Need Suggestions for Redesign of Home Network

[fred583]

What new equipment and configuration would you suggest to provide risk isolation to my home network below? I still have a DVR now but want to buy the NVR and IP cameras. I thought I should redesign the network before getting the new NVR. Also, I do not have VPN setup, this is just the plan. Thanks very much for any ideas.

Existing Home Network:
Spectrum Cable Modem
|
ASUS RT-AC68U Wireless Router - VPN Server
|
Wireless Connections
- Trane Thermostat
- Ipad Mini

Wired Connections
- Roku TV 1
- Roku TV 2
- Main computer (Win 10)
- Laptop (Win 10)
- Security Camera PoE NVR (all cameras plug into this unit)



RV Travel Network:
Ipad Mini (Verizon WiFi Hotspot)
Laptop (Win 10) (VPN Client)

 

[IReallyLikePizza2]

A managed/smart switch would be my number one addition, then you can VLAN stuff off to your hearts content

Next would be a better firewall/router and a dedicated AP

 

[Holbs]

I started out on an ASUS router. If simply worried about cameras not getting to the internet, the dual-NIC Blue Iris machine is your answer and I am sure you can setup your IoT devices on the guest network or if possible, to create a dedicated IoT subnet. The ASUS worked really well for it's initial purpose. However, I needed more robust firewall rules and vlans for home network security. I am no good with Linux just yet so didn't want to go down the path of linux firewalls or such. Enterprise security appliances were beyond what my brain can handle. I settled on Ubiquiti UDM router (which as an internal AP for WiFi), additional AP for a distant location and managed switch.
With the small number of devices you listed, the ASUS should be able to handle the load. Later on, can easily upgrade to something more robust if your needs demand it.

Oh...already NVR so no need for dual-NIC Blue Iris

 

[fred583]

Thanks for your replies.

I think VLAN partitioning is what I need here but my ASUS does not appear to do VLAN. The Ubiquiti UniFi Dream Machine(UDM) appears to handle everything. So I should just replace the ASUS with the Ubiquiti. Does it run hot? I understand it has a fan but I don't see much opportunity for ventilation.

 

[The Automation Guy]

What you have isn't bad. However I agree that the next step in network architecture should be the addition of VLANs. I am not sure if your router will support those or not.

If you want to move to something more configurable, I would suggest looking at pfSense (an open source firewall OS) running on a small thin client and a managed switch with POE. I would suggest getting these items used (probably off EBay) because there are tons of options available because companies upgrade this equipment quite frequently.

Personally I use a HP T620 plus think client with an Intel 4 port network card (i-350 t4) and a 48 port Aruba POE network switch (the Aruba s2500-48p). The switch is about $120 on Ebay (they also make a 24 port version) and it does not require any licenses to work. Many other brands of switches require licenses that may or may not be included in the purchase price (usually not). The t620+ is still a very popular item for running pfSense and therefore the price hasn't dropped a whole lot since I bought it while other models have. So I might suggest looking at the t730 instead because it is more powerful and about the same price on Ebay.

So all told, for about $300-$350 you can get a much more capable system in your home that should last for quite a while.

You can use the old router as a wireless access point to get going, especially since you can move it to a more optimal location in the house instead of having to place it by the service provider's termination point. But you may find you want to change to other wireless APs in the house. If you can run ethernet wire to the APs, it is always better to do so instead of running a "mesh" network that is very popular right now, but tends to run slower than hardwired systems. I've used Ubiquity and TP Link access points in my family's homes with good success.

 

[Holbs]

Thanks for your replies.

I think VLAN partitioning is what I need here but my ASUS does not appear to do VLAN. The Ubiquiti UniFi Dream Machine(UDM) appears to handle everything. So I should just replace the ASUS with the Ubiquiti. Does it run hot? I understand it has a fan but I don't see much opportunity for ventilation.

The Ubiquiti UDM router does not run hot. This is the ... giant tylenol pill looking router. Has 4-5 ports. There is the UDM Pro router which I think rack mountable with many more ports. Don't know anything about that.

