How can I describe my problem better? (Meta)

This is a meta-post inspired by a few other hardware threads:

It's "meta" in that I'm not asking for hardware recommendations (yet). I'm trying to figure out if I've got my problem defined well enough.
If an OpenWRT veteran can look at the post and say, "Oh yeah, I know what this person needs. Go get XYZ hardware." I'd consider this "done" and would go on to ask what XYZ is.
If that same veteran could reasonably say, "We don't know what your needs are around <\somecapability> and depending on those needs, you'll get a totally different answer." I'll go and figure out what that is.
i.e. I'd like to iterate on this until "it depends.." is no longer a reasonable response :slight_smile:
Conversely, if there's stuff in here that's either irrelevant or self-evident, I'd be inclined to remove it.

<\begin problem>

Requirements:

  • All hardware should be reliable; it should have a rich record of use without major problems (any problem that can't be addressed by a single entry in an FAQ or a single page in official documentation).
  • All end devices can connect to the home network via Ethernet or WiFi, depending on end device capabilities.
  • The home network should minimize marginal latency relative to connecting an end device directly to the modem.
  • The home network should never be the limiting factor in bandwidth.
    • Expect up to 4 normal users plus potential guests.
    • The WAN link may be a limiting factor.
    • The individual network cards on end devices may be limiting factors.
  • A guest should be able to add themselves to the network easily.
  • Users should never be disconnected accidentally.
    • Users may be disconnected if there is a physical disruption (e.g. moving out of range, power loss, disconnected cables)
    • Users and administrators may intentionally disconnect users.
  • An administrator should be able to change the permissions of particular users or devices easily.
  • An administrator should be able to impose parental filters on particular sites; including content and time limitation.
  • An administrator should be able to control bandwidth for particular devices, services or users.
  • An administrator should be able to add SPAM and tracking protection to the whole home network.
  • An administrator should be able to create a firewall that allows filtering, IDS, logging and port forwarding.

Non-requirements:

  • Cost isn't everything. It's a factor but I'm not looking for the cheapest solution on the market.
  • This doesn't all need to fit into the same piece of hardware.

Assets:

  • Wheelbarrow and holocaust cloak
  • 1Gbps WAN (Verizon FIOS)
  • ~2,500 sf over 3 floors (basement, 1st, 2nd)
  • Radio quiet area (I can see the networks of only 3 neighbors and they're all weak signals)
  • Modem is in the basement but there's a CAT 6 cable running to the 1st floor.
  • 1 desktop with 1Gbps card
  • multiple laptops, tablets and phones that support variations of 802.11a/b/g/n/ac
    • future plans for more 1Gbps cards

Constraints:

  • It's possible, but not easy, to add more cabling.

<\end problem>

Get a beefy router which can support the gigabit uplink.
Get some APs (they don't need to support OpenWrt) which support VLANs and multiple SSIDs (e.g. Ubiquiti UniFi)
Expand network to 2nd floor or install the APs on the 1st floor to cover both ground and 2nd.

2 Likes

Agree with @trendy. Ideally your network looks like this:

ISP modem ---> Wired Only Router ---> Small business managed switch 
                                            |----> Access points on each floor
                                            |----> Wired points in offices / etc

If it were me I'd put the router, managed switch, and one AP in the basement, then use the existing Cat 6 to get to the first floor where I'd put another AP on the ceiling. If needed, a third AP on the 2nd floor.

The minimal switch is a TL-sg108e for about $30, but if you consider the option of running more wires or something a 16 or 24 port switch would be good to have. Still, you can upgrade later and the $30 switch is probably good enough.

There are many options for the wired router:

  1. Raspberry Pi 4B plus UE300 USB ethernet is very popular and very successful. It was too expensive for a while but prices are back down.
  2. NanoPi R4S is fully supported and equally as performant as the RPi4 above.
  3. A number of good x86 mini PCs are available; I have a Beelink N95 installed at my sister's house, very useful device and works great.

I personally use the Omada access points (not OpenWrt) but you have lots of options for access points that work with OpenWrt too. It's more a matter of taste.

