Home LAN equipment advice needed

[3Greens]

Hi, thanks in advance for your advice and guidance!

I am in the process of setting up IT equipment in my home and having researched the subject, find myself going around in circles and in need of some advice of what networking equipment I actually need. Hopefully someone here will be able to lend a hand/their opinion.

The general requirements/background info:

• 2500sqft house over 4 floors with reasonably thick walls
• The house has cat5e cabling throughout
• Internet access is via 100MB fiber
• The network needs to accommodate simultaneous streaming on multiple devices. I work from home and require a stable connection to my work network (which should be simple given the fiber connection!)
• Multiple smart-home/IoT devices will be connected and accessible within and outside the LAN: e.g. Nest Cameras, doorbell, Zigbee hubs & lighting throughout, alarm, thermostat - I will set up HomeAssistant on a RaspberryPi 4 to manage these devices
• For security, I would like to segregate IoT devices on their own LAN or VLAN (they will connect both via WiFi and Ethernet). If the set up has VLAN support, I would also want to set up a guest wifi network.
• When accessing the network from outside the home, e.g. to set thermostat, I would prefer to do this via VPN rather than port forwarding to various devices - I'm not against setting up a VPN server on the RPi or having this integrated in the router.
• As the house has Cat5e cabling, I will use this to connect some bandwidth hungry devices (Apple TV, etc.). It also makes sense to use this for wifi extenders/APs or Mesh router nodes if I go down that route.

Given all of the above, I think i need the following:

• Basic ethernet switch
• Router which supports VLAN (at least to some basic extent)
• router with VPN server capability (ideally and for convenience)
• Extendable wifi or mesh system supporting ethernet backhaul
• I would prefer local config rather than systems which force you to use cloud hosted services.

Based on all of the above, I have looked at the following:

• Google Nest Wifi - i liked the simplicity and supposedly good performance. I was ultimately put off by lack of more advanced features, inability to connect nodes via ethernet and the need to use google's cloud service for all config.
• Linksys Velop - again i liked the simplicity and reasonable feature set. I backed away from this as the "guest wifi" only represents very basic VLAN support which can't make use of ethernet connections, anecdotally wifi performance is so-so for the price. Again put off by the need to configure via cloud service
• Netgear Orbi - very impressed but given the high price tag, the focus seems to be on strong wifi and not a rich feature set (e.g. vlans and VPN).

My current front runner is the Netgear Orbi Pro as it provides all of the above features but i do have some reservations:

• This is obviously a business router and i appreciate much of the functionality is probably overkill for home use
• I like that it supports 4 VLANs for home users, IoT devices, guests and admin
• I think documentation could be better - I'm still struggling to determine if the VLANs include devices connected via ethernet and if the nodes support ethernet backhaul
• I like that it has a built in VPN server
• It's very expensive to use as a domestic router.

At this point, I feel like there must be a better/cheaper option, even if it means using additional devices and while the Orbi Pro probably would do a great job, I can achieve all of the above very comfortably using consumer grade equipment. I appreciate that within all of this, there is going to be a degree of over-kill/tinkering value which I do fully accept and and am happy to tone up/down as makes sense!

I do wonder also whether, given the cat5 cabling, it makes more sense to go down a more traditional router -> switch -> AP model... but I guess this would require an expensive managed switch for VLAN support...

Thank you for reading this far and any advice is very much appreciated.

 

[degrub]

Have you looked at the threads here with Tripp's responses for similar setups ?
We use small business grade equipment for stability and configuration options.
i use CISCO RV series router and APs. There are others - Omada for example.
i would plan on up to gigabit ISP service since you already have fiber. Should only affect the choice of router.

You absolutely want to use the wired back haul for the APs. You can use a level 2 or 3 (better, but either can work) managed switch to run the local network. POE powered APs are a good choice as these can be powered by the switch ports or with injectors at any point between the switch and the AP.

Any additional applications that you want to run in the router will affect the capability required beyond simple routing and vlans. The VPN service may be run there, but can be off of a VPN server on the lan, possibly in a NAS. If you have time to learn, pfsense or others can handle firewall duties in a small low power x86 cpu box and do much more than a typical consumer router and some SMB grade routers.

