Wifi router, network configuration and security considerations

This post is to cover details related to network config related to this post:

I am considering following for home network incorporating home assistant in a new house:

  • All house locations covered by the Wifi network - too large for a single router, probably need some mesh or other mechanism (180 m² house - 2 levels, separate garage building, surrounding garden also to be Wifi covered).
  • Only main devices at home (PC, laptop, phones, playstation) on the main network
  • All smart home appliances on separate network or vlan
  • having internet access
  • but unable to reach the main network to not interfere with home PCs and other devices (security reasons)
  • HA instance accessible remotely over cloudflared tunnel

Are those assumptions reasonable?
What Wifi router would you recommend that would allow setting up a separate vlan (most basic home routers don’t offer this as far as I’m aware) and a good security level for preventing unauthorized access from the internet (given the HA instance, security cameras etc. expose high risk if breached)?

Opnsense + vlan aware switch + any AP or WiFi devices

1 Like

I recommend separating the router from the WiFi access point(s). Look for routers with robust firewall and VPN features, and higher-end access points with wired connections back to the router. A small PoE switch can also add additional hardwired ports and power the APs centrally. A battery backup ensures it all stays online if the power fluctuates/goes out.

I use an OpenWrt-based router from GL.iNet (though it’s easy to make one yourself) and Omada EAP600-series APs with TP-link managed switches. Ubiquiti also makes good hardware.

For using opnsense I assume I need a PC to run it, and then additional switch and Wifi access points? Do I get it right?

  • Good point on additional switch with PoE support - I planned to use it anyway for connecting cameras which I don’t want to be on Wifi.
  • I also plan to have some backup power for selected circuits in the house, including networking equipment.

For the router + AP configuration, do I understand correctly the router should not expose any Wifi and leave it completely to the access points, right?
In such case, the VLANs are implemented on the router? Do I then need separate APs for home Wifi and for the HA Wifi, or same AP can implement both?
I would prefer not flashing my own OpenWRT, but a GL.iNet that has it built in sounds compelling. Any particular model you recommend as a router?

Your main idea of segmenting the network is the standard security practice. Basically:

  • Home: Personal computing devices like PC’s, phones, tablets…
  • Services: Servers like HA or any other core service you come up with later (DNS, etc).
  • DMZ: Anything that’ll be directly accessible from the outside.
  • IoT: All the IoT junk.

WiFi for any of these networks should be equally segmented, i.e. the Home WiFi on that same subnet, etc. You’ll need a robust router that can do decent firewalling and a managed switch (to support vlans). For the WiFi networks, use several APs, or one AP that can do vlans over different SSIDs.

There are plenty of non-enterprise-grade devices on Amazon that let you do all this.

2 Likes
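As an added example, not from any poster in this thread: the segmentation above (Home, Services for HA, IoT; the DMZ is left out) expressed as an OpenWrt firewall config, since OpenWrt-based routers come up later in the thread. It assumes the stock lan zone is the Home network, the stock wan zone exists, VLAN interfaces named srv and iot are already defined, and a placeholder HA address.

```ini
# /etc/config/firewall additions (OpenWrt fw3/fw4 syntax). Assumed: the stock
# 'lan' zone is the Home network, interfaces 'srv' (HA) and 'iot' exist on
# their own VLANs in /etc/config/network, and the stock 'wan' zone is present.

config zone
        option name 'srv'
        list network 'srv'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'iot'
        list network 'iot'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'

# Home may open connections to services and IoT; stateful, so only replies return.
config forwarding
        option src 'lan'
        option dest 'srv'

config forwarding
        option src 'lan'
        option dest 'iot'

# IoT gets the internet and nothing else: there is deliberately no
# forwarding with dest 'lan', so IoT -> Home is rejected by the zone default.
config forwarding
        option src 'iot'
        option dest 'wan'

# The router still serves DHCP and DNS to IoT (duplicate for 'srv' if needed).
config rule
        option name 'Allow-IoT-DHCP-DNS'
        option src 'iot'
        option proto 'tcp udp'
        option dest_port '53 67'
        option target 'ACCEPT'

# IoT -> HA only: push to the HA web port; 10.0.20.10 is an assumed placeholder HA host.
config rule
        option name 'Allow-IoT-to-HA'
        option src 'iot'
        option dest 'srv'
        option dest_ip '10.0.20.10'
        option proto 'tcp'
        option dest_port '8123'
        option target 'ACCEPT'
```

Because every zone defaults to REJECT, any traffic path not listed as a forwarding or rule (IoT to Home, IoT to the rest of the services VLAN) is dropped, which is the behaviour the OP asked for.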

Yes. Just like Linux, any hardware works, but a PC with a dual NIC, or wherever it may be installed, is preferred.

I used a unifi USG router for years and still use the APs and switches. My USG failed, for the 5th time, so I grabbed an old PC I had and put Opnsense on it. Much happier with performance and features.

For prosumer networking, Ubiquiti is the gold standard. TP-Link Omada is silver quality at bronze price. Roll-your-own solutions can get you comparable features at a lower price, if you have the skills in this space.

2 Likes

Or, as a personal experience, avoid wifi altogether as much as possible for smart home stuff and go for zigbee as much as possible.

(Waiting for the ESPhome acolytes to rip me a new one)

So to summarize, what I need is, e.g. based on Ubiquiti:

Ubiquiti looks nice, but prices are quite high. I’ll research a bit more with Omada equivalents later, but I think I already have a general idea.

The Opnsense path raises my “geek spirit”, but I’m afraid it would cost me much more time to learn how to deploy it and the need to have a dedicated PC discourages me.

This IS my plan, to avoid IoT WiFi where it’s possible, but for some devices it will not be possible, like the weather station Ecowitt integration, or non-HA stuff like Roomba which I also don’t want on my main network.

Ecowitt seems to be a local push integration, so I don’t think you need internet access at all for it.

Roomba integration seems to be pretty much the same, but there’s some things you have to watch out for.

If that’s the extent of your current devices, I wouldn’t worry too much. Set them up, then block all access to the internet without messing around with Vlans while you get comfortable.

Ecowitt indeed works in the local network (I have one already in my current setup) but it requires Wifi with my weather station (the head unit only allows wifi, no ethernet port).
Same with Roomba. It would be hilarious to have Roomba dragging an ethernet cable all around 🙂

Lol, I meant you should be able to disable internet access totally. I didn’t mean you had to hardwire your Roomba! 🤣

Way into the weeds without answering the question.

You definitely do not want multiple routers. At the end of lots of troubleshooting, it probably won’t work.

If it’s a new home, run lots of Ethernet, CAT5e or CAT6 into a central location. I wish I had done this when I embarked on this journey when building my network. You can never have too much Ethernet.

Do NOT buy an all-in-one consumer router. A consumer router is one that combines the Router, Switch and WiFi in one box. And they don’t do all three functions well. What you want is one router, one or more switches and access points everywhere. This will provide WiFi everywhere.

(Whether you actually use the WiFi is for a later discussion).

In my home I had finally exceeded the capacity of my Verizon FIOS consumer router. It started getting flaky after 60 or 70 WiFi clients connect. And I have more than 100 today.

I was looking at two solutions: Ubiquiti Unifi or TP-Link Omada. Omada is described as Ubiquiti on a budget, so that’s what I did.

My hardware:

  • ER7206 Router
  • OC200 Omada Hardware Controller
  • EAP-610 Access Point (2)
  • EAP-615-Wall Access Point (2)
  • TL-SG1210P 8 Port Gigabit PoE Switch
  • TL-SG1005P 5 Port Gigabit PoE Switch
  • TL-POE10R PoE Splitter

I originally used the ER605 router and it crapped out at 75-80 clients, so I upgraded it to the ER7206 router.

The access points are all POE which makes it easy to add access points wherever needed. This summer I plan to add an outdoor Access Point to get better WiFi on our deck.

3 Likes

As you were writing your post, I was reviewing the set of Omada HW and came to an almost identical conclusion, i.e. ER7212PC + EAP650 (2 or 3 of them).

What exactly is the purpose of OC200? Simplifying software configuration of all components?

Unifi Ultra Swiss Army knife APs are great. Other than those I prefer the AP in-wall models. All are under $89. I used other unifi models but those 2 models seem to have the best coverage of them all. The Ultra can be used outdoors as well.

The controller is software based so install it on the same system as HA. Do NOT use the cloud key stuff. I have never liked it.

I still prefer OpnSense but I recently got a unifi express to test and it was fairly decent.

Do not forget that you may use a low cost $25 switch like the Unifi Flex to allow a vlan out to a cheap PoE multiport model that is not vlan aware. In this case each switch would be dedicated to an individual vlan, like for your cameras. In the case of an AP you can route all vlans to it, but the SSID used by the connecting device will determine its vlan.

SUMMARY

  • 2 port PC for opnsense
  • 1 Unifi Flex
  • 2 Unifi Ultra APs or more
  • 2 8-port PoE switches

Also note that vlans are not needed for any of this, as you can apply firewall rules based on IP in any system. Vlans just add convenience and clarity for the person managing the network.

EDIT
UXG-Lite is available. I guess it is an update of the unifi USG router. USG was decent except for the thumb drive that it used for storage, which constantly failed on multiple devices for me. If they improved that, UXG-Lite would be a good router. I think Ubiquiti was bought by an investment firm a while back, so who knows.

1 Like

Your definition of the OC200 is fundamentally right. It coordinates all the other pieces in the Omada environment (router, switches, access points). It’s not technically necessary for a small environment like a house, but it simplifies things a lot. For example, you don’t need to apply firewall rules to each of the devices separately, you just log in once to the OC200 and do it once from there. If you’re using Omada to run a business’s network infrastructure, it’s essential.

1 Like

Note that the Er7212PC router has the Omada Controller functionality built in, so you don’t need a separate OC200 to control the various devices.
I have one, connected to 3 x EAP 615 Wall APs, through an SG2008P managed PoE switch, and it works quite well, but note that it does not support Wireguard and its VPN support generally is very poor. If I was buying again, I’d get the OC200 and a different router, but overall the Omada stuff is a good buy and works well.

For the OP, I’ve just finished retrofitting an existing house, including a full rewire, and can confirm that he should pick an IT cupboard/location, and lay in ethernet from there to all relevant locations in the house - examples include cat5e for PoE CCTV positions (a Synology NAS in the IT location works well as an NVR), cat6 for PoE wall or ceiling-mounted APs, and other cat6 for TV/games console locations, and for office locations, if applicable.
Also include ethernet to items such as EV car chargers, PV solar controllers, as well as the usual ethernet and power cables to garages/sheds, intercom locations at doors and gateways.
Also consider USB-A or C connectors in the (strategically-placed) electrical sockets where you will want to place sensors, chargers, etc

3 Likes

You don’t need a controller. You can manage each device individually, but it makes managing all of your Omada devices much easier. Alternately, you can use their free Software controller. I installed the free controller on a Raspberry Pi 4 that wasn’t being used for anything and thought that I was saving a few dollars. Weeks later, I needed a Raspberry Pi for another project, so I started shopping for one online. By the time I added the Pi4-8mB + PSU + case, I was over $125. So it was cheaper to replace my software controller with an OC200. I should have started with that.

2 Likes