1 Like

Avoid all of the TL-SG1xxe devices. And likewise, the entry level Netgear managed switches. Both of those have some serious flaws in the firmware implementation. Get the next level up (small business grade) if you go with either of those brands, or look at other brands entirely.

1 Like

Well, yes and no. I mean the sg108e is like $30 and if it's inside your LAN and you don't have any active attacks emanating from inside your house, then it's perfectly reasonable. The step up business class stuff is going to start at 4 or 5 times as much money and isn't going to offer much advantage for a typical home user who has ONE cat 6 line in their house.

The biggest flaw in the 108e is that in order to avoid noobs locking themselves out via VLAN it will listen to untagged packets on any port and allow them to attempt to access the http server. A lot of the older ones had other issues as well, but in current versions that's the main problem I know of.

1 Like

A few other major flaws:

  • There is no option to specify the management VLAN.
  • If the device is set to get an address via DHCP, it may actually end up getting an address on a different network than is expected (because of the first point)
  • For any traffic that is actually moving through the switch itself, the device will respond to all connection requests even if the device is on another VLAN relative to the address that it holds. It is kind-of VLAN-hopping since it is responding locally rather than forwarding those packets to the router (where a firewall might limit/prohibit the connection) (I think this is what you were referencing @dlakelan)

There are other issues with this series, too... I recall that there was a really good writeup, but I haven't found it again... if I do, I'll post it here.

For the 8-port switch, the delta is about 3x... still significant, so yes, I understand and agree that it's not an obviously worthwhile or necessary upgrade for the extra cost (~$27USD for the TL-SG108e, ~$75USD for the TL-SG2008 based on my search just now). But the number of cat6 cables isn't, IMO, the indicator... it's what the user plans to do with it and how they want their security structured. When you run untrusted devices (IoT and guest) through the switch, you don't want the switch to be the thing that could compromise your security, especially if you're going to the effort of using VLANs so you can leverage the router's firewall.

EDIT: I found a writeup -- not sure if this was the one I was thinking about, but it shows just how poorly implemented the security protocols are for this switch (i.e. barely any)

In used condition, 8-24 port devices from the ZyXEL gs1900 series can sometimes be surprisingly cheap.

It's worth looking at some of the recent firmware updates. I believe the V1 of the switch reviewed there is very very old like 2010 era or something. They've put out a bunch of bug fixes and security changes between 2018 and 2021 or so. It's still not a "very secure" system but I think some of the worst stuff of the past is now behind us.

At my dad's house, I installed a TL-SG116E (v1.0) in 2018 or 2019 (current version at the time). It's running the latest firmware available for that version. I can't say if it fixed the super low-level problems since I never did wireshark the configuration methods. But I can say, it's a terrible switch and I regret buying it..

It's possible that the newer revisions have improved somewhat, but they still are best considered a last-resort option. The ZyXel switches do seem to be better at the same/near price point, although I can't say first hand. Also, on the 5-port managed switch side of things, the Unifi Flex Mini is actually pretty cool -- you do have to run the Unifi Network Application, and it does have a few limitations, but it's $30 and does have proper security and management.

Their OEM firmware is quite fine (and updated regularly), I can't compare it to the TP-Link or Ubiquiti models, but it is quite nice compared to the D-Link DGS-1210 series, Allnet ALL-SG8208m/ ALL-SG8316 and HPE switches. In addition they can run OpenWrt as well, easy to install, serial console being relatively easy to access, but a bit limited in terms of flash size (6976 KB max.). With either firmware they're well behaved.

1 Like

For input wrt Home Network hardware advice I would rewrite requirements into something like this:

Starting points

  • Internet connection: 1 Gbps
  • number of Wired devices: ...
  • budget: up to $1000 (?)

Generic requirements

Wireless coverage (to determine amount of Access Points)

Additional Router services (the more you need, the more cpu/memory is needed)

  • Network isolation / Guest Wifi
  • Traffic shaping (=> ie. SQM)
  • Adblock / tracking protection (=> ie. Adblock-fast or Adblock-lean)
  • VPN (=> ie. WireGuard)
  • Intrusion Detection/Prevention System (=> ie. CrowdSec)

ps1: standard features Firewall and Parental Control do not impact the choice of hardware.
ps2: SPAM protection refers to SPAM received per email? If so, this needs to be done by email provider / email client
ps3: do you actually have old wireless devices which require legacy 802.11b?

