Help with new home network?

///AMG

I swapped from Comcast to another provider with gig speeds, so now I have 2 ISPs, both 1 Gbps symmetrical (one paid for by work and one that is personal).

What I want is to keep one connection specifically for my workstation that is provided by work on the ISP that my work pays for. I want a second network just for my personal residential network. I want both networks to fail over to the other one just in case. I also need to have some 10GbE ports for transfer between some QNAP NAS (I have 3 now, 2 with 10GbE) and my personal computers.

I was thinking I need 2 Ubiquiti UDM-Pros, a few Unifi NanoHD/HD APs (I am thinking 4? I have 6500 sq ft indoors that my eeros currently do fine in and I want to add one outside my patio), and a Unifi switch 16 XG?

Do you guys think this would work and is there any alternatives that are easy to manage and cost effective? I'm not super knowledgeable with advanced networking things.
 
Wow.
That is some serious gear.

If I were doing it, I would keep it as simple as possible. Two network cards/ports/connections into your work machine, handle failover in that.

To clarify, work machine has a link to work network and uses it as failover from the home network.

Home network based around google nest wifi, as opposed to unifi. Put in as many points as you need for coverage and be done with it. Start with three points, add more if you need them. Simple to set up, simple to manage.

An alternative would be feeding the google network with a failover device (edge router comes to mind) as you mentioned, and just using google for wifi points.

found this...

https://xenappblog.com/2016/cheapest-dual-wan-router-for-failover/
 

If I went this route I'd just keep my eeros, then add an EdgeRouter of some sort for WAN failover. To control the EdgeRouter I'd buy a Cloud Key, which would put me close to the UDM-Pros anyway price wise. I would still need something like the Unifi switch 16 XG for 10GbE switching. Unless I am missing something? I'm also not big on Google anything lately.

From what I read during research the UDM-Pros are able to do IDS and DPS at full 1 Gbps, which I find desirable; not sure if it's even good or useful though.
 

Do what works - I've used google's mesh wifi (admittedly in its first iteration) for a few years now and had zero issues, and zero maintenance to do on it. Updates itself, just works. New models have integrated google assistant if that floats your boat.

If your eeros are doing enough why change it? Grab the switch you need, job done. Keep it simple. There might be something Mikrotik which could be less expensive ...

I find the less time I spend on home networking the better (rather spend that time with family, dogs, house maintenance, gardening etc), it's why I moved away from pfsense.
 

Eeros do great but don't have enough features, and moving forward I feel like, since I am going to make changes, I might as well do it well the first time, build out for what I could conceivably need, and not mess with it for a long time. I am not a big fan of any voice assistants; I have none except the ones built into the ecobee 4, which I disable.
 
You say you’re not super knowledgeable and want simple, but you’re implying you know a lot more and want complicated.

Here is what I am reading that you need:
  1. a few 10 gig ports for your NAS
  2. failover for dual net connections
  3. some (currently) undefined features for your mesh wireless
  4. IPS & IDS
Let me simplify:
If you are a potential high risk data store node/have huge potential loss risk, then you need IPS and IDS. Typically this is not needed for a home system and can cause a lot of issues that need time consuming work to fix. High maintenance.

Failover net connections: nice to have, these seem to be necessitating your infrastructure change, how often do these connections go down and how crucial is this? You want simple and low maintenance, you’re asking for an advanced feature.

Draytek have decent high end consumer/small-medium business gear in this space, easy to configure too:
https://www.draytek.com/products/load-balancing-routers/
10gig ports: there is an abundance of new 10GbE switches around, but ideally you want as few of these as possible or some power saving mechanism. Do you have a rack? If so, noise is less of an issue. These will eat power; is SFP+ an option? Much less power consumption... Mikrotik have reasonably priced gear for switching 10gig SFP+ into 1GbE ports.

If you want configurability in your mesh, the Synology mesh network seems to be the one to go with, as it has a dedicated backhaul channel and all the latest and greatest features. Are your mesh points wired up? The more configurability you get, the more maintenance, in my experience. Are you prepared to trade off some configurability for ease of use? (In which case, Nest Wifi.)

Hope this helps
 
One UDM Pro should be able to handle 2x 1Gbps failover -- the only 'kink' I see is figuring out how to isolate your work system to the work connection and then have mutual failover between the two networks. Isolation could be done by running the work system to a separate interface on the router, or just using a separate VLAN / Subnet, I think, but getting the mutual failover config working would likely require some research.
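A sketch of the mutual failover logic described above as a gateway-group policy, added here as an illustration and not configuration from the UDM-Pro, pfSense or any product in this thread: each network prefers its own WAN and falls back to the other, and a WAN is only declared down after sustained probe loss, with hysteresis so a single lost probe does not flap the route. Gateway names, window size, thresholds and the probe sequence are assumptions.

```python
"""Two-WAN mutual failover as tiered gateway groups with loss-based health.
Added illustration for this thread; not code from any product discussed."""
from collections import deque


class GatewayMonitor:
    """Sliding window of probe results, like a dpinger-style monitor, with
    separate down/up thresholds so one lost probe does not flap the route."""

    def __init__(self, name, window=10, down_at=0.5, up_at=0.2):
        self.name = name
        self.window = deque(maxlen=window)   # most recent probe results
        self.down_at = down_at               # loss fraction that marks the gateway down
        self.up_at = up_at                   # loss must fall back to this before recovery
        self.down = False

    def loss(self):
        if not self.window:
            return 0.0
        return self.window.count(False) / len(self.window)

    def record(self, ok):
        self.window.append(ok)
        if not self.down and self.loss() >= self.down_at:
            self.down = True
        elif self.down and self.loss() <= self.up_at:
            self.down = False
        return self.down


class GatewayGroups:
    """policy maps a source network to its gateways in tier order."""

    def __init__(self, monitors, policy):
        self.monitors = {m.name: m for m in monitors}
        self.policy = policy

    def route(self, network):
        for gw in self.policy[network]:
            if not self.monitors[gw].down:
                return gw
        return None   # every member down: no usable route


# Assumed names: WAN_WORK is the ISP work pays for, WAN_HOME the personal one.
POLICY = {
    "work_vlan": ["WAN_WORK", "WAN_HOME"],   # tier 1 work ISP, tier 2 personal
    "home_vlan": ["WAN_HOME", "WAN_WORK"],   # tier 1 personal ISP, tier 2 work
}


def simulate(probe_results, policy=POLICY):
    """probe_results: (wan_work_ok, wan_home_ok) per monitoring interval.
    Returns the (work_vlan gateway, home_vlan gateway) chosen after each."""
    work, home = GatewayMonitor("WAN_WORK"), GatewayMonitor("WAN_HOME")
    groups = GatewayGroups([work, home], policy)
    chosen = []
    for work_ok, home_ok in probe_results:
        work.record(work_ok)
        home.record(home_ok)
        chosen.append((groups.route("work_vlan"), groups.route("home_vlan")))
    return chosen


# Constructed outage: the work ISP loses six probes in a row, then recovers.
PROBES = [(True, True)] * 4 + [(False, True)] * 6 + [(True, True)] * 12

if __name__ == "__main__":
    for i, (w, h) in enumerate(simulate(PROBES), 1):
        print(f"interval {i:2d}: work_vlan via {w}, home_vlan via {h}")
```

With these thresholds the work VLAN moves to WAN_HOME at the eighth interval (50% loss in the window) and only moves back once loss in the window has dropped to 20%, ten intervals after the ISP came back; a lone lost probe never triggers a switch. Real gateway monitors use longer windows and latency as well as loss, and the numbers here are tuning knobs, not recommendations.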
 
Can't speak for the UDM Pro, but this is trivial with a Fortigate. You can isolate any way you like, to the point of a single application being isolated to one link if you like.
 

I have a server closet that has a ductless mini split with a rack (if I remember correctly it's a 24U rack), so I don't care about noise or heat. It has my AV stuff for my theater room; it's also where I keep my 3 QNAP NAS. Never heard of Draytek before so I'll take a look. All my mesh points are hardwired, if you mean where my eeros currently are. I didn't even know Synology made mesh stuff.

When I had Comcast I would always have a day or two every month where they would do maintenance for 6 hrs or so at night. I do a lot of work at night so this was a major inconvenience. The ISP that I use on my network machine goes out maybe once a month for a few hrs. I am not sure about the new ISP I switched to, so let's just say it's probably the most important feature I want that I currently don't have.

I want IPS and IDS more for my work machine and work laptop. I talked to my boss and they said they can foot the bill for one of the UDM-Pros for me, so I would only need to pay for one. I want the stuff provided from work as isolated as possible from my regular home network for various reasons.
 
I think you're overcomplicating - Suricata and Snort are very good IPS/IDS systems, you could virtualise one if you've got spare machine cycles. Suricata will even work on windows.

That said the Draytek units have basic IPS/IDS which you can use....

Another alternative is the netgate SG-3100 which you could configure for dual wan/failover with included IPS/IDS (which you can install as a package - Snort or Suricata). Heck of a lot more bang for buck than the UDM-Pros. I would suggest the ssd option if you want to run IPS/IDS

IPS/IDS will add latency - if this matters to you.
 
I'll look at the netgate. Also, by SSD option do you mean add one to the netgate via what looks like the USB? I don't game that much, and when I do I play stuff like WC3 or other RTS, so latency isn't a huge issue unless it's like a 50ms+ penalty?
 

No I mean when you purchase it there is the option for a 32GB ssd, I recommend you pay for that extra option.

Latency wise with IPS/IDS it completely depends on:
  • Your filter/rule set size
  • Your available processing power for the software
  • Your amount of memory (whether the filter set can fit in memory)
  • Whether there is hardware acceleration
Effectively, with a good IPS/IDS you're sniffing packets going in and out and comparing against the rules/filters you set, then passing them on or killing them in their tracks and not forwarding, creating a firewall rule to block them from the source. This takes processing power and memory and adds a delay. If the size of the rule set is bigger than memory, the device needs to pull that off slow storage. Note that you can configure this to snoop inside some encrypted packets, but not all.

If you're doing all of this in memory and you have decent processing power, you're probably going to have a 5-10ms delay for the hop.
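To make the "sniff, compare against rules, pass or kill, then block the source" description above concrete, here is a toy inline IPS written for this thread. It is not code from Suricata, Snort, pfSense or the UDM-Pro, and every rule and packet in it is constructed. It shows the two things that set the per-packet cost: how many rules actually have to be looked at for a packet (a real engine indexes rules by protocol and port and uses multi-pattern matchers; the naive mode here scans everything) and the block-table fast path that skips inspection for a source already caught, which is what the pfSense Snort/Suricata packages do by adding the address to a pf table.

```python
"""Toy inline IPS: content-match rules, drop on hit, block the source.
Added illustration for this thread; rules and packets below are constructed."""
import time
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    sid: int                 # signature id, like the sid: keyword in a Snort/Suricata rule
    proto: str               # "tcp" or "udp"
    dport: Optional[int]     # destination port, None means any port
    content: bytes           # byte pattern looked for in the payload
    msg: str


@dataclass(frozen=True)
class Packet:
    src: str
    proto: str
    dport: int
    payload: bytes


class InlineIPS:
    def __init__(self, rules, indexed=True):
        self.rules = list(rules)
        self.indexed = indexed
        self.by_key = defaultdict(list)   # (proto, dport) -> rules, so only candidates are scanned
        for r in self.rules:
            self.by_key[(r.proto, r.dport)].append(r)
        self.blocked = set()              # stands in for the pf/iptables block table
        self.alerts = []                  # (sid, src, msg)

    def candidates(self, pkt):
        if not self.indexed:
            # naive engine: walk every rule for every packet
            return [r for r in self.rules
                    if r.proto == pkt.proto and r.dport in (pkt.dport, None)]
        return (self.by_key.get((pkt.proto, pkt.dport), [])
                + self.by_key.get((pkt.proto, None), []))

    def inspect(self, pkt):
        if pkt.src in self.blocked:
            return "drop-blocked"         # fast path: no payload inspection at all
        for r in self.candidates(pkt):
            if r.content in pkt.payload:
                self.blocked.add(pkt.src)
                self.alerts.append((r.sid, pkt.src, r.msg))
                return "drop"
        return "pass"


# Constructed rules in the spirit of Snort/Suricata "content:" signatures.
RULES = [
    Rule(1000001, "tcp", 80, b"/etc/passwd", "path traversal attempt"),
    Rule(1000002, "tcp", 80, b"UNION SELECT", "sql injection attempt"),
    Rule(1000003, "tcp", None, b"\x90" * 16, "NOP sled in tcp payload"),
    Rule(1000004, "udp", 53, b"\x00\x00\xff\x00\x01", "dns ANY/IN query"),
]

# Constructed packets; 203.0.113.9 is a documentation address standing in for an attacker.
PACKETS = [
    Packet("10.20.0.50", "tcp", 80, b"GET /index.html HTTP/1.1\r\nHost: nas\r\n\r\n"),
    Packet("203.0.113.9", "tcp", 80, b"GET /../../etc/passwd HTTP/1.1\r\n\r\n"),
    Packet("203.0.113.9", "tcp", 443, b"\x16\x03\x01\x00\x50"),   # harmless, but source already blocked
    Packet("10.20.0.50", "udp", 53,
           b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x03nas\x05local\x00\x00\x01\x00\x01"),
]


def run_demo():
    """Verdict per packet, in order: pass, drop, drop-blocked, pass."""
    ips = InlineIPS(RULES)
    return [ips.inspect(p) for p in PACKETS]


def cost_per_packet(n_rules, indexed):
    """Microseconds per packet with n_rules decoy rules on other ports added,
    naive scan versus indexed lookup."""
    decoys = [Rule(2000000 + i, "tcp", 10000 + i, b"decoy%d" % i, "decoy") for i in range(n_rules)]
    ips = InlineIPS(RULES + decoys, indexed=indexed)
    pkt = PACKETS[0]
    t0 = time.perf_counter()
    for _ in range(200):
        ips.inspect(pkt)
    return (time.perf_counter() - t0) / 200 * 1e6


if __name__ == "__main__":
    print(run_demo())
    for n in (100, 10000):
        print(n, "extra rules: naive %.1f us, indexed %.1f us"
              % (cost_per_packet(n, False), cost_per_packet(n, True)))
```

Running it shows the naive cost growing with the rule count while the indexed cost stays flat, which is the rule-set-size effect the post describes, and the third packet being dropped without any inspection because its source was blocked by the second. The same mechanism is also the failure mode mentioned later in the thread: one new signature that happens to match legitimate traffic blocks that source for everything, not just the flow that tripped it.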
 

I see. Is it user upgradeable? I have a few mSATA and NVMe SSDs lying around.
 

I would suggest that, while you could, I wouldn't. It's about $40 for the privilege, which considering it is guaranteed to work is peanuts.
 

I see, I'll start looking at pfSense videos on YouTube then.
 
You could build a rackmountable pfsense box cheaper using a sata or nvme - but you did say you didn't want complicated, and you want something that just works.

An Intel 4 port NIC, plus a mini ITX J5005, 8 or 16 gig of RAM, picoPSU or something... done. Could put this in a rackmount box. You are a bit SOL if you need support for random hardware though.
 

Yea, I would just buy it. I don't really want to build anything, for what I am doing I just want off the shelf stuff.
 
As an aside, processor speed will limit your bandwidth with IDS/IPS (see netgate site), may want to move up the range depending on your net connections

https://www.netgate.com/blog/choosing-the-right-netgate-appliance.html
If there is the option not to have IPS/IDS or to have a cut down version of it, I would take that - to do it right is a lot of processing. An option would be an AWS instance with pfsense or tnsr that your network interfaces with, then you're not as bound by processor.

The setup here would be dual VPN (failover) -> AWS instance running IPS/IDS -> (net)

For the record, I had pfsense in Esxi @home, and went heavy on the rules, it worked, but ate some power. Full IDS/IPS with deep packet inspection for home networks (in nearly all cases) is like bringing a bazooka to a knife fight.

Most workplaces I know of need you to VPN into them - they handle the IPS/IDS.. I find it strange this is an option for you.
 

I do VPN in when I need to access work server clusters but I don't all the time, I'm not sure what work does on their side.
 
I then suggest the following if you're going to be managing IPS/IDS:

Get a load balancing router to the net, such as a draytek or the SG3100, then get work to pay for the AWS IPS/IDS instance (note cost includes power, infrastructure, bandwidth and software!) and use your work computers to VPN into the instance directly for the extra features. Being that it's a home connection, a t3.medium instance will probably be sufficient.

It will be a lot less hassle in the long term.

Note that as mentioned, IPS/IDS uses a fair bit of computing power. This translates directly to watts that someone needs to pay for, and if you need it for work then they should pay for it.
 

I would let them take care of it and make a point of VPNing in with your work computers. If work computers are connected to the net, they're VPN'd into work and access the net through that. It's less expensive, and work is probably already doing IPS/IDS and firewalling, which they have specialists maintaining.

If something goes wrong or something is set up incorrectly it is then on them to fix it, if you set up your own IDS/IPS then it's on you.

Liability wise I'd rather my workplace handle that risk than have the chance to get sued by my workplace if I set it up incorrectly and a rogue program, hacker or virus hits work material (especially if this is new to me).



To Summarise:

If it were me I'd make sure work computers are VPN'd through to work, and isolated (if possible) from local computers unless absolutely required - Preferably on a different subnet and/or vlans, this could be managed with static ips and the hardware at router level, or at computer level.

If you must use IPS/IDS then Cloud based for that is the best option

Either of these options can be managed by the SG3100 or Draytek solutions, I would probably go with the draytek as it would be simpler
 
Hey, I just had a look at the IPS/IDS features of the UDM-PRO (I was curious!) and I note that the threat lists predominantly come from UniFi and their partners, whereas when you're using Suricata or Snort (etc.) you're using a whole lot of different suppliers of the threat info. If you're super security conscious, I think the latter would be what you want.
 

Something in the back of my mind with respect to IPS has been the similarity to antivirus / antimalware systems -- not only must the engine and supporting hardware be up to the task, but the threat definitions must be relevant and stay updated as well.

This isn't a nut that I'm sure there is a straightforward, remotely affordable means to crack for SMB / enthusiast let alone your average home user that is quickly adding clients including heaps of IoT.
 

It is - the solution is a subscription to oink and emerging threats and a few others with pfsense (or opnsense) and suricata/snort + pfblockerNG on dedicated hardware, be it white box, esxi (with or without pass through), cloud based or netgate.

If your time is free, you can get this going for the price of a very basic computer with two network cards. PFsense is free, ET and oink have community versions which are free and that are about 1 week behind the new stuff. pfblocker lists that are regularly updated are abundant on the net.

Snort, suricata and pfblocker will automatically download new lists as they become available, if set up to do so.

All of this is why the netgate devices are such good value - getting similar functionality can cost many times as much for any sort of appliance that can do what they can and is in any way supported.

The issue is when you have IoT or random services/devices/software that you need to let through, cause you have to create pass rules on the firewall to let them through as by default everything is blocked.

Want to use steam/other game service? - you need to know which ports and protocols it uses and make a rule

Want to use a game that needs to connect to the net? - you need to know what ports and protocols it uses and set a rule or rules

Want to use Netflix et al or Google Assistant/Alexa/Siri? - same deal

Not to mention ideally isolating those rules to certain IPs. No UPnP cause that will just compromise things. This means that some devices flat out won't work.

This is not trivial; it takes time and regular weekly, if not daily, maintenance and research. Sometimes software you use changes ports due to an update, or a new definition gets downloaded that stops packets similar to your existing software's, so things sometimes just stop working randomly until you fix the firewall settings.

In summary, it’s a huge headache for a home network where you have other stakeholders such as your significant other and/or kids, and this is why I'm saying "use a VPN to work, let them take care of this" and “keep your home network simple”.

I know when the pressure is on at work or I have time to spend with family that the last thing I want to be doing is fixing firewall rules or network issues.
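Here is what the default-deny policy described above looks like as rules, evaluated first-match the way pfSense's rule list behaves, with the work/home segmentation from the earlier summary folded in. This is an added illustration for this thread, not pfSense's own configuration format or anything from the posts; the VLAN addressing, the host that gets the Steam rule, and the Steam port ranges (quoted from memory of Valve's port list, so verify them) are all assumptions. The last flow models the failure mode the post mentions: a client whose update moved it to a port nobody wrote a rule for quietly lands on the default block.

```python
"""Default-deny firewall policy with per-host pass rules and work/home
segmentation, first match wins.  Added illustration for this thread only;
addresses and port ranges are assumptions, not taken from the posts."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                         # "pass" or "block"
    proto: str                          # "tcp", "udp" or "any"
    src: str                            # source network, CIDR
    dst: str                            # destination network, CIDR
    dports: Optional[Tuple[int, int]]   # inclusive destination port range, None = any
    label: str

    def matches(self, proto, src, dst, dport):
        return (self.proto in ("any", proto)
                and ipaddress.ip_address(src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(self.dst)
                and (self.dports is None or self.dports[0] <= dport <= self.dports[1]))


ANY = "0.0.0.0/0"
WORK_VLAN = "10.10.0.0/24"   # assumed: work workstation/laptop VLAN
HOME_VLAN = "10.20.0.0/24"   # assumed: personal VLAN (NAS, gaming PC, IoT)
ROUTER = "10.20.0.1/32"      # assumed: the router's address on the home VLAN
GAMING_PC = "10.20.0.50/32"  # assumed: the one host allowed to talk to Steam

# Order matters: segmentation blocks sit above every pass rule so a later
# "https out" or "work out" rule can never leak across the VLAN boundary.
RULES = [
    Rule("block", "any", WORK_VLAN, HOME_VLAN, None, "work may not reach home"),
    Rule("block", "any", HOME_VLAN, WORK_VLAN, None, "home may not reach work"),
    Rule("pass", "udp", HOME_VLAN, ROUTER, (53, 53), "dns to the router"),
    Rule("pass", "udp", GAMING_PC, ANY, (27000, 27100), "steam client udp (ports assumed)"),
    Rule("pass", "tcp", GAMING_PC, ANY, (27015, 27050), "steam client tcp (ports assumed)"),
    Rule("pass", "tcp", HOME_VLAN, ANY, (443, 443), "https out"),
    Rule("pass", "any", WORK_VLAN, ANY, None, "work vlan out (vpn to the office)"),
]
DEFAULT = ("block", "default deny")


def evaluate(proto, src, dst, dport, rules=RULES):
    """First matching rule decides; no match falls to the implicit default block."""
    for r in rules:
        if r.matches(proto, src, dst, dport):
            return (r.action, r.label)
    return DEFAULT


# Constructed flows (203.0.113.7 and 198.51.100.1 are documentation addresses).
FLOWS = [
    ("udp", "10.20.0.50", "203.0.113.7", 27020),   # steam from the gaming pc
    ("udp", "10.20.0.51", "203.0.113.7", 27020),   # same ports, a host with no rule
    ("tcp", "10.10.0.20", "10.20.0.10", 445),      # work laptop to the home NAS
    ("tcp", "10.20.0.50", "10.10.0.20", 443),      # home pc to the work box, even on 443
    ("tcp", "10.10.0.20", "198.51.100.1", 443),    # work laptop to the office vpn
    ("udp", "10.20.0.50", "203.0.113.7", 27200),   # steam after a hypothetical port change
]


def run_demo():
    return [evaluate(*f) for f in FLOWS]


if __name__ == "__main__":
    for flow, verdict in zip(FLOWS, run_demo()):
        print(flow, "->", verdict)
```

Two things to notice when you run it: the home PC's connection to the work box on 443 is blocked by the segmentation rule even though "https out" would have passed it, because the block rule comes first; and the Steam flow on the new port is blocked with the label "default deny", which is all the log will tell you when an update moves a client's ports. UPnP would "fix" that by letting the client open ports itself, which is exactly why the post says not to use it.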
 
For the record, having done the pfsense thing both virtualised and using a whitebox, used 10 gig mikrotik gear and what not - I'm currently using google wifi and a basic (dumb) 8 port 1gbE dlink switch cause I don't need to think about it, just works and maintains itself.

My esxi server still exists cause it doesn't require a whole lot of upkeep, but that'll go as soon as I can find a decent NAS replacement that can do all I want.
 
I was looking at the suppliers for the netgate stuff and there are some installers here in Houston that I am contemplating getting a quote from so they can do this for me. I looked at YouTube videos of pfSense setups and to me it looked time consuming, so I'm really considering paying to set it up.
 

Set up is one thing, it's actually not too time consuming to set it up. Maintenance is the thing that is time consuming for IPS/IDS.

..., it takes time and regular weekly, if not daily, maintenance and research.

If you're prepared to spend up to 1hr a day on this stuff, then by all means do it.
 
I'm wondering if something like Sophos might be more ideal -- something that can be tossed on more powerful hardware than Netgate is willing to let out the door for anything remotely reasonable, and still at least moderately consumer friendly?
 

ipfire, sophos, untangle (even pfsense) - can be put on more powerful hardware, thing is they all run into the same time consuming issue.

Really, truly, get a load balancing router, use a VPN for work and spend your time/money on more worthwhile things. Managing the VPN on the work machines means that your router doesn't need the grunt.

Just because you can do it, doesn't mean you should
 
I'll again toss this out here. A Fortigate with a UTM license + FortiSwitch + FortiAP, all managed from a single interface locally on the Fortigate using the built-in switch and wireless controllers, or managed from FortiCloud, would make this next to painless. You can leave the home brew and consumer / prosumer crap on the floor where it belongs.
 

And a five-grand investment up front, plus whatever licensing is necessary for updates? If I'm reading it right- I wouldn't hesitate to use them for enterprise, but their buy-in for 2Gbps+ IPS etc. is hefty.
 

I just did some basic pricing on some entry level Fortigate gear; it's not that bad, just under a grand up front for an entry level FortiSwitch with dual WAN and a year of support. That said, it won't do 2Gbps IPS. If you need that, then you're so much better off with a higher end netgate unit, price wise, as you effectively get free updates of the UTM perpetually.
 

I looked it up just now and the 100f is almost 4K. Also was not aware of needing to buy licenses for updates. Netgate and ubiquiti is less than half of that for everything. Is fortigate worth that much more? I’d have to ask my wife for a 5-10k build out.
 

I think the fortigate is enormous overkill for this setup.

Do you need IPS/IDS or is it just a nice to have?
 
I don’t know. I’ve never had it so I would say it’s nice to have. I was thinking 2k to build the network out. I could do 3k maybe 4 without asking my wife but anymore than that she would question me.
 

As mentioned - I think you should skip it and let work manage it, it's a lot of work and money if you don't need it.
 
It would be nice for my own home network. I do a bit of consulting on the side.
 


You're saying on one hand it's nice to have, on the other it's not needed.

This is a 1-2k expense plus maintenance time - Your call. ipfire is easier to use than pfsense and implements suricata, pfsense is more enterprise ready. You could just use something like a new/secondhand dell server (with 3+ network ports) and install ipfire/pfsense/untangle/sophos on it.

Some kind of quad core midrange Xeon (3ghz+), haswell generation or better with 8-16 gig of ram which is dual channel would be able to handle most IPS/IDS through suricata at wire speeds.

I would definitely segregate home stuff into “work/home” vs home (DMZ)
 
Checking it out...

 

Think I could use my Xeon E5-2683 v3? Planning on moving to TR4 anyways.
 