AHA now we are getting to the real requirements!!
For this exercise I am assuming you are getting a LAN subnet from the Starlink of 192.168.2.0/24, LAN IPs like 192.168.2.5, and a Starlink LAN gateway IP of 192.168.2.1.
[By the way, the stupid WAN IP one gets from bypassing the router (gen1) or bridge mode (gen2) is carrier-grade NAT, basically a useless bastardized NAT where the public IP is not usable for much, I think.]
In any case to use the hex:
This is what you need to do
....
/interface bridge
add name=bridgehex
/interface ethernet
set [ find default-name=ether5 ] name=emergaccess-5
/interface list
add name=management
/interface bridge port
add bridge=bridgehex interface=ether1 comment="to starlink"
add bridge=bridgehex interface=ether2 comment="to switch"
add bridge=bridgehex interface=ether3 comment="to whatever"
add bridge=bridgehex interface=ether4 comment="to whatever"
/ip neighbor discovery-settings
set discover-interface-list=management
/interface list member
add interface=bridgehex list=management
add interface=emergaccess-5 list=management
/ip address
add address=192.168.2.X/24 interface=bridgehex network=192.168.2.0 comment="address of hex on starlink lan subnet"
add address=192.168.5.1/24 interface=emergaccess-5 network=192.168.5.0 comment="ether5 access off bridge"
/ip firewall filter
add chain=input action=accept in-interface=emergaccess-5 src-address=192.168.5.0/24
add chain=input action=accept src-address=192.168.2.X comment="allow admin to router for config"
add chain=input action=accept src-address=192.168.2.Y comment="allow admin to router for config"
add chain=input action=drop src-address=192.168.2.0/24 dst-port=8291 protocol=tcp comment="drop rest of LAN from winbox access to router (8291/tcp is the default winbox port)"
add chain=forward action=drop dst-port=8000-8010 protocol=tcp
add chain=forward action=drop dst-port=8000-8010 protocol=udp
/ip dns
# dns through trusted subnet gateway (set has no comment= parameter, so the note is a script comment)
set allow-remote-requests=yes servers=192.168.2.1
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.2.1 comment="ensures route avail through trusted subnet gateway"
/ip service
set winbox address=192.168.2.X,192.168.2.Y,192.168.5.0/24
# ***** see the note on X and Y below
/tool mac-server mac-winbox
set allowed-interface-list=management
.....
***** Where X and Y are your (ADMIN IP) addresses for your desktop, laptop, smartphone, iPad on the Starlink LAN subnet. In this way, although anyone could theoretically access the hEX from the Starlink LAN for config purposes, this winbox service setting ensures only you can (besides username and password protection, of course). I will add firewall rules to also ensure this is true.
If, for example, you would always use 192.168.5.5 in the IPv4 computer settings when attaching your laptop to ether5 for emergency access to the router, you could narrow down the input chain firewall rule and the winbox settings to that specific IP, but that is not necessary.
For the IP address of the hEX, I suggest using a number not likely to be used by the Starlink.
If it starts giving out IP addresses from 192.168.2.2 and up, then give the hEX an address of 192.168.2.220, for example.
+++++++++++++++++++
Feel free to ask any questions. The idea here is that the ether ports (except 5) are on the same bridge and getting DHCP from the Starlink.
The extras added allow you to access the hEX while connected to the LAN or directly via ether5. Ether5, for extra backup, is not on the bridge, so if the bridge gets screwed you can still access the hEX. The hEX in this mode is basically a switch with a few router-like functions in the mix.
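As an added check (my own Python model, not part of the post above or of RouterOS), this walks the input chain first-match the way RouterOS does and then applies the winbox service address list, so you can see which LAN hosts end up able to reach winbox. X and Y are filled in with constructed admin addresses, and winbox's default TCP port 8291 is assumed.

```python
import ipaddress

# Constructed stand-ins for the X and Y admin addresses from the post.
ADMIN_X = "192.168.2.10"
ADMIN_Y = "192.168.2.11"
WINBOX_PORT = 8291  # assumed: RouterOS default winbox port (TCP)

# Input-chain rules in the order the post lists them; first match wins.
INPUT_RULES = [
    dict(action="accept", in_interface="emergaccess-5", src="192.168.5.0/24"),
    dict(action="accept", src=ADMIN_X),
    dict(action="accept", src=ADMIN_Y),
    dict(action="drop", src="192.168.2.0/24", protocol="tcp", dst_port=WINBOX_PORT),
]
# The /ip service winbox address= list from the post.
WINBOX_ALLOWED = [ADMIN_X, ADMIN_Y, "192.168.5.0/24"]


def _matches(rule, src, in_iface, proto, dport):
    """A rule matches only if every matcher it carries agrees with the packet."""
    if "src" in rule and ipaddress.ip_address(src) not in ipaddress.ip_network(rule["src"]):
        return False
    if "in_interface" in rule and rule["in_interface"] != in_iface:
        return False
    if "protocol" in rule and rule["protocol"] != proto:
        return False
    if "dst_port" in rule and rule["dst_port"] != dport:
        return False
    return True


def input_chain_verdict(src, in_iface, proto, dport):
    """First matching rule decides; with no match the chain's default (accept) applies."""
    for rule in INPUT_RULES:
        if _matches(rule, src, in_iface, proto, dport):
            return rule["action"]
    return "accept"


def winbox_service_allows(src):
    """Second layer: the /ip service winbox address list."""
    return any(ipaddress.ip_address(src) in ipaddress.ip_network(a) for a in WINBOX_ALLOWED)


def can_reach_winbox(src, in_iface):
    """Both layers must agree: the firewall input chain and the service address list."""
    return (input_chain_verdict(src, in_iface, "tcp", WINBOX_PORT) == "accept"
            and winbox_service_allows(src))
```

Note that a non-admin LAN host is only dropped for the winbox port; other router services still fall through to the chain's default accept, which is what the extra firewall rules the post promises would cover.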