use it as a simple vlan switch, then it is also a bad idea, because there is tplink tl-sg105\108\1016e\de which a) is cheaper, for example, tl-sg108e costs only 34 dollars, that's 25 less than the hex b) also tplink has works well QoS functions which don't exist on hex
3. if you want to use as router or with the inclusion of additional functions, for example, dhcp server or vrrp, then hex better solution

I can Agree with you, but I really like to test equipment, this is more of an experiment..

I have my home network connecting PC/TV/UPS in the kitchen actually through a cisco switch managed low end.

this hEX will be for my cameras traffic only towards my NVR. Currently i have a range extender in the basement with an ethernet out towards the NVR, which i want to replace

therefore:

ISP router -> Cisco switch

ISP Router->hEX ->NVR

Yes, it seems to me also that unless we are talking of tens of cameras, the actual used/needed bandwidth will be much less than what a hex refresh can handle.

@antonio
which NVR is that?

Only to give you an idea of the amount of traffic, a "professional" NVR, this one:
https://www.elmospa.com/it/linee-di-pro ... nvr32xrpki
is declared to have 160 Mbps of Network access bandwidth, and it supports 16-32 cameras.

So you should have no issue even if you use ether1 and/or need anyway routing instead of bridging.

Yes, it seems to me also that unless we are talking of tens of cameras, the actual used/needed bandwidth will be much less than what a hex refresh can handle.

@antonio
which NVR is that?

Only to give you an idea of the amount of traffic, a "professional" NVR, this one:
https://www.elmospa.com/it/linee-di-pro ... nvr32xrpki
is declared to have 160 Mbps of Network access bandwidth, and it supports 16-32 cameras.

So you should have no issue even if you use ether1 and/or need anyway routing instead of bridging.

Hi Guru,

I'll tell you the truth I'm here in the mountains and my ISP is via FWA, max BW is around 80 Mbps

this is the NVR :

https://reolink.com/product/rln8-410/?s ... VIEj94X8gj

I prefer to have the hEX just as switch.

Yep, which confirms that the hex refresh is largely over-dimensioned for the task at hand.

Likely a 100 Mbit device like (say) a hap lite or a hex lite would have been enough and not become a bottleneck (not that it makes much sense to buy a 16 Mb device, and one with 10/100 interface new nowadays, but probably an old, replaced because too slow for its current use device would have been enough in the intended role).

That NVR has 10/100Mbps ethernet interfaces ... both for cameras and LAN. So hEX will have to handle 100Mbps full duplex at most. It'll do it without a sweat. Even if L2 HW offload for some reason doesn't kick in.

That NVR has 10/100Mbps ethernet interfaces ... both for cameras and LAN. So hEX will have to handle 100Mbps full duplex at most. It'll do it without a sweat. Even if L2 HW offload for some reason doesn't kick in.

ok thanks! i can easily anyhow test what happens when i connect the ISP on port 1 and NVR on port 2 . should not have any issues at this point

@antoniocerasuolo have you ever checked whether your Reolink phones home? Firewall functions can be useful for locking down as well as for blocking out.

To clarify, are you accessing your NVR from outside your network? If so, are you relying on NATting in with its password or using a VPN?

@antoniocerasuolo have you ever checked whether your Reolink phones home? Firewall functions can be useful for locking down as well as for blocking out.

To clarify, are you accessing your NVR from outside your network? If so, are you relying on NATting in with its password or using a VPN?

hi , yes of course am accessing the cameras both on premise and through the Reolink APP when i', not home, therefore yes through Internet.

at the moment i have the NVR connected to a range extender with LAN cable.

Maybe the question was more like three of them:
1) can the NVR be accessed from the internet?
2) if yes, how exactly are you accessing it? (plain public IP or via a VPN)
3) and if not VPN, then, are you really-really sure that you are the only one that can access it via internet?

Same questions I had. I believe the NVR talks to the reolink cloud server.
User, via their reolink app, reach the cloud server and then down to their NVR.

The NVR should have no ports forwarded to it, that would be bad, if the OP was thinking of port forwarding to view direclty by IP or something.
Absolutely if wanting to access the NVR directly a VPN should be used to reach the router.

I will have 4 PoE cameras connected to the NVR

In this case, I'd actually be tempted to get a hEX PoE instead. You get 5 gigabit ports wired up to the internal switch chip instead of 4 on the hEX refresh (plus an SFP port which isn't wired to switch), so you won't have to worry about your uplink port being bottlenecked by CPU/software bridging, and 4 of those switch ports are PoE out. If you throw out the 24v power brick included with hEX PoE and replace it with a beefy 48v one instead (such as the 48V2A96W), then it can also do standards-based 802.3at PoE out on all 4 ports.

