In need of advice to plan creating network (hardware mostly)

Quardah

n3wb
Joined
Aug 13, 2019
Messages
5
Reaction score
2
Location
Montréal
Hey folks.

I have been reading a lot on this forum and I have some questions before making a move. I would like assistance from seniors with experience in this domain; it would be greatly appreciated.

As a quick and brief introduction, I got into this new home and I would like to set up a network that I will be able to properly add cameras to later on. The network must absolutely have a guest network (it's a feature I absolutely need here). From my understanding so far, the router should support both OpenVPN and IPCT DDNS. If possible I would like to know if routers can support WireGuard as a VPN solution because I am most familiar with it, but it's not really mentioned here in the forums from what I read.

I currently have a TP-Link Archer2 AC750 which is not bad, but I can't find any VPN support for it so I'm willing to change it. I also have a modem from the ISP which is connected to their router (a Zyxel router, I don't know the model). I also need to add a third router in another room for full coverage of the building. I also have a Cisco E4200v2, but considering it was a pain to make two routers from different companies use the same WiFi networks (2.4 and 5GHz; the guest network with two different routers never worked), I think it would be best not to install it and instead properly plan and design what hardware to use.

So the plan here is to make a killer network with VPN support (OpenVPN or WireGuard), IPCT DDNS support, high security, with three WiFi networks across three of the same device. It also needs to be able to support cameras that will be added later.

My plan right now would be to have three times the same router. One will be connected to the modem as a gateway; the two other ones in two different rooms will be used both to replicate the same three WiFi networks (guest, 2.4 and 5GHz) and as switches for cabled computers (and cameras, eventually). I see a lot of people mention the Asus AC1900 RT-AC68U, but it's $200 + taxes in Canada ($230 each, times three it's $700!!!) so it's a little too expensive. The TP-Link Archer2 AC750 I have was 40 bucks (cheap lmao), but let's say I would be willing to go up to $120 with taxes for each router.

Unfortunately, it doesn't seem to support either VPN or DDNS.

I think three routers will be sufficient, as the terrain I need to cover with WiFi is 42 by 80 feet in a two-story building with a basement. The main router (internet gateway) is in the basement, eastward, and the other two routers are located on the first floor west and first floor north.

Please let me know what you think!

Thanks!

reflection

Young grasshopper
Joined
Jan 28, 2020
Messages
46
Reaction score
20
Location
Virginia
Hmmm.... a killer network. Really depends on how much tinkering you want to do.

  • I would get a used managed POE switch for your cameras and access points.
  • For WiFi coverage, get some used autonomous Access Points. (You can find them on eBay for $30 and they will be more powerful and more reliable than a consumer "router".) Cisco AIR-CAP3702I-N-K9 Aironet 3702i Wireless Access Point | eBay. This AP will let you have multiple WiFi networks, all mapped to their own VLAN (including a guest VLAN).
  • For your VPN, run pfSense. It supports OpenVPN or WireGuard. It will be your gateway firewall. There are tons of add-ons. I also recommend pfBlockerNG to block ads. You can run pfSense on the same server as Blue Iris (assuming you are using some sort of hypervisor).

Quardah

n3wb
Joined
Aug 13, 2019
Messages
5
Reaction score
2
Location
Montréal
> Hmmm.... a killer network. Really depends on how much tinkering you want to do.
>
>   • I would get a used managed POE switch for your cameras and access points.
>   • For WiFi coverage, get some used autonomous Access Points. (You can find them on eBay for $30 and they will be more powerful and more reliable than a consumer "router".) Cisco AIR-CAP3702I-N-K9 Aironet 3702i Wireless Access Point | eBay. This AP will let you have multiple WiFi networks, all mapped to their own VLAN (including a guest VLAN).
>   • For your VPN, run pfSense. It supports OpenVPN or WireGuard. It will be your gateway firewall. There are tons of add-ons. I also recommend pfBlockerNG to block ads. You can run pfSense on the same server as Blue Iris (assuming you are using some sort of hypervisor).
Thank you for your input.

The managed POE switch is a very good option.

There is a problem with using APs because I need to connect computers via Ethernet in both rooms where the routers will be located. The thing is the entry point is in the basement, but only two Ethernet cables are routed in the walls to reach the western and northern parts of the house. Both these places have multiple wired computers. But I could do with an access point if it has at least 2 switch ports on it.

It would be nice to have multiple networks through VLANs or VLSM. But it's not mandatory because home networking solutions nowadays typically grant three networks out of the box (2.4GHz, 5GHz and guest) and it would do the job fine.

Maybe APs are more secure because you can't physically connect to them.

I'll start reading on pfSense. Is it software? If it's available on Linux it would be best. I could add a host server on the network with KVM for two VMs, one for pfSense and one for Blue Iris; that would be rad. Is pfBlockerNG network-wide? I'd like it to act on all networks if possible. I heard of Pi-hole, is it similar?

SouthernYankee

IPCT Contributor
Joined
Feb 15, 2018
Messages
3,365
Reaction score
2,223
Location
Houston Tx
If you have one internet connection I see no need for multiple routers. One router is all you need. You are overworking the problem.
Please provide a diagram with equipment of your proposed network.

jmhmcse

Getting the hang of it
Joined
Dec 30, 2018
Messages
93
Reaction score
33
Location
usa
pfSense will provide everything you need in a router, but it's major overkill (though it is fun to play with). pfSense is its own Linux kernel which requires minimal CPU with modest memory and storage.

Three routers are not necessary, nor would they provide a simple 'flat' network. One ASUS router with ASUS-MERLIN replacing the stock firmware provides multiple SSIDs and multiple network ranges (#.#.#.#/24). Multiple switches (not routers) would increase remote connectivity requirements, with dual-radio Access Points providing WiFi connectivity. If VLANs are a requirement then make sure you have level-2 bridges (likewise, ensure the router you pick supports VLAN tagging).

Prepare a diagram of what requirements must be met on each level/floor. This will help you define everything you need and allow comment/review of your (picture) of the layout.

reflection

Young grasshopper
Joined
Jan 28, 2020
Messages
46
Reaction score
20
Location
Virginia
> Thank you for your input.
>
> The managed POE switch is a very good option.
>
> There is a problem with using APs because I need to connect computers via Ethernet in both rooms where the routers will be located. The thing is the entry point is in the basement, but only two Ethernet cables are routed in the walls to reach the western and northern parts of the house. Both these places have multiple wired computers. But I could do with an access point if it has at least 2 switch ports on it.
>
> It would be nice to have multiple networks through VLANs or VLSM. But it's not mandatory because home networking solutions nowadays typically grant three networks out of the box (2.4GHz, 5GHz and guest) and it would do the job fine.
>
> Maybe APs are more secure because you can't physically connect to them.
>
> I'll start reading on pfSense. Is it software? If it's available on Linux it would be best. I could add a host server on the network with KVM for two VMs, one for pfSense and one for Blue Iris; that would be rad. Is pfBlockerNG network-wide? I'd like it to act on all networks if possible. I heard of Pi-hole, is it similar?
Since there are two cables to each side (western and northern), one cable can be used for an AP and the other for a mini-switch. At some point if you are going to do PoE cameras, you are going to have the cameras wired to a PoE switch. You have a wiring issue no matter what and you will have to run cables.

2.4GHz and 5GHz are not different networks, they are different frequencies. You can have the same network on both your 2.4GHz and 5GHz radios. Not all client devices support both frequencies. I have 3 networks mapped to different VLANs and both my 2.4GHz and 5GHz radios serve all three networks. Your home router might configure two SSIDs (home and home-5G) and they may both map to the same network.

VLSM? variable length subnet mask? On your LAN, you are using private address space so there is no need to conserve IPs with VLSM. Just give each VLAN a /24.

You would install pfSense as its own VM. pfBlockerNG runs on pfSense. Yes it would be network wide since pfSense will be your gateway/router/firewall/VPN server. pfBlockerNG is like pi-hole, same purpose.

If you run Blue Iris as a VM, you should get a server with Intel Quick Sync and pass through the integrated GPU. It will be a night and day difference in terms of performance of your Blue Iris.

I'd recommend the free version of ESXi for your hypervisor.
Joined
Apr 26, 2016
Messages
899
Reaction score
519
Location
Colorado
Unifi might have an option you could look at. I have a guest bedroom where I wanted to provide AP & a few wired connections for a renter, I looked at: UAP-AC-IW-US ($99 for AP + 2 wired ports) & UAP-IW-HD-US ($179 for high density + 4 wired ports). They can be fed by one wire in the wall to each room providing you 1 pass-thru POE, a built-in switch and an AP on a single cable run.

If you want a "killer network" I can't disagree with pfSense, but just know it has a learning curve because it can do a lot more than a consumer router. And you will either need to split up a single slightly overpowered PC to run VMs (Blue Iris, hypervisor, pfSense) or a proper computer for Blue Iris (and Ubiquiti software) and a separate mini-computer (i.e. something like their official SG-1100, or build something yourself on something like an HP SB T740 Thin Client) for pfSense (and all that adds to cost/complexity/effort).

To add cameras later, you will want to have them hardwired and mounted with home runs back to the basement to a PoE switch and connect that to either the Blue Iris PC (dual-NIC method, personal preference), or make sure the Blue Iris machine is connected to those same camera switches to keep most of that traffic off your primary network.

reflection

Young grasshopper
Joined
Jan 28, 2020
Messages
46
Reaction score
20
Location
Virginia
Here is a sample drawing, both logical and physical view. I'm assuming that your Zyxel router can provide wireless for guests. Your signature has network and system admin so hopefully this makes sense. If not, we are here to help. You will have to configure the appropriate VLANs on your physical switch as well as your virtual switch in ESXi. The $30 used APs that I linked for you are 4x4 MIMO (same as the ASUS AC68U) and should give you plenty of bang for the buck. The size of your ESXi server will depend on how many cameras you want to grow to and the settings. For example, right now I have 4 cameras (three 2MP and one 4MP, motion detect alerts, record continuously, direct to disk, 15fps); I allocated Blue Iris 2 vCPU and 8GB RAM and passed through my GPU, and current CPU utilization is 15%. For pfSense, I allocated 1 vCPU and 8GB RAM and that's overkill. My ESXi server that I'm using for this is just a 4-core (no hyper-threading).

The big cost here is really going to be your time and how much that is worth to you. If you want to learn, then it's all worth it. There is going to be a learning curve if you have not done this before.

Screen Shot 2020-05-24 at 1.08.13 PM.png

Quardah

n3wb
Joined
Aug 13, 2019
Messages
5
Reaction score
2
Location
Montréal
Wow, thank you all for all your input. I am sorry for the late response, I was painting one of my apartments overnight and just got up lmao

I would like to clarify some things:

1 - I was saying "router" but it's really access points. It's just that in the home networking context a "router" is a device that is both a router, has switch ports, plus is an access point.

2 - There is ONE cable going north, and ONE cable going west, hence why I can't have both an AP and a PoE switch. I could have an additional PoE switch though, to which both the camera and AP could be connected.

Many thanks for the diagrams, I understand them. My only concern is the following: if the Zyxel provides guest access but the guests are out of range, can the access point provide access for the guest network? I haven't been working a lot with access points (my work networking experience is mostly datacenter; I never really had the chance to work with deploying wireless access points). It's home networking gear so they "made it simple" and they have a "guest" feature, but to be honest now I think it would be best simply to have two separate networks, one for guests and one for management.

I would like to know more about ESXi. I usually go with KVM because it's free software and I'm used to it, but I can learn new things. Why ESXi instead of KVM? Why do you have this preference? ;)

From my understanding, instead of going with a built-in OpenVPN solution like I've read a lot of times on the forum, you would instead dedicate a full host to doing all of the software tasks, split into VMs. The first VM would be running pfSense as an entry point firewall for inbound traffic (firstly for OpenVPN, but could be flexible for anything else I add later on) and a second VM for the Blue Iris software for the cameras.

Since I have a single cable going west and north each, I would maybe need to add 2 more PoE switches to have both the AP and cameras attached to them (adding cables to the basement would be really hard at this point).

I'd like to add I am planning on four cameras.

In summary, from my understanding, in this case you would use the same Zyxel router, add a PoE switch, get two access points with at least 2 Ethernet ports (I like the UAP-AC-IW-US proposed by crw030) and a hypervisor host.

What PoE switch do you have in mind? Any particular switch you like for certain features? Plus what specs for the hypervisor host? With the new Ryzens I guess it won't be very expensive to get some kickass specs for cheap.

Thank you for your time. I really appreciate the efforts.

reflection

Young grasshopper
Joined
Jan 28, 2020
Messages
46
Reaction score
20
Location
Virginia
> Many thanks for the diagrams, I understand them. My only concern is the following: if the Zyxel provides guest access but the guests are out of range, can the access point provide access for the guest network? I haven't been working a lot with access points (my work networking experience is mostly datacenter; I never really had the chance to work with deploying wireless access points). It's home networking gear so they "made it simple" and they have a "guest" feature, but to be honest now I think it would be best simply to have two separate networks, one for guests and one for management.
Datacenters are my specialty. That's my day job.
Yes, the AP can provide the access to the same network. You would have to connect the LAN side of the Zyxel back into the switch. You would have a guest VLAN that is on the same L2 domain as the LAN side of your Zyxel (basically the LAN side of the Zyxel is your guest network).

> I would like to know more about ESXi. I usually go with KVM because it's free software and I'm used to it, but I can learn new things. Why ESXi instead of KVM? Why do you have this preference? ;)
ESXi is also free for your use case (if you are using fewer than 2 CPU sockets and under 2TB of RAM. Most people have one CPU. My biggest server at home has 2 sockets and 192GB RAM. It's still free to use ESXi for that server). It is an enterprise hypervisor and #1 in the world. It normally costs over $1000 for the license. It's also very lightweight. The ISO file is about 350MB. In my opinion it is much easier to use than KVM, but that's all relative. You can use KVM if you are more comfortable.
> What PoE switch do you have in mind? Any particular switch you like for certain features? Plus what specs for the hypervisor host? With the new Ryzens I guess it won't be very expensive to get some kickass specs for cheap.
For the PoE switch, find one that can do 802.1Q VLANs and inter-VLAN routing, 802.3at PoE; port security is a plus. If it can be an NTP server and DHCP server, that would be great (you won't be using your Zyxel for DHCP on your internal network because the Zyxel will service the Guest VLAN; pfSense protects your internal network). pfSense will be doing your DNS and NAT. For your server, how much do you plan to grow? If not much, then you don't need anything that powerful as long as it has Quick Sync. This means no AMD Ryzens because Quick Sync is from Intel. The server I use is a Dell T40 (4 cores) which is about $350 on sale. It has the current generation integrated GPU with Quick Sync. It can easily handle Blue Iris and pfSense and more.
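The segmentation reflection describes (Zyxel LAN side = guest network on pfSense's WAN, an internal VLAN behind pfSense, cameras on their own VLAN that only Blue Iris talks to) written out as a hand-made pf ruleset. This is an added example, not anything posted in the thread or generated by pfSense; the interface names, VLAN IDs, subnets and the Blue Iris address are assumptions, and on pfSense you would enter the same rules through the GUI rather than edit pf.conf.

```pf
# Added example: pf policy for the thread's design. All names/addresses are assumed.
wan      = "igb0"         # toward the Zyxel LAN side, i.e. the guest network
internal = "igb1.10"      # VLAN 10, trusted hosts and the hypervisor VMs
cams     = "igb1.20"      # VLAN 20, cameras only
int_net  = "192.168.10.0/24"
cam_net  = "192.168.20.0/24"
bi_host  = "192.168.10.50"    # Blue Iris VM (assumed address)

set skip on lo0
set block-policy drop

# NAT only the internal VLAN out toward the Zyxel; the camera VLAN never gets NAT,
# so a camera cannot reach the Internet even if a later rule is mis-edited.
nat on $wan from $int_net to any -> ($wan)

# Default deny in both directions on every interface, logged.
block log all

# Drop packets arriving on an interface with a source address from another segment.
antispoof quick for { $wan $internal $cams }

# Guest side (WAN): the only service exposed is the OpenVPN listener.
pass in quick on $wan inet proto udp from any to ($wan) port 1194 keep state

# Internal VLAN: only the Blue Iris host may talk to the cameras (RTSP + web UI);
# everyone else on the internal VLAN may go anywhere except the camera VLAN.
pass in quick on $internal inet proto tcp from $bi_host to $cam_net port { 80 554 } keep state
pass in quick on $internal inet from $int_net to ! $cam_net keep state

# Camera VLAN: cameras may obtain DHCP leases and sync time with pfSense itself.
# Replies to Blue Iris are covered by the stateful rule above (floating states).
pass in quick on $cams inet proto udp from any port 68 to any port 67 keep state
pass in quick on $cams inet proto udp from $cam_net to ($cams) port 123 keep state

# Anything else a camera tries to send off its VLAN is already dropped by the
# default deny; this labelled rule counts such attempts separately (pfctl -sl),
# which is the simplest signal that a camera is trying to phone home.
block in log quick on $cams from $cam_net to ! $cam_net label "cam-egress-attempt"
```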