You can get this to work with your hEX S. At home I am using an ER-X with two UAP-AC-LR and a Raspberry Pi "UniPi" running the UniFi controller. I also have a hEX S in my home lab, and for the application you have, it can do what the ER-X can do; both are based on the same underlying SoC (system on a chip), the MediaTek MT7621A.

2 WAPs, Unifi AC Lite, controlled by the Unifi controller running on the Raspberry.
I assume by "vlan 1" you mean that the trunk port from the router to the PoE switches carries vlan 1 untagged (what cisco would call the native vlan), and vlan 20 is tagged.
Are those PoE switches managed or just vlan-transparent?
The switches won't be a problem. I have the exact setup in the drawing working, but with a different router flashed with FreshTomato. The reason for getting the hEX S is so I can power it over PoE and free a power socket that I need for another device that will be introduced in the router cabinet soon, so I don't need to add a power strip in the router cabinet and can keep things tidy. I guess you could say that the reason for switching from the FreshTomato router (working setup) to the hEX S (anybody's guess if I can get this to work, not without outside help, that's for sure) is a combination of boredom, curiosity and a mild case of keeping-things-tidy OCD.

Are those PoE switches managed or just vlan-transparent? I ask because there are PoE switches that are not managed. If they are vlan-transparent but not managed, and the access points and the router are the only vlan-aware devices, using a trunk with native vlan will be a requirement.
# jan/02/1970 02:13:10 by RouterOS 7.6
# software id = 6QLC-S57X
#
# model = RB760iGS
# serial number = H**********
/interface bridge
add admin-mac=18:FD:74:79:02:93 auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether2 ] name=ether2-WAN
/interface vlan
add interface=ether2-WAN name=vlan6_ISP vlan-id=6
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether2-WAN name=pppoe-out1 use-peer-dns=yes user=********
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp1
add bridge=bridge comment=defconf ingress-filtering=no interface=ether1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface list member
add comment=defconf interface=bridge list=LAN
add interface=pppoe-out1 list=WAN
/interface ovpn-server server
set auth=sha1,md5
/ip dhcp-client
add disabled=yes interface=ether2-WAN
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat out-interface-list=WAN
/system identity
set name=RouterOS
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
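The "trunk with native vlan" layout discussed above (vlan 1 untagged for the APs' management, vlan 20 tagged for the second SSID) can be layered onto the exported default config. The following is an added example written for this thread, not code from the original posts or from MikroTik; it assumes ether3 and ether4 are the uplinks to the two PoE switches feeding the APs, that the remaining bridge ports are plain vlan 1 access ports, and that vlan 20 uses 192.168.20.0/24. Interface and rule names other than those in the export above are hypothetical.

```routeros
# Added example (not from the thread): VLAN 20 tagged + VLAN 1 untagged on the
# hEX S trunk ports, on top of the default config exported above.
# Assumed layout (hypothetical, adjust to the real one):
#   ether3 / ether4      = uplinks to the PoE switches that feed the UniFi APs
#   ether1, ether5, sfp1 = plain VLAN 1 access ports
#   VLAN 20 subnet       = 192.168.20.0/24 (VLAN 1 stays on 192.168.88.0/24)

# 1. Trunk ports: pvid=1 puts untagged frames into VLAN 1 (the "native VLAN"
#    the APs and switches expect); tagged VLAN 20 frames are admitted as well.
/interface bridge port
set [ find interface=ether3 ] pvid=1 frame-types=admit-all ingress-filtering=yes
set [ find interface=ether4 ] pvid=1 frame-types=admit-all ingress-filtering=yes
# Access ports: refuse tagged frames so a wired host cannot tag its own way into VLAN 20.
set [ find interface=ether1 ] pvid=1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
set [ find interface=ether5 ] pvid=1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
set [ find interface=sfp1 ] pvid=1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes

# 2. VLAN table: the bridge itself is a tagged member so the router gets an
#    L3 interface in VLAN 20. VLAN 1 needs no entry; it is derived from the pvids.
/interface bridge vlan
add bridge=bridge tagged=bridge,ether3,ether4 vlan-ids=20

# 3. Router-side interface, address and DHCP for VLAN 20
/interface vlan
add interface=bridge name=vlan20 vlan-id=20
/ip address
add address=192.168.20.1/24 interface=vlan20
/ip pool
add name=vlan20-dhcp ranges=192.168.20.10-192.168.20.254
/ip dhcp-server
add address-pool=vlan20-dhcp interface=vlan20 name=dhcp-vlan20
/ip dhcp-server network
add address=192.168.20.0/24 gateway=192.168.20.1 dns-server=192.168.20.1

# 4. Firewall. vlan20 is deliberately NOT added to the LAN interface list, so the
#    defconf "drop all not coming from LAN" rule, mac-server, mac-winbox and
#    neighbor discovery keep treating it as untrusted. Only DHCP and DNS to the
#    router are opened, inserted above that drop rule.
/ip firewall filter
add chain=input in-interface=vlan20 protocol=udp dst-port=67 action=accept comment="vlan20: DHCP to router" place-before=[ find comment="defconf: drop all not coming from LAN" ]
add chain=input in-interface=vlan20 protocol=udp dst-port=53 action=accept comment="vlan20: DNS to router" place-before=[ find comment="defconf: drop all not coming from LAN" ]
add chain=input in-interface=vlan20 protocol=tcp dst-port=53 action=accept comment="vlan20: DNS to router" place-before=[ find comment="defconf: drop all not coming from LAN" ]
# No new connections from VLAN 20 into VLAN 1. Reply traffic is already accepted
# by the defconf established/related rules that sit above this one, so appending
# at the end of the chain is enough.
add chain=forward in-interface=vlan20 out-interface=bridge connection-state=new action=drop comment="vlan20: isolate from LAN"

# 5. Enable filtering last, from a session that survives a mistake (serial
#    console, or Safe Mode in WinBox) since a wrong pvid cuts off the management path.
/interface bridge
set bridge vlan-filtering=yes
```

Checks after applying: `/interface bridge vlan print` should list vlan 20 with the bridge and both trunk ports as tagged members and vlan 1 as a dynamic entry; `/interface bridge host print` shows which VLAN each learned MAC sits in, so the APs should appear in vlan 1 and clients of the tagged SSID in vlan 20; `/ip firewall filter print` confirms the three vlan20 input accepts are above the defconf "drop all not coming from LAN" rule. On the UniFi side the APs keep untagged management and only the second SSID carries VLAN ID 20, which matches the "native vlan" assumption in the question above.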
I have several Netgear GS908E switches I got at the EOS selloff on Amazon (it's over, it was Jan 2020).

The only use I can think of for the other ports on the hEX S is that I could use ether1 for LAN (ground floor switch) and ether3 for LAN (switch on second floor), but I'm not sure about the switching bandwidth of the hEX S. Might be better to leave the switching to the Netgears.