"Home" Router with "Enterprise" Features?

Dameon (n00b, joined Jul 21, 2011, 20 messages)
I have been looking for a plain ol' router for my home, but with some (obviously) unique features... as such:

1) WiFi 6

2) Multiple SSIDs and the ability to map an SSID to an Ethernet port
- Scenario: SSID "internal" would be mapped to eth1 and this port would be plugged into my managed switch as a VLAN 101 access port. All computers on VLAN 101 would pull a DHCP IP from the router (or a Windows DHCP server if necessary) and all activity would be restricted to this VLAN except for ACL (as defined by this router) allowances. No Internet access on this VLAN.
- Scenario: SSID "guest" would be mapped to eth2 and this port would be plugged into my managed switch as a VLAN 102 access port. Same as above. This SSID would allow internet access.
- Scenario: SSID "IoT" would be mapped to eth3 and this port would be plugged into my managed switch as a VLAN 103 access port. Same as above. This SSID would allow internet access.

3) Port Forwarding, DMZ, Firewall functions

4) Mesh - Inexpensive add-on APs would be nice as I'll need 3-4 units. These units would be hard wired to the LAN and would need to supply meshed connections to all SSIDs... meaning the LAN port would likely need to support VLAN tagging.

5) Niceties: Some degree of management from a mobile device, decent reporting on web activity (e.g. what IoT device went to what URL?)

Does such a consumer router exist?

Thanks.
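Item 5 asks which IoT device went to which URL. As an added example (not from this thread or any product named in it), here is how a router running dnsmasq with query logging (OpenWrt does, which a later reply brings up) can give a per-device, per-VLAN view from its DNS log and lease file; it yields domains rather than full URLs, since the router never sees the path inside TLS. The VLAN addressing plan, the log lines and the leases below are constructed assumptions.

```python
"""Per-device DNS activity report for a segmented home network.

Added example, not from the thread or any vendor named in it.  It assumes a
router running dnsmasq with `log-queries` enabled, the lease file format
"<expiry> <mac> <ip> <hostname> <client-id>", and one /24 per VLAN.
All sample data below is constructed.
"""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed addressing plan mirroring the OP's VLAN 101/102/103 scenario.
VLANS = {
    "internal": ip_network("192.168.101.0/24"),
    "guest": ip_network("192.168.102.0/24"),
    "iot": ip_network("192.168.103.0/24"),
}

# Constructed dnsmasq.leases contents.  A "*" hostname means the client sent none.
LEASES = """\
1700000000 aa:bb:cc:00:01:01 192.168.101.50 laptop-dameon 01:aa:bb:cc:00:01:01
1700000000 aa:bb:cc:00:03:10 192.168.103.20 smart-plug *
1700000000 aa:bb:cc:00:03:11 192.168.103.21 * *
"""

# Constructed log lines in the shape dnsmasq writes with log-queries.
LOG = """\
Mar  1 12:00:01 dnsmasq[1234]: query[A] time.cloudflare.com from 192.168.103.20
Mar  1 12:00:02 dnsmasq[1234]: query[AAAA] time.cloudflare.com from 192.168.103.20
Mar  1 12:00:05 dnsmasq[1234]: query[A] telemetry.example from 192.168.103.21
Mar  1 12:00:06 dnsmasq[1234]: reply telemetry.example is 203.0.113.9
Mar  1 12:00:09 dnsmasq[1234]: query[A] update.example from 192.168.103.21
Mar  1 12:00:10 dnsmasq[1234]: query[A] fileserver.lan from 192.168.101.50
Mar  1 12:00:11 dnsmasq[1234]: query[A] evil.example from 192.168.250.9
"""

QUERY_RE = re.compile(
    r"dnsmasq\[\d+\]: query\[(?P<qtype>[^\]]+)\] (?P<name>\S+) from (?P<ip>\S+)$"
)


def parse_leases(text):
    """Map IP -> (mac, hostname); unnamed clients get the label 'unnamed'."""
    leases = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # blank or truncated line
        _expiry, mac, ip, hostname = fields[:4]
        leases[ip] = (mac, "unnamed" if hostname == "*" else hostname)
    return leases


def vlan_for(ip):
    """Name the VLAN an address belongs to, or 'unknown' if outside the plan."""
    addr = ip_address(ip)
    for name, net in VLANS.items():
        if addr in net:
            return name
    return "unknown"


def build_report(log_text, leases):
    """Return {(vlan, mac, hostname): {domain: query count}}.

    Only query[...] lines are counted; reply/cached/forwarded lines are skipped.
    Addresses with no lease are still reported so that a rogue or static
    host does not silently drop out of the picture.
    """
    report = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        ip = m.group("ip")
        mac, hostname = leases.get(ip, ("no-lease", ip))
        report[(vlan_for(ip), mac, hostname)][m.group("name")] += 1
    return report


def domains_on_vlan(report, vlan):
    """Every domain queried from one VLAN: the 'which IoT device went where' view."""
    return {d for (v, _mac, _host), counts in report.items() if v == vlan for d in counts}


def unexpected_sources(report):
    """Devices that queried DNS from outside any planned VLAN, worth investigating."""
    return sorted(key for key in report if key[0] == "unknown")


if __name__ == "__main__":
    rep = build_report(LOG, parse_leases(LEASES))
    for (vlan, mac, host), counts in sorted(rep.items()):
        for domain, n in sorted(counts.items()):
            print(f"{vlan:9} {mac:18} {host:14} {domain:22} x{n}")
    print("IoT domains:", sorted(domains_on_vlan(rep, "iot")))
    print("Unexpected sources:", unexpected_sources(rep))
```

On a real router, feed it the contents of /tmp/dhcp.leases and the dnsmasq lines from the system log instead of the constructed strings.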
 
If you want enterprise features, buy an enterprise router.

WiFi 6 might be a challenge currently, but you could check out DD-WRT or OpenWrt and see if either of those projects meets your needs, then buy a supported router and flash it with the custom firmware.
 
1) Why? It'll be difficult to get right now.

2) I don't know why you want your router to also be your WiFi infra. Separate the areas of concerns.
Any good WiFi AP worth its salt will allow you to map SSID to a VLAN. No need to map it to a port. I'm not even sure I've seen APs that map to ports as that would be management hell.
Get the right tool for the right job.

3) Ok these are super basic and everything since 2001 has had them. Not exactly "enterprise"

4) You sound like you're heavily conflating what mesh is with something else here

5) With a proper VPN, any management (ssh or if you need dummy GUI, those too), is possible from basically any device. If you want to be extra special and expose your infrastructure to the internet, well, that's about as anti-enterprise as you can get.
 
So this is a tough set of criteria, and if anything exists in either consumer or enterprise for under $500, I'd be shocked. It's just a really big mix of features that are usually addressed by different products which can be done by the following:

1. Get a separate enterprise wifi 6 access point that can do multiple ssids or get multiple cheaper possibly non-enterprise ones that each handle a single ssid

2. Most smb and all enterprise routers have vlan support, so check these out. Cost will be minimal in the used market. You'll need to check the manuals to make sure the vlan implementation will work how you need it to (by port/by tag).

3. Standard everywhere so easy-peasy requirement. :)

4. This again would be an external add-on where you'll need to find such a mesh. You won't need this at all though if you get the enterprise APs as they implement such a thing, but much better than consumer level stuff.

5. This will depend on the router you get. A lot of enterprise ones will have reporting beyond anything you want, depending on which one it is.

One of the few setups that I think might meet all your criteria is a ubiquiti setup. Mind you it won't be cheap, but it should be cheaper than a full blown enterprise implementation of the same thing.
 
Ya, finding SSID per VLAN usually only exists in enterprise or very expensive home "mesh" systems.

Mesh is not really a feature of any AP. You can take 5 different APs, just configure them all with the same SSIDs with the same passphrase and tune the power level so they don't cross too badly and tada, you've got a "mesh" network. Systems that claim they are mesh really just allow you to configure them all from 1 main GUI.
 
Ya, finding SSID per VLAN usually only exists in enterprise or very expensive home "mesh" systems.
That's not true at all. TP-Link EAPs almost universally support this. The ones I use (EAP225 V3s) have it and only cost $60 each. The new EAP620 (WiFi 6 ones) also have it at $130 ea or $90 ea (depending on mounting option).
 
That's not true at all. TP-Link EAPs almost universally support this. The ones I use (EAP225 V3s) have it and only cost $60 each. The new EAP620 (WiFi 6 ones) also have it at $130 ea or $90 ea (depending on mounting option).
To be fair, these are essentially business/enterprise designs versus consumer though.
 
Ya, finding SSID per VLAN usually only exists in enterprise or very expensive home "mesh" systems.

Mesh is not really a feature of any AP. You can take 5 different APs, just configure them all with the same SSIDs with the same passphrase and tune the power level so they don't cross too badly and tada, you've got a "mesh" network. Systems that claim they are mesh really just allow you to configure them all from 1 main GUI.
Having a controller for APs or one of those home mesh systems does/can come with a few perks over standalone access points beyond just centralized management. The big one for home use is probably fast roaming. It lets clients switch between APs more quickly and allows the network to tell the client to switch APs. It made a big difference for me. Clients used to get stuck on the wrong access point for a while if I moved across the house, resulting in low data rates. I still get a stable connection at the wrong end of the house and apparently it's not slow enough to get clients to switch APs in a timely manner. With fast roaming enabled they switch fairly quickly. I don't know about the consumer mesh stuff but the EAPs can also do load balancing by telling clients to move to a different AP or even kick them off to force them to switch.

I'm not sure if TP-Link is just confused or what, but my EAP610s have an "Omada mesh" feature. It has nothing to do with central control or APs working together. "Omada mesh" is just the ability to use a wireless backhaul instead of an ethernet cable. I disabled "mesh" on my setup since all my APs are wired and they still do all the "mesh" inter-unit coordination stuff.

You just need the small business stuff to get SSID->VLAN. On that note I'd label TP-Link Omada (aka EAP access points, etc.) as small/medium business. The Omada routers only have gigabit ports, switches top out at 10gig and the TP-Link Omada stuff is all pretty cheap. My EAP610s were $100 each. Faster EAP660s are $180. They'll sell you a wired router for $60, controller is $100 if you want to run one but don't want to have to leave a machine running for the free software one, etc.
 
Thanks for the responses everyone. Some good thoughts and, as expected, some useless accusations and banter. All part of the Internet society.

I ended up ordering a TP-Link AX6000 router and two TP-Link TL-WA1201 which support 4 SSIDs to VLAN mapping.
 
Since you offered a well thought out and helpful response, I'm going to clarify some points using your information.

1) I think the AX6000 will meet most of the requirements for the router/FW portion of my asks. If not, I'll likely end up going with some software defined firewall on a Guest in my VMware farm at home. I was really looking for something to remove some of the complexity of my home infrastructure.

2) I think the TL-WA1201 is going to work for access points. TP-Link seems to have an interesting feature-to-cost product line.

3) Yeah, I thought so too, but sometimes those "standard" features get lost in the specs and I did wind up with some candidates that didn't have that functionality or it was far too basic for my needs.

4) Mesh would be nice (faster more reliable switchover), but in the end, I'll see how autonomous access points work in my environment. TP-Link does seem to have some form of meshing with OneMesh.

5) We'll see what TP-Link offers in hardware feedback via reporting. More to come on that.

It is interesting you suggested Ubiquiti. I've been using Ubiquiti video surveillance equipment for over 10 years. They've always had a lot of quirks, but generally worked well. The advantage they always had is a company forum that the developers hang out on. Suggestions would often go from forum post to firmware in due time. If it made sense, it was developed and implemented. I liked that their on-prem NVR product ran well in my VMware farm and didn't require Internet access... as it shouldn't. I refuse to give any entity access to my video feeds, especially companies like Facebook or Google. My departure from their products came after an announcement that all future video products would require Internet access. I am now shopping for a new home surveillance product that doesn't require Internet access.
 

If cost isn't a real roadblock I would instead look at something like a Protectli 4-port router running OPNsense versus the TP-LINK. It'll handle all features you desire in terms of a firewall, DMZ, VLAN, etc. Plus there's all the plugins for OPNsense... Wireguard for VPN. Adguard if you want DNS filtering (or just run a Pi-hole which is my personal choice) and so much more.

I chose this route over a year ago now and haven't regretted it one bit. These are routers and will inevitably have security holes that need to be patched. What happens 24 months from now? Does TP-LINK abandon that AX6000? Who knows. So I'd remove that concern as it's not an issue with OPNsense.

Also by it being a 4-port router you can split out your network on totally separate networks that have individual NICs. Far more flexible than any consumer type router. Makes things like IOT device isolation even stronger.

For the WiFi I'd build out the MESH with Ubiquiti mesh ACs.
 
Thank you for the additional information. I didn't get a post notification for some reason so only saw it today when looking for another thread. :oops:

As far as an NVR, almost any regular plain-Jane NVR will work and you can simply limit any device's ability to 'phone home' with static routes, as well as not leaving any ports open from the outside and using VPN access to get inside your network (much safer).
 
Unifi dream machine for all in one or UDM pro+switch+aps

I know you already ordered, but I would recommend the UDM pro for any future readers. I've been absolutely thrilled with my UDMP Pro, U6-Pro, U6-Lite, and Mini Flex. Setup is dead simple and the mobile and web apps to manage the console are beautiful.
 
As soon as you say "enterprise" you need to be ready to use separate devices. I use pfSense for routing, managed switches for VLANs and PoE, and UniFi APs for wireless. Has been pretty stinkin' rock solid.
 
You should be separating the WiFi from the router and using APs. The router/firewall should be concerned with the routing, firewalling, QoS, and NATing. With respect to QoS, if you have a relatively low speed and asymmetric connection then a router that can do FQ-CoDel would be important. The UDM Pro is supposedly very good at this. If you have a high speed symmetric connection then I wouldn't be too concerned about QoS. A cheap firewall that can do the rest would be a FortiGate 60D, which you can find used on eBay for $50 and which can do 1 Gbps throughput. These were designed as enterprise security appliances but make a great home firewall without any licensing. Even an old EdgeRouter Lite can handle 1 Gbps as long as HW acceleration can be used.
 
My home network checks your boxes, minus the WiFi 6 part (though that is an easy upgrade) and is right in line with above posts. Untangle Home for router/gateway, Netgear GS324 managed switch as central switch, TP-Link Omada APs. Personally ditched Ubiquiti for Untangle and couldn't be happier, gateway has 300+ days uptime and counting. I use Untangle's z4 appliance for space saving but you could run it on an old SFF Dell with dual NICs and be just fine.
 
As soon as you say "enterprise" you need to be ready to use separate devices. I use pfSense for routing, managed switches for VLANs and PoE, and UniFi APs for wireless. Has been pretty stinkin' rock solid.
MikroTik actually makes routers that'll do all the stuff the OP wanted and have WiFi. The catch is I wouldn't recommend any of their WiFi stuff. They're just plain behind on WiFi. No WiFi 6, and I hear they're a hassle to set up. Plus you still end up with a better setup using separate routers, switches and APs and it really doesn't cost much more.

My home network checks your boxes, minus the WiFi 6 part (though that is an easy upgrade) and is right in line with above posts. Untangle Home for router/gateway, Netgear GS324 managed switch as central switch, TP-Link Omada APs. Personally ditched Ubiquiti for Untangle and couldn't be happier, gateway has 300+ days uptime and counting. I use Untangle's z4 appliance for space saving but you could run it on an old SFF Dell with dual NICs and be just fine.
Super easy given that if you deleted the first sentence you could have a WiFi 6 setup. You may not have WiFi 6 TP-Link Omada APs, but we wouldn't know that if you hadn't said so. I got a couple WiFi 6 TP-Link EAP610s for $100 each last month.

It's also worth noting that the TP-Link Omada APs can do mesh, but not as well as those mesh kits with dedicated backhaul radios. Wired backhaul is still preferred of course, and you'll need a controller for fast roaming if you use the Omada stuff. There's a free software controller you can run if you have an always on Windows or Linux machine. It's written in Java so it'll probably run on other stuff. I'm running it on an unsupported Linux distribution. It's easy to set up but the instructions for Linux are complete shit so it takes a little messing around installing stuff to get it going. I haven't tried the Windows version. Hardware controller is $100 if you don't have a machine you leave on all the time to run it on. I have an i3-10100 rig serving as a file server & general purpose Linux box so I just run it on that.
 
Ubiquiti was awesome a few years back but their code seemed to go a bit flaky at certain points during the last 2-3 years, but it seems to be solid again as the developers went back to fixing their shit as opposed to just adding features as if it were a land grab.

I run a UDM Pro, the 10G aggregate switch, and the 2.5 GbE PoE switch along with a pair of U6-Pro APs and some mini flex switches which all have been solid for me for the past year.

I did have issues with the G4 Doorbell but it turns out my chimebox transformer wasn't supplying enough amps to power both reliably. Upgrading the transformer fixed that issue.
 

Not to hijack the thread, seems the OP has ordered his stuff already but wanted to ask about the UDM Pro. My current network I have been feeling like I haven't been getting its full potential. I def do not know anything about networking just because I never put myself in the middle or had the equipment or knowledge on where to start, but with some recent issues with online gaming and some other members suggesting that it might be my internet it got me looking into possibly upgrading my equipment and finally learning what I can do with the network.

Is there anything I should know before ordering the UDM Pro? Should I look at getting anything along side it (Switch, Modem, AP, etc)?

Devices in the house:

Wifi Connections -
3 Ring Cams
3 Ring Motion Lights
1 Ring Door Bell

1 Ring Chime Pro w/ 2 regular chimes
3 Cell Phones
2 iPads

2 Laptops
1 PC

Cat Connections -
1 Apple TV
2 PCs
1 TV
1 DVR Camera System

Connections in Green are always connected. The others only when someone is on them.

I am not sure if this is possible but I would love to designate a network or subnet (is that the correct term) for some of the devices so they only get a certain amount of usage. I feel like the devices are bogging down the internet. Would love for the gaming PC to get priority connection over everything else... Please educate my noobness.


My current setup:

Spectrum Internet 200Mbps
Netgear CM600 Modem
Netgear Nighthawk x6 Router

I am willing to get a whole new setup and invest where needed. I would say my budget is <$1000


Note: Mods if you feel I should make my own thread please let me know and I will do so, just with the 2 members commenting about the UDM Pro I felt like this might be the best place.
 
Do you have the ability to run cables for dedicated access points and do you have rack mount space? How much effort are you willing to put in to tinker or troubleshoot/learn networking fundamentals?
 
Do you have the ability to run cables for dedicated access points and do you have rack mount space? How much effort are you willing to put in to tinker or troubleshoot/learn networking fundamentals?
I have cables run to the majority of the house already with the ability to run more if needed.

I have a closet near my current hardware I can use to put a small rack in.

I have as much effort as my ADHD will give me lol
 
Look at UniFi. Get their new UDM Pro, standard 24 port PoE switch and some standard WiFi 6 APs.
 
I picked up 2 of them. Have 2700 sq ft, 2 story, so may add a 3rd if needed.

I have nearly identical sq ft and I too picked up the USW 24 PoE switch. I have the U6 Pro on the second floor mounted to the ceiling in the middle of the hallway and a U6 Lite in the basement just sitting on an I-beam pointing up. The inside of my house has complete WiFi coverage, however outside and garage are borderline non-existent, so I plan on running another AP when they are back in stock (waiting for the U6 In-Wall to be released).
 
Just to add my 2 cents. There is consumer hardware with some enterprise features, like WPA2-Enterprise and RADIUS support. And then there is enterprise hardware (with enterprise features of course).
 
Just to add my 2 cents. There is consumer hardware with some enterprise features, like WPA2-Enterprise and RADIUS support. And then there is enterprise hardware (with enterprise features of course).
Hence prosumer gear, which is what UniFi goes after.
 
And my 2 cents on Ubiquiti is that while their stuff seems to fit perfectly in the prosumer/SMB/small enterprise space, the way they handled their data breach a while back is simply unacceptable. There are many alternatives presented in this thread, and while it may be easy, so is anything that compromises security. Some food for thought.
 