Help me streamline


NinjaTortuga

Occasional Visitor
Howdy all,

Been reading here on and off for years and greatly appreciate all the excellent info available. I have been running the Merlin firmware on my devices since my original 68u; however, I don't feel like I'm using my devices to their potential. What I'm about to share is perfectly functional, but I'd like to streamline the design. Surely I'll forget some info needed for proper suggestions, but here we go.

All Asus devices have been updated this week to current release firmware 386.2_6
Netgear firmware was updated to current firmware upon installation but it's been a while.
The ac68u's are 2 different revisions, one with a dual-core 1GHz and one 1.4GHz
The Ubiquiti AP is an older 10\100 device and I have no control\admin privileges.

My location is the primary concern and ideally I'd like to isolate myself from the foreign devices that I have no control over. I've read about and even set up a triple router configuration a few years ago, but I decided running all the equipment was overkill. I believe it's possible to trim energy use and heat production by running everything from the AC-86u with some sort of policy-based routing, but I'm not quite savvy enough to set it up (that I know of).
I don't have any actual network in my place. No NAS or PC streaming to TV just some standard smart bulbs and thermostat if this makes any difference.
Also there is no interest in any mesh wifi or repeaters. All 3 buildings have unique SSIDs. However, it wouldn't be a bad thing if the main house and shop were the same, allowing phones to connect automatically (lowest priority). Only thing I may be interested in buying in the future would be an Rt-ax86u.

Being that I don't have control over an estimated half of the devices and that I'm on file with the ISP, security and privacy are the top concerns.

Any assistance would be greatly appreciated!
 

Attachments: Diag 1.jpg (network diagram)
This "House - Not Me" part may eventually see all your unencrypted traffic. Looks like you're borrowing Internet from someone else.
You perhaps need only AC86U in Back House and one AC68U in the Shop:
Not Me --> AC86U AiMesh Router (Main SSID, VPN Client, Guest SSID) --> AC68U AiMesh Node wired (Main SSID, Guest SSID)
Sharing Internet with someone else through their router remains a concern, unless all your traffic goes through VPN tunnel.
 
First of all, my apologies if I posted in the wrong place. I just figured that I’m running the firmware and I’d probably get the best info here.

I kind of see what you’re saying and appreciate the feedback. It may be better to tell you what I’m looking for rather than to correct what I have.

For the record, I’m not borrowing internet from anyone. Maybe I misinterpreted, but I just want to be clear. I am sharing my connection with a friend that lives on the same property because they had horrible DSL when I moved in. Said person isn’t tech savvy, so I’d rather not have them, their guests, or their IoT devices have access to my core network.

The rt-ac86u is the best device I have available; I want it to control the following:

Building A
ISP -> cable modem -> ac-86u:
VPN client -> multiple devices wired, static IP policy rules
Unique SSID -> Same vpn devices when websites block VPN
Unique guest SSID -> Iot devices


Building B
Ubiquiti AP wired to building A
Unique SSID
Various mobile devices + IoT devices
Not able to see unencrypted traffic of building A or C


Building C
Netgear wireless router used only as AP. Wired to building A
Unique SSID
Various mobile devices + IoT devices
Not able to see unencrypted traffic of building A or B


What I'd like to accomplish is something like the “triple router y config” in the document below. Is it possible with less hardware these days? I’d like similar results, and I’d rather run less hardware due to space\energy\heat.

https://forums.tomshardware.com/threads/the-ultimate-modem-router-setup-thread.1303081/
 
Before we continue:
- Is the ISP provided equipment a modem only or modem/router and do you have control/access to it?
- If two of the buildings are all your devices (A and C), why do you want unique SSIDs and isolated clients?
 
This is likely a good exercise in network topography/architecture: the link is 10y old and doesn't mention IPv6 though - that opens things up considerably.
AX86 is better suited as a main router, so if you're willing to buy one, go and do that - you could replace the Ubiquiti with the AC86.
It's possible to use the AX/AC86 to subnet the downstream routers/their traffic, and guide everything that needs to be through VPN.
 
if you're willing to buy one, go and do that

I believe the goal here is to use already available equipment. If we are talking about the right way, a new modern VLAN-capable component system is the better approach, with no home router involvement. It will cost >$1000 for a proper firewall, switch and access points.
 
Before we continue:
- Is the ISP provided equipment a modem only or modem/router and do you have control/access to it?
- If two of the buildings are all your devices (A and C), why do you want unique SSIDs and isolated clients?
The cable modem is my own SB6141 and I do have access.

I always assumed that unique SSIDs would guarantee the traffic stays where it belongs and would be the easiest way to accomplish that. I don't want unknown users on my network just because they roamed closer to my AP. The property is fairly large, maybe just over an acre. There isn't much frequency\channel interference. You can consider building C in the text example a business and treat the traffic like it's public but password protected.

You are correct that the goal is to use current hardware. If and when I decide to buy the AX-86u, I'd like to be able to insert it as the master router for building A, providing my devices with a WiFi 6 connection. That being said, I do enjoy learning and would research other hardware should some be recommended at some point, but I really want to get the current stuff set up as best as possible.
 
Keep in mind the following:
- If buildings B/C have own double-NATed routers behind your main AC86U, they have access to your devices in building A
- Guest Networks on Asus routers in Access Point mode don't provide separation from the main network
- Separate SSIDs may have different passwords, but devices connected may have access to each other, depending on configuration
Let me think a bit, I'll draw something for you.
 
It's not very high-tech, but it does what you asked for with the equipment you have:

Code:
ISP --> Modem --> AC68U Router Only, Wi-Fi Disabled, wired
                        |                    |                    |
                    AC86U-A              WNDR3700-B            AC68U-C
                  /    |    \             /      \             /     \
              SSID1   VPN   GN1        SSID2    GN2        SSID3    GN3

- Building A gets own SSID1, VPN SSID, Guest Network for IoT (your place, Asuswrt-Merlin + VPN + YazFi)
- Building B gets own SSID2 and Guest Network for IoT (your friend, the slower N router, no need for UniFi AP)
- Building C gets own SSID3 and Guest Network for IoT (the shop, Asuswrt or Asuswrt-Merlin, your choice)

All 3 networks have no access to each other. You can make changes, depending on what devices are wired/wireless. Make sure you run the Wi-Fi on different channels to avoid unnecessary interference. The issue I see is you have no access between A-C, all devices in your control.
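The isolation argument in the two posts above (routers in router mode behind the AC86U can reach building A, the router-only AC68U design cannot, guest SSIDs isolate only in router mode) can be checked with a small reachability model. This is an added example, not code from the thread; segment names are constructed, and it assumes every router does NAT with no port forwards.

```python
# Added example: reachability across the double-NAT layouts discussed above.
# Each Segment is one IP network; the link from a Segment to its parent is a
# NAT router's LAN -> WAN hop. Outbound connections (child -> parent) pass,
# inbound (parent -> child) are dropped because no port forwards are assumed.
# "isolated" marks an Asus Guest Network in router mode, which blocks its
# clients from hosts on that router's main LAN but still lets them go upstream.
from dataclasses import dataclass
from typing import Optional


@dataclass(eq=False)
class Segment:
    name: str
    parent: Optional["Segment"] = None  # upstream network, None = Internet side
    isolated: bool = False              # guest network in router mode


def can_initiate(src: Segment, dst: Segment) -> bool:
    """True if a host on src can open a connection to a host on dst."""
    if src is dst:
        return True  # same segment, e.g. a guest SSID on a router in AP mode
    seg = src
    while seg.parent is not None:
        if seg.parent is dst:
            # guest SSID in router mode is firewalled from its own main LAN
            return not seg.isolated
        seg = seg.parent
    return False  # dst is not upstream: a NAT hop would be crossed inbound


def original_layout():
    """Caveat from the thread: a Netgear in router mode right behind the AC86U."""
    modem = Segment("modem")
    a_lan = Segment("A-LAN (AC86U)", modem)
    b_lan = Segment("B-LAN (WNDR3700 router mode)", a_lan)
    return a_lan, b_lan


def proposed_layout():
    """The diagram above: router-only AC68U upstream of three NAT routers."""
    core = Segment("core (AC68U, routers only)", Segment("modem"))
    a_lan = Segment("A-LAN", core)
    a_guest = Segment("A-Guest IoT", a_lan, isolated=True)
    b_lan = Segment("B-LAN", core)
    c_lan = Segment("C-LAN", core)
    return core, a_lan, a_guest, b_lan, c_lan
```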
 
Actually, this Netgear WNDR3700 is a Gigabit router. All buildings can have 2.4GHz N and 5GHz AC networks, if you switch the main router to Netgear and use the AC68U for Building B. Your friend will be happier with faster Wi-Fi connection. If you want more information about your network, like traffic stats to each network, keep the AC68U as main router. Traffic Analyzer in Asuswrt.
 
I’ll have to look into YazFi. A quick glimpse of the add-on page here on SNB tells me it will allow a SSID for VPN with its proper DNS settings and a regular SSID with standard DNS too. I think I interpreted it correctly at least. Are there more reasons that apply to me for using it?

I know the ac-86u is best for the VPN client. Am I wrong about it being the best as the master router also (wired to modem)?

If the Netgear was the device directly connected to the modem, would its slower CPU be of any concern? I’m thinking not because it’s more of a passthrough and the only prerequisite here are the gigabit ports. Would that be correct? I prefer the traffic stats so it’s unlikely Netgear will be inserted here just curious really.

If an ax-86u gets added to building A and the ac-86u is moved directly behind the modem would finally enabling AI protection engine be a good idea? At this location is it possible for QoS to work properly? Am I thinking about this too much?

On another note, can you provide an example of the “proper” recommended hardware switch and firewall for a VLAN component system preferably with a GUI. Isn’t this what the Ubiquiti product lineup is good for?

Thank you for the feedback I’ve played this out in my head many times but can never settle on the best course of action.
 
I’ll have to look into YazFi.

Yes, YazFi can create a Guest Network, going through VPN Client connection, in case you need that.

Am I wrong about it being the best as the master router also (wired to modem)?

Use it behind another router to separate its network. Otherwise routers connected to it will have access to your devices.

If the Netgear was the device directly connected to the modem, would its slower CPU be of any concern?

I don't know how fast your ISP is, but all home routers use hardware acceleration for close to Gigabit wired speeds. You may have to test it and find out what it is capable of. There are many versions of this router (V1-V5), all using different CPUs and running different firmware. For more traffic info AC68U is the better choice indeed. Asuswrt Traffic Analyzer will see 3 clients only - the attached routers. You can run AiProtection and Adaptive QoS there for the entire network. All VPN traffic will be invisible for AiProtection though.
 
On another note, can you provide an example of the “proper” recommended hardware

A good price/performance example in the Small Business segment is TP-Link Omada. You need a network controller like Omada OC200, a JetStream switch with PoE like TL-SG2008P with Omada SDN support, access points like EAP245V3 (3x3 N, 3x3 AC, PoE) and a router/firewall. The matching routers from TP-Link are SafeStream TL-R605 (ER605), TL-ER7206 etc. with Omada SDN support (easy setup, almost like home routers), but you can use any other router/firewall with native VLAN support, like an x86 appliance running Untangle/pfSense (hard for beginners, an entire OS). You can see what the Omada software looks like here:


This is a far more advanced system compared to home routers. The advantages are central network management, flexibility, scalability, stability, high throughput, better roaming, true multi-WAN, VLAN support, etc. The disadvantages are higher price and the networking knowledge required to set up.

I don't know how @Trip writes his recommendations with multiple different options. This is perhaps my longest post ever on SNB. Look for @Trip's posts around, if you are interested in more serious equipment. He is going to laugh at my diagram in post #9, for sure.
 
Again, my apologies if this is starting down a path not relevant to Asuswrt-Merlin anymore but I think it’s better to keep it all in one place.

FWIW my connection is 150\10 and your diagram was perfect.

For now, I’m definitely going to get YazFi going and get working on the other changes.

I’ve been looking at pfSense on and off for some time now and think maybe it’s time to seriously consider purchasing a x86 box or maybe the Netgate 2100. I’ve looked at some tutorial videos and believe I’m capable of tackling the project.

I built out the Omada system pretty much as described except for using one of the ax APs. The pricing was very reasonable starting with just 1 ax AP. A video review of the AP shows an atrociously large design though, compared to the Unifi APs' much cleaner design. Functionally though it looks good. There does seem to be some recent security concerns surrounding the Unifi environment and I imagine similar possibilities for the Omada stuff considering that it’s extremely similar to Unifi. Anyhow I digress…

From my perspective it doesn’t look like my modem\gateway area is going to have any fewer devices no matter what I do. This is a slight bummer considering the equipment isn’t tucked away in a closet somewhere out of sight, but not the end of the world I suppose.

Is it more trouble than it’s worth to just run pfSense, router, and a switch all of my choice? I should be able to get the info\logs from the separate LANs through pfSense right? I’m sure Unifi or Omada makes all the updating easier so maybe better to compromise... pfSense with Omada controller and switch?

Currently my ac86u provides enough horsepower to max out my connection as a VPN client. I’m afraid if I don’t spend more money than the Netgate 2100, my VPN speeds will take a hit or be capped by this particular unit. Same for the Omada firewall (even slower?). The specs on both devices rate IPsec VPN throughput. I believe OpenVPN would be slower, so it seems that the ac86u would still be involved for my place.

Decisions…
 
With 150/10 ISP the routers you already have will do the job. There is always something better, but if you can't use the extra performance it offers, the update is more waste of money than real benefit. I use different gear according to specific requirements. In my house - firewall, switch and access points. In my apartment - one home router. In my office places - all the same setup for easy support. There is no best recommended setup or brand.
 
Well that doesn't help! :p

I hear you though. I wanted a project because I'm bored. I was hoping to sell some of the equipment and other crap to pay for upgrades. 150\10 is the slowest I've been in years. I cut back the connection during COVID furlough time for budget reasons and haven't upgraded again. Cable gigabit is max now around me, but I don't know if I'll actually upgrade again. Multi-device 4k streaming works perfectly fine @ 150. I do want a Wi-Fi 6 AP though, so if I'm going to spend the money it seems better to reconfigure it right rather than just paying $250 for the ax-86u.
 
Appreciate the assistance, Tech9. I went ahead and made the changes. Now I'm having a little difficulty applying the proper YazFi settings, so I posted over there.
 
Folks will definitely help you with YazFi settings. I can't, I don't use Asus routers. I only have some around for testing purposes.
 
I do have one last question if you will. I believe this is considered a double NAT configuration from reading elsewhere (correct me if I'm wrong).

The master router is set to Cloudflare DNS with DoT enabled. The router behind it has its WAN DNS settings pointing to the main router. Is this proper, or should I just leave the master set to auto DNS and use the custom DNS settings on the secondary devices?
 
The way you want it. You can leave the master on Auto, use your preferred DNS on your routers, let your friend use his preferred service on his router. If everyone is happy with Cloudflare and DoT, you can use it as global network setting, even enforced with DNSFilter on main router, if you like.
 