In need of advice to plan creating network (hardware mostly)

Quardah

n3wb
Joined
Aug 13, 2019
Messages
11
Reaction score
3
Location
Montréal
Hey folks.

I have been reading a lot on this forum and I have some questions before making a move. I would like assistance from seniors with experience in this domain; it would be greatly appreciated.

As a quick and brief introduction, I got into this new home and I would like to set up a network that I will be able to properly add cameras to later on. The network must absolutely have a guest network (it's a feature I absolutely need here). From my understanding so far, the router should support both OpenVPN and IPCT DDNS. If possible I would like to know if routers can support WireGuard as a VPN solution because I am most familiar with it, but it's not really mentioned here in the forums from what I read.

I currently have a TP-Link Archer C2 AC750 which is not bad but I can't find any VPN support for it so I'm willing to change it. I also have a modem from the ISP which is connected to their router (a Zyxel router, I don't know the model). I also need to add a third router in another room for full coverage of the building. I also have a Cisco E4200v2, but considering it was a pain to make two routers from different companies use the same WiFi networks (2.4 and 5GHz; the guest network with two different routers never worked), I think it would be best not to install it and instead properly plan and design what hardware to use.

So the plan here is to make a killer network with VPN support (OpenVPN or WireGuard), IPCT DDNS support, high security, with three WiFi networks served by three of the same device. It also needs to be able to support cameras that will be added later.

My plan right now would be to have three times the same router. One will be connected to the modem as a gateway; the two other ones, in two different rooms, will be used both to replicate the same three WiFi networks (guest, 2.4 and 5GHz) and as switches for cabled computers (and cameras, eventually). I see a lot of people mention the Asus AC1900 RT-AC68U but it's $200 + taxes in Canada ($230 each, times three is $700!!!) so it's a little too expensive. The TP-Link Archer C2 AC750 I have was 40 bucks (cheap lmao) but let's say I would be willing to go up to $120 with taxes for each router.

Unfortunately it doesn't seem to support either VPN or DDNS.

I think three routers will be sufficient as the area I need to cover with WiFi is 42 by 80 feet in a two-story building with a basement. The main router (internet gateway) is in the basement, eastward, and the other two routers are located first floor west and first floor north.

Please let me know what you think!

Thanks!
 

reflection

Pulling my weight
Joined
Jan 28, 2020
Messages
302
Reaction score
206
Location
Virginia
Hmmm.... a killer network. Really depends on how much tinkering you want to do.

  • I would get a used managed PoE switch for your cameras and access points.
  • For WiFi coverage, get some used autonomous Access Points (you can find them on eBay for $30 and they will be more powerful and more reliable than a consumer "router"). Cisco AIR-CAP3702I-N-K9 Aironet 3702i Wireless Access Point | eBay. This AP will let you have multiple WiFi networks, all mapped to their own VLAN (including a guest VLAN).
  • For your VPN, run pfSense. It supports OpenVPN or WireGuard. It will be your gateway firewall. There are tons of add-ons. I also recommend pfBlockerNG to block ads. You can run pfSense on the same server as Blue Iris (assuming you are using some sort of hypervisor).
 

Quardah

n3wb
Joined
Aug 13, 2019
Messages
11
Reaction score
3
Location
Montréal
Hmmm.... a killer network. Really depends on how much tinkering you want to do.

  • I would get a used managed PoE switch for your cameras and access points.
  • For WiFi coverage, get some used autonomous Access Points (you can find them on eBay for $30 and they will be more powerful and more reliable than a consumer "router"). Cisco AIR-CAP3702I-N-K9 Aironet 3702i Wireless Access Point | eBay. This AP will let you have multiple WiFi networks, all mapped to their own VLAN (including a guest VLAN).
  • For your VPN, run pfSense. It supports OpenVPN or WireGuard. It will be your gateway firewall. There are tons of add-ons. I also recommend pfBlockerNG to block ads. You can run pfSense on the same server as Blue Iris (assuming you are using some sort of hypervisor).
Thank you for your input.

The managed PoE switch is a very good option.

There is a problem with using APs because I need to connect computers via Ethernet in both rooms where the routers will be located. The thing is, the entry point is in the basement, but only two Ethernet cables are routed in the walls to reach the western and northern parts of the house. Both these places have multiple wired computers. But I could do with an access point if it has at least 2 switch ports on it.

It would be nice to have multiple networks through VLANs or VLSM. But it's not mandatory because home networking solutions nowadays typically grant three networks out of the box (2.4GHz, 5GHz and guest) and that would do the job fine.

Maybe APs are more secure because you can't physically connect to them.

I'll start reading on pfSense. Is it software? If it's available on Linux it would be best. I could add a host server on the network with KVM for two VMs, one for pfSense and one for Blue Iris; that would be rad. Is pfBlockerNG network-wide? Because I'd like it to act on all networks if possible. I heard of Pi-hole, is it similar?
 

SouthernYankee

IPCT Contributor
Joined
Feb 15, 2018
Messages
4,035
Reaction score
3,094
Location
Houston Tx
If you have one internet connection I see no need for multiple routers. One router is all you need. You are overworking the problem.
Please provide a diagram with equipment of your proposed network.
 

jmhmcse

Getting the hang of it
Joined
Dec 30, 2018
Messages
119
Reaction score
60
Location
usa
pfSense will provide everything you need in a router, but it's major overkill (though it is fun to play with). pfSense is its own Linux kernel which requires minimal CPU with modest memory and storage.

Three routers are not necessary, nor would they provide a simple 'flat' network. One ASUS router with ASUS-MERLIN replacing the stock firmware provides multiple SSIDs and multiple network ranges (#.#.#.#/24). Multiple switches (not routers) would increase remote connectivity requirements, with dual-radio Access Points providing WiFi connectivity. If VLANs are a requirement then make sure you have level-2 bridges (likewise, ensure the router you pick supports VLAN tagging).

Prepare a diagram of what requirements must be met on each level/floor. This will help you define everything you need and allow comment/review of your (picture) of the layout.
 

reflection

Pulling my weight
Joined
Jan 28, 2020
Messages
302
Reaction score
206
Location
Virginia
Thank you for your input.

The managed PoE switch is a very good option.

There is a problem with using APs because I need to connect computers via Ethernet in both rooms where the routers will be located. The thing is, the entry point is in the basement, but only two Ethernet cables are routed in the walls to reach the western and northern parts of the house. Both these places have multiple wired computers. But I could do with an access point if it has at least 2 switch ports on it.

It would be nice to have multiple networks through VLANs or VLSM. But it's not mandatory because home networking solutions nowadays typically grant three networks out of the box (2.4GHz, 5GHz and guest) and that would do the job fine.

Maybe APs are more secure because you can't physically connect to them.

I'll start reading on pfSense. Is it software? If it's available on Linux it would be best. I could add a host server on the network with KVM for two VMs, one for pfSense and one for Blue Iris; that would be rad. Is pfBlockerNG network-wide? Because I'd like it to act on all networks if possible. I heard of Pi-hole, is it similar?
Since there are two cables to each side (western and northern), one cable can be used for an AP and the other for a mini-switch. At some point if you are going to do PoE cameras, you are going to have the cameras wired to a PoE switch. You have a wiring issue no matter what and you will have to run cables.

2.4GHz and 5GHz are not different networks, they are different frequencies. You can have the same network on both your 2.4GHz and 5GHz radios. Not all client devices support both frequencies. I have 3 networks mapped to different VLANs and both my 2.4GHz and 5GHz radios serve all three networks. Your home router might configure two SSIDs (home and home-5G) and they may both map to the same network.

VLSM? variable length subnet mask? On your LAN, you are using private address space so there is no need to conserve IPs with VLSM. Just give each VLAN a /24.

You would install pfSense as its own VM. pfBlockerNG runs on pfSense. Yes, it would be network-wide since pfSense will be your gateway/router/firewall/VPN server. pfBlockerNG is like Pi-hole, same purpose.

If you run Blue Iris as a VM, you should get a server with Intel Quick Sync and pass through the integrated GPU. It will be a night and day difference in terms of performance of your Blue Iris.

I'd recommend the free version of ESXi for your hypervisor.
 
Joined
Apr 26, 2016
Messages
991
Reaction score
658
Location
Colorado
UniFi might have an option you could look at. I have a guest bedroom where I wanted to provide an AP & a few wired connections for a renter, so I looked at: UAP-AC-IW-US ($99 for AP + 2 wired ports) & UAP-IW-HD-US ($179 for high density + 4 wired ports). They can be fed by one wire in the wall to each room, providing you 1 pass-through PoE port, a built-in switch and an AP on a single cable run.

If you want a “killer network” I can’t disagree with pfSense, but just know it has a learning curve because it can do a lot more than a consumer router. And you will either need to split up a single slightly overpowered PC to run VMs (Blue Iris, hypervisor, pfSense) or a proper computer for Blue Iris (and Ubiquiti software) and a separate mini-computer (i.e. something like their official SG-1100, or build something yourself on something like an HP SB T740 Thin Client) for pfSense (and all that adds to cost/complexity/effort).

To add cameras later, you will want to have them hardwired and mounted with home runs back to the basement to a PoE switch, and connect that to either the Blue Iris PC (dual-NIC method, personal preference) or make sure the Blue Iris machine is connected to those same camera switches to keep most of that traffic off your primary network.
 

reflection

Pulling my weight
Joined
Jan 28, 2020
Messages
302
Reaction score
206
Location
Virginia
Here is a sample drawing, both logical and physical view. I'm assuming that your Zyxel router can provide wireless for guests. Your signature says network and system admin so hopefully this makes sense. If not, we are here to help. You will have to configure the appropriate VLANs on your physical switch as well as your virtual switch in ESXi. The $30 used APs that I linked for you are 4x4 MIMO (same as the ASUS AC68U) and should give you plenty of bang for the buck. The size of your ESXi server will depend on how many cameras you want to grow to and the settings. For example, right now I have 4 cameras (three 2MP and one 4MP, motion detect alerts, record continuously, direct to disk, 15fps); I allocated Blue Iris 2 vCPU and 8GB RAM and passed through my GPU, and current CPU utilization is 15%. For pfSense, I allocated 1 vCPU and 8GB RAM and that's overkill. My ESXi server that I'm using for this is just a 4-core (no hyper-threading).

The big cost here is really going to be your time and how much that is worth to you. If you want to learn, then it's all worth it. There is going to be a learning curve if you have not done this before.

Screen Shot 2020-05-24 at 1.08.13 PM.png
 

Quardah

n3wb
Joined
Aug 13, 2019
Messages
11
Reaction score
3
Location
Montréal
Wow, thank you all for all your input. I am sorry for the late response, I was painting one of my apartments overnight and just got up lmao

I would like to clarify some things:

1 - I was saying "router" but it's really access points. It's just that in the home networking context a "router" is a device that is a router, has switch ports, and is an access point all at once.

2 - There is ONE cable going north, and ONE cable going west, which is why I can't have both an AP and a PoE switch. I could have an additional PoE switch though, to which both the camera and AP could be connected.

Many thanks for the diagrams, I understand them. My only concern is the following: if the Zyxel provides guest access but the guests are out of range, can the access point provide access for the guest network? I haven't been working a lot with access points (my work networking experience is mostly datacenter; I never really had the chance to work with deploying wireless access points). It's home networking gear so they "made it simple" and they have a "guest" feature, but to be honest now I think it would be best simply to have two separate networks, one for guests and one for management.

I would like to know more about ESXi. I usually go with KVM because it's free software and I'm used to it, but I can learn new things. Why ESXi instead of KVM? Why do you have this preference? ;)

From my understanding, instead of going with a built-in OpenVPN solution like I've read a lot of times on the forum, you would instead dedicate a full host to doing all of the software tasks, split into VMs. The first VM would be running pfSense as an entry-point firewall for inbound traffic (firstly for OpenVPN but it could be flexible for anything else I add later on) and a second VM for the Blue Iris software for the cameras.

Since I have a single cable going west and north each, I would maybe need to add 2 more PoE switches to have both the AP and cameras attached (adding cables to the basement would be really hard at this point).

I'd like to add that I am planning on four cameras.

In summary, from my understanding, in this case you would use the same Zyxel router, add a PoE switch, get two access points with at least 2 Ethernet ports (I like the UAP-AC-IW-US proposed by crw030) and a hypervisor host.

What PoE switch do you have in mind? Any particular switch you like for certain features? Plus what specs for the hypervisor host? With the new Ryzens I guess it won't be very expensive to get some kickass specs for cheap.

Thank you for your time. I really appreciate the efforts.
 

reflection

Pulling my weight
Joined
Jan 28, 2020
Messages
302
Reaction score
206
Location
Virginia
Many thanks for the diagrams, I understand them. My only concern is the following: if the Zyxel provides guest access but the guests are out of range, can the access point provide access for the guest network? I haven't been working a lot with access points (my work networking experience is mostly datacenter; I never really had the chance to work with deploying wireless access points). It's home networking gear so they "made it simple" and they have a "guest" feature, but to be honest now I think it would be best simply to have two separate networks, one for guests and one for management.
Datacenters are my specialty. That's my day job.
Yes, the AP can provide the access to the same network. You would have to connect the LAN side of the Zyxel back into the switch. You would have a guest VLAN that is on the same L2 domain as the LAN side of the Zyxel (basically the LAN side of the Zyxel is your guest network).

I would like to know more about ESXi. I usually go with KVM because it's free software and I'm used to it, but I can learn new things. Why ESXi instead of KVM? Why do you have this preference? ;)
ESXi is also free for your use case (if you are using fewer than 2 CPU sockets and under 2TB of RAM. Most people have one CPU. My biggest server at home has 2 sockets and 192GB RAM. It's still free to use ESXi for that server). It is an enterprise hypervisor and #1 in the world. It normally costs over $1000 for the license. It's also very lightweight. The ISO file is about 350MB. In my opinion it is much easier to use than KVM but that's all relative. You can use KVM if you are more comfortable.
What PoE switch do you have in mind? Any particular switch you like for certain features? Plus what specs for the hypervisor host? With the new Ryzens I guess it won't be very expensive to get some kickass specs for cheap.
For the PoE switch, find one that can do 802.1Q VLANs and inter-VLAN routing, 802.3at PoE; port security is a plus. If it can be an NTP server and DHCP server, that would be great (you won't be using your Zyxel for DHCP on your internal network because the Zyxel will service the guest VLAN; pfSense protects your internal network). pfSense will be doing your DNS and NAT. For your server, how much do you plan to grow? If not much, then you don't need anything that powerful as long as it has Quick Sync. This means no AMD Ryzens because Quick Sync is from Intel. The server I use is a Dell T40 (4-cores) which is about $350 on sale. It has the current generation integrated GPU with Quick Sync. It can easily handle Blue Iris and pfSense and more.
 
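The segmentation reflection describes (a guest VLAN on the Zyxel LAN side, an internal network behind pfSense, a camera segment kept off the primary network, one /24 per VLAN) can be sketched before buying anything. The planner below is an added example, not code from the thread, from pfSense or from Ubiquiti: the VLAN ids, the 10.77.0.0/16 block, the DHCP range offsets, the "cameras get no outbound access" rule and the pf-flavoured rule text are all constructed assumptions, and the rule lines are illustrative rather than pfSense's exact configuration syntax.

```python
"""VLAN/subnet planner and inter-VLAN policy check.

Added example for the thread above; every value here is a constructed
assumption (VLAN ids, address block, policy), not something from the posts.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Vlan:
    vid: int
    name: str
    dhcp: bool  # does the gateway hand out addresses on this VLAN?


# Constructed plan: one /24 per VLAN, as suggested in the thread.
VLANS = [
    Vlan(10, "internal", True),   # wired PCs + trusted WiFi, behind pfSense
    Vlan(20, "guest", True),      # guest SSID; Zyxel LAN side lives here
    Vlan(30, "cameras", False),   # PoE cameras with static addresses
    Vlan(99, "mgmt", True),       # switch/AP/hypervisor management
]

# Which VLAN may *initiate* connections to which ("wan" = the internet).
# Anything not listed is denied; same-VLAN traffic is always allowed.
# Constructed policy; cameras having no outbound access is my assumption.
POLICY = {
    ("internal", "wan"), ("internal", "cameras"), ("internal", "mgmt"),
    ("guest", "wan"),
    ("mgmt", "wan"), ("mgmt", "cameras"),
}

BLOCK = ipaddress.ip_network("10.77.0.0/16")  # constructed private block


def plan_subnets(vlans=VLANS, block=BLOCK):
    """Carve a /24 out of `block` per VLAN, using the VLAN id as the third
    octet so the address tells you the segment at a glance. The gateway
    takes the first host; DHCP (where enabled) gets .100 to .254."""
    subnets = list(block.subnets(new_prefix=24))
    plan = {}
    for v in vlans:
        net = subnets[v.vid]
        hosts = list(net.hosts())
        plan[v.name] = {
            "vid": v.vid,
            "subnet": str(net),
            "gateway": str(hosts[0]),
            "dhcp_range": (str(hosts[99]), str(hosts[-1])) if v.dhcp else None,
        }
    return plan


def vlan_of(ip, plan):
    """Map an address to its VLAN name, or "wan" if it is outside the plan."""
    addr = ipaddress.ip_address(ip)
    for name, info in plan.items():
        if addr in ipaddress.ip_network(info["subnet"]):
            return name
    return "wan"


def reachable(src_ip, dst_ip, plan, policy=POLICY):
    """Would the gateway let src_ip open a connection to dst_ip?"""
    src, dst = vlan_of(src_ip, plan), vlan_of(dst_ip, plan)
    if src == "wan":
        return False  # unsolicited inbound from the internet is never allowed
    return src == dst or (src, dst) in policy


def rules_for(src, plan, policy=POLICY):
    """Render the policy for one VLAN as first-match, pf-style lines
    (illustrative text, not pfSense's real rule syntax). Specific
    inter-VLAN rules come first; the trailing 'to any' rule is the
    internet permission, so a guest VLAN gets block/block/block/pass."""
    me = plan[src]
    lines = []
    for dst, info in plan.items():
        if dst == src:
            continue
        act = "pass" if (src, dst) in policy else "block"
        lines.append(f"{act} quick on vlan{me['vid']} from {me['subnet']} to {info['subnet']}")
    act = "pass" if (src, "wan") in policy else "block"
    lines.append(f"{act} quick on vlan{me['vid']} from {me['subnet']} to any")
    return lines


if __name__ == "__main__":
    plan = plan_subnets()
    for name, info in plan.items():
        print(f"vlan{info['vid']:<3} {name:<9} {info['subnet']:<16} gw {info['gateway']:<12} dhcp {info['dhcp_range']}")
    print()
    for name in plan:
        print("\n".join(rules_for(name, plan)))
    # 203.0.113.5 is a documentation address standing in for "the internet".
    print("guest -> internet:", reachable("10.77.20.50", "203.0.113.5", plan))
    print("guest -> internal:", reachable("10.77.20.50", "10.77.10.5", plan))
    print("camera -> internet:", reachable("10.77.30.5", "203.0.113.5", plan))
```

Running it prints the address plan and one rule block per VLAN; the useful part is `reachable`, which lets you sanity-check the policy matrix (guest can only reach the internet, cameras reach nothing they did not get a request from) before you translate it into whatever the switch and pfSense UIs expect.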

Quardah

n3wb
Joined
Aug 13, 2019
Messages
11
Reaction score
3
Location
Montréal
I just realized my previous reply was never posted; apologies for the dead silence, I'm still very interested. My previous reply was only saying I had to work in my apartment for renovations and therefore I was going to put this project on hold for a little while, but now the wait is over and I am back again :)

The UAP-AC-IW-US mentioned by crw030 is well priced and fills my need exactly. I would end up exactly with what reflection is proposing. But the plan would then be divided into three steps, because some things must be deployed ASAP:

First:

I buy two UAP-AC-IW-US, then I install them both north and west of the building. This would deliver great WiFi coverage for the building, which I need to deliver for July first (because internet access will be in the lease for my tenants, I'm that cool of a landlord (and that makes network equipment tax deductible ;) ;) ;) ).

Please confirm the following before I start the first step: if I still use the Zyxel router that has three networks (2.4GHz, 5GHz and guest network), will the AP be broadcasting all three of these without any configuration? Also, do Ubiquiti APs need any configuration (never used them) and can I connect to them in some sort of web UI to configure them? How do you manage them exactly?

If these can broadcast all three networks I would do this config ASAP. Also for now the Zyxel can do DHCP.

Second:

I would seize my nephew's old computer because we will be building gaming rigs when the next Ryzens come out. He currently has an Intel i5-6500 or i5-6400 (I don't remember); can you confirm that it would be sufficient to run an ESXi server with both pfSense and Blue Iris virtualized? Because if it's a yes I would go with this, it's an affordable opportunity for my first experience. The server would also run the DHCP and VPN services, using the IPCT-DDNS service available here :)

Third:

Buy cameras, drill some holes for the wiring and connect them to the Ubiquiti's PoE pass-through ports. I will need to acquire a PoE switch with two ports then.


I would like some advice regarding the routers too, if you could just help me with the following as well:

The Zyxel is an EMG2926 provided by Videotron (I am paying a lease) and my other aftermarket router is a TP-Link Archer C2 AC750. Could I go only with the TP-Link and give back the Zyxel to Videotron so I would be saving leasing fees? I believe the TP-Link can act as the main router without issues, and I would save $4 + tax a month :)


So yeah, does it sound like we have a good plan here? What do you say?
 

Quardah

n3wb
Joined
Aug 13, 2019
Messages
11
Reaction score
3
Location
Montréal
Thank you for your answer. I have no Windows computers though; can it run under Linux?

I need to add that I believe I would need to buy a PoE switch right away because it seems the APs are PoE only. I don't really mind buying it now, but if it has an AC adapter and I could postpone getting the PoE switch that would be best.

EDIT: It seems like the software is available for Linux :) : Ubiquiti - Simplifying IT
 

reflection

Pulling my weight
Joined
Jan 28, 2020
Messages
302
Reaction score
206
Location
Virginia
For the Ubiquiti stuff you will need the Ubiquiti controller software running on a PC or dedicated device to get it set up.
Thank you for your answer. I have no Windows computers though; can it run under Linux?

I need to add that I believe I would need to buy a PoE switch right away because it seems the APs are PoE only. I don't really mind buying it now, but if it has an AC adapter and I could postpone getting the PoE switch that would be best.

EDIT: It seems like the software is available for Linux :) : Ubiquiti - Simplifying IT
You can run it on your ESXi server. You don't need another physical box.
 

reflection

Pulling my weight
Joined
Jan 28, 2020
Messages
302
Reaction score
206
Location
Virginia
For your ESXi server, it would depend on how much RAM. If you have 16GB RAM, you could allocate:

  • 2 vCPU and 8GB RAM to Blue Iris (should be fine for 4 cameras if you do GPU passthrough)
  • 1 vCPU and 2GB RAM to pfSense (more RAM if you want to run pfBlockerNG)
  • 1 vCPU and 2GB RAM for Linux (for the Ubiquiti controller)

That processor has Intel Quick Sync. It's an older implementation (2015) but should work. You still have resources to spare on your server...
 

Holbs

Getting comfortable
Joined
May 1, 2019
Messages
600
Reaction score
713
Location
Reno, NV
Just to toss it out there as an alternative option to consider... Ubiquiti UDM router followed by Ubiquiti managed switches followed by Ubiquiti APs.
I wish I had the time to learn pfSense but I currently have 3 major projects I'm dealing with, as is. The Ubiquiti UDM router does have a built-in AP too. Pretty robust network/firewall configurations. More than what you find in a home gaming router (such as ASUS) but probably less configurable than a pfSense setup.
 

Quardah

n3wb
Joined
Aug 13, 2019
Messages
11
Reaction score
3
Location
Montréal
For your ESXi server, it would depend on how much RAM. If you have 16GB RAM, you could allocate:

  • 2 vCPU and 8GB RAM to Blue Iris (should be fine for 4 cameras if you do GPU passthrough)
  • 1 vCPU and 2GB RAM to pfSense (more RAM if you want to run pfBlockerNG)
  • 1 vCPU and 2GB RAM for Linux (for the Ubiquiti controller)

That processor has Intel Quick Sync. It's an older implementation (2015) but should work. You still have resources to spare on your server...
Unfortunately the computer will not have a GPU at the time, but I could add one. What would you consider to be the minimum requirement for 2 cameras? I am planning only two right now.

Just to toss it out there as an alternative option to consider... Ubiquiti UDM router followed by Ubiquiti managed switches followed by Ubiquiti APs.
I wish I had the time to learn pfSense but I currently have 3 major projects I'm dealing with, as is. The Ubiquiti UDM router does have a built-in AP too. Pretty robust network/firewall configurations. More than what you find in a home gaming router (such as ASUS) but probably less configurable than a pfSense setup.
That could be an option but I believe it'll skyrocket the price lmao. I will look into it though because I know Ubiquiti is known to make good powerful tech very easy to set up. Thanks for the comment, I really appreciate you taking the time to give me your input. :)
 

Holbs

Getting comfortable
Joined
May 1, 2019
Messages
600
Reaction score
713
Location
Reno, NV
My UDM router was $299, which replaced my ASUS gaming router that was $319 (US dollars). But the UDM does not support the two VPN services you mentioned (I think).
 

reflection

Pulling my weight
Joined
Jan 28, 2020
Messages
302
Reaction score
206
Location
Virginia
Unfortunately the computer will not have a GPU at the time, but I could add one. What would you consider to be the minimum requirement for 2 cameras? I am planning only two right now.
The Intel i5-6400 and i5-6500 that you listed both have integrated GPUs that support Quick Sync. You are good. When I said GPU passthrough, you would be passing through the integrated GPU. Then set your Blue Iris to use Intel hardware acceleration.
 

Quardah

n3wb
Joined
Aug 13, 2019
Messages
11
Reaction score
3
Location
Montréal
Alright, here is a last confirmation before I make a move.

Can this switch: TP-Link 5 Port Gigabit PoE Switch | 4 Port PoE 56W | 802.3af Compliant | Shielded Ports | Traffic Optimization | Plug and Play | Sturdy Metal | Limited Lifetime Warranty (TL-SG1005P): Amazon.ca: Computers & Tablets

power two Ubiquiti APs? My friend warned me about PoE power and said to get a Ubiquiti switch to be sure, but the price difference is considerable (more than $200 CAD difference). The 5-port TP-Link model would offer enough connectivity too.

I would use my TP-Link router instead of the Zyxel, then connect it to the non-PoE port of the switch. The two cables going into both rooms would go into the PoE ports of the PoE switch and these would connect to both Ubiquiti APs.

I have found TP-Link APs as well but they do not have 2 Ethernet ports. They only have one for PoE and reaching the router, but don't allow an additional computer to be connected. Unfortunate, because they are much more affordable.

I also found the UniFi software but I don't really need the features. I just need the APs to broadcast and extend the three default networks in the TP-Link router.

So yeah, the setup would be something like this:
1592107274639.png
The router being the TP-Link AC750
The switch being the 5-port PoE switch
The APs being UAP-AC-IW-US
Cams not yet decided, will come later.
The router would act as DHCP for now until the hypervisor is ready to be deployed.

Please let me know what you think. If you believe this is good to go I will make a move :)
 