TLDR: Here's my gear; how should I set it up for best VPN throughput?
- TPLink C2600 with OpenWRT 19.07
- D-Link 868L with DD-WRT something-something
- Dell PowerConnect 6248 + 4x SFP+ [uses 80W at idle]
- Mikrotik CRS-326 (2x SFP+) - RouterOS
- Watchguard XTM330
- ISP Modem - connection 500/40
Long version:
I'm trying to architect my home network in the best way, with max speed through a subscription VPN.
|| The gear:
- TPLink C2600 with OpenWRT 19.07
- D-Link 868L with DD-WRT
- Dell PowerConnect 6248 + 4x SFP+ [uses 80W at idle]
- Mikrotik CRS-326 (2x SFP+) - RouterOS
- Watchguard XTM330
- ISP Modem - connection 500/40
- Sonos One with Alexa (reason for mentioning later)
- Video Editing rig & QNAP using 10Gbe SFP+
- Windows, Linux, Android & IoT clients
- Enterprise networking knowledge but 0 coding/compiling skills.
|| The goals:
- Run my VPN subscription over a single device at max speed to protect "all" internal objects
- Separate IoT net from user devices if possible
- Ideally, retire the PC6248 as it uses a ton of power
|| The issues:
- I have a bunch (like 20+) of smart bulbs that are managed via cloud app but also via the local Alexa device on the Sonos ("Alexa-enabled").
- The Sonos app doesn't like being routed, so the Wi-Fi client used to control Sonos needs to be on the same subnet (unless there's a workaround?)
- VPN throughput
- ISP modem won't let me configure specific internal IP ranges.
|| Plan so far:
- Use C2600 w/ OpenWRT as internal router/FW and VPN endpoint
- Routing table to pass certain source addresses to ISP router instead of over VPN
- Trunk multiple VLANs [pref. using redundant link LAG] from C2600 to Mikrotik; passing specific SSIDs over specific VLANs
- Separate IoT VLAN from 'user' VLAN
- Manually switch control device (cellphone) to IoT VLAN when needed to direct Sonos (not common but Alexa doesn't recognise certain station names).
- Maintain the ISP modem in full mode in order to publish guest Wi-Fi and 'failsafe' Wi-Fi for times I mess up the VPN/router config internally :))
- Keep a third non-VPN-passing internal VLAN for switching wired devices for certain uses when necessary (with unique SSID and managed via switchport config); (hence intended routing table config).
|| Questions:
- Is OpenWRT capable of trunked VLANs over LAG (2-interface is sufficient) at Gbps without significant difficulty and/or in-depth Linux acquisition for me?
- How to assign specific SSID to specific VLAN in OpenWRT?
- What maximum speed can I expect from the C2600 using a 256-bit AES VPN?
- Anyone see a better architecture here? I realise by far the best option is to use the Watchguard as the front end, but it is not silent... and I definitely want to avoid using the PC6248 as it is -very- not silent, plus the power draw mentioned above.
- Am I being excessively hopeful asking this much of the C2600?
- What to do with the DD-WRT 868L? :))
Sorry for the long detail but I like to be thorough. :)) And thanks in advance for your thoughts.
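As an added illustration (not from the post or any reply to it) of two pieces of the plan above, SSID-to-VLAN mapping and sending one internal subnet past the VPN, here is how OpenWrt 19.07's UCI config expresses them. The VLAN id, `switch0` port numbers, `eth1`, subnets, SSID and the modem's address are assumptions, and the LAG part is not shown.

```uci
# /etc/config/network (constructed example, not the poster's config: VLAN id,
# switch port numbers, subnets and the modem's address are assumptions)
# VLAN 30 tagged on the CPU port (0t) and on the trunk port to the MikroTik (4t).
config switch_vlan
	option device 'switch0'
	option vlan '30'
	option ports '0t 4t'

config interface 'bypass'
	option ifname 'eth1.30'
	option proto 'static'
	option ipaddr '192.168.30.1'
	option netmask '255.255.255.0'

# Policy routing: packets from the bypass subnet consult table 100, whose only
# route is a default via the ISP modem, so they never enter the VPN tunnel.
config rule
	option src '192.168.30.0/24'
	option lookup '100'
	option priority '1000'

config route
	option interface 'wan'
	option target '0.0.0.0'
	option netmask '0.0.0.0'
	option gateway '192.168.1.1'
	option table '100'

# /etc/config/wireless: 'network' ties this SSID to the interface above,
# and therefore to VLAN 30 on the trunk.
config wifi-iface 'ap_bypass'
	option device 'radio0'
	option mode 'ap'
	option ssid 'home-novpn'
	option network 'bypass'
	option encryption 'psk2'
	option key 'CHANGEME'

# /etc/config/firewall: own zone that may only forward to wan, so bypass
# clients cannot reach lan hosts or the VPN tunnel without an explicit rule.
config zone
	option name 'bypass'
	option network 'bypass'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config forwarding
	option src 'bypass'
	option dest 'wan'
```

A separate IoT VLAN follows the same switch_vlan/interface/wifi-iface/zone pattern with its own id and subnet; before applying, check the C2600's stock `/etc/config/network` for which interface faces the switch and which port number is the CPU port, since those differ per board.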