 

[SouthernYankee]

I would add a simple managed network switch, that supports VLANS after the router and before any equipment. something like GS116E. The router should have three wires in it, the power cord, the wan signal and the ethernet cable to the switch. the router will be processing you wifi traffic.

Note the more managed stuff you add to your network the more time it will take to set it up and the more maintenance.

 

[NoBr8ks]

Agreeing with someone above me regarding Pfsense. Look into Netgate line of products. Netgate SG-2100 has 4 LAN Ports

Ubiquiti AP's are simply the best.


I do the RV thing too.
Wifi Ranger
RPi KODI
Intel NUC
HDHomeRun box ATSC & Clear QAM

 

[fred583]

Thanks for all the ideas. I think I need to go with an integrated, all-in-one type solution like the Ubiquiti UDM or similar (not sure if ASUS has one). That is because both of my VLAN partitions contain a mixture of wired and wireless. I don't know if a single VLAN can contain a mixture of wired and wireless, but the logical idea is shown below:

VLAN 1 (Trusted)

Wireless Connections
- Ipad Mini

Wired Connections

• Main computer (Win 10)
• Laptop (Win 10)

VLAN 2 (Not Trusted)

Wireless Connections
- Trane Thermostat

Wired Connections

• Roku TV 1
• Roku TV 2
• Security Camera PoE NVR (all cameras plug into this unit)

I really appreciate the knowledge and ideas you all offer. I feel I need to tell you a little about myself. I am retired from a long career in tech but it was mostly software oriented. I am burnt out on finding any pleasure in computer-based hobbies at this point and I am decreasingly proficient at such things. So I lean toward out of the box, easily configured, maintained and supported appliances. I do not see myself having anything to do with Blue Iris, PfSense or Merlin firmware.

 

[eeeeesh]

pfSense on a dedicated device and then you can change your existing router into a WiFi access point. (I would rather deal with physical subnets versus vlans). Decide how many subnets you want and then take a look at something like the Protectli Vault. A 4 port would probably work great for you - WAN, LAN, WIFI, IOT. Plenty of tutorials on YouTube about pfSense and Protectli also has come great info

Vault 4 Port - Protectli

Explore all Protectli Vault 4 Port Firewalls: Intel CPUs, 4 NIC ports, fanless & silent.

protectli.com

 

[J5TECH]

I agree with the PFsense comment which will also provide the option for VPN. I would also then suggest a Ubiquiti switch and APs for the house. Also mentioned above setting up VLANs with help secure down different networks. If you want further assistance or more details please feel free to reach out to me.

 

[fred583]

Thanks very much,

If managed switches only deal with wires and the wireless AP is a separate unit, can some of the devices connecting to the AP be on one LAN and others be on a different LAN?

 

[Holbs]

Thanks very much,

If managed switches only deal with wires and the wireless AP is a separate unit, can some of the devices connecting to the AP be on one LAN and others be on a different LAN?

you may want to do some networking infrastructure research or watch some YouTube vids of VLANs and subnets and hardware.

 

[fred583]

Yes, that is for sure, I need education. Just to answer a quick question: In my proposed network above, can the Ipad and Trane thermostat be on separate networks if there is only one AP? My assumption was yes, but only if you used VLANs and had an integrated unit like the Ubiquiti UDM.

 

[NoBr8ks]

Yes, that is for sure, I need education. Just to answer a quick question: In my proposed network above, can the Ipad and Trane thermostat be on separate networks if there is only one AP? My assumption was yes, but only if you used VLANs and had an integrated unit like the Ubiquiti UDM.

Yes

 

[fred583]

Is that Yes for an integrated unit or Yes for a managed switch and seperate single AP or Yes for both?

 

[NoBr8ks]

 

[fred583]

A managed/smart switch would be my number one addition, then you can VLAN stuff off to your hearts content

Next would be a better firewall/router and a dedicated AP

I am happy with the RT-AC68U wireless router, it just does not support VLANs. If I were to add a managed switch to my current system to achieve VLANs, where does it go? Between the cable modem and the RT-AC68U or after the RT-AC68U? If it is after the RT-AC68U, how does the VLANed signal go back upstream to use the RT-AC68U wifi?