I am new to the networking world for home use. My fiancé and I just closed on our home and I am going to geek the space out with my own home network. I plan to use the following pieces of kit and wire them as shown. If this isn't the correct forum area, please let me know so I may go to the correct area. This will be my first build-out and I'm hesitant to just go ordering a bunch of parts without some validation that my setup will play well together. I am mainly concerned with the ability to create VLANs using two different brand managed switches.
My goals for this setup were simple: provide each room with 2 RJ45 jacks, have the ability to create VLANs, secure the perimeter with 5 PoE cameras, have network storage, WAPs, and the ability to add in some home automation down the road. I started watching a lot of Lawrence's YouTube videos and they have helped tremendously in creating this list, as well as creating a diagram of how the network will be connected. Below is the hardware I plan to use in the install.
- Standard 8U Wall Mounted Server Rack
- Netgate SG1100 gateway/firewall
- NewYork Cables Cat6 48 Port Patch Panel
- Zyxel 8-Port Gigabit PoE Switch | Smart Managed
- TP-Link 16-Port Gigabit Ethernet Easy Smart Managed Switch
- UniFi AP AC Lite
- Cat6 cable
- Synology 2 Bay NAS DiskStation DS220j
- (6) Reolink 5MP Bullet Cams
I have included below a diagram that I drew up of the network. This is the first diagram I’ve drawn (go easy on me lol) and any feedback on better ways to make it all work would be greatly appreciated.
I am excited to get involved on this forum and soak in all of the knowledge I can!
Like most things, it's trial and error; you'll find out that you need things that you never even heard of! Some points that I encountered when setting up the nth iteration of my network that might also be relevant to you, or that you might want to consider:
- I know those Netgate devices just work, but they are kinda expensive. I have a dodgy Chinese box, but the great thing is it has 7 Intel Ethernet ports; I use all of them. To buy a similar box from Netgate would be just too expensive for me, plus I would not be able to repurpose it.
- Go for a main switch that has more ports than you need, 48; it might sound crazy, but you will soon find out that you can do things like mirroring and trunking with LAG, you suddenly want to add additional lines in the house, etc.
- I like Netgear switches; they have a terrible interface, but they are not so expensive and some units have a 3-year replacement warranty, plus loads of people have them, so someone will have the same issues you face.
- Read the manual of the switches you buy to make sure they do what you want. For example, you might want to set up Zabbix so you can see everything is working, but your switch doesn't support SNMP! You can even run Zabbix on a Raspberry Pi for cheap!
- For some reason, when I terminated my own Ethernet cables not all of them worked 100%, so I had to do these multiple times; when I reused the ends they tended not to work. No idea what the real problem was. Other people seem to just get the crimping right first time.
- Check how many camera licenses you get with the NAS; if you have to buy more, the cost will add up. I have a QNAP 8-bay which has two IP camera applications: one has 4 free licenses and the other has 8 free licenses. The apps just work; I have not found any decent open source / free apps that work as well for me.
- Run as much cable as you can afford; once it's all done, you won't want phase 2 of running more cable. I've added additional switches in rooms for devices instead of running extra cables because I simply don't have the space. It all works nicely. However, daisy-chaining switches isn't the done thing.
- You should consider running a PC with just Proxmox installed; then you can run applications for not much money. I've got a tiny Lenovo M900 running 20+ VMs, no noise and not expensive. Though I wish I could add more Ethernet ports.
- VLANs are easy to set up, but the firewall rules are tricky, and I had issues with DNS when using a paid-for VPN.
- It took me about 2 months to work out how to use pfSense. Previously I used an Asus router with multiple access points and extenders; I gave up on it when, to use some of the features, I had to hand over my data, f-that. So if you are new to pfSense it will take a while to work things out.
- You will definitely want to set up an OpenVPN server so that you can connect to your IP cams when you are away from home. That is the hardest, but not impossible; the tricky bit is to know which ciphers and encryptions to use, some are known to be weak like SHA, so you need to get some of the basics right first.
- Then you might get a bit paranoid and want to use a paid-for VPN. It's endless, the things you can do.
- Give yourself 6 months to get it in place but plan on your scope exploding !!!
Stick with pfSense; you will at least get updates. When I inspect my logs I see IP addresses have been blocked every second from all over the world. Good luck, you will need it!
Oh yeah, forgot to mention: set up a guest VLAN. I don't know your AP, but if you can issue vouchers that's a really neat feature. Then you don't have to worry about passwords and people having access to your network. I use a TP-Link EAP245 and I really like its captive portal.
Thank you for all of these tips! A few questions if you don’t mind.
- Do you have a link to this Chinese box you refer to? What is the advantage to having more ports on the gateway if I'm going to have a switch that holds the bulk of the connections?
- Interesting that you mention there are licenses for each camera on the NAS. I didn't know this was a thing!
11/12. That was one of my main concerns, trying to find a way to monitor cams while away from the home. I watched a video from Lawrence about VPNs causing the gateway to become sluggish if they are not powerful enough. Do you experience this issue with your box?
Guest VLAN is a must. Not sure if I will go with the voucher route, probably just going to do a password for now. We don’t plan on having many visitors lol.
I bought this box from Amazon; I noticed sometimes it comes from Amazon and sometimes from China. It's more expensive than a consumer router but cheaper than a Netgate. You can bond multiple ports for redundancy / increased bandwidth; OK, for a home network it might be overkill, but since it's there I just set it up.
I have my 4 cams recording 24hr; when I connect remotely it's fine as long as I have a good connection. I've never noticed pfSense sluggish; my OpenVPN servers are set up with 256-bit encryption, however, I'm unsure what the optimal settings should be.
When I'm transferring data over my site-to-site OpenVPN connection I can saturate my 50 Mbit line; the router has no issues. Perhaps over faster connections it might be an issue, but I doubt it's noticeable.
If you are worried about the OpenVPN performance, you can always buy a Raspberry Pi 4, set up OpenVPN and use that as a backup connection to home for cheap.
If you are coming from a consumer router, with pfSense you can easily set up WPA2 Enterprise, so basically users have their own password instead of sharing the same one.
If you have a PC with dual NICs you can just test out pfSense for no money. Trust me, it will be trial and error, but it's best to avoid wasting money on kit you can't repurpose.
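The cipher question raised in the first reply and the "optimal settings" question in the one above, worked through as a constructed OpenVPN server configuration; this is an added example, not either poster's config, and pfSense's OpenVPN server page exposes the same choices as form fields. Paths, subnets and key file names are placeholders.

```conf
# Constructed example of a hardened OpenVPN 2.5+ server config (not the
# poster's own). pfSense exposes these same choices as fields on its
# OpenVPN server page. Paths, subnets and key names are placeholders.
port 1194
proto udp
dev tun
# VPN client subnet (placeholder)
server 10.8.0.0 255.255.255.0

# Legacy choices to avoid, shown commented out:
#   cipher BF-CBC          64-bit block cipher, weak over long sessions
#   auth SHA1 / auth MD5   deprecated HMAC algorithms
#   comp-lzo               compression on a VPN can leak plaintext
#   (no tls-version-min)   lets TLS 1.0/1.1 clients connect

# AEAD data-channel ciphers negotiated with clients; the fallback is
# only used by clients that cannot negotiate.
data-ciphers AES-256-GCM:CHACHA20-POLY1305
data-ciphers-fallback AES-256-GCM
# HMAC used with the non-AEAD fallback cipher
auth SHA256
tls-version-min 1.2
# Encrypt and authenticate the TLS handshake with a pre-shared key
tls-crypt /etc/openvpn/ta.key
# ECDH key exchange instead of static DH parameters
dh none
ecdh-curve secp384r1
# Only accept client certificates issued with the client EKU
remote-cert-tls client
# Reject SHA1-signed certificates and keys shorter than 2048 bits
tls-cert-profile preferred

ca   /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key  /etc/openvpn/server.key

# Push only the camera VLAN (placeholder subnet) rather than the whole LAN
push "route 10.10.30.0 255.255.255.0"

keepalive 10 60
persist-key
persist-tun
user nobody
group nogroup
explicit-exit-notify 1
verb 3
```

The push line is the piece that matters for the camera use case: remote clients reach the camera VLAN, and the firewall rules on the OpenVPN interface still decide what else they can touch.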
I’ve been using three of the 8-port TP-Link “Smart Switch” boxes that Tom mentioned in one or two of his videos. I’ve had zero problems with them. I use them in various parts of the house to split the “trunk” line into different VLANs.
My house didn’t have Cat-5 pre-wired unfortunately. And it would require too much pain to run it now. BUT the builder put RG-6 coax everywhere. I use these little Motorola boxes in three rooms that run 1G+ over coax. These things work great. I hook one of the TP-Link switches into each of these.
And I will agree with @neogrid to use pfSense. I started with a simple setup, but now I have four domains coming into it, with my main LAN and a separate DMZ network. I have HA set up between my main router and a backup so it fails over seamlessly. I just finished getting the HAProxy and ACME plugins set up and working (previously used Traefik in a Docker container for that on a separate box). And with all that, pfSense just works!