Home Network Overhaul

Been watching Tom’s videos for a while and, like others, got the spark to update my home network. Right now we have a 400/50 connection and usually average 300/30 on speedtests.

Wired Devices:
- 3x PCs
- 1x NAS (tbd)
- 1x Apple TV
- 1x smart TV (don’t use it much as a smart TV)
- Security cams (8-12 eventually, but they will be run off switches in other locations) with a Lorex NVR for now

Wireless Devices:
- 2x laptops
- 2x phones
- 1x Google Chrome
- 1x Nest thermostat
- 1x Nest Hello doorbell/cam

The current plan is to run switches to locations where more than one camera will be located to ease wiring as well as put a switch in each garage with an access point.

My hardware plan is to get an SG-3100 or Protectli-style box with some horsepower behind it, a 48-port managed PoE switch, a patch panel, and run as much Cat6 as possible throughout the house. Ideally I want 4 ports in the current office and 4 ports in the current bedroom (when we add on, the bedroom will become the new office). My wife will be doing a work-at-home job with medical information, so I would like this as secure as possible, and I would also like a way for her to VPN into our network for either data or security when she is at a client’s home. I am undecided on APs, as I would like the ability to roam across them when I travel on my property (home, car garage, workshop garage) so I don’t have tons of networks to keep connecting to. I also would like a guest network for when we have friends over/throw parties.

Am I way off-base and over-complicating it?

Sounds like a decent setup. I would just add the following from my experience.

Unless you are already familiar with pfSense, it takes a while to suss it all out. For me it was several months before I finally stopped tweaking it.

Cat6 is fairly rigid; when it came to terminating, I had a hard time with Ethernet jacks. I’d stick with punch-down jacks on the patch panel and ports in the house. I doubled up on the ports with a LAGG and just put a switch in each room, so if one cable is faulty the other one can take the load; it depends on your needs. You can also use these patch panels screwed into the wall to hook up, say, your cameras, then have your Cat6 coming out the other end to your main switch.

Like the idea of a 48-port PoE switch, wish I had bought that. Consider Netgear: awful GUI but not too expensive. Make sure the switch supports LACP for your bonded ports. Some have loud fans, so it might make a difference.

Wow, you use Nest? That’s brave! Put all that dodgy stuff on its own VLAN and stop it dialing out. Same thing with IP cameras and IoT stuff.

I have a TP-LINK EAP245, works well, but I especially like the Guest Network: I can give out vouchers to a guest and they can pay 🙂 However, ensure your AP supports multiple SSIDs / VLANs; if it has a second Ethernet port you can daisy-chain another AP to extend the range. Mine supports roaming, but I only need one AP.

pfSense has a good implementation of OpenVPN; you can run as many instances as you want. I find it works well, I haven’t had any issues.

Personally I would run as much cable as you can, double up where you can, and leave as much extra as you can in case you balls up the termination.

Bone up on VLANs, OpenVPN and pfSense in a VM so you get a feel for it.

If you buy a NAS: I have a QNAP, and on my model I can connect 8 cameras, after that I have to buy a license. It can be cheaper to buy another NAS!

Costs can easily spiral out of control. I’d buy a new 48-port switch off Amazon, but consider eBay for additional locations.

That should be enough to get you going! Enjoy!

Oh, and on security, consider RADIUS and 802.1X, especially on the external cameras; it stops anyone just plugging into your network. Obviously I’m paranoid 🙂

Thank you for the advice! As of now all we have is a Nest thermostat. The wife wants a video doorbell for some reason.

The only thing I am unfamiliar with is how I keep connectivity between IoT (i.e. to connect to my Nest thermostat, Apple TV, or Chromecast) and my phone for “casting” capability with the different VLANs. Is it as simple as saying “items on this VLAN can communicate with the IoT VLAN, but the IoT VLAN cannot go anywhere else”? This may get difficult when trying to run outdoor switches or switches in other locations (unless they are managed). For example, on part of my property I want to put 2x cameras on a tree. The plan is to run 1x PoE line out to an outdoor switch (been looking at Ubiquiti as they have some nice small PoE outdoor switches) that will then have both cams feeding it, whereas that same mentality may end up with a switch in my workshop with an access point and a few cams. Am I thinking about this wrong?

The plan is to use punch down termination with a service loop at the patch panel end to make my life easier. I will be mounting all of the gear in a wall mounted rack in the basement so noise isn’t a major factor. I have no problem running extra cables throughout the house and would only prefer to do it once now and then again when we add on our master suite in 3-5 years.

I would like to get a better modem. I bought a Netgear CM700 when we bought our house in March without really digging into anything else. It seems to be fitting our needs now, but my home can have either 100, 400, or 940 Mbit service. I feel we may eventually go to the 940 from the 400.

Just to echo the above, it sounds like you have a good grasp of what you need.

A 48-port PoE switch sounds great. Do keep in mind that PoE can officially only travel so far down a cable before there is too much of a voltage drop. Not a problem on a small property, but on a larger one it is worth keeping in mind. As above, Netgear switches are solid for the price but have a poor interface.

For a NAS I personally use a Synology unit as I prefer the interface over the QNAP I use at work. So far it’s been a good reliable bit of equipment and is straightforward to configure. Both seem reliable.

As I’m sure you’re aware having watched Tom’s videos, Ubiquiti gets a lot of love around here. I use it at home with three access points and it just works. I can easily roam around the house, garden or garage without dropping traffic. I’ve even done WiFi calling while moving about without issue; obviously in areas with lower signal/greater interference it won’t be as good, but that’s the same with all systems. The downside is you do need a controller to configure it, which you can do with either the official Cloud Key or the controller software. Personally I use the software running in Docker on my Synology, which may sound daunting but it really is quite easy to set up. Remember, the more SSIDs you run the more interference you create, so try to keep the number low. I have 3: secure, insecure and guest.

Just noticed you’ve replied while I’m typing this… for items on different VLANs, yes it is possible to make the secure VLAN talk to the insecure VLAN but not the other way around, provided a good firewall, such as pfSense is doing the routing. Getting things like casting to work can be difficult, but not impossible.

Well, if your wife wants something, best to give it immediately!

However, if you have an IP camera you can set a trigger for an email. Personally I don’t trust Nest et al.; they sell your data, then they no longer support your device.

Yes on the VLAN: you can basically set up vlanCAM to not go anywhere and your vlanMAIN to go everywhere.
You ought to be able to run a cable from your PoE 48-port switch to your tree without any issues; there is a limit, maybe 100m (best to check).

If you run bonded links (LAGG/LACP) between switches you can access all VLANs from all switches.

Think I had the same Netgear modem; I switched over to a Draytek Vigor 130, seems to work OK.

As @Acestes says, Ubiquiti looks good but kinda pricey for me; nothing wrong with them. Agree with the NAS, don’t think there is much in it, price is the main thing. I have noticed QNAP have upped their prices in the last couple of years.

I like the Ubiquiti APs and I only plan on having 2 or 3 SSIDs like you mentioned. I don’t know if I need the insecure SSID but who knows.

My property is ~1 acre. If I run a switch in the garage we park in (which would be between the house and the workshop) there shouldn’t be a problem keeping the voltages up (IIRC it’s what, 300ft?).

I am all aboard the Synology train after playing with a friend’s NAS. The NAS will not be the recording device for my IP cams; that will be handled by the Lorex NVR for now. If the Lorex NVR is working fine and meeting my needs I would be using the NAS as a backup and storage location. If the Lorex NVR doesn’t suit my needs I will end up building a server running Blue Iris. I would likely buy the official Cloud Key, as I feel it will provide a better solution in the event of a power failure when I am not home, since my wife isn’t tech savvy and gets frustrated quickly, UNLESS the software is only needed to configure.

The issue, Neogrid, isn’t so much running the wire to the tree (maybe 60-70ft once routed), it’s that I would like to only run one cable if possible, or run two for backup, to the outdoor switch. The longer runs will be ~150-200ft if I were to run them all separately. The hardest run would be to the cam I want to install at the front edge of the property, not due to distance but due to the concrete I would have to somehow tunnel under. If I run the cams off switches I will be able to have nicer cable runs at the cost of more interfaces. Will I have to run managed switches in the other buildings, or is there a way to tag the IP/MAC of the item (access point or camera etc.)?

My house in the UK is tiny in comparison! There are ratings for the length of cable runs you can have; best to double check. I’d stick with managed switches in general, as it gives more flexibility. Once you set up your VLANs they will be on separate subnets, so anything with the same subnet will be a member of that VLAN. It doesn’t matter where you plug it in (as long as it’s a managed switch); the port on the switch will need to be tagged with the required VLAN.

It’s not as complicated as it sounds.

Once you have your kit I would just play around with it. You need to set up the VLANs and rules in pfSense, then on the switch, disconnected from the network, configure your ports for the VLANs, then connect the two.

Setting up everything is definitely the plan before I turn off the Nighthawk router/access point I have now from ~2014. I can deal with issues as long as my main network functions (i.e. I have no issue still using my current connection until I verify everything is playing nice on the new system).

It would likely be easier then to get small managed PoE switches and a waterproof enclosure if I wanted to mount switches outside. It may be easier to just mount the switch in the nearest building to the camera and run individual wires to each camera.

To be honest I don’t actually run the insecure SSID at the moment, as I like to wire where I can 🙂

As stated by @neogrid check the specifications for the PoE standard your equipment requires. It can be surprising just how long a cable run gets once it’s gone up walls and around the edge of the garden. I used 1000ft of the stuff in no time, albeit not in one run!

The software only needs to run when you’re configuring the UniFi gear, unless you want the stats. Even in Docker, though, I have it set to start with the NAS, so if it goes down due to a lack of power it starts back up when the NAS is powered back on; no human is required! You could always give it a go and get a Cloud Key if you find it doesn’t work or is too complicated, but I understand your fear.

I would use managed switches for everything. I’ve bought unmanaged in the past and then found I needed a VLAN going to that location and had to replace the thing. It’s just not worth it.

I think I’ve got it squared away! Now to just start picking up the pieces. The thing that makes me want to buy the SG-3100 vs an aftermarket box is support. I don’t know how much of an issue that is but something that just works is worth a little extra cash. I figure I will saturate all the ports on the SG-3100 or other firewall box to help with routing capability and bandwidth.

I doubt you need any support; if any device is faulty, return it. You can install pfSense on virtually any multi-NIC device. However, the great thing is you can save the config and restore it when it’s messed up. It’s handy when you are testing things out, trust me.

I doubt you will saturate your connection under normal use; however, it’s always worth setting up a LAGG group between your switch and pfSense, so if one connection fails the others will kick in.

Personally I would weigh up the pros / cons of having two cheaper devices for the same price as one expensive device. I have this box it’s been running for a year with no issues.

I would save the extra cash and use it for a paid-for VPN 🙂

Like I said, I have zero issue with the aftermarket boxes. I’ve been looking at them. The only thing I haven’t determined is if I need the processing power for Suricata/Snort or not.

Yeah, I’m not sold on WiFi security at all; however, I do have wireless-only devices (tablets/phones), and after the Kr00k vulnerability I connect over OpenVPN on my internal WiFi with 802.1X.

In fact I think Security Onion running independently of pfSense is a better option. However, that product is the devil’s own work and I can’t say I am getting very far with it. I really like the idea of having a mirrored port and SO inspecting what’s going on, but this is a lot of effort.

I’ve been looking at an HP T620 Plus with a 4-port NIC as a network appliance. I think it is one heck of a bang for the buck. Seems like I could pick one up for ~$150 with a NIC. Quad-core processor, 16GB SSD, 4GB RAM, 5 total ports. If I saturate the NIC to the switch it should never have an issue routing, even when I get a ton of people here, and it should also handle Suricata/Snort.

Sounds like you’re doing a build out for a small company!

Personally, I like the hub-and-spoke model of small switches connected to a main switch. It reduces the amount of cable I have to run. Ideally I’d like to have two runs per room as a backup, with the option to bond two ports for additional throughput to said room. That said, I’ve never really had call to need it. I have 4 rooms with 5- or 8-port switches all connecting into the network closet, which has a nearly full 16-port switch (all Netgear ProSafe E-series, which lets me do a couple of VLANs for IoT separation). All rooms are currently running over a single Cat6 without issue.

Internet is gigabit AT&T Fiber (938/938), which is mighty nice given my wife lives on Zoom and I have two YouTube and Minecraft-addicted kids. Firewall is pfSense on a small Protectli (8GB/64GB), running unbound & dnsbl without a sweat. Five hardlined Plume mesh WAPs, which is overkill, but I live in a noisy neighborhood, provide secure WiFi.

I like it because it’s simple and inexpensive and easy to troubleshoot. I haven’t gotten into Security cams yet, so PoE isn’t a requirement for me.

Next up is finishing off my XCP-NG build on an old HP MicroServer Gen8 to run Docker: a syslog server, Zabbix, Cacti or some other monitoring tool. Finally, a Synology for Plex and local backups when I can stomach dropping $5 large plus…

With my wife and I both working from home (she wants to open her own business from home) I want this network as safe as I can get it while not killing all my luxuries like casting from my phone to my Chromecast or Apple TV. I’m thinking I’ll have to run a few lines out to each switch if I want to do tagged ports, but I’m also not very educated in how setting up VLANs goes.

The only VLANs I need to bring out on the network to other locations would be for the PoE cams and the access points. Luckily the only spot that needs both PoE and APs would be in the garage, which is an easy run of 2x cables and will make using managed switches an absolute dream.

VLANs aren’t that difficult; you just need to be familiar with how to do it on your switch, but I imagine the principle is the same across the board. I’d say you ought to consider the following VLANs:

  1. ISP
  2. Business
  3. Guest
  4. CAMS
  5. IoT

Your AP will span all of those if you want to have WiFi. You can make the network “safer” with more complex passwords, 802.1X and good firewall rules. Personally I connect to my WiFi over an OpenVPN connection with 802.1X; I’d say it’s safer than my neighbours’!
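The inter-VLAN policy discussed through the thread (a trusted VLAN may initiate connections to the IoT and camera VLANs, those VLANs may initiate nothing, not even to the internet, and replies come back only because the firewall is stateful) can be checked on paper before any hardware arrives. The block below is an added example written for this thread, not pfSense code or anything from the original posts: it maps the suggested VLAN list (Business, Guest, CAMS, IoT) onto constructed 10.10.x.0/24 subnets, keeps a simple connection-state table, and evaluates a handful of constructed packets the way a default-deny, stateful inter-VLAN ruleset would. All addresses, ports and the `ALLOWED_NEW` matrix are assumptions for illustration.

```python
"""Stateful inter-VLAN policy checker (added example; hypothetical subnets and rules)."""
import ipaddress
from dataclasses import dataclass

# Constructed subnets, one per VLAN from the thread's list. Addresses are hypothetical.
SUBNETS = {
    "BUSINESS": ipaddress.ip_network("10.10.10.0/24"),
    "GUEST": ipaddress.ip_network("10.10.20.0/24"),
    "CAMS": ipaddress.ip_network("10.10.30.0/24"),
    "IOT": ipaddress.ip_network("10.10.40.0/24"),
}

# Which VLAN may *initiate* a connection to which. Anything not listed is dropped
# (default deny). CAMS and IOT appear only as destinations, so they cannot dial out.
ALLOWED_NEW = {
    ("BUSINESS", "WAN"),
    ("BUSINESS", "IOT"),
    ("BUSINESS", "CAMS"),
    ("GUEST", "WAN"),
}


def vlan_of(ip: str) -> str:
    """Map an address to its VLAN by subnet; anything non-local counts as the internet."""
    addr = ipaddress.ip_address(ip)
    for name, net in SUBNETS.items():
        if addr in net:
            return name
    return "WAN"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class StatefulFirewall:
    """Tracks established flows so replies pass without a reverse allow rule."""

    def __init__(self) -> None:
        self.flows: set[tuple[str, int, str, int]] = set()

    def evaluate(self, pkt: Packet) -> str:
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        # A packet belonging to a flow already in the state table passes in either direction.
        if fwd in self.flows or rev in self.flows:
            return "pass (established)"
        # Otherwise it is a new connection and must match the policy matrix.
        if (vlan_of(pkt.src), vlan_of(pkt.dst)) in ALLOWED_NEW:
            self.flows.add(fwd)
            return "pass (new)"
        return "drop"


def run_scenarios() -> dict:
    """Evaluate constructed packets in order; returns label -> verdict."""
    fw = StatefulFirewall()
    scenarios = [
        # Phone on the trusted VLAN opens a cast session to a Chromecast on IoT.
        ("phone->chromecast", Packet("10.10.10.20", 51000, "10.10.40.15", 8009)),
        # The Chromecast's reply is allowed purely by state, not by a reverse rule.
        ("chromecast reply", Packet("10.10.40.15", 8009, "10.10.10.20", 51000)),
        # The Chromecast trying to reach the internet on its own is dropped.
        ("chromecast->internet", Packet("10.10.40.15", 44000, "203.0.113.9", 443)),
        # A camera trying to reach a NAS share on the trusted VLAN is dropped.
        ("camera->NAS", Packet("10.10.30.5", 3000, "10.10.10.50", 445)),
        # Guests get the internet and nothing else.
        ("guest->internet", Packet("10.10.20.7", 50000, "203.0.113.9", 443)),
        ("guest->office PC", Packet("10.10.20.7", 50001, "10.10.10.20", 445)),
    ]
    return {label: fw.evaluate(pkt) for label, pkt in scenarios}


if __name__ == "__main__":
    for label, verdict in run_scenarios().items():
        print(f"{label:22s} {verdict}")
```

The one thing this model deliberately leaves out is why casting across VLANs is "difficult, but not impossible" in the thread's words: device discovery (mDNS/SSDP) is link-local and never crosses the router, so the allow rule above lets the phone talk to the Chromecast once it knows the address, but finding it on another subnet needs a discovery repeater on top of the firewall rules.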