Large Family Home - Router / Multiple WAPs Whole System Needed

Jonnie Cache

Occasional Visitor
I am a big techie, but I am overwhelmed by the countless options that are available on the market for a nice, cohesive, system for my home that incorporates a capable router with multiple wired APs. I need some advice as to options that might be suitable for our needs...

Environment:
  • ~5200 Sq Ft 2-Story Home
  • COAX Cable entry point is in basement storage room
  • Ethernet patch panel so router does not have to necessarily be in the storage room
  • CAT 6 wired to many rooms in the house
Current Equipment:
  • 1 Apple Airport Extreme as Router - Currently in storage room
  • 4 Apple Airport Extremes as WAPs - All tied to one wireless SSID
  • Netgear GS748Tv5 Smart Switch
  • Synology 1817+ NAS - 4 Ports Bonded
  • Arris SB8200 - Just getting upgraded to Gigabit Internet with Mediacom Cable
Devices:
  • iPhones, iPads, MacBook Pros, AppleTV
  • XBOX One
  • 3 Nests and 10 Nest Protects
  • Smart TVs
  • Connected Blu-ray Players
  • Sonos
  • Printer
  • I'm sure there are others, but I can't think of any right now
The setup works only "okay". I am frustrated by the lack of flexibility in the Apple configuration Airport Utility. I went with this setup originally because we are generally very Apple-centric (no haters, please). But, the performance is not what I would like in terms of throughput. I have had several battles with the Airports where they stop working together and I have to rebuild the wireless network from scratch by resetting each one individually and then adding them one-by-one.

Desired Features:
  1. Fast, fast, fast - The Router and Access Points need to be performant both in terms of the WiFi and their Ethernet throughput. It does me no good to have Gigabit Internet if the router is a bottleneck.
  2. The router itself does not have to have WiFi.
  3. I don't want a "Mesh" system in that all APs will be almost certainly wired. (See also #1)
  4. Configurable - I like to configure DHCP to my liking as well as make reservations for certain devices like the printer and NAS.
  5. Firewall - I need to be able to control the firewall and forward necessary ports for the XBOX and NAS, for example.
  6. Parental controls - I would really like to find a system that will support parental controls. My kids spend too much time on their devices and stay up too late. I really worry about this. I want to be able to effectively shut down the Internet for their devices at a certain time of day and also perhaps limit the total time they spend on the Internet each day.
  7. Security and reliability - I do not want to sacrifice security and reliability for any of the above features. To me, the network must be secure first and foremost. It must be reliable so that I am not having to mess with it all the time.
  8. Ideally, I want everything to work together seamlessly. I think it would be beneficial if all APs and the router could be considered from the same app, but that is not a deal breaker if there are multiple vendors involved.
  9. I'm very tech savvy, but I don't want to have to learn to be a network engineer in order to set up and maintain the equipment. That said, I would place all of these other desired features over simplicity and ease-of-use.
  10. Guest WiFi is also important.
I know only enough to be dangerous about networking and the threats that can be posed. I was looking at some "security routers" like the Norton Core, for example. It's a nice selling proposition, but I can't imagine that the devices can perform well in terms of routing wired traffic. Maybe I'm wrong.

I'm completely open to suggestions. Cost is not the concern here.

Thank you in advance for any assistance!

Jonnie
 
WiFi - Ubiquiti...you have wired back-haul and are tech savvy...easy...UniFi product line will meet those needs easily.

Firewall - Well...that isn't so cut and dry. You have a lot of requirements that may not be easy to fulfill. I know very little about the UniFi firewalls...so no idea if they have any of the parental controls you are after. I personally run a pfSense Firewall for some of the very reasons you called out...performant, secure, configurable, and secure. I do not have any parental controls enabled...my kid is only 3 so I have a few more years before that is an issue I must address. But I do run an AV proxy on there as well as have firewall rules specific to individual PCs to restrict their outbound Internet.

You may be able to enforce the WiFi controls in UniFi...or maybe in the firewall. Depends on how you want to actually approach it and support it. So many options.
 
Ubiquiti APs, router are a possibility
Static IPs for all house devices by MAC address
Use VLANs to separate devices
Simple firewall rules will control access times, block access to all except guest network

Beyond that you can look at threat management boxes available by subscription for filtering, various levels of packet inspection, malware detection, antivirus, etc. May or may not be worth it to you. Definitely can slow down traffic if hardware is not up to it. And don't believe the published throughput numbers.
 
I also agree with Ubiquiti APs. Since you are tech savvy you may want to look at Untangle for your firewall. It can do all you want and more. The catch is that it costs $50 a year. Did not know if you want an ongoing charge.
 
Thank you all for your replies so far. I have looked at the Ubiquiti APs and it definitely seems like a great way to go! Thanks! That was a brand that I was not aware of.

As for the router/firewall, @MichaelCG is right. It isn't cut and dry. Ubiquiti router fits the bill when it comes to performance, but it is a little too complicated to configure on an ongoing basis. Yes, I understand services and rules, but I was hoping to find something a little easier to set up and maintain. I also don't want to mess with subnets or VLANs if I can avoid it, @degrub. A lot of our devices are wireless so it would be a challenge to set all those up, configure Static IPs, etc. Would prefer some sort of setup that can auto-detect the various devices and allow me to easily configure rules based on MAC.

I'll have to dig in a bit on pfSense, @MichaelCG. I've not heard of them. I see that they offer appliances and BYO. I'll also check out Untangle, @abailey. I'm not at all opposed to paying a monthly or yearly subscription for the security updates.

I have thought about using my Synology NAS as a router/firewall. It has that capability built-in, I believe. It just worries me having it connected directly to the modem. Anyone have any experience doing that? (A little off-topic, I understand.)

Thanks!
 
Unlikely you will find much that will auto-detect and apply rules based on MAC....at least in the consumer space. If you find it...I will be interested to know/learn more about it. My guess is you will either need to have a specific SSID for the kids that shuts down at a specific time of day. Or mess with DHCP reservations and apply FW rules to those specific IPs.

Do NOT use your NAS as the router....let it be a NAS and utility box which is what it was designed for.

pfSense and OPNsense are from the same code base with similar features, although they may have different add-on packages available. I know at one time Sophos had a somewhat decent fancy pants home router software package available...not sure if that is still around or not. It has been a few years since I looked.
 
You just assign static IP addresses based on MAC in the router DHCP server and block when mismatched for the device MAC. Then use a VLAN assigned to that subnet range to segregate and control access periods. You don't have to set the static address in the device. All unknown MAC addresses go to the Guest VLAN with whatever access to other devices on your LAN that you want to allow.
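
The policy described in this reply, modelled as a decision function. This is an added example, not the poster's configuration or any vendor's rule syntax; the MAC addresses, IPs, VLAN IDs and curfew hours are constructed assumptions.

```python
from datetime import time

# Constructed sample values (assumptions, not from the thread).
HOME_VLAN, KIDS_VLAN, GUEST_VLAN = 10, 20, 30

# DHCP reservations: MAC -> (reserved IP, VLAN for that subnet range).
RESERVATIONS = {
    "aa:bb:cc:00:00:01": ("192.168.10.5", HOME_VLAN),   # NAS
    "aa:bb:cc:00:00:02": ("192.168.20.11", KIDS_VLAN),  # kid's tablet
}

# Per-VLAN internet block window (start, end); end earlier than start
# means the window runs past midnight.
CURFEW = {KIDS_VLAN: (time(21, 0), time(6, 30))}


def in_window(now, start, end):
    """True if now is in [start, end), including windows that wrap midnight."""
    if start <= end:
        return start <= now < end
    return now >= start or now < end


def decide(mac, src_ip, now):
    """Return (vlan, action) for traffic headed to the internet."""
    entry = RESERVATIONS.get(mac.lower())
    if entry is None:
        # Unknown MAC: placed on the guest VLAN, internet only.
        return GUEST_VLAN, "allow"
    reserved_ip, vlan = entry
    if src_ip != reserved_ip:
        # Known MAC using an address other than its reservation: block.
        return vlan, "block"
    window = CURFEW.get(vlan)
    if window and in_window(now, *window):
        return vlan, "block"
    return vlan, "allow"
```

Because the lookup key is the MAC, a device that presents a different MAC (for example with per-network private Wi-Fi addresses enabled) is treated as unknown and gets the guest policy, so the guest VLAN needs its own time limits if the curfew is meant to hold.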
 
There are many ways to limit time on the internet. In Untangle it has a list of all attached devices. You can filter on things like MAC, IP, Host Name, or even a common name you give the device. For example, if your son is named Tom, you can have his devices named things like Tom ipad, Tom iphone, etc. Then you can tell the rules to filter all Tom* names for whatever, like time limits. It works with one VLAN or even across VLANs. For example I have a visitor SSID for wireless and a VLAN to keep that traffic away from my home traffic. Even if my kids try to attach to the visitor SSID to avoid the time filter, the Untangle firewall will recognize their device and apply the correct filters. To be honest, though, there is a learning curve simply because of the amount of things Untangle can do.

For an Untangle demo go here: http://demo.untangle.com/admin/index.do
 
If your AirPort Extreme units are the latest generation units (802.11ac), they are as fast or faster than almost anything you’ll find out there. It sounds like you’ve created a wireless extended network which is likely to be the source of your problems. Reconfigure them to be stand-alone access points (except for the one acting as a router) with wired connections to your network and a common SSID instead. That may be all you need to do.

Don’t ignore “mesh” because you think it’s only relevant with wireless interconnections. Most mesh products work great with wired connections.

Ubiquiti UniFi gets a lot of love here but there are lots of products that can solve your problem. Personally, I started with AirPort, went to eero, and now use Plume. All with wired connections and all delivered similar results. The differences are little things like management and features. I like Plume the best so far but it’s not like the others were bad. They were just different.
 
> If your AirPort Extreme units are the latest generation units (802.11ac), they are as fast or faster than almost anything you’ll find out there. It sounds like you’ve created a wireless extended network which is likely to be the source of your problems. Reconfigure them to be stand-alone access points (except for the one acting as a router) with wired connections to your network and a common SSID instead. That may be all you need to do.
>
> Don’t ignore “mesh” because you think it’s only relevant with wireless interconnections. Most mesh products work great with wired connections.
>
> Ubiquiti UniFi gets a lot of love here but there are lots of products that can solve your problem. Personally, I started with AirPort, went to eero, and now use Plume. All with wired connections and all delivered similar results. The differences are little things like management and features. I like Plume the best so far but it’s not like the others were bad. They were just different.

Thanks! I don’t think there is a way to run the Airports as APs AND have a guest network, is there? I know I didn’t put that in my requirements above (will edit), but that is important to have also.

I’ll check out Plume also. Haven’t heard of that one!
 
> There are many ways to limit time on the internet. In Untangle it has a list of all attached devices. You can filter on things like MAC, IP, Host Name, or even a common name you give the device. For example, if your son is named Tom, you can have his devices named things like Tom ipad, Tom iphone, etc. Then you can tell the rules to filter all Tom* names for whatever, like time limits. It works with one VLAN or even across VLANs. For example I have a visitor SSID for wireless and a VLAN to keep that traffic away from my home traffic. Even if my kids try to attach to the visitor SSID to avoid the time filter, the Untangle firewall will recognize their device and apply the correct filters. To be honest, though, there is a learning curve simply because of the amount of things Untangle can do.
>
> For an Untangle demo go here: http://demo.untangle.com/admin/index.do

This sounds like a very interesting approach. I have realized as I’m researching and learning that there is no practical way to avoid a VLAN to set up a guest WiFi network. So, I’m researching that a bit more.
 
> This sounds like a very interesting approach. I have realized as I’m researching and learning that there is no practical way to avoid a VLAN to set up a guest WiFi network. So, I’m researching that a bit more.

Ubiquiti APs are able to do a guest network without a separate VLAN.
 
> Ubiquiti UniFi gets a lot of love here but there are lots of products that can solve your problem.
Truth.

> Ubiquiti APs are able to do a guest network without a separate VLAN.
This I did not know? I need to go read up on this some more. My Guest VLAN just drops to the ISP modem/router outside my FW. But I have a managed switch so using VLAN isolation was easy.
 
> Truth.
>
> This I did not know? I need to go read up on this some more. My Guest VLAN just drops to the ISP modem/router outside my FW. But I have a managed switch so using VLAN isolation was easy.

What are some other brands I should consider other than Ubiquiti? I DO get the sense that there is strong support for Ubiquiti here... :)
 
There is also the TP-Link EAP245, a bit cheaper than the Ubiquiti AP-PRO (both are 1 750 Mbit/s, 450+1300 Mbps).
 
If you really want speed for the router, I suggest MikroTik. For the same hardware MikroTik is faster and comes with cool stuff. pfSense is also a good router too for speed but much better with features, though it requires you to provide your own hardware. Ubiquiti does not have speed when you use QoS. For MikroTik, speed depends on the hardware you use (don't look at the speed charts as they aren't relevant).

MIPS based platforms will do 300Mb/s software, RB3011 will do 500Mb/s software, RB1102AHx2 will do 1Gb/s software NAT. So this means that with QoS you will still have good speeds. They can do selective hardware acceleration too.

For WiFi, plenty of choices that many have suggested.
 
> If your AirPort Extreme units are the latest generation units (802.11ac), they are as fast or faster than almost anything you’ll find out there. It sounds like you’ve created a wireless extended network which is likely to be the source of your problems. Reconfigure them to be stand-alone access points (except for the one acting as a router) with wired connections to your network and a common SSID instead. That may be all you need to do.
>
> Don’t ignore “mesh” because you think it’s only relevant with wireless interconnections. Most mesh products work great with wired connections.
>
> Ubiquiti UniFi gets a lot of love here but there are lots of products that can solve your problem. Personally, I started with AirPort, went to eero, and now use Plume. All with wired connections and all delivered similar results. The differences are little things like management and features. I like Plume the best so far but it’s not like the others were bad. They were just different.

I think Mesh or an Orbi type unit is the answer for him, but as for the AirPort Extreme, it's from the same gen as the R7000/AC68U (similar hardware) but worse in performance and range, not better. I replaced an Apple AE recently for a family friend who had range issues, with an R7800. Difference at one floor above/below the router was night and day.
 
> I think Mesh or Orbi is the answer for him, but as for the AirPort Extreme, it's from the same gen as the R7000/AC68U (similar hardware) but worse in performance and range, not better.

Does Orbi support wired backhaul? Everything I've read so far says that it doesn't support it yet.
 
Yes, you seem to be right, I just checked; it's supposedly in the works according to a Netgear moderator (wired option), but I wouldn't hold my breath. As for mesh, Asus also released "Lyra"; take a look at that too. Asus does have a good reputation for updates.

Since you have a central Ethernet panel, can't you just use one AE as a router and the rest as wired APs, as someone mentioned above? Will save you a ton of money over replacing them.
 