Router Advice: Unifi Dream Machine or...?

Soldato
Joined
11 Jun 2003
Posts
10,795
Location
Hampshire
Hello gents,
Need advice for a new router / internet setup. First step is probably to buy a DrayTek Vigor 130 modem unless advised otherwise.

Plan to switch from Sky to Zen when contract ends. God knows what I'll do about TV and phone. Maybe FreeView / FreeSat and a VoIP solution? (Mrs insists on a landline).

I want:
  • VLANs to separate IoT and guests
  • Strong IP handling
  • Robust security
  • Options for IP camera setups with remote access (Unifi or QNAP)
Originally decided on a Unifi Dream Machine, but there are reports of software that's still buggy, and machines that overheat or break. I'm considering:
  1. Unifi Dream Machine
  2. Unifi CloudKey V2 (plus?) + Unifi Router (USG?)
  3. LinkSys AC3200 + OpenWRT
  4. Some Mesh network solution
1. offers a great all-in-one solution, with some reliability concerns and no access to Protect / Unifi cameras.

2. Offers flexibility, and future camera upgrades, but will be costly and more bulky

3. Is an open, evolving solution I don't understand enough

4. Quick to setup but either lacking in features or very expensive. I have a small house

I could shift camera duties to the QNAP in the future, perhaps offloading the PiHole duties to a raspberry Pi.

Looking for product suggestions and advice lads. Anything at all is really appreciated. There's an intimidating amount of kit out there!

  • Sky Q router, wireless off
  • Unifi AC-Lite handling wireless
  • 8 port PoE switch - AV cabinet
  • Cat6 from AV cabinet to Office
  • 4 port switch - Office
  • QNAP TS-453 (PiHole Docker)
  • Wireless devices : phones, laptops, quite a few IoT devices
 
Soldato
Joined
29 Dec 2002
Posts
7,176
Let’s start with the basics, Sky TV is available by itself at the same price as you currently pay without broadband, if you don’t want that, then Freesat/Freeview is an obvious choice, you can supplement it with NowTV (Sky in disguise) and/or other streaming services as required. Landline will be included by Zen if you ask for it, the standalone broadband service being sold uses the line anyway and the cost saving of not having it is minimal. We’ve had access to cheap mobiles for 25 years, the tariffs are now usually cheaper than a landline rental and include calls/texts/data, it’s really time to move on. If you want VoIP then Voipfone is inexpensive and the basic SNOM handsets are PoE and cheap/work well. Just remember that in the event of a power cut they aren’t powered by a line and your connection will be down without a UPS, so it’s back to mobiles anyway.

Connectivity wise what’s the Vigor 130 specifically going to do for you that a £10ish HG612/ECI won’t? For the vast majority of people it’s a waste of money, for a small minority on marginal lines it may be vaguely useful, but no guarantees and the long term gains aren’t usually life changing.

Router wise that’s quite a range of options. The UDM isn’t perfect, but it’s a decent bit of kit with reasonable warranty/support. Does the software have issues? Yes. Do parts feel like it’s still in beta? Yes, but it’s updated regularly and this is the future for Ubiquiti, the USG in its current form is a dead end and struggles to run packet inspection etc. at anything above mediocre FTTC speeds. Linksys running a *WRT firmware is a reasonable option, but I personally would go UDM or even consider self build with *sense/Untangle being the obvious choices, Sophos if you like being frustrated by glacial updates to key functions (sorry, you’re running a version of OpenVPN that’s how many years out of date?!).

Camera wise don’t buy into Unifi, it’s not great, use something that’s decent (Hikvision etc) with either a dedicated NVR or QNAP or a BluIris VM combined with quality cameras, they will be better and likely cheaper, stick to the products a company is good at, not the ones they bolted on because they could.
 
Soldato
Joined
13 Jul 2005
Posts
19,205
Location
Norfolk, South Scotland
Can I throw a total curveball in here and suggest the QNAP QGD-1600P Guardian? As well as being a QNAP NAS, it’s also a powerful router. It comes pre-loaded with a solution (Container Station) to let you run pfSense and/or Ubiquiti UniFi controller so that’s your security and WLAN covered and it’s a 16-port PoE switch with 8 camera licences for QNAP’s excellent QVR Pro software. It quite literally does everything you want in one box. Obviously, it’s double the price of the UniFi Dream Machine and I would argue it’s worth it.

If you do decide to go with the UDM don’t get confused with all the issues around the UDM Pro. It’s completely different hardware and it’s now stable and it will do what you want it to.

As for @Avalon’s suggestion on the second-hand ECI or Huawei modems from eBay. Yes, they’re great. Buy two! Or you can buy the Draytek Vigor 130 and you’ll be just as happy. It depends how much you want a new one vs. one that someone got from Openreach and never used. Or you could use the Zen supplied Fritzbox modem/router in PPPoE Pass-through mode which would be free. And fully supported by Zen as well!
 
Soldato
OP
Joined
11 Jun 2003
Posts
10,795
Location
Hampshire
Blown away by the response chaps. Thank you. I'll clarify some details below, chuck some questions your way if that's alright, and lay out my revised options.

Budget
I am eternally skint :D The UDM and Vigor 130 is all I can stretch to for the internet side of things.

So about £400, preferably (much) lower.

Maintenance
One important aspect that probably should have occurred to me sooner, is that this needs to be relatively bullet proof, not to mention set & forget if needed.

I'm not well, and whilst I love a project, sometimes I won't be in a place to faff about with it.

More importantly, if something happens to me, I don't want my wife to be stuck with a bunch of expensive paperweights, no internet, no TV, and no idea where to start.

My requirements

1. IoT devices on a separate VLAN which would only be able to talk to devices on my main VLAN when in use. I'd like this to be seamless. I'm confident the UDM does this, although I've read about some limitations on VLANs on the non-pro version?

2. Guest network with some parental / dodgy site restrictions. No access to IoT or NAS. Access to printer, and a splash screen, would be nice.

3. Functional & Secure; Basic static IP assignment, robust security / firewall, port forwarding & blocking, DNS server assignment. VPN would be nice too.

4. Future expansion into IP cameras. Doesn't have to be built into the router, just want to be able to remotely access live feeds / recordings, much like I do with my current Arlo setup.

@visibleman Great minds think alike fella, I'd been looking at the Draytek 2862ac. Could you advise if it can do all of the above?

Can I throw a total curveball in here and suggest the QNAP QGD-1600P Guardian? As well as being a QNAP NAS, it’s also a powerful router.

You certainly can mate, love a curveball! This looks like a phenomenal bit of kit. Exactly the sort of thing that gives me the nerd-tingles. Unfortunately, it's way out of my budget. Awesome suggestion though, thank you.

Question : Do you know if my TS-453 would be suitable for managing at least 4x 1080p cameras?

The NAS mainly handles backups in the wee hours, and stores my film library which I transcode and stream at 480p. It has a container running PiHole, and I'm in the middle of adding one for Canary. These could be moved to a Raspberry Pi; I could spare 1-2GB of capacity on it.


Components

Modem
What’s the Vigor 130 specifically going to do for you that a £10ish HG612/ECI won’t?

As for Avalon’s suggestion on the second-hand ECI or Huawei modems from eBay. Yes, they’re great. Buy two!

Brilliant. I am all about second hand. Saves dosh, and it's good to re-use something rather than it go to landfill. If I choose a separate modem solution, this is a no-brainer.

you could use the Zen supplied Fritzbox modem/router in PPPoE Pass-through mode

Zen informed me they would supply a Technicolor router for this purpose, as the Fritzbox doesn't support it?

Another great option though. I could use the HG612 with Sky, and decide which to keep when Zen is installed.

Solution : HG612 second hand and/or Technicolor from Zen

Router
After all of your particularly sage advice, revised options are:
  • Unifi Dream Machine. Does everything I want. Looks great. Could integrate my AC-Lite for the garden / any dead spots. Pricey. Not perfect. Requires separate modem. All in one solution means faults could be costly.
Thanks for setting my mind at rest @Avalon and @WJA96 :D

  • OpenWRT solution. Eg; Linksys WRT3200. Flexible, powerful, potentially cheap if I can get the right model, or pick one up second hand. Requires more setup, no tech support.
Question : Any other router suggestions?

  • All-in-one solution. Eg; Draytek 2862ac. Lacks the continued development of the UDM, but second-hand is much cheaper. No modem needed. The Draytek doesn't look like a beautiful space alien suppository.
Question: Any other all-in-one recommendations?

  • Self built solution; pfSense / Untangle. Most flexible. Fun. Containers; PiHole, Canary, BluIris etc. Have parts, cheapest option? Bulky. No warranty or support.
Questions:
Is a 4790k, Z97M and 16GB of RAM suitable?
Should I get a separate Network card? Which one?
Any vulnerability concerns on older Intel hardware?



Note : I've removed the USG and Mesh solutions from the list.

Landline
@Avalon Don't get me started mate. The Mrs bought these (admittedly rather spanky) DECT Panasonic handsets, after deciding that we needed a landline, even though we've not used one for years. She is otherwise rational and awesome, so this is a concession I'll begrudgingly make.

I'll probably go Zen as you suggest once we switch. Was initially put off by their rates, and packages, but we'll never use it anyway.

Voipfone looks like an excellent solution. If I eventually use Zen it's still a good stopgap. Needs an adapter, Voipfone offers the Cisco SPA112 for £60 which seems about the going rate. Even better, I can get one second hand for about £30.

Question:
Any suggestions for a cheaper VoIP adapter?
Are these just plug and play?


Television Packages
In addition to changing TV package, the Mrs wants a kitchen TV so I've been looking at using a Chromecast. Could apply this to the main TV as well. I believe we could watch live channels, as well as catch-up and streaming services. I'm assuming we can pause and rewind, but no recording.

Question: Is the Chromecast a good choice for this? Any other suggestions?

  • Sky, TV Only package. We pay very little already, mainly just Freeview channels. Recording etc. No up front payment. Contract.
  • FreeView - Costs nothing per month. Same channels as now. Need aerial and box; £200 minimum. No contracts. 3 years to break even!
  • FreeSat - Have dish. Fewer channels & box selection than FreeView. No contracts. 2 years to break even.
Question: Anyone have any experience with FreeSat they can share?
  • ChromeCast / NowTV - Flexible, streaming services and Live TV. Passes as needed. No contracts. No aerial costs. Small cost of entry. Big drawback is we can't record.
Question: As above. Is the Chromecast a good choice for this? Any other suggestions?


Conclusion

Seems there's about a dozen ways I could approach this, all with their pros and cons, and I can't reasonably ask any of you to definitively tell me what I should go for :p

That being said, I very much appreciate answers or advice you're willing to provide to any of the myriad questions I've posed. You've already been a massive help, thank you!

That's all for now. Sorry about the ridiculously long posts. Stay safe, have a fab Christmas, and may 2021 be a better year for us all!
 
Soldato
OP
Joined
11 Jun 2003
Posts
10,795
Location
Hampshire
Been looking at the pfSense solution and I'm rather taken with the idea. There'd be no discarding of my access point and I have most of the hardware already.

I also believe it could act as a print server, as well as run dockers / VMs for Unifi, PiHole, Canary etc ?

If this is the case then the only other solution with as much appeal would be the UDM. Given it's evolving, looks good and has support / warranty.

Parts I have:
  • Ubiquiti UAP-AC-LITE
  • i7 4790k & aftermarket cooler
  • MSI Z97M, mATX
  • 16GB DDR3 2400MHz
  • 256GB SATA SSD
  • Materials and fans to make a case
I believe I would need :
  • HG612 Modem
  • NIC - Intel Pro 1000 PT, Quad
  • Power Supply - 350W min, SFX
If I'm savvy I could get all three for around £80, more if I have to buy the PSU new. Another £30 for the Cisco SPA112, if I go with VoIP.

I could put together a quick and dirty case (acrylic & mesh) mounted behind my desk.

If I'm feeling flush I could buy an m.2 SSD for cleaner wiring, and splash out on the Silverstone SX500-LG for a bigger fan, more power and modular cables. With all that I'd still be at half the cost of a UDM.

Really given me a lot to think about, cheers chaps!
 
Soldato
Joined
24 Sep 2015
Posts
3,657
1. IoT devices on a separate VLAN which would only be able to talk to devices on my main VLAN when in use. I'd like this to be seamless. I'm confident the UDM does this, although I've read about some limitations on VLANs on the non-pro version?

What do you mean by the bit I've underlined? You can definitely set up VLANs on a UDM and can indeed restrict access from the IoT VLAN to your LAN, by default there's full access both ways but that's easy enough to restrict with firewall rules. I'm doing this in my UniFi setup and have only allowed my IOT VLAN to reach my Pi-Hole instances, everything else is blocked.

2. Guest network with some parental / dodgy site restrictions. No access to IoT or NAS. Access to printer, and a splash screen, would be nice.

I've been meaning to look at the Guest network stuff in UniFi but I believe a UDM will do what you're wanting.

3. Functional & Secure; Basic static IP assignment, robust security / firewall, port forwarding & blocking, DNS server assignment. VPN would be nice too.

I'm not a fan of assigning static IP addresses using DHCP. Set a static IP that's outside of the DHCP range on the device itself and then it's done. No need to faff about when you change router or if the router has a brain fart and wants to dish that IP address out elsewhere.

4. Future expansion into IP cameras. Doesn't have to be built into the router, just want to be able to remotely access live feeds / recordings, much like I do with my current Arlo setup.

No problem to do that with a UDM.

Question:
Any suggestions for a cheaper VoIP adapter?
Are these just plug and play?
Have a look at the Grandstream HT-801, they're about £30. On the face of it the setup is a bit daunting as there's an enormous amount of options that can be configured. Have a read of this and you'll find the settings that you need to change. On top of the settings there, just enter the SIP account details and away you go.
 
Don
Joined
19 May 2012
Posts
17,057
Location
Spalding, Lincolnshire
All-in-one solution. Eg; Draytek 2862ac. Lacks the continued development of the UDM, but second-hand is much cheaper. No modem needed. The Draytek doesn't look like a beautiful space alien suppository.
Been looking at the pfSense solution and I'm rather taken with the idea. There'd be no discarding of my access point and I have most of the hardware already.

Despite running PFSense at work for 100+ Computers, it's not really something I'd want at home

Could always get the non-wifi Draytek 2862 or something similar and then not discard your existing AP.

Unifi controller, pihole etc can be run on a raspberry pi - a 4790k is overkill - even a Dell Micro/Lenovo Tiny/ HP Mini PC would be a better option - stick ESXi or Hyper-V on it and then host everything on that - could even dangle a couple of USB Hard drives off it for CCTV storage


EDIT: It may also be worth considering a dedicated NVR for your CCTV - things like HiLook by Hikvision, or one of Uniview's dedicated NVRs can be had cheaply, and "will just work" - no fuss, no further licenses, and are then independent of whatever else you might want to mess around with on your router, VMs, etc.


I'm not a fan of assigning static IP addresses using DHCP. Set a static IP that's outside of the DHCP range on the device itself and then it's done. No need to faff about when you change router or if the router has a brain fart and wants to dish that IP address out elsewhere.
No faff here - 2 Clicks to export and import a DHCP MAC IP Bind list on Drayteks :)
 
Soldato
Joined
24 Sep 2015
Posts
3,657
No faff here - 2 Clicks to export and import a DHCP MAC IP Bind list on Drayteks :)

But what if you switch from Draytek to another brand?

I don't let my team assign 'static' IP addresses this way, we've had too many instances where an issue has blocked DHCP or similar which has resulted in something either having no IP address or not having the expected IP address. A pain if it's a PC or similar but a massive problem if it's a switch or something key to the infrastructure.
 
Don
Joined
19 May 2012
Posts
17,057
Location
Spalding, Lincolnshire
But what if you switch from Draytek to another brand?
At home it would be a slight inconvenience (although I can't see me changing from Draytek at home any time soon), but was a lot quicker to set up and organise rather than running around setting IPs on every device


At work everything is properly statically assigned and documented, as you'd expect (and necessary given the multiple IP ranges and separate networks we have)
 
Soldato
Joined
3 Jun 2005
Posts
3,047
Location
The South
@visibleman Great minds think alike fella, I'd been looking at the Draytek 2862ac. Could you advise if it can do all of the above?

Yes to all, although built-in parental controls are limited. You can block sites/IP addresses (and ranges) and arguably you could subscribe to Draytek's "Web Content Filter" service but to be honest, as DNS can be set per subnet you could just forward to OpenDNS and the likes.

Regarding updates, typically Draytek will push out firmware for 3/4 years until the device is EOL. And I have seen them do "emergency" firmware for some of their kit when there's been critical vulnerabilities but critical vulnerabilities are rare (from my experience over the last 10 years or so) and the last was a fair few years back with OpenSSL.

The only real downside to Draytek is WiFi performance. It's a lot, lot better than yesteryear's and arguably it'll be fine but this is about the one thing Ubiquiti does better.
As @Armageus says though, you could opt for the vanilla 2862 and then use whatever AP you wanted.

At work everything is properly statically assigned and documented,...

That's the key, as well as it being kept up-to-date.
 
Soldato
Joined
29 Dec 2002
Posts
7,176
If you need VoIP then a used SPA will do what you need perfectly, set-up on VoIPfone was a doddle, the advantage of VoIP is you can port an existing number out if needs be or take a 'new' number and if anyone rings it, it can route wherever you want in the world to any device that will do VoIP. That could be your home phone or mobile, the costs to do it are minimal and let's be honest, if you can make your significant other less miserable for £2/m you do it, it could be a lot, lot worse.

Router wise your hardware is overkill, thanks to Intel's power gating technology it's not going to suck that much power, you could run bare metal or you could re-purpose the old hardware with something like ESXi or Proxmox and move all your dockers/VMs over and virtualise the router, it's not ideal as if you reboot or break the host, everything loses connectivity, but on FTTC it's going to be fine. If considering ESXi, NIC choice is important, HP NC365T is an Intel i340-T4 branded by HP, it's supported by ESXi 7, the older Pro's aren't officially, but can be worked around. However, you mention your concerns in terms of if something goes wrong and you aren't around to fix it, if you want simplicity, then the UDM/Linksys may be a better option, although I sometimes joke about it, Draytek have been the go-to for branch offices for almost two decades, they offer good long term support, a feature set that tends to allow you to integrate them easily and mediocrity in abundance, but it's a router, it won't do DPI/SPI, AV or be a full UTM etc. in the same way something like a UDM or pfSense/Untangle can/will. Even if you go UDM, you don't need to discard your AP, it can be adopted and managed by the UDM if you need it.

TV wise you can pick up E2 satellite kit cheaply new, ZGemma dominates the low end and the hardware is decent (it wasn't always), if your wife wants TV in the kitchen, consider a FireTV stick (£18 on offer last week, not sure if they still are) as that allows Plex/Kodi or whatever your chosen front end is to play back all sorts, you also get iPlayer/ITV/4OD/My5 etc. on demand and can add things like Netflix/NowTV/Prime Video/appleTV/Disney+ etc. if you want to, remote is simple, decent app store, capable hardware at a low price. Plex/emby can be fed by an E2 based box (amongst other things), has full EPG and can record ;)

CCTV wise, resolution is only part of the equation, frame rate needs to be factored in, you don't generally record in 30fps. I haven't used QNap in ages, but I wouldn't want my main NAS being slow due to constant CCTV writes to the pool slowing down any other R/W tasks, a cheap NVR covers PoE for the cameras and gives you a fire and forget system that isn't slowing anything else down. Of course you could give it a dedicated drive on either the NAS or that virtualised host you're trying to talk yourself out of :D
 
Soldato
OP
Joined
11 Jun 2003
Posts
10,795
Location
Hampshire
What do you mean by the bit I've underlined?

I'm not a fan of assigning static IP addresses using DHCP.

Have a look at the Grandstream HT-801, they're about £30.

RE: VLANs I saw it covered in a UDM setup video from Crosstalk Solutions iirc. IoT devices could not talk to those on the main VLAN. Devices on the main VLAN had to first start 'talking' to the IoT device, then they would communicate as normal. Was seamless.

RE: Static IPs. In the past I've excluded say 20 IPs from the DHCP range, specifically for assigning them to devices via the router. Leaving plenty spare for expansion. Most devices assigned static IPs were left on DHCP. I keep a spreadsheet of assigned IPs. Love a good spreadsheet :D

@the-evaluator Never had an issue with this before. Is it bad practice?

RE: Grandstream HT-801 recommendation. That's awesome thanks mate, if I can find one second-hand it's a solid alternative to the SPA. I'd like to avoid VoIP entirely if I can though.

As Armageus says though, you could opt for the vanilla 2862 and then use whatever AP you wanted.

That's excellent thank you mate. Really useful info. The 2862 looks like a perfect alternative, as I already have the AC-LITE. Significant saving over the wireless version and no need for a separate modem!

Despite running PFSense at work for 100+ Computers, it's not really something I'd want at home

4790k is overkill - even a Dell Micro/Lenovo Tiny/ HP Mini PC would be a better option

EDIT: It may also worth considering a dedicated NVR for your CCTV - things like HiLook by Hikvision, or one of Uniview's dedicated NVRs can be had cheaply, and "will just work" - no fuss, no further licenses, and are then independent of whatever else you might want to mess around with on your router, VMs, etc.

RE: CCTV, ah that's great thank you mate. Really surprised by how cheap that HiLook is. Got any cheap camera recommendations that would be better than Arlo cameras?

RE: pfSense. How interesting. Why wouldn't you want it at home ?

RE: The hardware. What makes those mini-PCs the better option?

For the record I appreciate the 4790k is excessive, but the parts are literally just gathering dust, and for £80ish would give me a complete build. Wouldn't it be more than capable of doing everything I need and more?

My thinking was it also gives me more options for VMs etc, as I'll be able to assign resources with reckless abandon :p

Router wise your hardware is overkill, thanks to intel's power gating technology it's not going to suck that much power, you could run bare metal or you could re-purpose the old hardware

if you want simplicity, then the UDM/Linksys may be a better option, they offer mediocrity in abundance, but it's a router

TV wise consider a FireTV stick that allows Plex/Kodi or whatever your chosen front end is to play back all sorts, Plex/emby can be fed by an E2 based box (amongst other things), has full EPG and can record ;)

CCTV wise, I wouldn't want my main NAS being slow due to constant CCTV writes

A cheap NVR covers PoE for the cameras and gives you a fire and forget system that isn't slowing anything else down.

Of course you could give it a dedicated drive on either the NAS or that virtualised host you're trying to talk yourself out of :D

Talking myself out of it is getting more difficult by the second :D Incredibly useful stuff, thank you mate. I can't lie, it's prompted a considerable amount of googling and the addition of many new acronyms to my vocabulary.

That VoIP info was immensely informative as well. Thanks for confirming the SPA choice. I feel quite confident going for it if needed. That's VoIP ticked off the list!

That's a lot of my questions answered, and plenty of new information too. So after reading everyone's comments I've decided it's either the DrayTek non-ac, UDM & Modem, or the rather tantalising / immensely daunting task of deploying my own hardware, again with a cheapy modem.

@the-evaluator , @Armageus any more light you can shed on the above is really appreciated!
@Avalon Thanks so much again mate. Could you shed any more light on where to start with the self-build?

Going to swat up on DrayTek, the UDM, and my options for the self-build, and wait for your responses so I can feel out of my depth again :D
 
Associate
Joined
31 Aug 2017
Posts
2,209
I have an eBay Vigor 150 going to an EdgeRouter X, total cost 100 quid between 'em.
I also have a 10 port switch with fsc for about 80 quid, giga speeds and PoE etc.

Don't need to spend an arm and a leg, get the EdgeRouter, add a PiHole and enjoy
 
Soldato
OP
Joined
11 Jun 2003
Posts
10,795
Location
Hampshire
I have an eBay Vigor 150 going to an EdgeRouter X, total cost 100 quid between 'em.
I also have a 10 port switch with fsc for about 80 quid, giga speeds and PoE etc.

Don't need to spend an arm and a leg, get the EdgeRouter, add a PiHole and enjoy

Thanks for this man, I did actually look at the EdgeRouter but dismissed it early on. Perhaps it needs a revisit.

After doing some research I realise why I was advised running pfSense on the 4790k was overkill.
It's a complete OS, so running it virtualized on Ubuntu server would be a right pain. Plus internet goes down any time the server needs restarting, as I was told.

Looks like it's between the UDM and DrayTek, maybe an EdgeRouter. If I get a cheaper solution I could still build a server with the 4790k.
 
Soldato
Joined
29 Dec 2002
Posts
7,176
If you are considering the ERX, look at a used USG, single pane management with your Unifi AP, ticks all the other boxes off the top of my head, the only thing is the packet inspection side of things (if enabled) struggles on faster FTTC connections.
 
Soldato
Joined
24 Sep 2015
Posts
3,657
RE: VLANs I saw it covered in a UDM setup video from Crosstalk solutions iirc. IoT devices could not talk to those on the main VLAN. Devices on the main VLAN had to first start 'talking' to the IoT device, then they would communicate as normal. Was seamless.

It doesn't necessarily work like that. In my setup I am serving DNS to my IoT VLAN from 2 Pi-Hole instances in my main LAN (VLAN 1) so there's a firewall rule in place that lets the IoT VLAN reach port 53/udp on 2 IP addresses in VLAN 1. The communication is kicked off by the devices in the IoT VLAN. If it were reliant on the DNS servers starting the communication then the IoT VLAN wouldn't have working DNS.

Do you actually need communication from IoT to the main LAN? If you're just wanting to control a smart light (for example) that's in IoT then as long as the LAN is allowed to reach the IoT VLAN then it should work without there being any rules to allow communication the other way. It gets a bit more complicated if you have Sonos speakers in the IoT VLAN and want them to be controlled from a device on the LAN.

RE: Static IPs. In the past I've excluded say 20 IPs from the DHCP range, specifically for assigning them to devices via the router. Leaving plenty spare for expansion. Most devices assigned static IPs were left on DHCP. I keep a spreadsheet of assigned IPs. Love a good spreadsheet :D

@the-evaluator Never had an issue with this before. Is it bad practice?

It's definitely not how I would do it, but if it's working and you're happy with it then keep on doing it. In an enterprise environment that'd be extremely bad practice but this isn't an enterprise environment :)

That's a lot of my questions answered, and plenty of new information too. So after reading everyone's comments I've decided it's either the DrayTek non-ac, UDM & Modem, or the rather tantalising / immensely daunting task of deploying my own hardware, again with a cheapy modem.

@the-evaluator , @Armageus any more light you can shed on the above is really appreciated!

I'm not a fan of Draytek stuff (though I used a Vigor 130 as my FTTC modem and that was rock solid, I'd still be using it if I hadn't moved to FTTP) and can't be bothered with a bare metal install so out of the 3 options I'd go with a UDM. Either option would work though.
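To make the inter-VLAN policy described in the post above concrete, here is an added model (not the poster's UniFi configuration, and not a UDM export) of a first-match, stateful ruleset: the IoT VLAN may initiate only to the two Pi-hole resolvers on 53/udp, the main LAN may initiate anything towards IoT, replies to accepted flows pass as established, and all other IoT-to-LAN traffic is dropped. The subnets, Pi-hole addresses and port numbers are constructed for the example.

```python
"""Model of the IoT/LAN firewall policy discussed in the thread.

Constructed example: subnets, Pi-hole addresses and rule order are assumptions,
not a dump of any real UniFi/UDM ruleset. It shows why IoT-initiated DNS works
under an "IoT may only reach Pi-hole on 53/udp" rule, why unsolicited IoT -> LAN
traffic is dropped, and why LAN-initiated flows still receive their replies.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

LAN = ip_network("192.168.1.0/24")   # VLAN 1 (main LAN), assumed range
IOT = ip_network("192.168.20.0/24")  # IoT VLAN, assumed range
PIHOLES = frozenset({ip_address("192.168.1.10"), ip_address("192.168.1.11")})


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    sport: int
    dport: int

    def flow_key(self):
        return (self.src, self.sport, self.dst, self.dport, self.proto)

    def reverse_key(self):
        # Key a reply packet would have relative to the original flow.
        return (self.dst, self.dport, self.src, self.sport, self.proto)


@dataclass
class Rule:
    name: str
    action: str                     # "accept" or "drop"
    src: Optional[object] = None    # ip_network, or None for any
    dst: Optional[object] = None
    dst_hosts: frozenset = frozenset()  # explicit destination hosts, if any
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        s, d = ip_address(p.src), ip_address(p.dst)
        if self.src is not None and s not in self.src:
            return False
        if self.dst is not None and d not in self.dst:
            return False
        if self.dst_hosts and d not in self.dst_hosts:
            return False
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        return True


# First match wins. The trailing accept reproduces the "inter-VLAN traffic is
# allowed by default" behaviour the thread mentions; the block rule before it
# is what actually isolates IoT from the main LAN.
POLICY = [
    Rule("iot-to-pihole-dns", "accept", src=IOT, dst_hosts=PIHOLES, proto="udp", dport=53),
    Rule("iot-to-lan-block", "drop", src=IOT, dst=LAN),
    Rule("default-allow", "accept"),
]


class Firewall:
    def __init__(self, policy=POLICY):
        self.policy = policy
        self.conntrack = set()   # flow keys of accepted, initiated flows

    def filter(self, p: Packet) -> str:
        # Connection tracking runs first: a packet belonging to a flow that was
        # already accepted (either direction) is established and passes.
        if p.flow_key() in self.conntrack or p.reverse_key() in self.conntrack:
            return "accept:established"
        for rule in self.policy:
            if rule.matches(p):
                if rule.action == "accept":
                    self.conntrack.add(p.flow_key())
                return f"{rule.action}:{rule.name}"
        return "drop:implicit"


def run_scenarios() -> dict:
    """Walk the cases from the thread through one firewall instance."""
    fw = Firewall()
    return {
        # IoT device resolving a name via Pi-hole: IoT initiates, and the reply
        # comes back as part of the established flow.
        "iot_dns": fw.filter(Packet("192.168.20.5", "192.168.1.10", "udp", 40000, 53)),
        "iot_dns_reply": fw.filter(Packet("192.168.1.10", "192.168.20.5", "udp", 53, 40000)),
        # IoT device poking at the NAS on the main LAN: blocked.
        "iot_to_nas_smb": fw.filter(Packet("192.168.20.5", "192.168.1.20", "tcp", 41000, 445)),
        # Phone on the LAN controlling a smart bulb in IoT: allowed, and the
        # bulb's reply passes without any IoT -> LAN allow rule.
        "lan_to_bulb": fw.filter(Packet("192.168.1.50", "192.168.20.7", "tcp", 50000, 80)),
        "bulb_reply": fw.filter(Packet("192.168.20.7", "192.168.1.50", "tcp", 80, 50000)),
        # The same bulb starting its own connection to the LAN (the Sonos-style
        # callback case the post says gets complicated): dropped.
        "iot_unsolicited_to_lan": fw.filter(Packet("192.168.20.7", "192.168.1.50", "tcp", 80, 50001)),
    }
```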
 
Soldato
OP
Joined
11 Jun 2003
Posts
10,795
Location
Hampshire
It doesn't necessarily work like that. In my setup I am serving DNS to my IoT VLAN from 2 Pi-Hole instances in my main LAN (VLAN 1) so there's a firewall rule in place that lets the IoT VLAN reach port 53/udp on 2 IP addresses in VLAN 1. The communication is kicked off by the devices in the IoT VLAN. If it were reliant on the DNS servers starting the communication then the IoT VLAN wouldn't have working DNS.

Do you actually need communication from IoT to the main LAN? If you're just wanting to control a smart light (for example) that's in IoT then as long as the LAN is allowed to reach the IoT VLAN then it should work without there being any rules to allow communication the other way. It gets a bit more complicated if you have Sonos speakers in the IoT VLAN and want them to be controlled from a device on the LAN.



It's definitely not how I would do it, but if it's working and you're happy with it then keep on doing it. In an enterprise environment that'd be extremely bad practice but this isn't an enterprise environment :)



I'm not a fan of Draytek stuff (though I used a Vigor 130 as my FTTC modem and that was rock solid, I'd still be using it if I hadn't moved to FTTP) and can't be bothered with a bare metal install so out of the 3 options I'd go with a UDM. Either option would work though.


If you've got another option I'm all ears mate. These are based solely on my limited reading, I'm still reading up on openWRT, just didn't see the point as it was going to cost me the same as the DrayTek.
 