Access Points - best practices?

jlbenedict (2[H]4U; joined May 22, 2005; 2,206 messages)
The Asus router appears to be on its way to being a POS, so I put together some spare parts for an OpenWRT router.

Access point - patch it off the switch? Or should it be patched off one of the ports from the router?

Build specs are light-
Asrock qc5000m ( amd a4-5000 )
2gb ecc unbuffered
Quad-port Intel Pro/1000 (Dell part)
Internet speeds are cable, 200/20
 
Doesn't matter too much either way. The switch's job is to expand the number of ports you have to connect devices to a network. If you have enough ports on the router then there is no need to plug in a switch. If you have a limited number of ports on the router, then you'd use the switch to expand that, and in that case you'd want to plug the AP into the switch instead. If the switch isn't firewalling or routing, which is the case like 99% of the time, then it's not doing anything that would sway your decision one way or another. The actual bandwidth to your AP is still dependent upon the port speed of the router, so any traffic leaving that network isn't going to go any faster plugged directly into a switch versus in the router.

The only type of traffic where it might be beneficial to be plugged directly into a switch is same network traffic between the access point and switch. Since that traffic doesn't need to be routed, you're not unnecessarily saturating the uplink to the router with local traffic. Any traffic bound for the internet is going out the router regardless, and you can't saturate your ports with your internet connection, so it will basically make no difference where you plug in for that scenario.
 
Off the switch.

That 4-port NIC is not the same as a switch, and even if set up in OpenWRT (or any other router distro) to bridge them all, will not transfer frames across its ports as quickly or efficiently as a switch (even a basic 4-5 port unit) will.

It won't really matter so much for wireless hosts going directly to the Internet, but any time they need to access a LAN resource (e.g., file sharing/NAS), it will.
 
Good responses so far... thanks all!

There will be some wireless clients that will need access to LAN resources (NAS, Emby media server... etc).. The switch involved will be a basic Netgear 8-port vlan capable switch..
 
Best practice would be AP on separate network with firewall/access control policies protecting your wired network. Wireless certainly is and should always be considered less trustworthy. That said, most consumer routers fail utterly on this principle and almost always wired and wireless are flat at layer 3. As a result most home networks are insecure from the start and a lot of products depend on this insecurity to work.

Not familiar with how OpenWRT works but if it works like a real router then each interface would be expected to be a separate network with routing between. This is likely not what you expect or want and given the question almost certainly not what you are prepared to deal with. Plug the AP into the switch.
 
Thanks all again..

By putting the AP on the switch, will this still allow me to eventually set up this scenario:

Segregate a second/guest SSID on a VLAN, and route it through an OpenVPN connection in the router OS (OpenWRT)?
I believe the TP-Link AP I have supports creating two additional guest SSIDs
 
As long as the AP supports separate VLAN tagging per SSID (most but not all do) you should at least be able to separate them. I currently have 3 separate SSIDs on a single AP, each of those gets assigned a VLAN tag, and my router hands out IP addresses depending on what SSID a client is connected to. This allows me to do things like isolate my IoT devices on their own network and put FW rules in place so they can't talk to anything on any of my other networks. As far as routing a particular VLAN through a particular VPN tunnel, that would depend more on the router. I've done that in an enterprise environment with features like Juniper's Filter Based Forwarding (FBF), but haven't attempted to do anything similar in a home network.
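
The per-SSID VLAN separation described in this reply, sketched as an OpenWRT configuration fragment. This is an added example, not a configuration posted by anyone in the thread. It assumes OpenWRT 21.02 or later (`option device` syntax), that the AP hangs off `eth1` and tags the guest SSID with VLAN 20, and that the existing `lan` and `wan` zones are unchanged; the VLAN ID, subnet and rule names are made-up values.

```uci
# /etc/config/network
# Tagged VLAN 20 on the NIC port the AP is patched into (assumed: eth1).
config interface 'guest'
	option device 'eth1.20'
	option proto 'static'
	option ipaddr '192.168.20.1'
	option netmask '255.255.255.0'

# /etc/config/dhcp
# Clients on the guest SSID get addresses from their own pool.
config dhcp 'guest'
	option interface 'guest'
	option start '100'
	option limit '100'
	option leasetime '4h'

# /etc/config/firewall
# Default-deny zone: guests cannot reach the router or other zones
# unless a rule or forwarding below says so.
config zone
	option name 'guest'
	list network 'guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

# Guest traffic may leave to the Internet only.
# There is deliberately no forwarding from 'guest' to 'lan'.
config forwarding
	option src 'guest'
	option dest 'wan'

# The only router services guests may use: DHCP and DNS.
config rule
	option name 'Guest-DHCP'
	option src 'guest'
	option proto 'udp'
	option dest_port '67'
	option target 'ACCEPT'

config rule
	option name 'Guest-DNS'
	option src 'guest'
	option proto 'tcp udp'
	option dest_port '53'
	option target 'ACCEPT'
```

If a switch sits between the AP and the router, its ports on that path must carry VLAN 20 tagged. Sending this VLAN out through an OpenVPN tunnel additionally needs source-based routing on the router, which this fragment does not cover.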
 
Realized my 8-port switch will not be enough to accommodate everything I have.. so I connected the AP to port 1 on my router NIC; switch to port 2, and my computer to port 3.. (br-lan has eth1, eth2, eth3 bridged to it).. eth0 is my WAN..
Everything seems to be working as it should..

Assuming by bridging ports 1,2 & 3 to the lan, this essentially is turning my box into a 3-port router, such as the commercial off the shelf ones that have 3 & 4 ports, like the Asus, TP-Link, etc..
 
Effectively, yes. Bridging multiple NICs is functionally like a switch, and the topology is the same. As mentioned, it's just that moving frames across bridged NICs is slower and less efficient than a switch. It may not be ideal, but if you're out of ports do what you gotta do.

Consumer routers do contain a proper switch, FWIW.
 