 

[3Greens]

Thanks for the response. Yes I have seen some of Tripp’s responses on similar threads and it makes a lot of sense. I guess there is an element of tinkering value in this but beyond that my only concern is that it ultimately needs to work and not leach too much of my time (I have 3 kids for that).

looking along these lines, it feels like the above sort of setup with equipment from someone like Ubiquiti provides the scalability/firepower but also in a reasonably intuitive/user friendly box. That said I haven’t actually seen their interface...

my current thinking if going along those lines is
Modem->Router->switch->2 or 3 APs and other wired devices.

in that setup I guess the router can be fairly simple but the switch would need some firepower.

i do take your point about running everything off pfsense etc and while I think I would have done this a few years ago, it’s probably more trouble than I want for now.

 

[L&LD]

Gentlemen, it is @Trip, not Tripp (which I pronounce 'trippy'). With the appropriate 'Sir', 'Mr.', or other prefixes as appropriate, beforehand.

Now that his proper name is mentioned, he may show up with additional information for @3Greens.

 

[3Greens]

My apologies and to Mr Trip!

thanks again for the advice so far... having done some more research. I feel like the following would work quite well without being overly complicated:

router:

Ubiquiti ER-10X EdgeRouter 10-Port Gigabit Broadband Router w/ 1 x Passive PoE Port

www.broadbandbuyer.com

On checking, i actually don't need more than 10 Ethernet ports so could even get away without a switch (for now)

and just pair with some access points, e.g,:

Ubiquiti UAP-AC-LITE UniFi GEN2 WiFi 5 PoE Access Point, Three Pack (1.2Gbps AC)

www.broadbandbuyer.com

Unless I'm missing something, that set up would give me ample support for setting up VLANs from the router and VPN, adding additional access points if needed (albeit would require a switch) and all using commercial grade equipment.

I haven't seen the ubiquiti UI but from what I've read i get the impression, it will let me configure all components as a single entity and potentailly is reasonably idiot proof...

Thoughts?

 

[Trip]

@3Greens - Welcome to SNB.

With Cat5e wired across all four floors, the battle for a solid network is 60% won right there. I would skip right over consumer gear, including any mesh systems (even Eero, which is the best of them) and go straight to SMB/community-grade, discrete components. Properly configured, you'll have a network that runs more like an appliance and less like a toy, and you won't need to touch the gear again, save for config changes.

Before going any further, where are you located (country/locality) and do you have a budget for this? No sense in recommending gear that's out of reach too costly in total.

Happy New Year!

 

[3Greens]

Thanks Trip. I’m in London. Budget obviously would prefer not to break the bank but had hoped to do for around £300 or less. Certainly under 500.
for what it’s worth, I don’t need more than 9 devices connected via Ethernet.

the UniFi gear looks interesting if a little complicated. I guess in their case the controller + gateway replaced what consumers would refer to as the router?

 

[Trip]

Got it, thanks. In your case, I'd run a combo of the following (under £500 total):

• Routing/Firewall - Netgate SG-1100 (£143, Amica Networks in Southampton)
• Switching - Ubiquiti UniFi US-8-60W (£120, Amazon)
• Wireless - At least two: UniFi UAP-AC-LR's (£90 ea, Amazon), perhaps three UAP-AC-LITE's (£70 ea, Amazon), or possibly UAP-AC-IW in-wall units (£90 ea, Amazon)
• UniFi Controller - Free, installed on your Raspberry Pi 4

Why pfSense, not an EdgeRouter or USG for gateway? Because EdgeRouter/UniFi gateway/WAN feature set and friendliness is severely lacking compared to pfSense, which exposes basically all features and configuration in GUI, including OpenVPN server setup, plus functionality can be extended with packages and documentation is much more complete. The SG-1100, while diminutive, would be plenty-powerful enough for 100Mb of fiber (not for a 1Gig future upgrade, though; you'd want an SG-3100 for that, at minimum).

Combining pfSense with UniFi would give you the best of both worlds: the rock-solid reliability, feature-richness and GUI-based configuration of pfSense with the easy LAN and WLAN control and configuration of UniFi. It would be two control planes versus one, and setup will be a bit nuanced, including getting VLANs mapped properly between pfSense and UniFi, plus the OpenVPN server setup on pfSense, but provided you can take your time building out the config offline (then dropping it into place when ready), it should be doable without too much fuss.

