Suggestions for a home network

Hello folks.

I’ve been fiddling with my home and family network, taking control of our digital life and such. I am confidently and optimistically planning another stab at a solution and will appreciate your ideas.

My previous stab resulted in the following unintimidating mess of wire. I’d like to do significantly better and set up a network that I can lean on for the next 10 years.

tldr; Scroll down to “A new plan and a new budget”

Here goes my journey, I hope that you find my ignorance entertaining!

Current hardware, not very intimidating:

ISP -|
     EdgeRouter X SFP
        |- AC AP LITE
        |- 50ft of Cat5e to an unmanaged Netgear HUB

Ha! This is a modern household. There are devices of varying level of trust hanging off of that network. There is a Synology NAS, there are baby cams, IoTs, Pis, 3D printer, tree printer, just a whole lot of gadgetry and some firewall rules (on the ER-X) to match my level of paranoia.

The plan was to overlay VLANs on top of the physical network to get it all under control.

The astute among you will notice the gaping hole in my plan. The unmanaged hub cannot tag VLANs, it can’t even switch after all. I knew this, but that’s the equipment that I had on hand. The idea was to only put “crap” there, such as consoles, Apple TV, etc. It all went downhill from here friends…

I later purchased an EdgeRouter PoE, thinking I’d replace the hub with the ER-X, move some Raspberry Pis to the PoE router, vlan tag some WiFi networks, slap hands together, dust off, done. So clever I, saving monnneyyyy, connecting things togetttther.

Lessons learned and remembered:

  1. There is a bad taste in my mouth from running a switch, a router, and a firewall on the same low power device and working around the quirks of such a setup. I prefer to buy once, with ample room to grow.
  2. I have an utmost concern for both privacy and security. I would like to run an open source firewall.
  3. I don’t like having to run the UniFi Controller just to configure the AP.
  4. The EdgeRouter PoE has passive ports and raspi PoE hats require 48V active ports, duh! (You could technically drop a buck converter on there and it will probably not fry any of your equipment. Lame, dangerous, but very cheap.)
  5. I don’t trust some of my laptops and workstations, due to age, neglect, and negligence.

A new plan and a new budget:

ISP -|
     Netgate SG-5100 (utter overkill, by design)
       ?- EdgeSwitch
           |- Synology NAS
           |- Up to 3 computers
           |- Up to 5 Pis over PoE
           ?- airCube Home Wi-Fi Access Point
              |- 3 iPhones
              |- 3 Laptops
              |- 3 Tablets
              |- Guests
              |- ~10 IoT devices (50+ in 5 years?)
       |- 50ft of Cat5e to ER-X configured as a switch
           |- Media devices, consoles, Apple TV, etc

Questions:

  1. Should I hang the ER-X directly off the Netgate or daisy chain off the main switch?
  2. Should I hang the NAS directly off the Netgate or put it on the switch?
  3. I would like to set up offsite backups between my Synology and a Synology at a different location. Is VPN the way to go? I could install my unused EdgeRouter PoE at the other location.
  4. Is the airCube a significant downgrade from AP LITE? I could always add more APs or upcycle some old hardware for low bandwidth IoT devices.
  5. I don’t want my workstations to have access to network configuration. What other options do I have for managing the various routers, switches, etc? I’m interested in maximum security, not a fancy dashboard. UNMS? Or a separate control network/plane?

P.S. Tom’s YouTube channel has been a tremendous resource on my journey. If you’re reading, thank you!

There are obviously numerous permutations you can go through; however, like most other humans, the main constraint will be budget. Having done something similar a while back, I can share some of my experience.

I’ll make the assumption that you will run cable in your dwelling. I’d definitely stick with punch-down connections rather than terminating them with Ethernet jacks where possible.

Personally I would consider a bigger 48-port Netgear switch with PoE; they have a horrible GUI but are easy to set up. The cost of these is fairly reasonable. You also wanna consider heat and noise from the unit.

The Netgate devices always seem pricey for what they are; there are various “Chinese” boxes similar to the Protectli for half the price. I’d consider these given I can buy 2 for the same price as the Netgate.

I’ve connected my pfSense to the main switch, and everything either daisy-chains off the switch or connects directly.

If you wanna connect two NAS devices, I’d set up a site-to-site OpenVPN; not difficult. It would be easier to sort out networking subnets first; personally I use the same network class at three sites.

With the AP I would stick with the same ones, or at least be able to set up roaming if you have multiple ones. If you have vlans then your AP will need to support multiple SSIDs and/or be vlan capable.

When it comes to security, just set up a management VLAN with adequate firewall rules. You can also set up RADIUS to authenticate every device on your VLAN with 802.1X, no problem. Use an IoT VLAN for dodgy stuff and a guest VLAN for guests.

1 Like
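As an added illustration of the RADIUS-assigned VLAN idea in the reply above (not neogrid’s configuration, and not from the thread), these are FreeRADIUS `clients.conf` and `users` fragments that put an 802.1X-capable Pi on a trusted VLAN and a supplicant-less IoT device on the IoT VLAN via MAC authentication. The VLAN IDs, switch address, MAC-username format and secrets are constructed placeholders; check which MAC format your switch sends.

```conf
# clients.conf: the switch or AP is the RADIUS client (NAS). One entry per device.
# The secret is a placeholder; use a long random value and reach the switch only
# over its management-VLAN address so RADIUS traffic never crosses an IoT VLAN.
client edgeswitch {
    ipaddr = 192.168.99.2                 # assumed management-VLAN address
    secret = CHANGE-ME-long-random-secret
}

# users: authorization. The reply attributes are the RFC 3580 tunnel attributes;
# the switch/AP applies the returned VLAN to the port or wireless session.

# A Raspberry Pi doing PEAP-MSCHAPv2 or EAP-TTLS lands on trusted VLAN 10.
"pi-01"        Cleartext-Password := "CHANGE-ME-device-password"
               Tunnel-Type = VLAN,
               Tunnel-Medium-Type = IEEE-802,
               Tunnel-Private-Group-Id = "10"

# An IoT device with no 802.1X supplicant: the switch sends its MAC address as
# the username (MAC authentication bypass). Accept it only into IoT VLAN 30,
# where firewall rules on the pfSense box keep it away from NAS and management.
"aabbccddeeff" Auth-Type := Accept
               Tunnel-Type = VLAN,
               Tunnel-Medium-Type = IEEE-802,
               Tunnel-Private-Group-Id = "30"

# Anything with no entry here gets no VLAN attributes and, with the default
# authorize flow, an Access-Reject: an unknown device ends up on no VLAN at all.
```

MAC-based acceptance is only as strong as the MAC address, so treat the IoT VLAN as untrusted regardless of how a device got there; the 802.1X credentialed devices are the ones that earn access to the trusted VLAN.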

Thank you for sharing your experience. For my needs, I can’t imagine needing 48 ports at one physical location; however, noise and, to the extent that it matters to the equipment, heat do matter. I lean toward Ubiquiti products precisely because of the UI. I look at the Netgate as an investment, both into the hardware itself and into the longevity of the project.

Is there any practical difference between having the NAS, for example, connected directly to the pfsense versus having it connected to the switch?

Yea, I’m having doubts about the airCube, I’m not sure if you can roam between multiple ones.

VPN does sound like the ticket, since I’ll want to remote manage the other site too. Is it possible to set up multiple VPNs with this equipment? Say, if I wanted to access multiple, unrelated sites from my home.

802.1X looks interesting, thank you; I will keep things simple for now though.

According to this discussion, airCubes do indeed roam.

I suppose it depends on the layout of your dwelling etc. My NAS has 4 ports, pfSense has 4 ports, Proxmox has 5; that’s already 13 going into the switch! My point was really just to shop around for a combined switch and PoE; mine are separate because I assumed it would be more expensive, but that wasn’t the case.

The pfSense doesn’t really work as a switch, so it doesn’t make much sense to plug in the NAS. Perhaps you can, but I don’t. If your switch supports LAGG, then plug all the ports on the pfSense into the switch.

You can set up any number of VPNs. I’ve set up site-to-site to my sites, have my home VPN, a backup home VPN and my paid-for VPN which I can access on the go if I want. Further to that, I have also set up OpenVPN servers that I only use when I connect to home WiFi so I have an additional layer of security; WPA2 is a bit crappy.

It took me ages to suss out pfSense; the other networking aspects were easy in comparison.

1 Like
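As an added example of the site-to-site OpenVPN the reply above recommends for the two Synology units (this is illustrative, not neogrid’s or pfSense’s own configuration), here is a minimal TLS point-to-point server and client pair. The subnets, hostname and certificate file names are constructed placeholders; the one hard rule it encodes is that the two LANs and the tunnel network must not overlap.

```conf
# --- Site A (home, behind the pfSense box): OpenVPN server side ---
# Constructed, deliberately non-overlapping addressing:
#   site A LAN 192.168.10.0/24, site B LAN 192.168.20.0/24, tunnel 10.99.0.0/30
dev tun
proto udp
port 1194
mode p2p
tls-server
ifconfig 10.99.0.1 10.99.0.2
route 192.168.20.0 255.255.255.0   # site B's LAN is reachable through the tunnel
ca ca.crt
cert siteA.crt
key siteA.key
dh dh2048.pem
tls-crypt ta.key                   # same pre-shared key on both ends; drops
                                   # unauthenticated packets before any TLS work
remote-cert-tls client             # peer cert must carry the client EKU
cipher AES-256-GCM
auth SHA256
keepalive 10 60
persist-key
persist-tun

# --- Site B (remote, EdgeRouter PoE or a second pfSense): OpenVPN client side ---
dev tun
proto udp
remote home.example.net 1194       # placeholder for site A's WAN hostname
mode p2p
tls-client
ifconfig 10.99.0.2 10.99.0.1
route 192.168.10.0 255.255.255.0   # site A's LAN is reachable through the tunnel
ca ca.crt
cert siteB.crt
key siteB.key
tls-crypt ta.key
remote-cert-tls server             # refuse a leaked client cert posing as the server
cipher AES-256-GCM
auth SHA256
keepalive 10 60
persist-key
persist-tun
```

pfSense’s OpenVPN GUI exposes these same options under a different skin; the tunnel only carries packets, so firewall rules on both ends should still restrict what crosses it, for example only the two NAS addresses on the rsync or SSH port rather than the whole remote LAN.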

|- ISP 1 ATT Fiber
|- ISP 2 ATT LTE (failover)
Protectli (pfSense) DNS over TLS, DNSSEC, DHCP, NTP, IPsec VPN, etc
|- 16 port PoE+ GB business class unmanaged switch
   |- anything I can physically wire Cat5e to, especially streaming devices
   |- WRT3200ACM AP (OpenWRT)
      |- mobile/portable clients
      |- IoT
      |- NAS 1
         |
      |- NAS 2
         |- External USB 3 drive in 45 min fire rated safe

Wired both NAS units to the AP since mobile/portable clients are the largest users.
Wired both NAS units directly together using spare LAN ports for backups/rsync.

Thank you for the education @neogrid. I took your advice and shopped around. The 48-port Netgear PoE units are indeed very cost effective. However, I’m still leaning toward a 24-port EdgeSwitch, since I really like the Ubiquiti devices that I already own.

I forgot that the NAS supports link aggregation. I doubt that my spinning rust can even saturate gigabit. On the other hand, I’m sure it will all be solid state in a matter of a few short years. There is also an M.2 cache option on the Synology.

All this to say, you’re right, I will need more ports than I thought.

Did you mean that you connect all four ports of the pfSense into the switch? Why?

Thanks for sharing. An interesting idea… The airCube does have four ports.

I’m leaning toward simplicity over sheer performance at the moment, to match my level of commitment.

That sounds like a grand idea. Past initial configuration, will doing this require extra steps to connect to WiFi or will clients establish a VPN link automatically?

Initially it was because I could. Then it’s clear that if there is a failure in the cable or port I have some redundancy, and if my network ever gets so busy (it won’t) the traffic will be spread across the connections. Make sure the switch supports the LACP standard; there are different standards which I won’t claim to fully understand, but this is the higher standard, so to speak.

1 Like

Nope. I connect to home WiFi over 802.11x, then manually connect to the OpenVPN server with the client on my phone or tablet; in the client there is a setting to reconnect on reboot, so now it’s just running. You can just as easily have one OpenVPN server that you establish for connecting to your home network externally and use that. I only did this after I read about the Kr00k vulnerability; I wasn’t affected by it but noted that using the OpenVPN encryption offered some level of protection.

I’ve seen that OpenVPN packages have updates from time to time on pfSense, so you don’t have to wait for a firmware update; by contrast, my TP-Link AP will no longer be supported in a year or two.

These are easy steps for a home network, so I figure I may as well do them. I’ve always hated that equipment I buy soon becomes unsupported even though it still works; that’s one of the reasons I moved to pfSense.

1 Like