How to Build a Secure Home Network with a MikroTik hEX
Step-by-step guide to configure MikroTik hEX as a secure home router with firewall, VLANs, guest WiFi, and parental controls. Perfect for home lab and SOHO use.

Introduction: Why Choose the hEX for a Home Network?
The MikroTik hEX (RB750Gr3) is the perfect router for tech-savvy homes and small offices. With its five Gigabit ports, powerful CPU, and affordable price, it outperforms consumer routers while offering enterprise-level features. In this guide, we'll configure it from scratch to create a secure, segmented home network.
Hardware Setup and Initial Connection
Physical Connections
Port Assignment:
- ether1: WAN (Internet connection)
- ether2: Trusted LAN
- ether3: Guest WiFi
- ether4: IoT Devices
- ether5: Management
Initial Access:
- Connect your computer to any port except ether1
- Download WinBox from mikrotik.com
- Use MAC discovery to find and connect to your hEX
- Log in with username admin and no password
Basic Configuration
System Identity and Password
# Set router identity
/system identity set name=hEX-HomeRouter
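# Create a new full-access admin user (replace the example password with your own)
/user add name=admin-full group=full password="YourStrongPassword123!"
# Disable the default admin account once you have logged in as admin-full
/user disable admin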
Interface Renaming
/interface ethernet
set ether1 name=WAN comment="Internet Connection"
set ether2 name=LAN-Trusted comment="Trusted Devices"
set ether3 name=LAN-Guest comment="Guest WiFi"
set ether4 name=LAN-IoT comment="IoT Devices"
set ether5 name=LAN-Mgmt comment="Management"
Network Segmentation with Bridges
Create Bridge Interfaces
# Trusted LAN Bridge
/interface bridge add name=bridge-trusted
/interface bridge port add interface=LAN-Trusted bridge=bridge-trusted
/interface bridge port add interface=LAN-Mgmt bridge=bridge-trusted
# Guest Network Bridge
/interface bridge add name=bridge-guest
/interface bridge port add interface=LAN-Guest bridge=bridge-guest
# IoT Network Bridge
/interface bridge add name=bridge-iot
/interface bridge port add interface=LAN-IoT bridge=bridge-iot
IP Address Configuration
/ip address
add address=192.168.88.1/24 interface=bridge-trusted comment="Trusted Network"
add address=192.168.89.1/24 interface=bridge-guest comment="Guest Network"
add address=192.168.90.1/24 interface=bridge-iot comment="IoT Network"
Internet Connection Setup
WAN Configuration
# For DHCP (most common)
/ip dhcp-client add interface=WAN disabled=no use-peer-dns=yes use-peer-ntp=yes
# For PPPoE (DSL connections)
/interface pppoe-client add name=pppoe-out1 interface=WAN user=your_username password=your_password disabled=no
NAT Configuration
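# With PPPoE, traffic leaves through pppoe-out1: use that name instead of WAN here and in the firewall rules that match the WAN interface
/ip firewall nat add chain=srcnat out-interface=WAN action=masquerade comment="Masquerade all outgoing traffic"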
Firewall Security Configuration
Basic Firewall Rules
/ip firewall filter
# Rules are evaluated top to bottom; the first match wins.
# Routed traffic is matched with in-interface/out-interface (in-bridge/out-bridge belong to /interface bridge filter).
# Accept established connections
add chain=forward action=accept connection-state=established,related comment="Accept established connections"
# Block guest from accessing trusted network
add chain=forward action=drop in-interface=bridge-guest out-interface=bridge-trusted comment="Block guest from trusted"
# Block IoT from accessing trusted network
add chain=forward action=drop in-interface=bridge-iot out-interface=bridge-trusted comment="Block IoT from trusted"
# Allow guests and IoT to internet only
add chain=forward action=accept in-interface=bridge-guest out-interface=WAN comment="Guest to internet"
add chain=forward action=accept in-interface=bridge-iot out-interface=WAN comment="IoT to internet"
# Block traffic between guest and IoT (traffic that matches no rule in the chain is accepted)
add chain=forward action=drop in-interface=bridge-guest out-interface=bridge-iot comment="Block guest-IoT cross traffic"
add chain=forward action=drop in-interface=bridge-iot out-interface=bridge-guest comment="Block IoT-guest cross traffic"
Protect the Router Itself
/ip firewall filter
# Accept established connections to router
add chain=input action=accept connection-state=established,related comment="Accept established to router"
# Accept ICMP (ping)
add chain=input action=accept protocol=icmp comment="Allow ping"
# Accept WinBox and SSH from trusted network only
add chain=input action=accept in-interface=bridge-trusted protocol=tcp dst-port=8291,22 comment="Management from trusted LAN"
# Drop everything else
add chain=input action=drop comment="Drop all other input"
DHCP Server Setup
Trusted Network DHCP
/ip pool add name=dhcp-trusted ranges=192.168.88.100-192.168.88.200
/ip dhcp-server add name=dhcp-trusted interface=bridge-trusted address-pool=dhcp-trusted disabled=no
/ip dhcp-server network add address=192.168.88.0/24 gateway=192.168.88.1 dns-server=1.1.1.1,8.8.8.8
Guest Network DHCP
/ip pool add name=dhcp-guest ranges=192.168.89.100-192.168.89.200
/ip dhcp-server add name=dhcp-guest interface=bridge-guest address-pool=dhcp-guest disabled=no
/ip dhcp-server network add address=192.168.89.0/24 gateway=192.168.89.1 dns-server=1.1.1.1,8.8.8.8
DNS Configuration
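# Clients receive 1.1.1.1 and 8.8.8.8 directly via DHCP, so they do not query the router.
# allow-remote-requests=yes lets the router answer DNS queries; the input chain above drops them because port 53 is not accepted.
/ip dns set servers=1.1.1.1,8.8.8.8 allow-remote-requests=yes cache-size=2048KiB cache-max-ttl=1w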
Optional: Advanced Features
Parental Controls
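# Block specific websites
# The drop rule must sit above the accept rules for guest and IoT, otherwise those segments never reach it
/ip firewall filter add chain=forward dst-address-list=blocked-sites action=drop place-before=[find comment="Guest to internet"] comment="Block unwanted websites"
# RouterOS resolves each name to its current IP addresses; sites served from many addresses are only partly covered
/ip firewall address-list add list=blocked-sites address=facebook.com
/ip firewall address-list add list=blocked-sites address=twitter.com
/ip firewall address-list add list=blocked-sites address=tiktok.com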
Bandwidth Management
# Limit guest network to 10Mbps
/queue simple add name=guest-limit target=192.168.89.0/24 max-limit=10M/10M
# Limit IoT network to 5Mbps
/queue simple add name=iot-limit target=192.168.90.0/24 max-limit=5M/5M
Monitoring and Maintenance
Enable Logging
# Firewall rules only write log entries when the rule itself has log=yes
/system logging add action=memory topics=firewall,info
Create Configuration Backup
/system backup save name=initial-setup-backup
Update RouterOS
/system package update check-for-updates
/system package update download
/system reboot
Verification and Testing
Test Your Configuration
- Connect devices to each network segment
- Verify IP assignment from correct DHCP pools
- Test internet access from all segments
- Verify isolation between networks
- Test management access from trusted network only
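To support the isolation check on paper before plugging devices in, the added example below (not part of the original guide) models the forward-chain rules from Basic Firewall Rules as tuples and evaluates them first-match, listing the zone pairs whose new connections reach the end of the chain and are accepted by default. The zone names, the tuple format and the extra WAN drop rule in HARDENED_RULES are assumptions made for this illustration.

```python
# Constructed model of the guide's forward chain: (in_zone, out_zone, state, action).
# None is a wildcard; a "zone" is the bridge or WAN interface a packet enters or leaves by.
ZONES = ["trusted", "guest", "iot", "WAN"]

GUIDE_RULES = [
    (None, None, "established", "accept"),  # Accept established connections
    ("guest", "trusted", None, "drop"),     # Block guest from trusted
    ("iot", "trusted", None, "drop"),       # Block IoT from trusted
    ("guest", "WAN", None, "accept"),       # Guest to internet
    ("iot", "WAN", None, "accept"),         # IoT to internet
    ("guest", "iot", None, "drop"),         # Block guest-IoT cross traffic
    ("iot", "guest", None, "drop"),         # Block IoT-guest cross traffic
]

# Assumption, not from the guide: a last rule that drops new connections entering on WAN
# (on RouterOS this would be a forward drop with connection-state=new in-interface=WAN).
HARDENED_RULES = GUIDE_RULES + [("WAN", None, "new", "drop")]


def verdict(rules, src, dst, state="new"):
    """Return (action, rule_index); rule_index is None when no rule matched."""
    for i, (rin, rout, rstate, action) in enumerate(rules):
        if rin in (None, src) and rout in (None, dst) and rstate in (None, state):
            return action, i
    return "accept", None  # a packet that reaches the end of a chain is accepted


def fall_through(rules):
    """Zone pairs whose new connections are accepted only by the implicit default."""
    return [(s, d) for s in ZONES for d in ZONES
            if s != d and verdict(rules, s, d) == ("accept", None)]


def matrix(rules):
    """Verdict for a new connection between every pair of zones."""
    return {(s, d): verdict(rules, s, d)[0] for s in ZONES for d in ZONES if s != d}


if __name__ == "__main__":
    for name, rules in (("guide", GUIDE_RULES), ("hardened", HARDENED_RULES)):
        print(name, "implicit accepts:", fall_through(rules))
```

Pairs reported by fall_through are the ones to test by hand, since no rule on the router states what should happen to them.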
Useful Monitoring Commands
# Check traffic
/interface monitor-traffic WAN
# View DHCP leases
/ip dhcp-server lease print
# Check firewall hits
/ip firewall filter print stats
# Monitor system resources
/system resource monitor
Troubleshooting Common Issues
No Internet Access
- Check WAN interface status
- Verify NAT rule is correct
- Confirm DNS is working
Devices Can't Get IP Address
- Verify DHCP server is enabled
- Check bridge assignments
- Confirm IP pools are configured
Inter-network Communication Issues
- Review firewall filter rules
- Check bridge configurations
- Verify interface assignments


