
Need a multi-AP system that (primarily) works


Jure Erznožnik

Occasional Visitor
I am moving from a multi-router system to a centrally managed one. The main reason being that I need a guest network, that is properly isolated from my main home network. Second most-important is PoE due to space constraints where the APs are mounted.

My previous setup was composed of three Asus routers running Merlin firmware, connected by wire. I have bought a MikroTik router and access points about half a year ago to try and replace the Asus routers. I was SUPER HAPPY with MikroTik's RouterOS in terms of price, size and ease of configuration (text-based command line), but also super unhappy about how stuff worked. Basically, I'm now dumping MikroTik entirely because none of its WiFi stuff works half as expected. Wired works, with caveats (e.g. local DNS not working, each device needs to be named specifically in configuration), but WiFi just keeps breaking to the point where a simple Zoom session stutters and disconnects, even shortly after the access point reboot. I have semi-reliable operation only from mAP ax2, but it needs daily reboots.

Anyway, I have spent the holiday week for a bit of investigation, but can't seem to find something that would address my needs in full:
  • 270 m2 house (2x 135m2), armored concrete & bricks. Three routers have so far worked well here providing good coverage throughout the house.
  • I'm using PoE to power my access points (currently mAP lite)
  • I'm super happy that mAP lite is so small so that I can hide it in electrical wiring box without mounting on the wall (5x5x1 cm only) - though this is not a requirement
  • I'm also powering the main router with PoE (rewired eth1 on my hAP ax2 such that it is both PoE in and LAN out)
  • I need an isolated guest network
  • I need a main network where computers, printers, scanners and TVs will be found with broadcast queries
  • I need a separate SSID for air conditioning / heat pump, running on 2.4 GHz only. Ideally this SSID should be on the same VLAN as main network (if VLANs are necessary for guest network separation).
  • There are smart TVs connected to this network over WiFi, so it needs to fully support streaming video (I have made no special provisions for this on the MikroTik routers, it just needs to be able to handle the bandwidth)
  • Ideally I would also be able to block torrenting altogether.
  • I need a robust, working solution with at least a half-decent configuration, but solid operation. Daily reboots are acceptable to maintain the solid operation.
  • I would much prefer a known brand.
My weekly research turned up the following two options:

1. Ubiquiti
AP Unifi U6+ for access points
PoE router for microPoP applications (though I understand this one uses different configuration than the access points, so I'm not sure if I should use it at all)
Ubiquiti Networks ER-X Wired Router as an alternate router, but not sure about this one either.

2. TP-Link
TP-Link EAP650 AX3000 for access points
TP-LINK ER605 for router (though it's not PoE powered, so that's a minor minus)

I'm far from confident in either of these. Access points seem nice, but I can't seem to find the entire package that would give me what I need. There's not much leading to the best router that might be paired with the access points, so basically I found the routers by trying to match series (which didn't work at all for Ubiquiti).

I only mention the findings to show some research had been done. I'm in no way limiting myself to the above.

So, what should I get?
 
I use the Cisco 150ax Wi-Fi 6 wireless devices and they work well for me. They are Cisco small business APs so they require no special license. The last time I bought 1 it was $102. I run 3 of them.

I run them at home using a Cisco CBS350-8P POE+ switch using an APC battery backup, so they do not go offline. I use Pfsense for my router.

My system never goes down as it runs 24/7, only once maybe every 6 months for firmware updates for a reboot which takes minutes.
 
So basically, you have set up the network using a "third-party" router, then piggybacked the APs onto that? Any issues with VLAN IDs or something to that effect or does stuff just work like that?
 
Yes, kind of. I run Pfsense fed into my Cisco switch which supplies POE power to Cisco APs through the Ethernet cable from my switch. No problems, works well 24/7.
 
I've been using a Ubiquiti WiFi setup for the last couple of months, and been pretty happy with it. I have 3 U6-Enterprise APs (which is way overkill for the number of devices I have, but I wanted APs with wifi 6E for future-proofing reasons), and a Cloud Key Gen2 for controller. Switches are mostly Cisco (again overkill), router is Verizon FiOS, so the UniFi controller is only running the APs. I do have separate guest and IoT SSIDs, isolated from the main LAN via VLANs. Now the weak spot in this setup is that the Verizon router, while remarkably nice kit hardware-wise, has amazingly dumbed-down, non-featureful software. It doesn't have any VLAN support nor any reasonable way to isolate guest/IoT from the main LAN. And the UniFi APs are just APs, they do not offer any routing or packet-filtering ability. So I am using an EdgeRouter-X that I had leftover from a previous network design to terminate the guest/IoT VLANs at. The ER-X provides NAT mapping of the guest and IoT nets into the address space of the main LAN, and it has packet filter rules to ensure that the main LAN isn't reachable from guest/IoT; they can only go out to the wider internet. This means double NAT for guest/IoT, but I don't care too much about that. At some point I will probably replace the Verizon router and the ER-X with something better-integrated, but this setup is adequate for now.

With that context, some review thoughts:
* I really like the UniFi controller; it provides a decent set of configuration options and lots of control over the radio setup. As an example, many wifi options such as minimum data rate can be set per-SSID, whereas other gear I've used only allows per-radio configuration.
* AFAIK, the configuration choices work across the entire line of UniFi APs; the differences in APs are things like whether there's a 6GHz radio, the number of MIMO streams, etc.
* Sadly, Ubiquiti seem to be struggling right now to deal with the complexity of their ecosystem. If you follow their community forums (as you should do if you buy into UniFi) you will see tons and tons of reports of assorted bugs with specific configurations, particularly with older APs which they apparently don't test as much. I've not hit any non-cosmetic problems myself, but I'd recommend that you only consider their "Gen 6" APs and not anything older. (Note that the U6+ is Gen 5!)
* It's kind of the same dance ASUS users are all too familiar with on these forums: pick your firmware version carefully. But at least the information is out there publicly, and it's clear that UI's engineers are listening to complaints and trying to fix them, unlike the way things have been with ASUS for years. Also, there's a moderately well-run public beta test system (they call it Early Access), which you can sign up for if you like.
* As long as you're not running into any bugs, the system is completely solid. I've not seen any unscheduled reboots, my client devices don't drop connections, etc.
* Note that the EdgeRouter-X, like other "UISP" Ubiquiti hardware, is not part of the UniFi ecosystem and can't be managed by the UniFi controller. I have to configure it via its own local web GUI.
* While I like the ER-X, it's kind of trailing-edge hardware: it can't do anything more than very simple NAT and packet filtering at 1Gbps rates. I don't care about that for my use-case, since max performance doesn't seem needed for my IoT or guest VLANs and other traffic doesn't pass through the ER-X. It might matter to you though.
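
The isolation described in the post above (guest/IoT VLANs terminated on a second router whose uplink sits in the main LAN) depends on the order and scope of the packet-filter rules. The following is an added example, not code from the thread or from any vendor: a first-match rule model that audits new forwarded connections. All subnets and rule sets are constructed assumptions, and 203.0.113.10 stands in for an internet host.

```python
import ipaddress

# Constructed addressing (assumptions; the post gives no subnets).
MAIN_LAN = ipaddress.ip_network("192.168.1.0/24")   # also the second router's uplink side
VLANS = {"guest": ipaddress.ip_network("192.168.20.0/24"),
         "iot": ipaddress.ip_network("192.168.30.0/24")}

def first_match(rules, src, dst, default="drop"):
    """Return the action of the first rule whose src/dst networks contain the flow."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in rules:
        if s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net):
            return action
    return default

def audit(rules):
    """List isolation failures for new connections forwarded from each VLAN."""
    findings = []
    for name, net in VLANS.items():
        client = str(net[10])
        # Probe the first and last usable main-LAN addresses.
        for target in (MAIN_LAN[1], MAIN_LAN[-2]):
            if first_match(rules, client, str(target)) == "accept":
                findings.append(f"{name} can reach main LAN {target}")
        if first_match(rules, client, "203.0.113.10") != "accept":
            findings.append(f"{name} has no internet access")
    return findings

ANY = "0.0.0.0/0"
# Drop rule placed after a catch-all accept: never reached under first-match.
MISORDERED = [("accept", ANY, ANY), ("drop", ANY, "192.168.1.0/24")]
# Drop rule scoped to the guest VLAN only: IoT still reaches the main LAN.
GUEST_ONLY = [("drop", "192.168.20.0/24", "192.168.1.0/24"), ("accept", ANY, ANY)]
# Drop to the main LAN from any source, then allow the rest out to the internet.
ISOLATED = [("drop", ANY, "192.168.1.0/24"), ("accept", ANY, ANY)]

if __name__ == "__main__":
    for label, rules in [("misordered", MISORDERED), ("guest-only", GUEST_ONLY),
                         ("isolated", ISOLATED)]:
        print(label, audit(rules) or "OK")
```

The model covers only the forwarding decision for new connections; return traffic for established sessions and the NAT step itself are outside its scope.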
 
I have all my VLANs defined to my Cisco L3 switch. The switch handles all the local routing for VLANs. I don't use any VLANs in my Pfsense router. Pfsense only handles the internet firewall.

The GUI in the Cisco small business switches and wireless APs is pretty easy to follow for setup, even for complex setups like using layer 3 routing. The Cisco SMB APs do not require any outside controller as it is built in to the AP. They run as 1 virtual AP without using a separate controller.

I have been doing this for around 15 years.
 
Thanks for all the great replies, guys.

All of this info led me to think that I might as well get my network working by using solely the hAP ax2 units. The wireless performance is good and their only notable drawback is that they require a daily reboot to continue functioning. I also have two of them already and new units cost less than access points of the competition. Additionally, by using just those, I can also take advantage of MikroTik's CAPsMAN which should ease the configuration, assuming it works...

Man, home networking is harder than one would hope :p
 
Well, can't do much about the reboots. RouterOS went two minor versions forward since I initially set up the stuff, so hopefully they have fixed the issue with SSIDs freezing after a while. That would be very helpful. But the remaining advantages stand, especially the price and power of configuration of this setup. Remember, I already have half of what I need and getting hAP ax2 units costs me less than getting just the APs from Ubiquiti or TP-Link.

Not particularly happy about this, but it seems the sensible way to go? Alternatively I'm diving into a whole new ecosystem with a whole new set of problems I don't even know about yet. I've seen good stuff said about my two findings as well as bad stuff. Seems like daily reboots are taking the lesser risk.
 
My networking equipment either works 24/7 or I get rid of it. It is one of the reasons I run Cisco.
I could never use equipment I had to reboot. It is just wrong.

I got rid of a Synology NAS because it gave me a false failing reading on my hard drive. I decided the power supplies for Dell PCs were better built so I switched to a Dell PC for my NAS. I have SmartAPC battery backup so power was not an issue. So, any little thing can cause me to change hardware. Life is too short. Rebooting network equipment is a big one for me as it is not going to happen.
 
Yes, kind of. I run Pfsense fed into my Cisco switch which supplies POE power to Cisco APs through the Ethernet cable from my switch. No problems, works well 24/7.
I have a very similar setup, only I use EnGenius APs. If you want to manage your APs through a web interface, you’ll have to use the models with the “FIT” suffix. I don’t like having to use a phone app for setting up network equipment. I do believe that Ethernet backhauls for each AP is the way to go.
 
I am not much on using my iPhone either, so I use a Windows 11 PC. The Cisco 150ax APs have a GUI that allows access to all the APs rather than having to login to each AP. It is a global GUI for the Cisco 150ax APs.
It works the same with software updates. You update one AP and it updates all the others behind the scenes.
 
My networking equipment either works 24/7 or I get rid of it.

Yeah, I'm with that, not only for network gear but all computing gear. If it needs regular reboots just to keep working, it's junk that you should not trust. I have exactly no machines that get rebooted for anything except system software updates.
 
I'm a bit surprised that nobody has brought up the Omada stuff...


They've been doing a lot of work on that platform, and it's not that bad, to be honest...
 
I didn't find a suitable router to go with those APs, though. I would have preferred a single system to configure everything, not just the APs. That's why I was asking the question here.
 
I didn't find a suitable router to go with those APs, though.

There is a new Omada router ER707-M2 with 2x 2.5GbE ports and 4x Gigabit ports.

 
I took a look at this pfsense. They look like a mini PC. Seems to me, they are defined by software, not a particular brand of router? Not sure if I dare go this way? Is there a site explaining basic operation of this?
 
I consider firewall, routing, switching and wireless separate functions. Sometimes some of them will be combined but mostly not. When I think of building networks, I think of them as separate parts.
If you combine all of the above, then there will be limitations, not something I would be interested in.

I can't help you with learning. I have been doing networking too long, over 40 years.
 