Hardware/software recommendations for home network

I am in the process of configuring a home network and could use some recommendations for network management hardware (routers, switches) and software (OPNsense, pfSense, etc.) suitable to my needs. I’m not sure what specifics I should provide for this, so I will start with a few details and expand on that. The house is newly remodeled, with one or more Cat 6 cables provided to multiple interior locations, including all “habitable” rooms (3 bedrooms, a great room/living room, a media/home theater room), 3 bathrooms (Cat 6 for whole house audio keypads), and the garage. In addition, there are 2 Cat 6 cables to each corner of the house and to the entry for security cameras and/or a doorbell camera (entry). To house the network hardware, there is a powered and ventilated electronics closet attached to the media room where the Cat 6, WHA speaker and coax cables now terminate. Existing incoming network services include a 300M cable modem to be used for internet connectivity for several Macs, PCs and mobile devices, smart home devices and streaming (Netflix, etc.) through multiple Apple TVs and/or smart TVs.

I would like to have both wired and wireless connectivity, with the assumption that wired connections will give me better results for certain services (streaming and up/downloading of data) but are not as critical for others (smart home device interconnectivity or email on an iPad, etc.). I currently do not have a need for VPN for business reasons but would like to consider a “whole house” VPN capability for overall security reasons, although I admit that I only have a superficial understanding of this and would welcome any thoughts on whether or not that feature is something I need for my home network. Thanks in advance for any and all comments and recommendations!

FYI, the current network hardware in use is two cable modems provided by Spectrum, our ISP (one for data, a second for VoIP phone), and an Apple Extreme Time Capsule base station. Currently the only wired connection is between the modem and the router, plus a temporary one from the back of the Time Capsule to my iMac; the remainder of the network connections are wireless (MacBook, iPhones, Apple TVs, Ring doorbell, Samsung TV). I own the following additional equipment that is not currently in use: two Ubiquiti UniFi AC-Pro WAPs (installed and wired by the electrician but not connected to the network), a Netgear 24 port switch (JGS524PE), several D-Link gigabit switches (4 to 8 port), two additional Apple Extreme base stations and a Netgear R8500 Nighthawk wireless router, none of which are connected or in use.

Since you have a lot of connections, and you have some Ubiquiti stuff, it kind of makes sense to buy a Ubiquiti switch and maybe another AP or two. Make sure to get a switch with PoE+ (highest power budget you can afford) so you can power things like the APs and any cameras that you might end up installing.

Everything that can be wired should be wired. Every Wi-Fi device shares the same Wi-Fi (overly simplistic, but you get the idea), so leave the Wi-Fi for things that need it. The TV and Blu-ray player don’t roam around the house, so wired is fine for them.

After all that, I’m not completely up to speed on the Ubiquiti equipment, so I’ll have to leave specifics to the people that are up to speed.

I can relay some of my experience of setting up a wired house over a year ago, just take what’s useful.

First, damn, 3 bathrooms! In the UK indoor toilets have only just arrived!

Laying the cable is probably the most effort but the cheapest job; Cat 6 is what I laid too, based on price and being 10G capable up to a certain distance. I’ll assume you have twin Ethernet sockets in each room going back to your closet. At your closet you’ll probably need a patch panel of some type, rather than sticking those end connections directly into a switch.

For sure go for a 48 port switch. I have a Netgear GS748T; it has a crappy GUI but the rest is good. It can create an LACP aggregation on the ports and has SNMP, which allows monitoring via Zabbix. Hopefully you have 2 cables going from the closet to the rooms; if so, you can create an LACP link between the main switch and secondary managed switches in the rooms, giving you more bandwidth and redundancy. An 8 port will probably do, but two ports are already taken up with the LACP. I have this set up with Netgear GS110TP switches, which have 2 SFP ports; the 1G modules are too expensive for me but they are an option.

For the switch I would also say investigate the cost of a PoE 48 port; it might be the same price as a 48 port plus an 8 port PoE.

I have a TP-Link EAP245 AP, which I think is great. It has 8+8 bands, which can align to your VLANs, and it’s PoE powered, so you will need a PoE switch somewhere. If you get more than 2 you can set up a mesh with seamless roaming; I only have one so cannot confirm this. Secondly, the captive portal for guests is great, basically the same as you see in hotels and not difficult to set up.
It sounds like you will have more than one, in which case you’ll need to have the controller for the APs. This can be run on purchased hardware or in software in a VM, as I have; it’s fairly straightforward.

As for the router, I’d go for pfSense because there are more resources on the web to solve any problem you might have. As for the unit, I have a Chinese box with 6 Ethernet ports. I would perhaps recommend a Protectli; they are pricey for me but they are also cheaper than Netgate.
When it comes to configuration, set up VLANs:

  • MANAGEMENT
  • ISP
  • VPN
  • IoT
  • CAM
  • GUEST

Even if you don’t have IP cams, when you set up the VLANs it will take seconds; in 3 months when you decide you want cams it will take hours to work out how you did it before. Trust me, I’ve been there.

I use AirVPN for my Linux ISOs :wink: It’s straightforward to configure and then provide it to the rest of the house. With multiple VPN connections, it’s easy to put them in a gateway group, so if one fails you can still get out via the VPN through the next instance.

Once you set up a VPN, it’s easy enough to set up an OpenVPN server to access your home network remotely; you can even set up an OpenVPN server that uses your paid-for VPN, which gets around the connection limits.

The other thing that is handy to have is a VM box. I have a Lenovo M900 with a quad NIC, which was cheap and runs various VMs without issues.

Looking at your scenario, it will cost a bit to get everything in place. I’d say with the switches stick to one brand. Netgear is cheaper on Amazon, and you can even buy some for the rooms off eBay. Lots here like UniFi, but they are pricey and need a controller.

Yeah, it’s all doable, but man, it took me ages to get my head around pfSense. Due to this virus, I’ve spent a great deal of time on my network, which I didn’t anticipate, so there are loads you can do.

Go for it!!
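The gateway group described above (several VPN tunnels, the next one used when the first fails) has one failure mode worth seeing before relying on it: when every member of the group is down, pfSense by default loads the policy-routing rule without its gateway, so the VLAN's traffic silently takes the default route out the plain ISP WAN. Enabling "Skip rules when gateway is down" (System > Advanced > Miscellaneous) makes pfSense skip that rule instead, so the traffic falls through to whatever rule follows (normally a block) and the VLAN fails closed. The model below is an added example written for this thread, not pfSense's own code or anything the poster published; the gateway names, tiers, thresholds and health numbers are made up to illustrate tier-based selection and the two failure behaviours.

```python
"""Model of a pfSense gateway group used to policy-route a VLAN through several
VPN tunnels: members have a tier, the lowest tier with a healthy member carries
the traffic, and a member counts as down when its monitor reports loss or
latency above a threshold. Editor-added example, not pfSense code."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Gateway:
    name: str
    tier: int        # 1 = preferred; higher tiers are used only when lower tiers are down
    loss_pct: float  # as reported by the gateway monitor
    rtt_ms: float


# Assumed thresholds, in the spirit of pfSense's per-gateway "loss high" /
# "latency high" settings (the real defaults differ; these are illustrative).
LOSS_DOWN_PCT = 20.0
RTT_DOWN_MS = 500.0


def is_up(gw: Gateway) -> bool:
    return gw.loss_pct < LOSS_DOWN_PCT and gw.rtt_ms < RTT_DOWN_MS


def active_members(group: List[Gateway]) -> List[Gateway]:
    """Members that would actually carry traffic: every healthy member on the
    lowest tier that still has one (pfSense load-balances within a tier)."""
    up = [g for g in group if is_up(g)]
    if not up:
        return []
    best_tier = min(g.tier for g in up)
    return [g for g in up if g.tier == best_tier]


def route_decision(group: List[Gateway], skip_rules_when_down: bool) -> Tuple[str, List[str]]:
    """Where a VLAN's policy-routed traffic ends up.

    skip_rules_when_down models the pfSense option of the same name. When it is
    off and the whole group is down, the rule is loaded without a gateway, so the
    packets use the default route (the ISP WAN) and leak outside the VPN. When it
    is on, the rule is skipped and the traffic hits the next rule (assumed here to
    be a block), so the VLAN fails closed.
    """
    members = active_members(group)
    if members:
        return "vpn", [m.name for m in members]
    return ("blocked", []) if skip_rules_when_down else ("leaked_to_wan", [])


def demo() -> Tuple[Tuple[str, List[str]], Tuple[str, List[str]], Tuple[str, List[str]]]:
    """Constructed states: normal, primary tunnel lossy, all tunnels dead."""
    healthy = [Gateway("VPN_A", 1, 0.0, 30.0), Gateway("VPN_B", 2, 0.0, 45.0)]
    primary_down = [Gateway("VPN_A", 1, 100.0, 0.0), Gateway("VPN_B", 2, 0.0, 45.0)]
    all_down = [Gateway("VPN_A", 1, 100.0, 0.0), Gateway("VPN_B", 2, 100.0, 0.0)]
    return (
        route_decision(healthy, True),        # ('vpn', ['VPN_A'])
        route_decision(primary_down, True),   # ('vpn', ['VPN_B'])
        route_decision(all_down, False),      # ('leaked_to_wan', []) - the default behaviour
    )


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The last line of `demo()` is the case to check on a real box: with the option off and both tunnels down, "failover" quietly becomes "no VPN at all". A block rule for the VPN VLAN placed directly below the policy-routed pass rule, together with the skip option, is the usual way to make it fail closed.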

Greg, thanks for the reply. Since my post I have learned a couple of things about my existing equipment, i.e., that the Netgear and Apple routers can also be used as WAPs, so maybe there is a way for me to use those along with the two UniFi WAPs. FWIW, the UniFi WAPs were selected for mostly cosmetic reasons: since they are mounted to the ceiling, they look nicer than a wireless router or WAP like the Nighthawk or Apple base station sitting on a shelf. I have since learned that they are also reasonably good performing access points, so I hope to get good performance as well as a nice appearance. Also, I originally considered running my cameras with a PoE switch and a software app called SecuritySpy on an extra Mac mini, hence the Netgear switch; it has 12 PoE (not PoE+) ports, which I think is acceptable for the UniFi WAPs. I’m guessing that having a UniFi switch would help with respect to management since it is in the same “ecosystem” as the UniFi WAPs, so maybe I should also consider a UniFi firewall/router device to keep everything consistent.

Neogrid, thanks for the thoughts. Each room has at least 2 Ethernet jacks, with the media type rooms (great room, home theater) having more, so I think I am covered there with regard to your recommendations regarding redundancy and LACP aggregation (had to look that up to understand what it was!). Since you have already implemented this in your place, where do you find that aggregation works best for you and/or is essential? I briefly looked at both Protectli and Netgate routers (and watched the excellent Lawrence Systems videos), but my level of knowledge was insufficient to make an informed decision for my specific needs, hence my posts here.

FWIW, all the B&Bs we stayed at on our trip to southern England several years ago had indoor loos, but some were down the hallway! :smiley:

What I’ve discovered with Netgear is that some switches have more features than others, but it’s impossible to know just by looking at the name. Their “better” switches have LACP; their not-as-good switches use LAG. Simply select the better switch if you go with Netgear.

I’m not an LACP/LAG guru, but I just found that for peace of mind I wanted redundancy in case I messed up. My pfSense box has 4 ports in an LACP to my switch. Do I need it? Probably not, but I can have it :slight_smile: Though Ethernet cables do go “bad”, no idea why, but I know it would have bitten me without LACP.
Again, I have by design set up LACP between the master switch and remote switches, mainly for redundancy. It will give you more bandwidth if you have many machines connecting, but I don’t even saturate the one wire.

My thinking is do this once then come back to it in maybe 10 years.

I have this router, bought barebones off Amazon:

https://www.amazon.co.uk/Kettop-Mi3865L6-Fanless-Firewall-Gateway/dp/B07SXTMCDG/ref=sr_1_2?dchild=1&keywords=kettop&qid=1600889820&sr=8-2

I just added my own HDD and RAM; basically I wanted a cheapish solution. When I looked at Netgate it just seemed like a lot of money for not much spec.

Incidentally, I bought a second one as both a backup and for a lab, so depending on your budget just take your pick.

Neogrid, thanks for the details. I’ll give the redundancy and aggregation question some thought. I was considering redundancy in the back of my mind when I ran multiple cables to each room, but beyond that I didn’t think about how to manage that redundancy. I am still considering link aggregation, but for the WAN connection, partly to address the ability to have a failover (fallback) for my primary WAN connection, something I recently learned about. I hadn’t thought about aggregation within the LAN itself, so I will have to give that some thought. I do have two Drobo NAS media servers I was planning to use for LAN streaming (one for music, the other for movies and TV shows), so that might be a good scenario for consideration of intra-LAN aggregation, at least for the video server. FYI, current incoming WAN bandwidth is rated at 300 Mb, but it typically tops out at closer to 450 in the off-hours.

I only have one WAN, but if you have two, then a multi-port pfSense box is probably the way to go.

FYI, when I started out I just wanted to replace my crappy 10-router Wi-Fi setup, as I was fed up with poor Wi-Fi access. I over-engineered, mainly on the basis that I had little confidence in my ability; however, I later stumbled on things like LACP/LAG when I bought a managed switch.

I don’t know for sure, but I think my IP cams used up a lot of bandwidth, as everything was on one LAN and 4 of them were recording 24x7.

So being able to add switches into your network allows you to grow without too much pain.

Segregating traffic will also bring benefits if you set up VLANs.

Oh yes, I see you have some IoT stuff. I would definitely put that on its own VLAN and block WAN access.

Good luck !
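The VLAN list earlier in the thread (MANAGEMENT, ISP, VPN, IoT, CAM, GUEST) and the advice just above to put IoT on its own VLAN and block its WAN access amount to a firewall policy, and the part people get wrong is rule order: pfSense evaluates rules top to bottom, first match wins, and anything unmatched is dropped. The block below is an added example written for this thread, not pfSense code and not anything the posters published. It models that evaluation over the six VLANs, encodes the segmentation the thread describes, and includes an audit that re-checks the invariants (IoT, CAM and GUEST cannot reach MANAGEMENT or each other; IoT and CAM cannot reach the internet) so that when the rules get edited months later the regression is caught. The VLAN subnets, the RTSP port, and the assumption that the camera recorder lives on the ISP VLAN are all made up for the example.

```python
"""Inter-VLAN policy from the thread modelled as first-match ("quick") rules
with an implicit default deny, the way pf/pfSense evaluates rules on an
interface. Editor-added example; subnets, ports and host placement are assumed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Assumed VLAN plan: names from the thread, subnets invented for the example.
VLANS = {
    "MANAGEMENT": ip_network("10.0.10.0/24"),  # switch, AP and controller admin
    "ISP":        ip_network("10.0.20.0/24"),  # clients routed straight out the ISP WAN
    "VPN":        ip_network("10.0.30.0/24"),  # clients policy-routed via the VPN gateway group
    "IoT":        ip_network("10.0.40.0/24"),
    "CAM":        ip_network("10.0.50.0/24"),
    "GUEST":      ip_network("10.0.60.0/24"),
}
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Rule:
    action: str              # "pass" or "block"
    src: str                 # VLAN name or "any"
    dst: str                 # VLAN name, "rfc1918", "internet" or "any"
    proto: str = "any"
    dport: Optional[int] = None


def vlan_of(addr: str) -> Optional[str]:
    a = ip_address(addr)
    return next((name for name, net in VLANS.items() if a in net), None)


def _dst_matches(selector: str, addr: str) -> bool:
    a = ip_address(addr)
    private = any(a in n for n in RFC1918)
    if selector == "any":
        return True
    if selector == "rfc1918":
        return private
    if selector == "internet":
        return not private
    return a in VLANS[selector]


def evaluate(rules: List[Rule], src: str, dst: str,
             proto: str = "tcp", dport: Optional[int] = None) -> str:
    """First matching rule decides; no match means block (pfSense's implicit deny)."""
    src_vlan = vlan_of(src)
    for r in rules:
        if r.src != "any" and r.src != src_vlan:
            continue
        if not _dst_matches(r.dst, dst):
            continue
        if r.proto != "any" and r.proto != proto:
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action
    return "block"


# Order matters: the narrow pass for the recorder pulling RTSP sits above the broad blocks.
POLICY = [
    Rule("pass",  "MANAGEMENT", "any"),          # admin VLAN reaches everything
    Rule("pass",  "ISP",   "CAM", "tcp", 554),   # assumed: recorder on ISP VLAN pulls RTSP from cameras
    Rule("pass",  "ISP",   "internet"),
    Rule("pass",  "VPN",   "internet"),          # on pfSense this rule carries the VPN gateway group
    Rule("block", "IoT",   "internet"),          # the thread's advice: IoT gets no WAN
    Rule("block", "IoT",   "rfc1918"),           # and cannot poke other VLANs either
    Rule("block", "CAM",   "any"),               # cameras never initiate anything
    Rule("block", "GUEST", "rfc1918"),           # guests see only the internet
    Rule("pass",  "GUEST", "internet"),
]

# One constructed sample host per VLAN, plus a documentation-range internet address.
SAMPLE = {name: str(net.network_address + 10) for name, net in VLANS.items()}
SAMPLE["internet"] = "203.0.113.10"

MUST_BLOCK = [
    ("IoT", "internet"), ("IoT", "MANAGEMENT"), ("IoT", "ISP"), ("IoT", "CAM"),
    ("CAM", "internet"), ("CAM", "MANAGEMENT"), ("CAM", "ISP"), ("CAM", "IoT"),
    ("GUEST", "MANAGEMENT"), ("GUEST", "ISP"), ("GUEST", "IoT"), ("GUEST", "CAM"),
]


def audit(rules: List[Rule]) -> List[Tuple[str, str]]:
    """Return the (src, dst) pairs that a ruleset wrongly lets through."""
    return [(s, d) for s, d in MUST_BLOCK if evaluate(rules, SAMPLE[s], SAMPLE[d]) != "block"]


if __name__ == "__main__":
    print(evaluate(POLICY, SAMPLE["ISP"], SAMPLE["CAM"], "tcp", 554))   # pass
    print(evaluate(POLICY, SAMPLE["IoT"], SAMPLE["internet"]))          # block
    print(audit(POLICY))                                                # []
    # A well-meant "IoT pass any" placed at the top silently undoes the segmentation:
    print(audit([Rule("pass", "IoT", "any")] + POLICY))
```

Devices on the IoT VLAN that genuinely need the cloud (a doorbell, a streaming box) would need their own narrow pass rule above the IoT block; the audit list is where to decide which of those exceptions you are willing to live with.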