I am doing the best I can -- and will continue to try as hard as possible to make it easier for you to help me. I am grateful.
"what role the GS3100 plays."
The G3100 is the Verizon router. It provides data (such as TV listings) to the set top boxes. It connects using TCP/IP to the STBs via coax. It needs to have Internet access to get the data needed by the STBs, and therefore has an ethernet connection on one of its switch ports (not a WAN port). I gave it a static IP of 192.168.2.1 (for the LAN or switch side).
It does not need to be on the same subnet, nor does it need any communication with any other device on my LAN (except for management purposes which would be nice). It only needs Internet access.
"So what problem are you trying to fix?"
With the G3100 on the same subnet as all my other devices (and no VLANs set up), all broadcast/multicast traffic is heard by all devices. Further, all traffic between the G3100 and the Internet is going through the same CSS326 switch as all other Internet-bound traffic. My thinking is that isolating the broadcast/multicast traffic, and removing from the CSS326 the traffic between the G3100 and the Internet might improve performance a little.
On the back burner is still creating VLANs for media/entertainment devices such as TVs, Rokus, etc. in order to reduce the broadcast/multicast traffic and improve security.
"I also don't generally recommend using your primary router to learn with."
That makes perfect sense. I actually bought the Hex as an interim router until the RB5009s are available.
I was thinking about buying a HAP ax3 to experiment with and then deploy as an AP (I'm not clear if it also runs RouterOS and functions as a router).
I understand how it looks like I haven't tried to learn this, but I have. I've watched a ton of videos.
"Since I am evidently not communicating clearly, perhaps there is someone else that is a better mind reader than I am that can assist you."
I apologize for it feeling like you have to read my mind. I will work harder to be clearer.
I attach the hex export and various CSS326 screenshots, as well as a current diagram.
# oct/28/2022 07:56:11 by RouterOS 6.49.7
# software id = C3RH-692B
#
# model = RB750Gr3
# serial number =
/interface bridge
add name=Bridge-Port3
add admin-mac=111111111 auto-mac=no comment=defconf name=bridge
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.2.100-192.168.2.200
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge lease-time=1w3d name=\
defconf
/ppp profile
set *FFFFFFFE bridge-learning=no
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface l2tp-server server
set use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface sstp-server server
set default-profile=default-encryption
/ip address
add address=192.168.2.2/24 comment=defconf interface=bridge network=\
192.168.2.0
add address=192.168.30.2/24 interface=ether3 network=192.168.30.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=1h
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.2.0/24 comment=defconf gateway=192.168.2.2 netmask=24
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,1.1.1.1
/ip dns static
add address=192.168.2.2 comment=defconf name=router.lan
/ip firewall address-list
add address=11111.dyndns.org list=WAN
add address=192.168.2.0/24 list=LAN
/ip firewall filter
add action=accept chain=input comment=\
"NEW defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=accept chain=input comment="NEW defconf: accept ICMP" protocol=\
icmp
add action=drop chain=input comment="NEW defconf: drop invalid" \
connection-state=invalid
add action=accept chain=input comment=NEW in-interface-list=LAN
add action=drop chain=input comment="NEW drop all else"
add action=fasttrack-connection chain=forward comment=\
"NEW defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment=\
"NEW defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=accept chain=forward comment="NEW allow port forwarding" \
connection-nat-state=dstnat log=yes
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=drop chain=forward comment="NEW defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=NEW
/ip firewall mangle
add action=mark-connection chain=prerouting comment=\
"Mark connection for hairpin NAT" dst-address-list=WAN \
new-connection-mark="Hairpin NAT" passthrough=yes src-address-list=LAN
/ip firewall nat
add action=masquerade chain=srcnat comment="Hairpin NAT" connection-mark=\
"Hairpin NAT"
add action=masquerade chain=srcnat comment="NEW defconf: masquerade" \
out-interface-list=WAN
add action=dst-nat chain=dstnat dst-address=192.168.2.176 dst-port=8123 log=\
yes protocol=tcp to-addresses=192.168.2.176
add action=src-nat chain=srcnat comment="new 8123" disabled=yes dst-address=\
192.168.2.176 dst-port=8123 protocol=tcp to-addresses=192.168.2.176
add action=src-nat chain=srcnat comment="new 5800" disabled=yes dst-port=5800 \
protocol=tcp to-addresses=192.168.2.22
add action=src-nat chain=srcnat comment="new 5900" disabled=yes dst-port=5900 \
protocol=tcp to-addresses=192.168.2.22
add action=dst-nat chain=dstnat comment="PORT FWD: 8123" dst-address-list=\
WAN dst-port=8123 protocol=tcp to-addresses=192.168.2.176 to-ports=8123
/ip route
add disabled=yes distance=1 gateway=192.168.2.1
/system clock
set time-zone-name=America/New_York
/system identity
set name=RouterOS
/system ntp client
set enabled=yes primary-ntp=216.239.35.4 secondary-ntp=104.16.132.229
/system scheduler
add interval=1h name=Daily on-event=dyndns policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-date=oct/18/2022 start-time=02:00:00
/system script
add dont-require-permissions=no name=DynDNS owner=admin policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="#\
\_Set needed variables\r\
\n\t:local username \"11111r\"\r\
\n\t:local clientkey \"111118bc3\"\r\
\n\t:local hostname \"11111.dyndns.org\"\r\
\n\r\
\n\t:global dyndnsForce\r\
\n\t:global previousIP\r\
\n\r\
\n# get the current IP address from the internet (in case of double-nat)\r\
\n\t/tool fetch mode=http address=\"checkip.dyndns.org\" src-path=\"/\" ds\
t-path=\"/dyndns.checkip.html\"\r\
\n\t:delay 1\r\
\n\t:local result [/file get dyndns.checkip.html contents]\r\
\n\r\
\n# parse the current IP result\r\
\n\t:local resultLen [:len \$result]\r\
\n\t:local startLoc [:find \$result \": \" -1]\r\
\n\t:set startLoc (\$startLoc + 2)\r\
\n\t:local endLoc [:find \$result \"</body>\" -1]\r\
\n\t:local currentIP [:pick \$result \$startLoc \$endLoc]\r\
\n\t:log info \"UpdateDynDNS: currentIP = \$currentIP\"\r\
\n\r\
\n# Remove the # on next line to force an update every single time - usefu\
l for debugging,\r\
\n# but you could end up getting blacklisted by DynDNS!\r\
\n\r\
\n#:set dyndnsForce true\r\
\n\r\
\n# Determine if dyndns update is needed\r\
\n# more dyndns updater request details https://help.dyn.com/remote-access\
-api/perform-update/\r\
\n\t:log info \"UpdateDynDNS: previousIP = \$previousIP\"\r\
\n\t:if (\$dyndnsForce = true) do={ :log warning \"UpdateDynDNS: Forced up\
date on\" }\r\
\n\r\
\n\t:if ((\$currentIP != \$previousIP) || (\$dyndnsForce = true)) do={\r\
\n\t\t:set dyndnsForce false\r\
\n\t\t:set previousIP \$currentIP\r\
\n\r\
\n\t\t/tool fetch mode=https \\\r\
\n\t\turl=\"https://\$username:\$clientkey@members.dyndns.org/v3/update\?h\
ostname=\$hostname&myip=\$currentIP\" \\ \r\
\n\t\tdst-path=\"/dyndns.txt\"\r\
\n\r\
\n\t\t:delay 1\r\
\n\t\t:local result [/file get dyndns.txt contents]\r\
\n\t\t:log info (\"UpdateDynDNS: Dyndns update needed\")\r\
\n\t\t:log info (\"UpdateDynDNS: Dyndns Update Result: \".\$result)\r\
\n\t\t:put (\"Dyndns Update Result: \".\$result)\r\
\n\t} else={\r\
\n\t\t:log info (\"UpdateDynDNS: No dyndns update needed\")\r\
\n\t}"
/tool graphing interface
add interface=bridge
add interface=bridge
/tool graphing resource
add
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool traffic-monitor
add interface=ether1 name=tmon1
network-diagram.jpg
css326-link.jpg
css326-igmp.jpg
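An added example, not part of the original post: a Python check over a RouterOS text export that lists bridges with no member ports, IP addresses assigned to an interface that is also a bridge port, and addressed interfaces that belong to no interface list (the firewall rules in the export above match on the LAN and WAN lists). The function names `parse_export` and `audit` are hypothetical, and the embedded input is a trimmed excerpt of the posted export.

```python
import re

# Constructed input: trimmed excerpt of the posted export (only sections the check reads).
EXPORT = r"""
/interface bridge
add name=Bridge-Port3
add admin-mac=111111111 auto-mac=no comment=defconf name=bridge
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.2.2/24 comment=defconf interface=bridge network=\
192.168.2.0
add address=192.168.30.2/24 interface=ether3 network=192.168.30.0
"""

def parse_export(text):
    """Return {section path: [{key: value}, ...]} for every 'add' line."""
    text = re.sub(r"\\\r?\n\s*", "", text)   # join '\' line continuations
    sections, path = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            path = line                       # e.g. "/ip address"
        elif line.startswith("add ") and path:
            pairs = re.findall(r'([\w-]+)=("[^"]*"|\S+)', line)
            sections.setdefault(path, []).append({k: v.strip('"') for k, v in pairs})
    return sections

def audit(text):
    """Return findings as tuples: (kind, interface or bridge, details...)."""
    s = parse_export(text)
    ports = {p["interface"]: p["bridge"] for p in s.get("/interface bridge port", [])}
    lists = {}
    for m in s.get("/interface list member", []):
        lists.setdefault(m["interface"], set()).add(m["list"])
    findings = []
    for b in s.get("/interface bridge", []):
        if b["name"] not in ports.values():   # bridge defined but nothing attached
            findings.append(("bridge-without-ports", b["name"]))
    for a in s.get("/ip address", []):
        iface = a["interface"]
        if iface in ports:                    # address sits on a bridge member port
            findings.append(("address-on-bridge-port", iface, a["address"], ports[iface]))
        if not lists.get(iface):              # LAN/WAN list rules will not match it
            findings.append(("address-outside-interface-lists", iface, a["address"]))
    return findings
```

On this excerpt the check reports `Bridge-Port3` as having no ports and `ether3` as both a port of `bridge` and the holder of 192.168.30.2/24 while sitting in neither the LAN nor the WAN list.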