My home network currently looks a bit like this:
As you can see, I have an x86 router running Arch Linux. This runs AdGuard Home (network-wide ad-blocking plus DNS over HTTPS and DNS over TLS server), with DHCP and Shorewall. I have two physical unmanaged switches, one for each local network/subnet. There's an 8-port Netgear ProSafe GS108 for LAN devices, and a TP-Link TL-SG1008P 8-port PoE switch powering the cameras. I've got *just* enough ports (for now).
The diagram is simplified/flattened, and doesn't show the network upstairs. This runs from a single solid-core external-grade cat5e trunk line from the main switch downstairs, up the brickwork and back into a wall box in my room, attached to another TP-Link SG108 basic unmanaged gigabit switch. This serves my MacBook Pro, TiVo, FireTV etc.
I keep the CCTV (which is barred by the router's firewall from accessing the Internet) and NAS segregated from my local trusted devices, hence the separate subnet. If the NAS is ever compromised then at least my 'real' devices aren't able to be reached. It does run a separate firewall and IP jailing of its own, however, with random usernames and SSH keys for access, to be safe. Everything (Docker configs, Diskstation config, Unifi configs etc) backs up by rsync to Git overnight.
Our visitors connect to the wireless AP's guest network by scanning a QR code (handy to stick on a wall/door during gatherings), and get segregated from the 'real' network and into a local jail network by the AP itself. There's no VLAN as such.
I've been looking to simplify things. Rather than shove everything back on one network and lose the security advantage of segregating the NAS, I was thinking of getting a managed PoE switch and running VLANs. That way I can offload the whole 'two physical subnets and two switches' rigmarole onto a single managed switch with separate VLANs, and have one router and one switch in a nice tidy cabinet/rack on the wall. At the moment there's just a pile of gear in a corner - modem, Dell Optiplex 7020 router, two switches, NAS...
Since I already run the controller for the UAP-AC-PRO on the NAS I figured a Ubiquiti switch would fit in easily, plus it's fanless which is a bonus (networking stuff's in the corner of the living room). I hear the reliability isn't that good though, and they're literally twice the price of something similar from Netgear, Cisco etc. Are there any recommendations for something solid that isn't a pain to configure and manage? As I said, Ubiquiti would have been nice but I begrudge paying double for something just because it's white and trendy.
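For reference, this is roughly what the Shorewall side of the VLAN plan looks like once the two physical subnets collapse onto one managed switch and the Arch box keeps doing the routing. This is an added example, not from the original post or the Shorewall project: it assumes the router's LAN NIC is eth1 carrying two tagged VLANs (eth1.10 for trusted devices, eth1.20 for NAS plus cameras), that the sub-interfaces already exist (e.g. via systemd-networkd), and that 192.168.20.10 is the NAS; all addresses and VLAN IDs are made-up values.

```ini
# /etc/shorewall/zones
#ZONE   TYPE
fw      firewall
net     ipv4
lan     ipv4        # trusted devices, VLAN 10
iot     ipv4        # NAS + cameras, VLAN 20 (assumed layout)

# /etc/shorewall/interfaces
?FORMAT 2
#ZONE   INTERFACE   OPTIONS
net     eth0        dhcp,tcpflags,nosmurfs,routefilter
lan     eth1.10     dhcp,tcpflags,nosmurfs,routefilter
iot     eth1.20     dhcp,tcpflags,nosmurfs,routefilter

# /etc/shorewall/policy  (first match wins, so order matters)
#SOURCE DEST    POLICY  LOGLEVEL
$FW     all     ACCEPT
lan     net     ACCEPT
lan     iot     ACCEPT          # trusted side may open sessions to NAS/cameras
iot     lan     DROP    info    # compromised NAS can't reach the 'real' devices; log attempts
iot     net     DROP    info    # cameras get no Internet by default
net     all     DROP    info
all     all     REJECT  info

# /etc/shorewall/rules  (narrow exceptions to the policies above)
#ACTION         SOURCE              DEST    PROTO   DPORT
DNS(ACCEPT)     iot                 $FW                     # NAS/cameras resolve via AdGuard on the router
NTP(ACCEPT)     iot                 $FW
ACCEPT          iot:192.168.20.10   net     tcp     22,443  # NAS only: updates and the overnight rsync/Git push
```

Replies to sessions opened from lan come back through conntrack, so no extra iot-to-lan rule is needed, and the logged iot-to-lan drops are the thing to watch for a NAS that starts misbehaving. `shorewall check` validates the files before `shorewall restart` applies them.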