Re- AP setup, if you went with the AC-LR's, you might put one on the first floor and one on the third floor, ideally ceiling-mounted (if you had to hide up-wall patch cords from wall outlets, you could use some cheap surface-mount raceway) or hide the cable behind a book shelf and place the AP on top, top-side down. Depending on how dense the walls are, and/or location of your wifi clients, three AC-LITE's may work better -- more, lower-power radios versus fewer high-power, for potentially more returnable signal, plus more total capacity. You might also consider the in-wall model here or there, or exclusively if wall port install is just cleaner or more appealing, but wifi range is meant more for a single room, so coverage would be even less than an AC-LITE, and you'd have to engineer your layout accordingly. Ultimately, you'd have to be the judge on the amount and form-factor of APs.

Setup - You'd wire the SG-1100 to your fiber ONT, one of the non-PoE ports of the US-8-60W to the SG-1100, then plug your Cat5e runs into the US-8-60W (either via patch panel, or directly), then patch in your APs and endpoint devices to the wall jacks. I'd setup pfSense before you setup UniFi, so you have a default gateway and local DNS active first.

So there you go. Any questions, feel free.

 

[3Greens]

Thanks Trip. I need to digest fully. I’m not too clear where pfsense lives. Does it ship with the router or does it go on the RPi (along with unifi and Hass)?

 

[Trip]

Very welcome. No problem. pfSense is the router (and firewall).

For a nice intro and basic primer on the actual interface and what pfSense can do, see this YouTube video from Lawrence Systems.

 

[L&LD]

pfSense baseline guide with VPN, Guest and VLAN support (nguvu.org)

Getting Started With pfSense Software

 

[3Greens]

Thanks again for the advice, blown away with the detail and generosity in offering up advice. Hopefully I can pass on the favour.

I’m going to research the above properly and clearly need to decide how best to move ahead.

thinking aloud, I like the idea of combining the 2 systems to maximise functionality. However, a part of me thinks that if I can keep the whole system to unifi or pfsense to provide the required functionality then why complicate things by having both?

Trip, if you don’t mind I’m going to drop you a private message with some further questions.

 

[Trip]

@3Greens - Sure thing, PM at your convenience.

I can understand the impetus to want to keep the overall stack inside of a single ecosystem. That said, pfSense is only built to be a discrete firewall/gateway/router/switch. It does not offer wireless. So, for a single-vendor stack, there are predominantly two choices: UniFi or Cisco Small Business (TP-Link is there, too, but their wired routers are not very good, so I'd pass on them).

For UniFi, you could run a USG gateway (£99) in place of the SG-1100, then all the same UniFi gear for switching and wifi. Or, run a UniFi Dream Machine (£320), plus the same UniFi switch and perhaps one less AP (the UDM would max out your budget, but wouldn't have to rely on your RPi for controller functionality, and you'd be gigabit-internet ready as well). Do keep in mind, though, that a VPN setup with UniFi, might not be as simple as hoped. I believe IPSec/L2TP is doable from the GUI, but OpenVPN is definitely not, and like I said, would required a fair amount of command-line-based workarounds.

Alternatively, there is Cisco Small-Business, which would give you everything you need in point-and-click form, albeit inside the Cisco "walled garden", so you'd be subject to their licensing and use of proprietary items for certain things like VPN (using Cisco AnyConnect), instead of being able to use more open-standards based options (OpenVPN, etc.). If that's OK, then you'd want an RV340 router/firewall (£162), SG250-08HP (£147) switch and two or three CBW140AC APs (£88 each). With CBW wifi, the controller is embedded into the AP firmware, so no discrete install or appliance is required.

So those are your "single-vendor stack" options.

 

[L&LD]

@Trip, being the curious type, could you 'sanitize' the responses you give in the private message and share with the rest here? Thank you (either way).

 

[3Greens]

As said I like the idea of building around a Ubiquity Dream Machine but it doesn’t make sense to have the wireless AP next to the modem and I don’t think I could make it work at a more sensible location using Ethernet cabling throughout the house...

regarding the unifi setup I don’t quite understand the relationship between controller and USG (in fact it looks like the USG has a controller integrated?). From what I can see anyway, I think I understand that all components store their config locally and the controller acts to host the UI and push settings to different components.

