We’re renovating a house and I’m looking to add some smart home devices in the home. This gives me a perfect excuse to renew my current home network setup. I currently have a simple setup: my ISP router + an unmanaged 16-port switch with 2 Unifi AC Pro APs (fed using PoE injectors). I want to give the 2 Unifi APs to friends of mine so I’m looking at a total renewal of my network.

I have a homeserver which runs 25+ containers, some for home use and some that I expose to the internet as well.

Since I’m adding smart home appliances (mostly Z-Wave but I will have to use some Wifi devices as well) to the network, I’d like to isolate these devices and give them minimal access to the internet and my own network. Since this will require me to set up VLANs I also want to set up multiple VLANs for various needs (see below).

As I’m not a network expert (I have basic knowledge) I like SDN setups. I was doubting between Unifi and Omada; after reading many posts I’ve got the feeling that Unifi isn’t the same company it was 5 years ago, and the router solutions Unifi is selling don’t really seem to fit my needs (dream router/machine). The older Unifi routers feel like a better fit, however I’m worried that they will become EoL and will no longer receive security updates. After learning that the Omada APs support PPSK without RADIUS - which allows me to use 1 SSID and have clients added to a VLAN depending on their passphrase - I decided to give Omada a chance.

I want to buy a smart doorbell (Reolink). I don’t plan on recording 24/7 or having any security cameras, however I do worry that if I do get them I might hammer my router since the traffic streams will have to be routed between VLANs. However L3 switches are way pricier so I’d like to try with my current setup and upgrade if need be if/when the time comes.

I read that Omada routers are also not that great (I would primarily be using it to configure the routing between VLANs), and I was doubting between OPNsense or MikroTik. I got the impression that the MikroTik (while harder to configure initially) is more of a set-and-forget solution with enough capacity for my needs.

I want to buy the following hardware (fanless is a must):

  • MikroTik RB5009UG+S+IN
  • TP-Link JetStream TL-SG2016P (16 ports will be enough, I expect to require 3 PoE ports)
  • 2 * TP-Link EAP650 - I like their small form factor and PPSK

I want to configure the following VLANs:

  • VLAN 10: 192.168.10.0/24 - management vlan
    • Contains: pihole, VPN server, network devices, omada controller
    • Access to: all vlans
  • VLAN 20: 192.168.20.0/24 - private services vlan
    • Contains: server containing 25+ containers and Home Assistant server
    • Access to other vlans: 30
  • VLAN 30: 192.168.30.0/24 - shared services vlan
    • Contains: chromecasts, printers, other services I would like to expose to guests and home users
    • Access to other vlans: none
  • VLAN 40: 192.168.40.0/24 - smart home devices vlan (via wifi or wired)
    • Contains: smart home sensors/devices + Home Assistant server
    • Will not have access to the internet
    • Would like to have client isolation if possible/feasible
    • Access to other vlans: none
  • VLAN 50: 192.168.50.0/24 - smart home devices vlan with internet access (via wifi or wired)
    • Contains: hopefully nothing, devices that require internet access to function
    • Would like to have client isolation if possible/feasible
    • Access to other vlans: none
  • VLAN 200: 192.168.200.0/24 - Home users (via wifi or wired, mac address whitelisted?)
    • Contains: home users
    • Access to other vlans: 20, 30, 210, 220
  • VLAN 210: 192.168.210.0/24 - VPN users
    • Contains: VPN users
    • Access to other vlans: 30
  • VLAN 220: 192.168.220.0/24 - Guest users (wifi only or wired)
    • Contains: guests
    • Access to other vlans: 20, 30, 200, 210

I plan to assign 3 VLANs to my Home Assistant server so it can be reached by the smart home devices and it can be reached by home users, however there might be better solutions to solve this.

I’m also wondering if it would make sense to split my 25+ containers over multiple vnets (putting containers reachable from the internet in a separate VNET).

Any feedback is greatly appreciated!
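The VLAN access matrix from the post, encoded as data with a one-directional policy check and a generator for the MikroTik RouterOS forward-chain rules that would enforce it with a default deny. This is an added example, not the OP’s or MikroTik’s own configuration; the interface names "vlanN" and the interface list "WAN" are assumptions, and the VLAN interfaces and addresses themselves are assumed to already exist on the RB5009.

```python
# Added example (not from the post): the VLAN access matrix encoded as data,
# a one-directional policy check, and a generator for MikroTik RouterOS
# forward-chain rules with a default deny. The interface names "vlan<N>" and
# the interface list "WAN" are assumptions about how the RB5009 would be set up.

VLANS = {10, 20, 30, 40, 50, 200, 210, 220}

# Initiating VLAN -> VLANs it may open new connections to (from the post).
ACCESS = {
    10: VLANS - {10},           # management reaches every other VLAN
    20: {30},
    30: set(),
    40: set(),
    50: set(),
    200: {20, 30, 210, 220},
    210: {30},
    220: {20, 30, 200, 210},
}

# Every VLAN except 40 is allowed out to the internet.
INTERNET = VLANS - {40}


def is_allowed(src, dst):
    """Is a NEW connection from VLAN src to dst (a VLAN id or "wan") permitted?
    Return traffic is covered by the established/related rule, so this is
    deliberately one-directional (40 -> 10 is denied even though 10 -> 40 is allowed)."""
    if dst == "wan":
        return src in INTERNET
    return dst in ACCESS.get(src, set())


def routeros_rules():
    """RouterOS /ip firewall filter lines implementing ACCESS and INTERNET."""
    rules = [
        "/ip firewall filter",
        "add chain=forward connection-state=established,related action=accept",
        "add chain=forward connection-state=invalid action=drop",
    ]
    for src in sorted(ACCESS):
        for dst in sorted(ACCESS[src]):
            rules.append(f"add chain=forward connection-state=new "
                         f"in-interface=vlan{src} out-interface=vlan{dst} action=accept")
        if src in INTERNET:
            rules.append(f"add chain=forward connection-state=new "
                         f"in-interface=vlan{src} out-interface-list=WAN action=accept")
    # Anything not matched above, including VLAN 40 to the internet, is dropped.
    rules.append('add chain=forward action=drop comment="default deny"')
    return rules
```

Because the matrix is data, asymmetries such as guests (220) reaching the private services VLAN (20) while 20 cannot reach 220 are visible at a glance before any rule is pushed to the router.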

  • @[email protected]
    5 · 11 months ago

    This promises to be a fun project!

    It sounds to me like you have above-average demands on your network and I’d agree that UniFi (and therefore probably Omada) are not what I’d consider great as routers/firewalls.

    I’m a fan of pfSense/OPNSense for that purpose, which you can install on pretty much any x86_64 hardware. They’re both wonderful and you can fine tune to your heart’s content or get them set the way you like and leave them.

    If you really like a dedicated router appliance, I do like the Mikrotiks, too, but you’d have to study their sometimes-peculiar way of doing things.

    To my tastes, UniFi does great at switching and wireless, but if you’re unhappy with that direction, I’ve heard good things about Omada and the Aruba stuff is fantastic. I recently have been playing with some used IAP-325s from eBay. I picked them up for $25 and they’ve been terrific.

    • Transient Punk
      3 · 11 months ago

      I agree. The Unifi firewall leaves a lot to be desired, but their switches and access points are great!

      I’m currently running pfSense on one of these, and I have that connected to Unifi PoE switch with two Unifi APs connected to it, as well as several PoE IP cameras. It runs great, and I have no complaints.

      If I were redoing it today, I would grab a more modern version of my firewall hardware, preferably with 2.5g nics, but pretty much everything else is great!

      • @[email protected]
        2 · 11 months ago

        Very similar to my setup as well. I have a Qotom with 5x2.5Gb NICs. It’s got a lower end processor - Intel Celeron J4125 but I haven’t noticed any performance issues with my 1.5Gb connection.

        I’ve got my Proxmox cluster and my workstation on one interface with a 2.5Gb unmanaged switch, and then on another interface a Unifi 8 Lite PoE switch with 2 Unifi APs where all the streaming devices, wife’s and kids’ devices live.

      • @[email protected]
        1 · 11 months ago

        Your setup is actually very similar to mine at home, except that I’m running pfSense on a used thin client with a quad-port NIC. I agree the UniFi switches and APs have never given me a problem.

    • @[email protected]OP
      2 · 11 months ago

      I almost went with the OPNsense route as well; the versatility of this device and the fact it can run on lots of hardware configs makes it hard to find a hw/feature combination that will serve my needs with low power usage and no fan. Also I hope that MikroTik’s fw updates have a lower chance of breaking my setup, as I’ve read some bad experiences with pfSense/OPNsense updates in the past.

      Nonetheless I do like the OPNsense setup and might add an additional OPNsense VM in the future to play around with!

  • Transient Punk
    2 · 11 months ago

    I do worry that if I do get them I might hammer my router since the traffic streams will have to be routed between VLANs.

    The key here is to not route traffic across VLANs. Choose one VLAN to host all your network video content (IP cameras and NVR). This way, since all traffic is on the same subnet, all the network traversal can happen on the switch (even layer 2 switches) and not need to ever touch the router.

    Also, if you suspect there will be a decent amount of network traffic that needs to cross VLANs, it’s usually best to add an additional network interface that’s connected to the correct subnet. That way traffic can avoid the router.

    • @[email protected]OP
      1 · 11 months ago

      Thanks, that makes a lot of sense! Will certainly look into getting an NVR in the same vnet as the cams if I ever get them. I was planning to have devices exposed to multiple VLANs (e.g. Home Assistant). However I wasn’t sure if that is good or bad practice (since it opens an attack vector to jump across VLANs). I could always opt for an L3 switch if need be.

      • Transient Punk
        2 · 11 months ago

        No problem.

        I actually just learned this lesson recently (in the last week). I have a NAS that I use for my PCs, and it also stores my media collection for Plex, it was natively sitting on the same network as my PCs, as that’s where I was most concerned about network speed. I was having it cross VLANs for the Plex stuff, and it was only when I got a Ubiquiti switch that I noticed that traffic was hitting the router when crossing the VLANs but not when the two subnets were the same.

        I’m happy that my hard knock lesson can help someone avoid that same mistake.