Ecosystem - guidance please

SSri

Regular Contributor
Dear all,

I am returning after more than 4 years. A lot struck me - good and bad - before the Pandemic played a hard ball on all of us. Long story short, happy to be in a "not too bad" moment! :)

I am sorry as the post will be repetitive (my old post and a lot of similar ones) and I cannot restrict it to one area.

Current State:
  • Virgin 350 down / 20 up - business grade. Stuck with ISP router with wifi turned off.
  • Had Pfsense on a used system. One of my close friends hijacked it. I did not replace it for a variety of reasons not relevant anymore.
  • CAT 6 (in wall) all over the house (excluding integral garage).
  • Cisco SG300-52 switch
  • 2 UAP AC pro - PoE adaptors and connected via switch. Working very well indeed 4.5 years. Touch wood!
  • Just reconfigured the 2 UAP AC pro. Created a guest wifi on 2.4 GHz and Wifi exclusively for home and office use on 5GHz. Using the iPad app to configure the UAPs. I did not bother to use my windows desktop to set up the UniFi controller.
  • Both the APs are on two separate channels.
Planned
  • A doorbell camera and 2 cameras (Backgarden and rear door)
  • A wireless mesh for the back garden as the speed is just a 5th to 10th of the download speeds.
  • Add at least 1 or 2 more wireless APs to cover the following: the master bedroom (signal is ok -61 dB), perhaps the living room (~60-64 dB) and garage (similar signals, but this will be a problem as we did not lay CAT6 here). I think a proper placement of mesh for the back garden may also cover the living room and master bed as both are on top of each other adjacent to the back garden. Otherwise, the plan is to install an AP just outside the master bedroom.
  • Upgrade LED lightings to smart switch all over the house
  • Want to use the IPAD or Apple 4KTV (planned) as a Home Kit.
  • Install a back garden smart light or a smart switch with LEDs.
  • Router - same ecosystem or ideally PfSense or Untangled or IPFire. I am thinking of something like Ryzen 3 3300x, 8/16 GB Ram (for IDS/IPS). Does Ryzen work please?
  • Do I require a cloud key (UniFi)?
I would appreciate some guidance from experts here. I know @Trip is the forum wiki on these matters. If I go the Unifi way, it would make sense to get their ecosystem. I do like their Unifi ranges for cameras, APs, smart lights. Are there any views on these ranges please?

But, I am not convinced about their cloud key 2 plus (after reading a few negative views). I am also not sure, if I should buy their UDM Pro, given my leanings towards the DIY route.

I have not set myself a budget as I want to go one step at a time but want to be aware of what I am going to get into in terms of the planned work.

Thanks for your reading and help!

Cheers!
 
Welcome back @SSri

A couple initial thoughts regarding your planned changes and requirements. First, if you're focused more on throughput from the garden versus just some additional range, I'd try and run a wired AP; mesh uplink may not improve download speeds as much as you may expect. Second, for your gateway solution, I'd probably stick with x86 and a *nix distro. The UniFi choices are a bit of a mess right now (UDM/UDMP still flaky; UXG under-developed; USG/USGP old and underpowered).

Since it appears you want to do a fair amount of edge compute, you might consider a single hyper-converged, many-core box with 2+ NIC cards (Supermicro chassis or similar), running something like Proxmox, then virtualizing both your firewall and UniFi controller. If that's a bit more cost/heat/power than you're thinking, then just do lower-power, cheaper boxes for each role -- a Qotom unit with Intel NICs for firewall, plus a Raspberry Pi or CloudKey Gen2 for the UniFi controller.

Hope that helps. Any questions, feel free.
 
Thank you @Trip. I appreciate your time and helpful comments.

I will address the second point before taking the first!

for your gateway solution, I'd probably stick with x86 and a *nix distro. The UniFi choices are a bit of a mess right now (UDM/UDMP still flaky; UXG under-developed; USG/USGP old and underpowered).

I definitely like the DIY route for the router/firewall. Although it is a little complicated, once it is configured and set, it can run smoothly until the hardware packs. The UniFi issues are a shame and are a no-go for us.

if you're focused more on throughput from the garden versus just some additional range, I'd try and run a wired AP; mesh uplink may not improve download speeds as much as you may expect.

Although we can live with the range inside the house, where we get 50% of our 350 Mbps bandwidth, where we have weaker signals, identification of weaker spots inside the house can help us add 1 or 2 APs inside the house to ensure a full coverage.

As far as the garden is concerned, thanks for your heads-up on the mesh. I believe the Flex HD can be mounted on the external wall? If this is not possible, it can also act like a table top AP in the living room overseeing the garden (solid wall, windows and a French door), which will hopefully provide enough coverage in the garden. We have not run Ethernet on the living room ceiling, but have run a handful (with an easy access) behind the wall-to-wall bookshelf.

UniFi Flex HD AP

If external wall mounting is not possible, the alternatives can be U6 LR or Nano HD - internal only.

Since it appears you want to do a fair amount of edge compute, you might consider a single hyper-converged, many-core box with 2+ NIC cards (Supermicro chassis or similar), running something like Proxmox, then virtualizing both your firewall and UniFi controller. If that's a bit more cost/heat/power than you're thinking, then just do lower-power, cheaper boxes for each role -- a Qotom unit with Intel NICs for firewall, plus a Raspberry Pi or CloudKey Gen2 for the UniFi controller.

