In a week, a friend and I are going to build a small gaming cyber-cafe.
Initially for 10 PCs and a PS5, but with plans to expand soon to 15 PCs.
We are going to have a router (Intel N5105, 4 ports) running OpenWrt with mwan3 for two ISPs, and it will also run SQM cake with diffserv4 and per-host isolation by IP; we are planning to buy two Wi-Fi APs.
I have some doubts, and would greatly appreciate some advice to achieve some things:
1. We need one network for the PCs, IoT devices, lancache and Home Assistant to talk to each other; that's the "main" network.
2. Another, separate network for the smartphones of our clients, but I need either the main router or the lancache server to see their MAC addresses so I can run some automations on Home Assistant.
3. I need SQM & cake to treat all the smartphones as if they were only one IP (so there will be more bandwidth for the gaming PCs), or at least deprioritize network 2.
I made a small picture that I hope helps to illustrate.
For number 2: we can use the remaining LAN port on the router in a different firewall zone.
But I don't know how to make SQM & cake do number 3.
The only solution I could think of was to use one Wi-Fi AP with OpenWrt for the clients as a router, so the double NAT would make the main router see only one IP, then try to use MQTT or some other package to get the MAC address info to the main router or the lancache itself? I am a little confused about how to solve this.
The priority is the Gaming PCs, PS5 and good Wi-Fi for the IoT devices, the Wi-Fi for the smartphones does not have to be perfect, just good enough.
I know it is not related to OpenWrt, but if you have any tips about how to improve the topology, we are glad to hear them.
Do not use an unmanaged switch... you'll be best off using a managed switch because then you can use VLANs. Currently, your IoT devices and the PCs and PS5s would all have access to each other and to the receptionist PC. You will want to have more granular control over the networks and access for each of the different classes of devices.
With a managed switch, you can then set up VLAN-aware APs (running OpenWrt or other firmware that can work with VLANs) that broadcast multiple SSIDs. Depending on the size and floorplan of your space, user/device count, and bandwidth requirements of those devices (between each other and/or to the other networks or the internet), that will drive the decisions for the AP models you select as well as the number required.
All that said, you also need to design a network that will be robust and secure -- so you should specifically plan out all the required subnets and the security mechanisms you'll employ in terms of permissions or prohibitions.
I will follow your advice to use a managed switch; sadly we already have an unmanaged switch, maybe we will find another purpose for it.
Well, this would be "fun" to do... I dabbled very little with VLANs before, only used a Raspberry Pi 4 with a managed switch as a router, so I was trying to avoid it, especially because there is also Proxmox involved...
Switch:
Ports for PCs and PS5 => untagged VLAN 1
Ports for Wi-Fi APs => tagged VLAN 2 and 3 (one SSID for IoT on VLAN 2, another for smartphones on VLAN 3)
Port for cameras DVR => untagged on VLAN 2
Port for "Receptionist PC" (VM Windows, VM Home Assistant, VM LAN cache) => tagged VLAN 1, 2, 3
This "receptionist PC" runs Proxmox; inside there are 3 VMs: Windows, Home Assistant and LAN cache.
So I would have to go inside Proxmox and make them VLAN aware:
Windows tagged VLAN 1, 2 (the receptionist must have access to the PCs to issue commands, and to Home Assistant, IoT (don't like it too much, but sometimes we need to ping this stuff) and cameras)
VM Home Assistant tagged VLAN 1, 2; I need Home Assistant to talk to the computers sometimes for automations.
VM LAN cache untagged VLAN 1
Am I on the right path, does this make sense?
My brain is starting to melt.
I also feel I need some more rules.
About the SQM & cake configuration, do you have any tips? How can I deprioritize the smartphones?
I want to go forward with this setup, but I'm also afraid as I'm not the guy that's always going to be there; I will document everything, but I also need to make things as simple as possible for other people as well.
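One way to build the smartphone VLAN as its own zone and answer the deprioritization question with OpenWrt's own config files, as an added example that is not from this thread: the port name (eth2), the subnet, the VLAN ids and the zone name are assumptions taken from the plan above, and it assumes the stock firewall (fw4 or fw3) and sqm-scripts with cake diffserv4 on the WAN.

```uci
# /etc/config/network (fragment). Constructed example: eth2 is the router
# port to the managed switch; VLAN 1 (lan) is untagged on it, VLAN 3 tagged.
# The IoT VLAN 2 is added the same way as 'guest', with device 'eth2.2'.
config interface 'guest'
        option device 'eth2.3'
        option proto 'static'
        option ipaddr '192.168.3.1'
        option netmask '255.255.255.0'

# /etc/config/dhcp (fragment): the router hands out the phones' leases, so
# their MAC addresses show up in /tmp/dhcp.leases on the router itself.
config dhcp 'guest'
        option interface 'guest'
        option start '100'
        option limit '150'

# /etc/config/firewall (fragment). 'guest' is its own zone: phones can only
# reach the internet, never the lan (PCs) or iot zones.
config zone
        option name 'guest'
        list network 'guest'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'

config forwarding
        option src 'guest'
        option dest 'wan'

config rule                 # input is REJECT, so let in only DHCP and DNS
        option name 'Allow-DHCP-DNS-guest'
        option src 'guest'
        option proto 'tcp udp'
        option dest_port '53 67'
        option target 'ACCEPT'

# cake diffserv4 sorts packets into tins by DSCP; CS1 lands in the Bulk
# tin, which yields to every other tin but still keeps a small guaranteed
# share (1/16 of the shaped rate). Marking all guest traffic CS1 is how the
# phones are deprioritized without double NAT. This only covers upload:
# SQM's ingress (download) shaper runs before the firewall sees a packet,
# so downloads need the DSCP-restore (ctinfo) variant of the SQM scripts.
config rule
        option name 'Guest-to-Bulk-tin'
        option src 'guest'
        option dest 'wan'
        option proto 'all'
        option target 'DSCP'
        option set_dscp 'CS1'
```

The lan and iot zones follow the same pattern, with a single forwarding section from lan to iot so the receptionist and Home Assistant can reach the IoT devices while the IoT side cannot start connections toward the PCs.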
Run your router on bare metal. Don't virtualize it unless you have very good reasons to do so.
Remember, you're running a business -- you need to have a rock solid, secure gateway device. Your business, more than most cafes, will not be able to bring in revenue if your connection isn't stable.
The LAN cache, Home Assistant and Windows desktop of the receptionist are virtualized, but I'm thinking about moving the desktop to a different machine.
That leaves only Home Assistant and the LAN cache virtualized, and the cyber-cafe can work without both.
Put your Windows machine on just one VLAN. You will use routing and firewall rules to allow it to reach the hosts on other networks.
Same here.
If this is the case, you may want to consider hiring an IT consultant to do this. Please don't take this as an insult or in any way doubting your ability to learn this stuff, but considering that your business is truly reliant on this being done right from the get-go, it is well worth the investment to pay for these services.
On these topics, I am not an expert. But I know it can be done. There are many threads on configuring cake, and there should be documentation available.
Another reason it may be worth hiring an IT professional: you can set up a contract with someone who will be 'on-call' if there are issues.
First of all, thank you very much for all your thoughtful answers!!
Got it, I will search about it.
I will bring this concern to my friend; he is more knowledgeable on networking and IT than me, that's his area, although he has only used MikroTiks. I convinced him to use OpenWrt because I think it's a much better system for the purpose of load balancing and SQM, so he and I are going to have to learn how to do it on OpenWrt.