JensM
Occasional Visitor
I've moved to a new apartment. Unfortunately I have to change some bits of my network setup and I want to improve the network (in regards of isolation / vlans and VPN) at the same time. For that I'm still looking for a wifi solution that fits my needs. I read a lot in forums and blogs about routing in general but advanced wifi stuff is beyond my knowledge.
At the moment I own an Asus AC66U which runs Merlin (John's fork), with several SSIDs and VLANs as well as one OpenVPN server. Unfortunately I also have to use a modem/router combo from my ISP, so I'm double NAT, but since I don't use a lot of port forwards this is not an issue for me.
Overview of the current setup
Internet (200 Mbit currently, planned to upgrade to gigabit) -> cable modem/router -NAT-> Asus RT-AC66U -NAT-> internal network
Internal network:
VLAN 1: 192.168.1.X private network with internet access
VLAN 15: 192.168.211.X network for stuff from my workplace
WAN port: connected to ISP router
LAN ports: 1+2 = VLAN 1, 3+4 = VLAN 15
SSIDs:
- private -> VLAN 1
- work -> VLAN 15
- guest -> isolated (Asus standard guest functionality) but still in VLAN 1, could be improved by creating another VLAN
OpenVPN server for my mobile devices (smartphone and tablet with always-on VPN) that connect from inside the network as well as from the internet to the OpenVPN server to gain internet access. They don't need internal network resources, just internet. The VPN is so that I can use other wifis on the go (even unencrypted ones) without exposing any traffic.
Improvement plan and actual apartment wifi coverage issue
Infrastructure / router improvement
I want to increase the number of VLANs (IoT, smart TVs, etc.) with more SSIDs and also do some experiments with WireGuard instead of OpenVPN. To improve my networking ambitions I want to go with pfSense or OPNsense and ordered a board with 4 NICs for it. Let's say OPNsense for the next lines to improve readability.
My OPNsense box will not have wifi, so I also need new access points (or maybe reuse the Asus for that).
The coverage issue in my new apartment
My Asus router, or most likely any modern AP, will be able to cover the whole apartment when it is placed centrally. But the ISP connection is at the end of the apartment, and the signal is then too low in many parts of the apartment. I also can't use cables and want to avoid using powerline. I also don't need a lot of wifi performance and have never experienced problems with low bandwidth on wifi. I also used a repeater in the past without having problems regarding performance, so I really don't need multiple wired APs with high throughput or something like that. Wifi should be available everywhere, but not super high speed and not for hundreds of devices.
Trying to find a solution
If I only had one wifi SSID and LAN for everything, I would use the existing / deprecated Asus router as AP in the room with the ISP connection and just buy a cheap repeater, connect it via wifi to my Asus, and let the repeater cover the main area from the apartment center.
I don't know what those repeaters are able to do. Are there repeaters or APs that can connect to one wifi and open multiple SSIDs with VLANs and somehow VLAN-tag the traffic they send to my Asus router/AP in the other room?
Since I don't need NAT acceleration anymore on the Asus, it would be possible to switch to OpenWrt or Tomato instead of Merlin.
Idea of a solution - Variant 1
It would look like:
ISP Router -> OPNsense box -> AP1 (broadcasting 1 SSID) -> AP2 (broadcasting all the needed networks)
AP1 or AP2 would maybe be the Asus and the other a new one.
Do you have any idea of an alternative where I can make use of my existing Asus device, or some other cheap solution that will fit my requirements for the moment?
Idea of a solution - Variant 2
Alternatively I would also be ready to invest some money in new APs, but if I do, it should be somehow ready for the future. So I would prefer having mesh functionality, so that when I move into a bigger apartment or house, I could extend it. But from what I read, those mesh APs require at least one AP to be connected with a wire. So I think I need at least two, one near my router and one central in my apartment.
Like this:
ISP Router -> OPNsense box --wire-> Mesh AP1 --wireless-> Mesh AP2.
But I'm totally lost in research about all those vendors of APs and their marketing. I don't understand if those mesh wifis automatically host multiple SSIDs and tag VLANs, or if I need special devices and configurations for that. Do you have any recommendations for semi-professional APs that allow my use cases without having to buy very expensive enterprise devices? I also don't need captive portals and fancy multi-device central management or firmware update solutions.
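As an added illustration that is not part of the original post: this is how the SSID-to-VLAN mapping described in the setup overview would look on an access point running OpenWrt (which the post mentions as an option for the Asus), including the dedicated guest VLAN the post says would be an improvement. Assumptions: OpenWrt 21.02 or later with DSA bridge VLANs, radio0 as the wireless radio, eth0 as the trunk port towards the router carrying VLAN 1 untagged and VLAN 20 tagged, VLAN 20 as a constructed number for the guest network, and placeholder keys; VLAN 15 for the work SSID follows exactly the same pattern.

```uci
# /etc/config/network (trunk port eth0 faces the router; VLAN 1 untagged, others tagged)
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'

# VLAN 1: private network, untagged on the trunk (matches the existing 192.168.1.x LAN)
config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'eth0:u*'

# VLAN 20 (constructed number): dedicated guest VLAN instead of guest isolation inside VLAN 1
config bridge-vlan
	option device 'br-lan'
	option vlan '20'
	list ports 'eth0:t'

# The AP only needs an address in VLAN 1 for management; everything else is pure layer 2
config interface 'lan'
	option device 'br-lan.1'
	option proto 'static'
	option ipaddr '192.168.1.2'
	option netmask '255.255.255.0'
	option gateway '192.168.1.1'

config interface 'guest'
	option device 'br-lan.20'
	option proto 'none'

# /etc/config/wireless: one wifi-iface per SSID, each attached to its VLAN interface
config wifi-iface 'ap_private'
	option device 'radio0'
	option mode 'ap'
	option network 'lan'
	option ssid 'private'
	option encryption 'psk2'
	option key 'CHANGE-ME-private'

config wifi-iface 'ap_guest'
	option device 'radio0'
	option mode 'ap'
	option network 'guest'
	option ssid 'guest'
	option encryption 'psk2'
	option key 'CHANGE-ME-guest'
	# client-to-client isolation within the guest SSID
	option isolate '1'
```

The router side (OPNsense in the post's plan) owns DHCP and firewall rules for each VLAN, so guest clients only reach the internet if the router's rules for VLAN 20 say so; the AP itself routes nothing.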