Rebuilding wireless network at home - two networks?

iroc409 ([H]ard|Gawd, joined Jun 17, 2006, 1,385 messages)
I've always been pretty paranoid about wireless at home--possibly undeservedly but I've seen what people do with wireless (not WPA2, of course). I didn't really use wireless until I built a segregated network for it. I am looking at expanding capability at home a bit, and looking at options for rebuilding the network. I also don't really allow untrusted/promiscuous devices on the internal network.

My current setup is an Untangle box on the perimeter with a wireless interface running a WRT45G (v5?) on a separate IP range with firewall rules blocking it from my internal network. I also like having the network separate in case I ever need to troubleshoot a suspect machine; I know it's not going to affect any of my trusted devices. This doesn't happen very often. Currently the only devices that use wireless are our DVD player, two smart phones, and a couple of laptops. One of the laptops is used for work travel and is used on a non-trusted network, so I don't let it on the internal network. I have a FreeBSD/ZFS file server on the internal network that houses our client backups and all our files.

I'm looking at adding capacity to possibly a HTPC on wireless, and a couple machines to use in garage/basement that would have server access for media (playing music and stuff). I'd like to hardwire the HTPC, but currently it is not able to be on wire.

So, the two options I am looking at are either to upgrade my current AP and allow limited access through the firewall to my internal network and let everyone play, or to add a second AP that only trusted devices would be allowed on, and still have a segregated network for untrusted devices. The separate AP sounds like a more secure plan, but it seems like a major hassle to have two wireless networks, and the APs would have to be in relative proximity to each other, so I don't know if I'd have interference issues. I would probably also decide to break down and run a firewall on my server, which I don't currently as it's relatively robust out of the box and in a fairly sterile environment.

So, which is a better plan?
 
Can you use MoCA for the HTPC? ANYTHING is better than wireless. The main problem with wireless is that it's too inconsistent. Many times streaming over wireless fails because of inconsistent transfer rates, even though the average transfer rates may seem fine.

Haven't heard of it before, but maybe. You're talking about data over existing coax? I'll have to do some reading.

Powerline might be an option too, but they will be on separate circuits. Still won't resolve the other machine(s) I'd like to add in the garage and basement, but they won't have the same data requirements (other than access).

I plan on refinishing the basement. We're going to add a bedroom, and tear out all the drywall as whoever originally did it did not do a very good job. When we tear out the old stuff, I'll run wire to the living room and it will solve that problem, but the basement is at least a year off.
 
For wireless, I would suggest looking into the Ubiquiti UniFi AP. It does require a server app to run to control it, but it will allow you to create a pair (or more) of SSIDs that tie to different networks. I have a guest network that it doesn't let touch my internal network (with a splash-screen password required for authentication) as well as a trusted network that's encrypted with WPA2. Both SSIDs on the same AP seem to work well, and if coverage is an issue, you can add multiple APs throughout the house and the centralized server software will manage both. The AP itself is where the network restriction happens, so you won't need to run a separate firewall.

MoCA is a great option, but most kit is discontinued at this point. I am using it for my home network backbone and have 4 nodes around the house. Sure, it's limited to 100 Mbit at each node, but that's plenty for data traffic between segments.
 
I've been wanting to set up something similar too. I was already interested in the UniFi access points but was thinking I'd have to get two and put them on separate VLANs. If I can achieve the same with just one that's awesome.

That's the whole point of VLANs, to only need one device and virtually segment networks. You need a switch that supports VLANs though.

I was assuming the access points wouldn't support VLANs so I'd need separate devices and set the VLAN for their ports on the switch. I'll read up some more on UniFi though to see how I could do it with one.

Here's a snip from my guest portal configuration page. The guest policies apply uniformly to all guest SSIDs from what I can tell, but while this isn't a straight VLAN, it essentially lets you either disallow access to other IP ranges or explicitly allow (which I assume is a Deny All on the others) a single range (or IP).

guest.png
 
UniFi definitely supports VLANs. The APs support multiple SSIDs, and for each SSID you can define a VLAN ID. So long as your switch and firewall properly support VLANs, you'll have no issue. I have my guest network set up this way to separate it.
 
yep.

I do that at a customer's place for segregated wireless: 3 different SSIDs, 3 different VLANs.
 
I had looked into UniFi previously but discounted it--not sure why. Maybe the controller software? With a brief Googling, it looks like UniFi's controller should run on FreeBSD--perhaps with a little work. I have a pretty primo spot (once we get the basement refinished) for an AP that will probably cover the main and upper level of the house with a single AP, but I'm not sure how well it would serve the garage & basement. UniFi is a great idea though, I might have to do that.

My HP network switch does not support VLANs, but maybe I can do that through Untangle--I've never messed with it. That would work pretty well though if I could do that. I'd probably rather not have the expense of a new switch for the time being.
 
UniFi software only has to run if you want a guest portal, or to make changes to your AP. Otherwise it only needs to run when you need to make a change.
 
It looks like the latest version of Untangle does finally support VLANs, so hooray Untangle! But it looks like I'll have to pick up a managed switch to set it up. I'm thinking maybe the HP 1810. I've been pretty happy with my current HP switch, I think a 1410 unmanaged GbE. If I'm getting a managed switch, I just need to make sure it can do VLANs, and I'd like to try link aggregation for my file server.

Also, does anyone have experience with EnGenius stuff? Newegg is blowing out one of their N APs for $30, but it's only 150 Mbps. The 300 Mbps one is about $110, and is probably more appropriate. I've looked at them before, and they do support multiple SSIDs/VLANs and client isolation, and I don't think you have to run any server software for multiple SSIDs unless you're actively making changes.
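The segmentation the thread converges on (one multi-SSID AP tagging a trusted and a guest VLAN, a VLAN-capable switch, and a firewall that blocks the guest range from the internal range while explicitly allowing a single host, as in the guest-portal screenshot discussion) can be expressed as a small stateful ruleset. The following pf.conf is an added example written for this thread, not the poster's or Untangle's configuration, for a FreeBSD router that terminates both VLANs. Interface names (em0, em1.10, em1.20), VLAN IDs, address ranges, the media server address and its ports are all assumptions chosen for illustration.

```pf
# pf.conf -- added example for a FreeBSD router fronting two wireless VLANs.
# Assumed layout: em0 is the uplink; em1 is a trunk to the VLAN switch, with
# em1.10 = VLAN 10 (trusted wired + trusted SSID) and em1.20 = VLAN 20
# (guest SSID / untrusted devices). Addresses and ports are made up.

ext_if    = "em0"
trust_if  = "em1.10"
guest_if  = "em1.20"

trust_net = "192.168.10.0/24"
guest_net = "192.168.20.0/24"
media_srv = "192.168.10.5"        # hypothetical address of the file/media server
media_ports = "{ 80, 8096 }"      # hypothetical streaming ports exposed to guests

set skip on lo0
scrub in all

# Drop packets arriving on the guest VLAN that claim a trusted source address.
antispoof quick for { $guest_if, $trust_if }

# Both VLANs share the uplink address for internet access.
nat on $ext_if from { $trust_net, $guest_net } to any -> ($ext_if)

# Default deny, logged, so any attempt to cross segments shows up in pflog.
block log all

# Trusted VLAN: unrestricted, including reaching the guest VLAN for troubleshooting.
pass in  quick on $trust_if from $trust_net to any
pass out quick on $ext_if   from $trust_net to any
pass out quick on $guest_if from $trust_net to $guest_net

# Guest VLAN, in order of evaluation (quick = first match wins):
#  1. DHCP and DNS from the router itself; DHCP discovers come from 0.0.0.0.
pass in quick on $guest_if inet proto udp from any        to any        port 67
pass in quick on $guest_if inet proto udp from $guest_net to ($guest_if) port 53
#  2. The one explicitly allowed internal host, on its streaming ports only.
pass in  quick on $guest_if inet proto tcp from $guest_net to $media_srv port $media_ports
pass out quick on $trust_if inet proto tcp from $guest_net to $media_srv port $media_ports
#  3. Everything else aimed at the trusted range is dropped and logged.
block in quick log on $guest_if from $guest_net to $trust_net
#  4. Whatever remains is internet-bound and may go out the uplink.
pass in  quick on $guest_if from $guest_net to any
pass out quick on $ext_if   from $guest_net to any
```

The guest rules rely on rule 3 sitting above rule 4: pf evaluates top to bottom and `quick` stops at the first match, so the broad "to any" pass never applies to trusted addresses. Return traffic for the media server and internet flows is admitted by the state entries the `pass in` rules create, which is why no reverse rules are needed. On FreeBSD the tagged interfaces come from `vlans_em1="10 20"` in rc.conf, and the switch port the router plugs into must carry both VLANs tagged while the AP's port carries VLAN 20 tagged for the guest SSID. Load with `pfctl -nf /etc/pf.conf` first to syntax-check, and watch `tcpdump -n -e -ttt -i pflog0` while a guest client tries to reach a trusted address to confirm the logged block fires.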
 