Wow. I was wondering if you are going to suggest this. :). I am setting out thoughts and concerns here below.
  • Considering the issues with UniFi and if a single hyper-box, should we stop investing in additional UniFi APs and look at Cisco's or used Ruckus please? The 2 UAP AC Pros are doing a great job. We are looking at 2 to 3 APs including one for the garden coverage. So, a single controller for all the APs through the key or via RP will be good. I have not heard any stability issues with their APs, have you?
  • I always thought running a router/firewall as a standalone piece rather than inside the hyper-box is the best and safe practice. I know, you would not have suggested it otherwise.
  • With a single hyper machine, we can deploy a NAS server certainly, a home media server (if required), home lab, etc.
  • Would you then advise using this for monitoring the security cameras please? We prefer Apple Home Kit for all these purposes - security camera, smart lights / smart switch, etc. This will be very convenient for my wife and family. Otherwise, they won't bother using them. I do not know how good and stable the UniFi camera ranges are.
  • We have an ADT monitored security kit (except security camera).
  • For the server, what do you think of something like this please? Used server (24 X 7 power hungry cost inefficient) or a couple of them is a compelling proposition or better still (if new) Ryzen 7 3700X at £250.00. Perhaps, start with one to run 2-3 virtualisations and get another machine going forward. T
I wonder if this thread should move to LAN/WAN or NAS. Alternatively, I will open a new thread, once I resolve the current high-level pointers.

Thanks again Trip!
 
Very welcome @SSri. I'll address your follow-up questions below:

Regarding placing a FlexHD outside, as long as it's under a roof overhang/eave, I don't think it would be too much of an issue. Make no mistake, though; it isn't waterproof or really IP-rated, so if there's any concern about the elements, I would probably avoid, and instead do something more like a UAP-AC-M or UAP-AC-M-PRO, both of which are a bit more weather-sealed.

As for whether or not to continue investing in UniFi, I think it just comes down to limiting scope creep into areas where it's not really that great (ie. everything other than switching and wifi). Stick with APs and switches, and you'll probably be fine. Other areas, though, are probably best handled by other gear at this point.

Considering the multiple home components relying on your network, it may make the most sense to use discrete hardware for your router/firewall and wifi controller, for reliability's sake. You can then standup a separate "lab" box on which to run all other items that sit on the network, but don't provide the network.

As for how applicable newer AMD stuff is, it certainly is nice for regular desktop/server use, but depending on what distros and/or hardware you're looking to run for your network stack, the Intel equivalent may still be the better choice when it comes to assurance of driver/platform support, especially for certain hypervisors and/or network card drivers. Make sure you do your due diligence there, and confirm not just "yes, it's supported", but that there's a track record of proven stability for all of the components.

Hope those thoughts help.
 
Thank you @Trip! Your advice and help are greatly appreciated.

Yes, we agree that a separate firewall is a better and a safer outcome for our use cases at home. We haven’t run an ethernet for the external AP. But, it should not be a challenge as we can easily run one from the attic. The UAP AP M and Pro are good recommendations. Thank you again.

We will definitely look at non-UniFi options for the security cameras, run the UniFi controller through Raspberry Pi and connect it directly with the ethernet adapter (static IP). We are not really convinced about the stability of the cloud key Gen2, which is a challenge.
You can then standup a separate "lab" box on which to run all other items that sit on the network, but don't provide the network.
Sure. I think you meant the lab server will be connected to the LAN (intranet) but will not have an internet connection. This further means any security patches / updates for the server will have to be manually managed, is it not?

One question though! How does one scan for signal strengths on iPad, if I do not have access to a laptop to carry it around the house please? The netspot for ios requires WiPry 2500x, though.

In summary, I will advise you by PM or here how I got on with the firewall, APs, etc.



Cheers!
 
I think you meant the lab server will be connected to the LAN (intranet) but will not have an internet connection.
No, I was referring to providing dedicated, discrete hardware for items that are key to your network's ability to run (ex: router/firewall), versus running less-crucial items (whose uptime/downtime doesn't impact the availability of your network at large) virtualized on a hyper-converged or lab box (ex: NAS, possibly the wifi controller, etc.).

On the iPad, I would download a free wifi signal analyzer app, of which there are many.
 
No, I was referring to providing dedicated, discrete hardware for items that are key to your network's ability to run (ex: router/firewall), versus running less-crucial items (whose uptime/downtime doesn't impact the availability of your network at large) virtualized on a hyper-converged or lab box (ex: NAS, possibly the wifi controller, etc.).

On the iPad, I would download a free wifi signal analyzer app, of which there are many.
Understood. Thanks @Trip.

I think I misunderstood the below

separate "lab" box on which to run all other items that sit on the network, but don't provide the network.

and hence my earlier comment

you meant the lab server will be connected to the LAN (intranet) but will not have an internet connection.

:)

On the iPad, I would download a free wifi signal analyzer app, of which there are many.

Thank you for the recommendations and also taking time out to provide helpful comments and suggestions. Have a good weekend Trip!
 
Very welcome @SSri. Best of luck with the build-out. Do keep us updated of your progress and/or further questions.
 
