Simple VLAN, hardware and setup recommendations

Cherry Dude (joined Sep 1, 2016)
Hi there

I am moving to a large house in the summer and will get a full gigabit connection (1000/1000). At the same time, I am giving my devices a good look over and adding some new ones, like Roborock robot vacuum cleaners. Unfortunately, I have given up rooting the vacuum cleaners, and I do not really trust them.

So, I am looking for a solution that will allow me to take full advantage of the internet connection and separate IoT from my private network (both Wi-Fi and wired).

I am getting a bit cross-eyed and more and more confused the more forum posts I read; perhaps I should just realize I am a network newbie.
I currently have an Asus RT-AC66U and a TP-Link TL-SG108E switch.

Now I do realize that what I need is to set up VLANs, but what hardware to use is not easy.
Ubiquiti, pfSense (e.g., SG-2100; Lawrence Systems has guides, even one using the same switch) or other? I would also need an AP that can be split in those cases. An Asus router with Merlin or DD-WRT might also be an option?
I am really looking for a set-and-somewhat-forget solution, so I doubt I will get the most out of the products anyway, so a sanity check is always nice.

Does anyone have suggestions for possible setups, or some tips?
 
UniFi UDM-Pro, 16-port UniFi PoE switch, and some new Wi-Fi 6 APs with proper coverage. You could set up 2-3 VLANs and isolate traffic: internal prod, IoT, guest VLANs.
 
pfSense is fairly easy if you want to build your own hardware; basically just add interfaces and force traffic to tag with a VLAN ID, then set up rules to allow flows inside your network. Or, conversely, have your AP with a tagged configuration and have rules to pass or block traffic to different segments of your network. I think Untangle is another fairly easy option to have an easier take on the setup if you are wanting to build your own hardware.
 
If you want to keep things separated, I'd definitely get a separate access point for the IoT. You can do multiple SSIDs on one AP with VLANs, but commercial APs where it's easy are expensive and consumer APs won't let you do it with stock firmware, and it can be tricky with third-party firmware. Different APs is simple, and not very expensive. Your switch should manage VLANs fine (I've got two of the 16-port ones, and they work well enough). Just FYI, the security on the TP-Links is a joke, but if you assume your IoT won't hack your switch to get on a different VLAN, it's probably fine?

Set up one VLAN on one subnet, another VLAN on another subnet, and have your pfSense not forward packets between the two subnets, but NAT everything out to the internet. Easy peasy. If you've got a gigabit connection, I would definitely put a second NIC in the pfSense to connect to the ISP. At less than a gigabit, you could make that a third VLAN. Or you could put three NICs in the pfSense, and connect your ISP to one, your switch to another, and your IoT AP to the third.
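For readers who want to see what that two-VLAN design looks like as actual firewall rules, here is a pf.conf for the packet filter that pfSense drives. This is an added example, not something anyone posted in the thread and not pfSense's own generated config (pfSense writes equivalent rules from its web UI, so this is for understanding the policy, not for pasting in). The NIC names igb0/igb1, the VLAN IDs 10 and 20, and the subnets are assumptions. It goes one step beyond the post: the trusted LAN is allowed to initiate connections to the IoT VLAN (so a laptop can still talk to the vacuum), while the IoT VLAN cannot initiate toward any private address at all, only toward DHCP/DNS on the router and the internet. The same rules apply whether the IoT devices arrive on a separate AP plugged into a VLAN 20 access port or on a second SSID that a trunked AP tags as VLAN 20.

```pf
# Added example (not from the thread): hand-written pf rules for the
# two-VLAN, single-NAT layout. Names and addresses below are assumed.
ext_if  = "igb0"        # NIC facing the ISP (assumed)
lan_if  = "igb1.10"     # VLAN 10 on the switch-facing NIC: trusted LAN (assumed)
iot_if  = "igb1.20"     # VLAN 20 on the same NIC: IoT (assumed)
lan_net = "192.168.10.0/24"
iot_net = "192.168.20.0/24"

# Everything an IoT device must never be allowed to initiate toward
table <rfc1918> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

set skip on lo0
scrub in all

# Both subnets NAT out of the one public address on the WAN NIC
nat on $ext_if inet from { $lan_net, $iot_net } to any -> ($ext_if)

# Default deny inbound on every interface. Outbound is permitted; pf keeps
# state by default, so replies to anything passed inbound get back without
# needing their own rules.
block in log all
pass out quick all

# If the ISP hands out the WAN address by DHCP, the offer must get in
pass in quick on $ext_if inet proto udp from any port 67 to any port 68

# IoT VLAN: DHCP (clients send from 0.0.0.0, so no source restriction),
# DNS to the router itself, then the internet and nothing in private space.
# Rules are "quick", so the first match wins and order matters.
pass in quick on $iot_if inet proto udp from any port 68 to any port 67
pass in quick on $iot_if inet proto { tcp, udp } from $iot_net to ($iot_if) port 53
block in quick log on $iot_if inet from $iot_net to <rfc1918>
pass in quick on $iot_if inet from $iot_net to any

# Trusted LAN may initiate to anything, including IoT devices; the IoT side
# still cannot initiate back because of the block rule above.
pass in quick on $lan_if inet from $lan_net to any
```

The block rule on the IoT interface is what makes the segmentation real: NAT alone does nothing to stop a device on 192.168.20.0/24 from reaching 192.168.10.0/24, since the router happily forwards between its own interfaces unless told otherwise. Logging that rule (`log`) also gives you a cheap tripwire: any hit means a device on the IoT VLAN is probing the LAN.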
 
> pfSense is fairly easy if you want to build your own hardware; basically just add interfaces and force traffic to tag with a VLAN ID, then set up rules to allow flows inside your network. Or, conversely, have your AP with a tagged configuration and have rules to pass or block traffic to different segments of your network. I think Untangle is another fairly easy option to have an easier take on the setup if you are wanting to build your own hardware.

Sounds great :)
 
> UniFi UDM-Pro, 16-port UniFi PoE switch, and some new Wi-Fi 6 APs with proper coverage. You could set up 2-3 VLANs and isolate traffic: internal prod, IoT, guest VLANs.

I love the Ubiquiti gear, but aren't the IDS/IPS abilities of the UDM/Pro still lacking compared to pfSense with Suricata?
 
> If you want to keep things separated, I'd definitely get a separate access point for the IoT. You can do multiple SSIDs on one AP with VLANs, but commercial APs where it's easy are expensive and consumer APs won't let you do it with stock firmware, and it can be tricky with third-party firmware. Different APs is simple, and not very expensive. Your switch should manage VLANs fine (I've got two of the 16-port ones, and they work well enough). Just FYI, the security on the TP-Links is a joke, but if you assume your IoT won't hack your switch to get on a different VLAN, it's probably fine?
>
> Set up one VLAN on one subnet, another VLAN on another subnet, and have your pfSense not forward packets between the two subnets, but NAT everything out to the internet. Easy peasy. If you've got a gigabit connection, I would definitely put a second NIC in the pfSense to connect to the ISP. At less than a gigabit, you could make that a third VLAN. Or you could put three NICs in the pfSense, and connect your ISP to one, your switch to another, and your IoT AP to the third.

Ha ha, okay, maybe I will invest in a better switch. Any suggestions?
So to separate APs, do you have some good examples of inexpensive ones?
Do you have any tips for a pfSense box? Netgates seem a little expensive and might not deliver the speeds. Something like a Qotom-Q350 might be interesting, but I am almost embarrassed to say I have a small tinfoil hat on regarding this: could there be anything nasty in the hardware of such a "China" box?
 
> Ha ha, okay, maybe I will invest in a better switch. Any suggestions?

I mean, it's an OK switch (like I said, I have two); LACP + VLANs and inexpensive is nice. It's just a shame you can't assign the management functions to a VLAN or something.

> So to separate APs, do you have some good examples of inexpensive ones?

I like the TM-AC1900 (T-Mobile branded RT-AC68U), although they're not as inexpensive as they used to be, but really mostly anything decent is fine. IoT is usually low bandwidth (unless you're doing IoT video surveillance), so if you had an old WRT54G that would be fine too. You're going to be running it in AP mode, so most of the software issues are bypassed, as long as it's got stable wireless drivers.

> Do you have any tips for a pfSense box? Netgates seem a little expensive and might not deliver the speeds. Something like a Qotom-Q350 might be interesting, but I am almost embarrassed to say I have a small tinfoil hat on regarding this: could there be anything nasty in the hardware of such a "China" box?

I just have a regular desktop PC as my router box (but I also run misc services on it). It's rocking a G3470 and was not close to being a bottleneck for gigabit NAT when I had fiber. I've run smaller boxes as the router before, and getting replacement parts when they fail can be a pain; I've got lots of room, so mATX is as small as I go for routers now. If you've got any parts from old builds, they'll probably work. You don't really want to stick an 8-core CPU in as your router, but even that will probably downclock and not use too much power.
 
> I mean, it's an OK switch (like I said, I have two); LACP + VLANs and inexpensive is nice. It's just a shame you can't assign the management functions to a VLAN or something.

Oh I see, thanks.

> I just have a regular desktop PC as my router box (but I also run misc services on it).

I guess for the DIY builds undervolting is a viable option to reduce power consumption? (Not for your solution, I guess, when you are running other services :p). And the DIY solution is tempting, mainly because it has been a while since I built a computer. I could of course do an SFF build with two NICs as you previously recommended, find a mini-ATX motherboard, a nice low-power CPU, etc.

Perhaps an odd question, but what is the limiting factor in terms of speed? I understand a VPN or running other advanced stuff will have a significant impact. But do the firewall rules have any effect, and VLAN splitting? (Just trying to justify the money/time investment in DIY in contrast to the Netgates/Qotom/Atoms/APU2s.)
 
Then again… now that I look into it, there are a pretty decent number of Dell OptiPlexes for sale (mainly from offices) from 200 euro and below (just model and CPU):

9020: i5-4570
9010: i5-3470
7010: i5-3470S
7010: i3-3220

Perhaps that could be an inexpensive way to go, if I added a NIC.
 
I recall Haswell being a pretty big step up for some uses; AES instructions were a big part of that, if you wanted to use a VPN with AES. But yeah, lots of nice things in an OptiPlex.
 
> I recall Haswell being a pretty big step up for some uses; AES instructions were a big part of that, if you wanted to use a VPN with AES. But yeah, lots of nice things in an OptiPlex.

Not least the price.
Yes, for sure, but they are no slouch either, and great point on AES.

> It's pretty quiet. Mine is in my garage with my noisy 2U AIO server with loud fans, so it's hard for me to tell.

So in my mind this still leaves the Ubiquiti gear in play, and "pretty quiet" is a bonus.
I think this will come down to price, so it's local prices for a pfSense vs. Ubiquiti setup.
 
> Not least the price.

> So in my mind this still leaves the Ubiquiti gear in play, and "pretty quiet" is a bonus.
> I think this will come down to price, so it's local prices for a pfSense vs. Ubiquiti setup.

UniFi is going to be a bit more expensive. The advantage of UniFi is that when you go full stack you get everything integrating well together. Think single pane of glass. UniFi has its limitations on certain things, and for support you are mostly on your own (forums and Google are best), but once it's running everything just works. I am talking 6 months plus of uptime on everything with no reboots needed, etc.; hell, the only time my gear gets rebooted is when there is a firmware update.
 
> If you want to keep things separated, I'd definitely get a separate access point for the IoT. You can do multiple SSIDs on one AP with VLANs, but commercial APs where it's easy are expensive and consumer APs won't let you do it with stock firmware, and it can be tricky with third-party firmware. Different APs is simple, and not very expensive. Your switch should manage VLANs fine (I've got two of the 16-port ones, and they work well enough). Just FYI, the security on the TP-Links is a joke, but if you assume your IoT won't hack your switch to get on a different VLAN, it's probably fine?
>
> Set up one VLAN on one subnet, another VLAN on another subnet, and have your pfSense not forward packets between the two subnets, but NAT everything out to the internet. Easy peasy. If you've got a gigabit connection, I would definitely put a second NIC in the pfSense to connect to the ISP. At less than a gigabit, you could make that a third VLAN. Or you could put three NICs in the pfSense, and connect your ISP to one, your switch to another, and your IoT AP to the third.

toast0: You can buy Ubiquitis that let you do this, and they are 100x better than any cheap mesh network or other APs you can buy, and you can get them for $50-$100 depending on what models you want.
 
> UniFi is going to be a bit more expensive. The advantage of UniFi is that when you go full stack you get everything integrating well together. Think single pane of glass. UniFi has its limitations on certain things, and for support you are mostly on your own (forums and Google are best), but once it's running everything just works. I am talking 6 months plus of uptime on everything with no reboots needed, etc.; hell, the only time my gear gets rebooted is when there is a firmware update.

I hear you, it certainly is a big appeal.
 
You are talking about APs, right? Like the light, or...?

All UniFi APs can be set up in mesh mode, where you have a hardwired AP that acts as a base station for another AP, which sends its traffic back wirelessly. So you just need to power it via a PoE adapter. I have personally never tried this.
 
I saw some posts claiming their APU2s maxed out at 700? Then again, a bad setup might be the culprit.

I've seen some of these have trouble with PPPoE at gigabit speeds. I'm not sure what provider you're getting, and if anyone other than CenturyLink in former Qwest areas runs PPPoE on fiber, because PPPoE is dumb.
 