Home network overhaul

robj20 · 8 Feb 2024 at 10:08

Been wanting to overhaul my network for ages now. Main things i want to acheive is increased security especially concerning IOT/Smart Devices, ditch the ISP routers, im often changing ISP and constantly changing everything is annoying, and make use of the 2.5Gbe some of my devices can now do. Plus i like to tinker just never done much networking since my college days.

Router i have my eyes set on Opnsens running on one of these https://eu.protectli.com/product/vp2420/

Wifi i was thinking maybe a Unifi U7 Pro.

I have a POE switch so that will do the U7 Pro, plus another standard 1Gb switch, so at the least ill need to either replace or add a 2.5Gb switch.

VLANs are where it gets complicated for me. I want to put all the cheap smart switches and what not on one so they have zero access to the internet or my main LAN, but i still want my phones and speakers to be able to control them.

Do i need a managed switch for this? I also have a Philips Hue bridge but thats a physical connection so how to i do VLAN with that, could i do it via a physical port on the router with two cables to the switch?

Just because it different i was thinking of 10.10.1.0/24 for my main LAN full access to everything router set to 10.10.1.1, 10.10.2.0/24 for IOT stuff with no access to internet, 10.10.3.0/24 for LAN only access. Does this sound right?

ChrisD. · 8 Feb 2024 at 10:37

robj20 said:
Do i need a managed switch for this?

Short answer is yes.

But it can be done with unmanaged switches if the OPNsense router has multiple physical interfaces. As an example, LAN 1 on the OPNsense box connects to switch 1. LAN 2 connects to switch 2 and so on. It's obviously not very practical or scalable.

But it's far easier just to use a managed switch and then tag the ports of the switches depending on what's connected to the port.

Wi-Fi wise, with UniFi you can use PPSK, but it think it would need a UniFi gateway to work. I haven't done it with a non-UniFi gateway without using PSK but I'm sure it's possible.

robj20 · 8 Feb 2024 at 10:45

It was in another thread someone said it's best to leave any switching to switches and not the router.

I guess a large managed 1gb switch and a smaller 2.5gb managed is the way to go.
Briefly looked at the Unifi Pro Max or what ever it's called. It would certainly work but it's like £750.

What's the point of VLAN tags, is it not enough to have the different subnets IE 10.10.#.0. 1, 2 and 3?

I can see in going to have to do a lot of research before getting any equipment.

paradigm · 8 Feb 2024 at 10:55

robj20 said:
What's the point of VLAN tags, is it not enough to have the different subnets IE 10.10.#.0. 1, 2 and 3

Subnetting splits a network into multiple segments, that may or may not have routing between them. VLAN tagging defines what VLAN a port (or device, if the device supports tagging) is on, essentially splitting the physical network into multiple virtual networks. Typically you'd uplink between switches using trunking (multiple allowed VLAN tags, and a default "native" VLAN that untagged traffic will use), so all VLANs can traverse the physical network, but potentially never interconnect at an IP level.

Over-simplification I know.

robj20 · 8 Feb 2024 at 11:03

So yes to managed switches. So what does the managed part enable you to do regards VLANs.

I see with Opnsense you make the VLANS and assign that tag.
Then on the Unifi AP you can have the multiple SSIDs with the same tags. So anything WiFi should be fine on an unmanaged switch I think.
Then I just need a small managed one for anything that uses a cable, or do all switches need to be managed?

ChrisD. · 8 Feb 2024 at 11:05

robj20 said:
It was in another thread someone said it's best to leave any switching to switches and not the router.

Switches switch in ASIC, not a CPU, so it's usually much faster than having a router do the work. That's why L3 switching is great, because you can switch at line speeds. But L3 switching is really not necessary for home use.

ChrisD. · 8 Feb 2024 at 11:07

robj20 said:
So yes to managed switches. So what does the managed part enable you to do regards VLANs.

I see with Opnsense you make the VLANS and assign that tag.
Then on the Unifi AP you can have the multiple SSIDs with the same tags. So anything WiFi should be fine on an unmanaged switch I think.
Then I just need a small managed one for anything that uses a cable, or do all switches need to be managed?

To do that with the AP you need to trunk, or tag the necessary uplinks to the AP. An unmanaged switch will usually ignore the VLAN header or drop the traffic, and only pass untagged traffic.

robj20 · 8 Feb 2024 at 11:11

Trunking, something else to look up. One of those things you wished you'd never started. Shouldn't be this hard or costly to have a more secure network.

Cheaper to bin all the smart stuff.