I love these freaking things. Yes, they are $30 MSRP more than the hEX, and the fact that you have to also buy an additional $30-40 power supply to do 48v PoE out is not great either (I would prefer they just increase MSRP a little and include the 48v supply in the box as standard equipment...either that, or ship without power supply and drop the price a little, so that at least you aren't wasting a bunch of 24v supplies that you'll never use), but they are nice and small, and it makes for a very nice, tidy, and compact set-up. If you have a beefy central PoE switch somewhere (racked in a telco closet or whatever) and just need to multiply PoE ports downstream, you can also power them via PoE and have them pass power onto the devices plugged into them...awesome!

The Reolink has PoE ports for the cameras, and a single LAN line to the Hex or whatever. The Hex does not deal with cameras, only the traffic selected to be obtained from the NVR.

On the connections, my personal view is that I would not use a cloud server for Chinese cameras/NVR. That is exactly why I have a router in front of mine (Dahua). The NVR is locked down. It can get the correct time of day from the Hex and that is it. Further, it is accessible solely from my 'safe' LAN which includes my VPN access to home. There are no open ports on the edge router to the NVR.

I have observed that the Dahua attempts to phone home every couple of minutes, looking for one of a few optional cloud servers. The fact I block that does not curtail its normal operations. The only inconvenience is that any firmware updates are manual, download to a USB then update locally.

the fact that you have to also buy an additional $30-40 power supply to do 48v PoE out is not great either (I would prefer they just increase MSRP a little and include the 48v supply in the box as standard equipment...either that, or ship without power supply and drop the price a little, so that at least you aren't wasting a bunch of 24v supplies that you'll never use)

I agree, this is a weird decision to sell a PoE device that doesn't work out of the box without an additional purchase. I mean, who would buy a hEX PoE without intending to use PoE? Especially when there is the non-PoE hEX. I suppose it does support passive PoE.
I wonder if they plan to release a refresh version, this time hopefully with the right power adapter.

I was looking was a small PoE+ switch some time ago, and the extra $30-40 just for the power brick was a deal-breaker when one can get a Zyxel for $50-60 (5 or 8 ports). I would definitely prefer the hEX if it came with the adapter.

Cameras should be local, use like Home Assistant and Frigate and you free from spy's and cloud services.
And of course local VPN.

It would seem that the ether1 renders this device useless compared to older versions of hex ( except arm core of course and thus BTH etc. )

Yes and no.

Even with the odd ether-1 setup, it's faster then old Hex when used as a normal router.
As a switch however, that's another story.

I'm sure they made it in accordance to what's needed for majority of their customers.
We only see a fraction of that population here (and only the most savvy part of it, I would think).

Yes and no.

Even with the odd ether-1 setup, it's faster then old Hex when used as a normal router.
As a switch however, that's another story.

I'm sure they made it in accordance to what's needed for majority of their customers.
We only see a fraction of that population here (and only the most savvy part of it, I would think).

So used as as switch, one cannot use ether1 as the trunk port from the upstream router or not use the port at all???

When I was still having it in my lab setup, I used it as an access port for a printer.
But certainly not as trunk port (it 100% passes CPU without any HW offload possible).

Danke!!

The Reolink has PoE ports for the cameras, and a single LAN line to the Hex or whatever. The Hex does not deal with cameras, only the traffic selected to be obtained from the NVR.

Ahh. I allowed myself to jump to conclusions when it was mentioned that there were 4 cameras, and then people started talking about how only 4 of the 5 ports were actually physically wired to the switch.

I agree, this is a weird decision to sell a PoE device that doesn't work out of the box without an additional purchase. [...] I suppose it does support passive PoE.

Right: to be absolutely clear, it DOES work just fine out of the box...as a 24v, passive PoE switch. Just not a 48v one, since it has no on-board voltage converter, and will only output on the ethernet ports whatever voltage it is fed.

The main problem is just that this doesn't make it a very useful multi-port PoE device, unless all you are planning to do is power other MTs with it (or select UBNT gear). Most other PoE hardware on the market requires 48v and adheres to 3af/3at/3bt/etc.

Ahh. I allowed myself to jump to conclusions ....

I did the same myself the way it was discussed, until I paused to remember how my own system works.

I am using the powerbox pro to power a couple of the cameras and yes that is connected diectly to the nvr. had to struggle a bit because the reolink nvr is not a dhcp server therefore had to assign a static ip to the bridge on the same net as the locan nvr net and the cameras work perfectly after that! power us supplied to port one of the powerbox pro!! the hex refresh will be the access towards internet for the whole system