Please critique this home network plan

Dan-H

Regular Contributor
Hopefully a picture is worth a thousand words.

I just ordered a pair of TM-AC1900 (RT-AC68U) routers, and I'm planning the house rewiring to add ethernet, and had a few questions.



[Attached diagram: Network-20161116.jpg]


Does this look like a good layout?

A question. Are the home runs from each bedroom downstairs to the first floor switch worth it, or should I just connect them to the GigE ports on the second router setup as an access point?

Second, is there a reasonable use for an RT N66U in the picture?

Would it make sense to use the N66U for the slow devices, set it up with a SID just for the 2.4Ghz slowskis? or is it just another thing that isn't really needed.

Note the diagram is missing several "wifi things" like sprinkler controllers and some remotes etc. These are slow 2.4 GHz Wireless G.

Thanks and if you have any comments I appreciate it.

edit: PS. they will be reset to Asus firmware then upgraded to Merlin.
 

Rest seems ok, but getting T-Mobile sponsored routers can and probably will cause more effort than the off-the-shelf stuff...

I set one up for a friend and it works well. Once it is changed over to Asus firmware I could not tell the difference, well except for the pink logo on the front.

The price was about half of the best price I've seen for an AC68U
 
Hopefully a picture is worth a thousand words.

I just ordered a pair of TM-AC1900 (RT-AC68U) routers, and I'm planning the house rewiring to add ethernet, and had a few questions.



[Attached diagram: Network-20161116.jpg]


Does this look like a good layout?

A question. Are the home runs from each bedroom downstairs to the first floor switch worth it, or should I just connect them to the GigE ports on the second router setup as an access point?

Second, is there a reasonable use for an RT N66U in the picture?

Would it make sense to use the N66U for the slow devices, set it up with a SID just for the 2.4Ghz slowskis? or is it just another thing that isn't really needed.

Note the diagram is missing several "wifi things" like sprinkler controllers and some remotes etc. These are slow 2.4 GHz Wireless G.

Thanks and if you have any comments I appreciate it.

edit: PS. they will be reset to Asus firmware then upgraded to Merlin.


I would use the GigE ports on the router to avoid extra cable runs if it will be difficult or costly to run them now, you are reasonably confident that you won't need/want to make major changes in your LAN that having the runs would facilitate and if your crystal ball tells you that sometime in the future you will have needs and applications that would saturate a single GigE run. But once you start down that slope you can convince yourself to run fiber.

If the N66 can be situated somewhere that your IoT can receive a decent signal then I would set it up for G devices and consider double NATing it in front of your primary router to protect your primary network from the weak security many IoT devices have. Even if you double NAT behind your primary network and run the IoT on a guest network on the N66 you will gain some security.
 
I would use the GigE ports on the router to avoid extra cable runs if it will be difficult or costly to run them now, you are reasonably confident that you won't need/want to make major changes in your LAN that having the runs would facilitate and if your crystal ball tells you that sometime in the future you will have needs and applications that would saturate a single GigE run. But once you start down that slope you can convince yourself to run fiber.

Thanks. I'll think this through a little more.

If the N66 can be situated somewhere that your IoT can receive a decent signal then I would set it up for G devices and consider double NATing it in front of your primary router to protect your primary network from the weak security many IoT devices have. Even if you double NAT behind your primary network and run the IoT on a guest network on the N66 you will gain some security.

I'm not sure I understand the double NATing. If this puts the N66 between the cable modem and the primary router, will that affect performance? or is the extra hop negligible? Will this affect VPN traffic adversely? I occasionally VPN inbound, and remotely connect to a workstation.

The approach I was thinking about ( maybe this isn't a good idea ) is to setup the N66 as another AP on a separate SID and use this for the slow 2.4Ghz devices. Right now all the IoT are on guest Wifi, for the main router. I'm not sure how guest networks are handled through APs.

Anyway, the routers arrived, and have been flashed to latest merlin but are not yet in service. Hopefully in the next day or two I'll get the main router updated to the AC and can start experimenting with what the AP's can and cannot do.

If there is any suggested reading please point me in the right direction.
 
I set one up for a friend and it works well. Once it is changed over to Asus firmware I could not tell the difference, well except for the pink logo on the front.

The price was about half of the best price I've seen for an AC68U

Yeah - there's some ethics issues here as T-Mobile does intend for those TM-AC1900's to be used with their service... to do so otherwise, well, it's a bit fraudulent, however, this seems to be the current ethos of the country these days - grab 'em by the pussy, and still get elected...

But that's just me being me...
 
I guess I don't read it that TM expects these to be used with their service if they are selling them to both T-Mobile and non-T-Mobile customers.

Perhaps we agree to disagree and move on.

TMAC1900.jpg
 
Perhaps we agree to disagree and move on.

I'll agree to disagree...

Remember, when it blows up, the only guarantee there is that you get to keep all the pieces...

FWIW - it also supports my argument that most AC1900 class vendors have been keeping prices high... if T-Mo and Asus can sell this for $99USD, why are people paying 200 dollars for the same thing in a different box?
 
Thanks. I'll think this through a little more.



I'm not sure I understand the double NATing. If this puts the N66 between the cable modem and the primary router, will that affect performance? or is the extra hop negligible? Will this affect VPN traffic adversely? I occasionally VPN inbound, and remotely connect to a workstation.

The approach I was thinking about ( maybe this isn't a good idea ) is to setup the N66 as another AP on a separate SID and use this for the slow 2.4Ghz devices. Right now all the IoT are on guest Wifi, for the main router. I'm not sure how guest networks are handled through APs.

Anyway, the routers arrived, and have been flashed to latest merlin but are not yet in service. Hopefully in the next day or two I'll get the main router updated to the AC and can start experimenting with what the AP's can and cannot do.

If there is any suggested reading please point me in the right direction.

Based on my experience with two ISPs double NATing two routers doesn't noticeably impact your speed, but it does make setting up certain features. Port forwarding, VPN Server (no problem using router as VPN client for a network). Most of the issues can be dealt with. If your IoT is connected to your first router and your second router is set so admin access from the WAN is not allowed all devices connected to the second double NATed router are more secure than doing it the other way and hoping that your guest network will isolate your NAS, PCs, etc.
 
Based on my experience with two ISPs double NATing two routers doesn't noticeably impact your speed, but it does make setting up certain features. Port forwarding, VPN Server (no problem using router as VPN client for a network). Most of the issues can be dealt with. If your IoT is connected to your first router and your second router is set so admin access from the WAN is not allowed all devices connected to the second double NATed router are more secure than doing it the other way and hoping that your guest network will isolate your NAS, PCs, etc.

Ok. thanks. I'm not sure I get the config.

I presume it would be cabled up like this.

Cable modem <- cat5e -> WAN port (N66) GigE port <- cat5e -> WAN port (AC68)

If this is correct, I presume the operational mode of the N66 is "wireless router mode"

What "operational mode" is the N66 set to? I'm not sure which setting to NAT this through to.

I don't have a static IP from my ISP. DDNS is used. Is this set on the N66 or the AC68?

And forgive me for being dense. I don't understand why this approach is more secure than just having the IoT devices on their own Guest Wifi.

Also, Admin access from WAN is disabled. In fact it is white listed to two wired static IP addresses.
 
Ok. thanks. I'm not sure I get the config.

I presume it would be cabled up like this.

Cable modem <- cat5e -> WAN port (N66) GigE port <- cat5e -> WAN port (AC68)

If this is correct, I presume the operational mode of the N66 is "wireless router mode"

What "operational mode" is the N66 set to? I'm not sure which setting to NAT this through to.

I don't have a static IP from my ISP. DDNS is used. Is this set on the N66 or the AC68?

And forgive me for being dense. I don't understand why this approach is more secure than just having the IoT devices on their own Guest Wifi.

Also, Admin access from WAN is disabled. In fact it is white listed to two wired static IP addresses.

Your cabling plan is correct.

You would set both routers as routers using different subnets, i.e. 192.168.1.1 and the second could be 192.168.2.1

It is more secure because when you set both routers not to allow admin access from the WAN. If your IoT is run off the first router it makes it difficult if not impossible for any device on that LAN to gain access to your LAN running off the second router.

While a guest network offers some protection all devices both guest and regular are on the same LAN so the possibility that a device on the guest network can cause problems, and compromise the LAN is much greater.
 
So far so good. I have a question about configuring inbound openVPN server.

Setup ( IPs are made up, I run a different range )

Cable modem <- cat5e -> WAN port (N66) GigE port <---------- cat5e -> WAN port (AC68)
------------------------------- (ISP IP) ---(N66) --192.168.1.0/24 <- cat5e -> 192.168.1.5 (AC68) 192.168.2/24

N66 runs DDNS and I think this should stay.

I need to work out moving the openVPN server from the N66 to the AC68, but I'm not quite sure I have this right.

Is it as easy as turning off the VPN server on the N66 and port forwarding 1194 to the static IP of the AC68?

Once that is done, the rest is minor details.

tnx in advance.
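
The double-NAT layout discussed in this thread, as an added example that is not part of any poster's message: a small Python model that checks the addressing plan and shows which side can open new connections to which. The subnets and 192.168.1.5 are the thread's made-up addresses; the hosts 192.168.1.50 and 192.168.2.10, the UDP 1194 forward on the N66, and the AC68 running with its firewall enabled are assumptions.

```python
from ipaddress import ip_address, ip_network

# Addresses follow the thread's made-up plan; forwards and hosts are assumptions.
OUTER_LAN = ip_network("192.168.1.0/24")    # N66 LAN: IoT devices
INNER_LAN = ip_network("192.168.2.0/24")    # AC68 LAN: PCs, NAS
INNER_WAN_IP = ip_address("192.168.1.5")    # AC68 WAN port, static on the N66 LAN
OUTER_FORWARDS = {("udp", 1194): INNER_WAN_IP}  # N66: internet -> AC68 (assumed)
INNER_WAN_OPEN = {("udp", 1194)}                # AC68 services listening on its WAN side


def validate_plan():
    """Return a list of addressing mistakes that would break the layout."""
    errors = []
    if OUTER_LAN.overlaps(INNER_LAN):
        errors.append("outer and inner LAN subnets overlap")
    if INNER_WAN_IP not in OUTER_LAN:
        errors.append("AC68 WAN address is not on the N66 LAN")
    for (proto, port), target in OUTER_FORWARDS.items():
        if target not in OUTER_LAN:
            errors.append(f"{proto}/{port} forwards outside the N66 LAN")
    return errors


def new_connection_allowed(src, dst, proto, port):
    """Can src open a NEW connection to dst? Replies to existing flows are not modelled."""
    src, dst = ip_address(src), ip_address(dst)
    if src in INNER_LAN:
        return True    # AC68 NATs outbound traffic, so inner hosts reach everything
    if dst in INNER_LAN:
        return False   # AC68 firewall drops unsolicited WAN-side traffic to its LAN
    if dst == INNER_WAN_IP:
        return (proto, port) in INNER_WAN_OPEN  # only what the AC68 exposes on WAN
    return src in OUTER_LAN  # outer-LAN hosts talk to each other and the internet


def internet_inbound(proto, port):
    """Follow an unsolicited internet packet through both routers; None if dropped."""
    target = OUTER_FORWARDS.get((proto, port))
    if target is None:
        return None                      # N66 has no forward for it
    if target == INNER_WAN_IP:
        return str(target) if (proto, port) in INNER_WAN_OPEN else None
    return str(target)                   # forwarded to a host on the outer LAN


if __name__ == "__main__":
    print(validate_plan())
    print(new_connection_allowed("192.168.1.50", "192.168.2.10", "tcp", 445))
    print(internet_inbound("udp", 1194))
```

In this model the only thing an outer-LAN (IoT) host can reach on the inner router is whatever the AC68 deliberately exposes on its WAN side, while inner hosts can still reach the IoT devices.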
 
The more I think about it I'd like to keep the minecraft server on the outer network, but it is headless started with WOL.

Can the AC68 broadcast a WOL packet up the WAN port ?

edit: what I mean is can I broadcast a WOL packet on the 192.168.2.x/24 side of the AC68 and have it propagate this to the 192.168.1.x subnet?
 