ChrisD. · 8 Feb 2024 at 11:18

robj20 said:
Trunking, something else to look up. One of those things you wished you'd never started. Shouldn't be this hard or costly to have a more secure network.

Cheaper to bin all the smart stuff.

This is why UniFi is so popular, the SDN/Network Application element of it makes it all a breeze even for beginners.

robj20 · 8 Feb 2024 at 11:20

So if I do get the U7Pro the Pro Max 24 would work nicely with it.
Then it's getting it working nicely with Opnsense.
Definitely cheaper to use an injector for the U7Pro rather than get the Pro Max poe

paradigm · 8 Feb 2024 at 11:28

I find it very hard to reccomend Unifi to people if they aren't going to get a UDM or other central device to manage the routing. If you want the most functionality from your APs you're going to have to configure most of the same things using the controller software anyway, and if you are residing yourself to doing that why not just go all-in? (Assuming you can afford a UDM or similar).

ChrisD. · 8 Feb 2024 at 11:32

paradigm said:
I find it very hard to reccomend Unifi to people if they aren't going to get a UDM or other central device to manage the routing. If you want the most functionality from your APs you're going to have to configure most of the same things using the controller software anyway, and if you are residing yourself to doing that why not just go all-in? (Assuming you can afford a UDM or similar).

Yeah, this is my point. If you have 3rd party devices anywhere in the chain, that requires manual configuration. I did it for a number of years and in the end I got fed up and got the SE, and tbh I've been very happy with it.

robj20 · 8 Feb 2024 at 11:37

paradigm said:
I find it very hard to reccomend Unifi to people if they aren't going to get a UDM or other central device to manage the routing. If you want the most functionality from your APs you're going to have to configure most of the same things using the controller software anyway, and if you are residing yourself to doing that why not just go all-in? (Assuming you can afford a UDM or similar).

Is the UDM fast enough, I'm sure I read some reviews that said it struggled with 1gb routing.
But no increased price just means I'd save up longer.

The SE seems almost perfect it's missing 2.5gb Lan ports though.

paradigm · 8 Feb 2024 at 11:43

robj20 said:
Is the UDM fast enough, I'm sure I read some reviews that said it struggled with 1gb routing.
But no increased price just means I'd save up longer.

UDM might not be, but UDM PRO or SE probably would be. I've got Virgin's Gig1 service on my UDM Pro, and whilst the sync rate is around 1.15Gbps, I'm happy with the 960Mbps I can get through the 1Gbps WAN port.

ChrisD. · 8 Feb 2024 at 11:49

robj20 said:
The SE seems almost perfect it's missing 2.5gb Lan ports though.

You do however have two assignable SFP+ ports, and you can run a UniFi switch downlink from it.

robj20 · 8 Feb 2024 at 11:49

So if I got the SE, I'd still need the Pro Max 24 but could connect it to the SE with SFP.
And the U7Pro.
I think that would work.

And then it'll make doing all the VLAN stuff much easier?

ChrisD. · 8 Feb 2024 at 11:55

robj20 said:
So if I got the SE, I'd still need the Pro Max 24 but could connect it to the SE with SFP.
And the U7Pro.
I think that would work.

And then it'll make doing all the VLAN stuff much easier?

Correct. The Pro Max 24 is a nice switch, but it's expensive. Are you sure you need that specific switch?

robj20 · 8 Feb 2024 at 11:57

ChrisD. said:
Correct. The Pro Max 24 is a nice switch, but it's expensive. Are you sure you need that specific switch?

2.5Gb for 2 pcs and the NAS, i move lots of 4k video around, lots of photos. Its more a form want than need. U7 Pro is 2.5Gb but i dont mind that running at 1Gb.

ChrisD. · 8 Feb 2024 at 12:00

robj20 said:
2.5Gb for 2 pcs and the NAS, i move lots of 4k video around, lots of photos. Its more a form want than need.

If you don't need PoE++, rack mount, or 24 ports, or Etherlighting then the USW-Enterprise-8-PoE is a fair bit cheaper.

robj20 · 8 Feb 2024 at 12:03

ChrisD. said:
If you don't need PoE++, rack mount, or 24 ports, or Etherlighting then the USW-Enterprise-8-PoE is a fair bit cheaper.

Thanks. Ill have to see if 8 plus the SE is enough ports.

Unless the Unifi store pricing is way off the Pro Max 24 is £430 and that USW-Enterprise 8 POE is £390. I see you mentioned the POE++ i was thinking the none POE Pro Max is best, i will only have 1 device that requires POE at 2.5gb so that can use an injector. Cameras and such can be ran off the DM SE at 1Gb.