Dwosky
just joined
Topic Author
Posts: 3
Joined: Sun Nov 24, 2024 6:14 pm

Doubt regarding network configuration with VLAN in AP

Mon Nov 25, 2024 1:22 pm

Hello,

I have the following network configuration:
router < --- > switch < --- > AP
Where both the router and the switch have more devices attached to them. The switch is a non-managed PoE+ one and I wanted to create a VLAN for the IoT devices, but since the switch is not managed and I have several other devices that I don't want to add to the same VLAN, I suppose I'll need another device at that level to just configure the VLAN for the AP connection port, right?

The thing is that I don't need anything fancy or with more than 5 ports, but I do need the PoE+ if possible, since I don't quite like having passive PoE with devices that don't support PoE connected to the same device. I've checked and MikroTik has the hEX PoE router that seems to have the PoE+, but I don't know if I'm able to configure it like a switch, so it's able to also see the devices connected to the first router as well as internet access. Will this work or should I get a switch instead? Any other suggestion or recommendation?
 
mkx
Forum Guru
Posts: 13126
Joined: Thu Mar 03, 2016 10:23 pm

Re: Doubt regarding network configuration with VLAN in AP

Mon Nov 25, 2024 4:22 pm

If AP can add/remove VLAN tags as needed, then the switch in between doesn't have to know about VLAN tags at all. The only (minimum) requirement for that switch is that it supports using "baby jumbo frames" ... that is ethernet frames with payload size of 1504 bytes (VLAN header adds 4 bytes to "normal" ethernet payload, which is IP packet with gross size of 1500 bytes).

The issue when using non-managed switch in VLAN environment is that VLAN frames can then leak into wrong ports. Similarly to how frames with "yet unknown" destination port will be transmitted through all ports and connected devices can "hear" fragments of traffic. Furthermore, a rogue device can actively attach to random VLAN and communicate with other devices in same VLAN. When using managed switch this is prevented by assigning ports to correct VLANs and rogue device connected can not force itself into a VLAN which is not allowed on given port.

If you're not concerned about such misbehaviour, then you can keep that non-managed switch in place. And plan to replace it with managed switch when need arises (or opportunity shows).

If you're talking about RB960PGS when writing "hEX PoE", then it can be configured as a nice 1Gbps switch. But beware that it's not really a PoE+ device (output is limited to 450mA or roughly 21.6W) and you need to purchase 48V power adapter (it ships with 24V PA and it doesn't do voltage conversion internally ... whatever voltage gets in, is available on out).
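
The leak described in the post above (tagged frames reaching the wrong ports of a non-managed switch, and a device tagging itself into a VLAN) can be reproduced with a small model. This is an added example, not part of any post in the thread; the port layout, VLAN 20 for the IoT network and the MAC addresses are assumptions made for illustration.

```python
# Added example: toy model of tagged-frame forwarding on an unmanaged switch
# versus a VLAN-aware one. Ports, VLAN IDs and MAC addresses are constructed.
from collections import namedtuple

BROADCAST = "ff:ff:ff:ff:ff:ff"
Frame = namedtuple("Frame", "src dst vlan", defaults=(None,))   # vlan=None: untagged

class Switch:
    def __init__(self, ports, allowed=None, pvid=None):
        self.ports = list(ports)
        self.allowed = allowed            # None = unmanaged, 802.1Q tags ignored
        self.pvid = pvid or {}            # VLAN assigned to untagged ingress frames
        self.fdb = {}                     # (vlan, mac) -> port, learned from sources

    def classify(self, port, frame):
        """VLAN the frame belongs to on ingress; None means drop it."""
        if self.allowed is None:
            return 0                      # one flat broadcast domain
        vid = frame.vlan if frame.vlan is not None else self.pvid.get(port)
        return vid if vid in self.allowed.get(port, set()) else None

    def forward(self, in_port, frame):
        """Return the egress ports for a frame received on in_port."""
        vid = self.classify(in_port, frame)
        if vid is None:
            return []                     # VLAN not permitted on this port
        self.fdb[(vid, frame.src)] = in_port
        known = self.fdb.get((vid, frame.dst))
        out = [known] if known is not None and frame.dst != BROADCAST else self.ports
        if self.allowed is not None:      # egress only to member ports
            out = [p for p in out if vid in self.allowed.get(p, set())]
        return sorted(p for p in out if p != in_port)

def compare():
    """Port 1 = router, 2 = AP (IoT SSID on VLAN 20), 3 = PC, 4 = other device."""
    members = {1: {1, 20}, 2: {1, 20}, 3: {1}, 4: {1}}
    iot, rogue = "02:00:00:00:00:20", "02:00:00:00:00:66"
    results = {}
    for name, sw in (("unmanaged", Switch([1, 2, 3, 4])),
                     ("managed", Switch([1, 2, 3, 4], members, {p: 1 for p in members}))):
        flood = sw.forward(2, Frame(iot, BROADCAST, 20))     # IoT broadcast via AP
        inject = sw.forward(4, Frame(rogue, iot, 20))        # port 4 tags itself into VLAN 20
        results[name] = (flood, inject)
    return results

if __name__ == "__main__":
    for name, (flood, inject) in compare().items():
        print(f"{name:9}  IoT broadcast -> {flood}  tagged frame from port 4 -> {inject}")
```

On the unmanaged switch the IoT broadcast reaches ports 3 and 4 and the frame tagged on port 4 is delivered to the AP port; with per-port VLAN membership the broadcast goes only to the router port and the injected frame is dropped at ingress.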
 
holvoetn
Forum Guru
Posts: 6870
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Doubt regarding network configuration with VLAN in AP

Mon Nov 25, 2024 5:34 pm

Regarding unmanaged switch, especially when it does not handle VLAN tagged frames correctly:
one thing I have already done in the past to circumvent such an issue is using EOIP link between router and AP to virtually bypass unmanaged switch.
EOIP link is then used as trunk for VLAN traffic.
Of course, both router and AP should be able to use EOIP (if both are Tik, that's not a problem).

Might be an option to consider?

In the meantime I already replaced that switch by a properly managed switch. Ultimately it is the best option.
 
LdB
Member Candidate
Posts: 187
Joined: Thu May 20, 2021 4:23 pm

Re: Doubt regarding network configuration with VLAN in AP

Tue Nov 26, 2024 3:43 am

If you only need 5 ports then you might as well use a small tik as the switch because they are usually cheaper than a small vlan aware switch.
 
wiseroute
Member
Posts: 425
Joined: Sun Feb 05, 2023 11:06 am

Re: Doubt regarding network configuration with VLAN in AP

Tue Nov 26, 2024 6:40 am

@dwosky
I've checked and MikroTik has the hEX PoE router that seems to have the PoE+, but I don't know if I'm able to configure it like a switch, so it's able to also see the devices connected to the first router as well as internet access. Will this work or should I get a switch instead? Any other suggestion or recommendation?
a switch and a router - generally speaking, are the same devices except that a router has specific advanced features on routing, and limited on small numbers of ports.
while switch has more feature in switching, and has larger port numbers.

there's probably not much of price differences between both.

you can configure your limited port router to be a vlan switch as well - similar to that in switch.

or you can directly create vlan on your iot devices - if they support it. then connect to your unmanageable transparent switch - let the vlan router do the tag-untag communication.

good luck 👍🏻
 
mkx
Forum Guru
Posts: 13126
Joined: Thu Mar 03, 2016 10:23 pm

Re: Doubt regarding network configuration with VLAN in AP

Tue Nov 26, 2024 8:58 am

a switch and a router - generally speaking, are the same devices ...

While we're generally speaking, switch and router are very different devices. (Ethernet) Switch does ethernet frame forwarding between ethernet ports based on SRC and DST MAC addresses and FDB (Forwarding DataBase). And router does IP packet routing between IP interfaces based on SRC and DST IP addresses and IP routing table.

In reality many devices can do both ... some with help of software bridges (e.g. if it wasn't for software bridge, hEX refresh couldn't pass ethernet frames between ether1 and the rest of ether ports, it could only route between ether1 and the rest of ports). Not all SoHo devices support software bridges (hence designated WAN functionality which can't be moved to another port). And not all switches can do routing (think CSS devices).
 
wiseroute
Member
Posts: 425
Joined: Sun Feb 05, 2023 11:06 am

Re: Doubt regarding network configuration with VLAN in AP

Tue Nov 26, 2024 12:29 pm

@mkx,

can we route something without knowing where to go for the frame? and vice versa - can we forward a frame if there is different ip sa-da without router?

so, i guess basic functionality only limited by which part of the osi or tcp/ip stack we want a device operates.

as for the hex and css, hahaha... i guess mt starts doing products diversification and specialization as to differentiate a switch and router functionality. which i think all having the pros and cons. nevertheless - i like mt. 👍🏻
 
mkx
Forum Guru
Posts: 13126
Joined: Thu Mar 03, 2016 10:23 pm

Re: Doubt regarding network configuration with VLAN in AP

Tue Nov 26, 2024 1:49 pm

When doing L2 stuff, it's responsibility of device sending frame (can be originating host, can be router) to find out destination MAC address. And L2 entity (switch) then passes frame to correct port. If sender doesn't know destination MAC address, it can send it to broadcast MAC address. Both when destination MAC address is broadcast or if switch/bridge doesn't know exact port where destination is, it forwards frame via all ports (minus ingress port).

When doing L3 stuff, sender (and intermediate devices) need to determine how to deliver packet over L2 network. If destination IP address is within same network as sender is, then packet will be delivered directly (and sender looks up MAC address of final destination). If destination IP address is outside own network, then it has to consult routing table (whichever applies) and selects best next hop. Then it looks up MAC address of next hop and sends frame to next hop. More or less the same happens on router (it receives frame with own MAC address, looks at destination IP address and decides how to forward it toward final destination; in case egress interface is ethernet it also performs discovery of next hop MAC address).
If sender doesn't know destination IP address, then it may decide to send it to broadcast IP address or multicast IP address. These two are then directly mapped to broadcast MAC address.

So for sensible network operation it should always be possible to send data to correct MAC address and for that all devices have to properly support ARP protocol, without it modern local area networks simply die.
 
Jeremylm
just joined
Posts: 1
Joined: Sat Nov 30, 2024 12:55 pm

Re: Doubt regarding network configuration with VLAN in AP

Wed Dec 04, 2024 5:47 am

Hi, I just recently got a hEX PoE, I needed a router giving power with PoE to a switch in another room over a trunk link, and to an AP directly connected to the router. Well, I'm new in MikroTik's world, and I'm really loving RouterOS and the features included in it. But honestly I'm very disappointed in its capacities as a router. The documentation is full of "but" and "not on this switch chip".
So yeah for me it's more like a L3 switch, it might be what you need but don't expect high performance or enough PoE out.