Trip, as you pointed out it does look like the VPN functionality in unifi is lacking. From a quick google it looks like OVPN can be installed on the USG via CLI which seems to behave like a Linux box (maybe it is?!). I think I need to understand pfsense better now and determine whether it’s going to be more of a headache to add that to the mix or the CLI setup of OVPN...

...or I could just buy that Linksys Velop

 

[3Greens]

Thanks again for all the advice. I've settled on an all Unifi system due to:

• 1 vs 2 interfaces to learn
• Seems to have all of the functionality I need
• Can be done without costs going crazy (ish)

I've prepared a rough diagram for what I'm hoping to achieve:

The things I'm not totally clear on:

• The relationship between different SSIDs and VLANs - originally I thought these were 1:1 but i now get the impression they're independent and it's a case of slaving the right SSID to the right VLAN where the intention is to segregate traffic
• The relationship between different LANs. In the above example, the position/purpose of the IoT VLAN and Guest VLAN (just accessible via wifi) are clear. What's less clear is if the rest of the network needs to sit on another "catch all" VLAN or whether the actual LAN still sits as an entity above all of this.
• Where the VPN should be pointed. Again, my understanding is I could point the VPN just at the IoT VLAN for maximum security in which case connecting to the VPN just provides access to that IoT VLAN (which is the desired setup). I'm less clear on how it might be possible to give the VPN user visibility of the entire network - perhaps by connecting to the LAN vs VLAN?

There are a few other logistic niggles but I think those are just for me to work out myself and more to do with the smart home elements. e.g.:

• Should apple devices - Homepods, Apple TV - connect to the LAN or VLAN? VLAN makes it more straight forward to use siri, e.g. to control hue lights, but with HASS in the loop, this is less of an issue - perhaps the easier option here is to open these devices up to access via the internet, bypassing the need for the VPN.

Finally, while I can see UniFi does have some L2P VPN support, I understand from Trip's reply that the functionality is much less sophisticated than if using OVPN. I'm not too clear on what the specific limitation is - perhaps just a slightly less secure connection and I wonder if I can make allowances for this by adding in other security options (e.g. mac address whitelisting). I could use some advice here.


Trip (and others!), I can't make a setup with a dream machine make sense due to the layout of the house but given all of the above, would your shopping list remain the same or would you recommend any other equipment? The diagram above represents all wired devices.
In this case, I would also opt to host the controller (if needed at all as i wasn't clear whether it was integrated into the router/USG) on an ubiquiti device as I'd rather reserve the RPi just for HASS.

 

[Cheoah]

Hi @3Greens, did you implement this? Or another?

cheers-

 

[3Greens]

Not yet as the house renovation has been delayed.

I haven’t bought the kit yet but I’m fairly sure I will get a unifi setup with:

-USG modem/firewall
-POE switch
-Controller
-Inwall wifi APs (only because my Ethernet jacks are already at floor level and I don’t want to have to refinish walls to move to ceiling level).

 

[3Greens]

Just an update - I will be setting up all of the above this weekend.
Partly because i couldn't get a cloud key controller for now and partly to economise...

...I will have a Raspberry Pi 4 running Home Assistant connected to the network. I've just seen that Home Assistant has a fairly good "plug and play" integration with Unifi controller.

Does anyone see anything problematic with having the two applications running on the same device? Two considerations which occur to me:

1. As Home Assistant will be to control mutliple IoT devices, my intention was it would sit on a VLAN with those devices (maybe I'm wrong in thinking it should be set up this way?). Will it be problematic to have Unifi controller on a VLAN? Will this restrict its view of the entire network as I guess it would?
2. I will set up the RPi4 to run everything from a SSD instead of the standard SD Card to improve performance and reliability.

 

[3Greens]

Since some have asked, this is now up and running and delivering solid performance.
I think I will need another AP but that’s easily solved.

For some reason I can’t understand, I got an 8 port switch (despite clearly knowing as above that I needed at least 10!).

can anyone tell me if I would degrade performance by getting a second 8 port switch and daisy chaining them as opposed to getting a single 16 port switch. Strong argument against 16 port switch is it won’t fit in my 10in data cabinet