Hi,

My 2 cents (most points already added by others, but I hope I may add a few more):

1G WAN => requires beefy hardware; the topic you linked about what to do if you have a 500+ Mbps WAN link explains nicely why you need beefy hw.
3 floors => get a wired router; at minimum install one AP per floor (may require more per floor depending on walls and layout), connected via cable to the router (1).
many devices => use a decent business-grade switch, preferably with PoE (2) and VLAN support.
ease of management, control => that's a dream (3)

(1) If you want a reliable backbone connection then cabling is the only choice.

(2) Even a used business-grade HP/Cisco etc. switch is better IMHO than any small home switch (see the problems mentioned here). And PoE is great for your floor APs, as you will need just one cable. But check the PoE support, because there are various flavors.

(3) Based on your writing I assume you want a nice, easy-to-use GUI to configure all the controls you have in mind, and would avoid writing configuration files. In my experience there are many attempts to make a user-friendly but feature-rich solution, but in the end you must invest your time in either case. Probably, from an ecosystem point of view, products from Unifi and other similar prosumer/enterprise products are the better ones. Unifi's AP, gateway and switch products work together out of the box ... till they don't. In short: when it works it works great, you have a pretty and useful interface, but it can break too (check the rants in their forum).

Also, you want adblock, ACLs, content & time limitation etc. There are tools (such as AdGuard Home and PiHole, which do a subset, and other tools for the other bits), but usually if you want control it means you cannot use the default fast path (i.e. software- or hardware-based network acceleration) but must process each network packet, identify it and decide if it can go on or should be stopped, i.e. back to square one: it requires beefy hw.
OpenWrt is great, it supports so many things, but those many things are not under a single control, hence not everything is integrated with each other, not everything has a GUI etc. So again you will need to invest your time and may need to edit config files in order to put all the bits and pieces together.

And to set expectations early on: applying network policy (e.g. content restriction) is not as easy as it may seem. There are many topics here on how to do DNS filtering and parental control, and it always turns out the best way is to educate your kids, then hope they will not learn faster the shortcuts you would never have thought of; and you have to be smarter than "smart" devices (mobile devices, browsers, apps) whose developers decided that they know better what you want and hardwired stuff in their code/hw (e.g. you will soon learn what DNS hijacking and DoH filtering are).

And a decent setup will cost you.

So, in short, as others mentioned too: a mixed setup of an owrt-based router with a decent switch and APs (either owrt-based or not) would probably give you the best overall performance and flexibility. But some kind of enthusiastic attitude will be required. At least I am not aware of one nice GUI-based solution which can satisfy all your requirements out of the box with a 2-click setup.

1 Like

Thank you for all your response.
Several posts are already suggestions for solutions.
I'm sure those will be very helpful once I've defined the problem well so I'll try to finish that first.

I'll write up a new draft of the problem statement but I had some questions about your proposed rewrite. I'll just add them as inline questions.

Starting points
Internet connection: 1 Gbps

Did you pull out the rest of the info because bandwidth is the only relevant factor?

number of Wired devices: ...

What's the best way to describe this given that it's not a static number? I could list the devices that people in my family currently have. I could provide some estimates on the maximum number of concurrent devices over the past few months. I could guess at the maximum we might need in the near to mid-term.
Is it enough to guess that the order of magnitude is around 10 (ie support for just 5 is probably not enough, support for 20 is probably overkill)?

budget: up to $1000 (?)

I don't have a fixed budget. I want to primarily focus on defining the requirements. If I can get the platonic ideal of home networks for $1100 I won't complain but, by the same token, I wouldn't be happy with a $900 home network that is missing key functionality.

Generic requirements

For this section as a whole, I love that you provided objectively measurable factors for all of them.

wide userbase (=> statistics via https://sysupgrade.openwrt.org/stats/d/LM1HE4E7k/attended-sysupgrade-server?orgId=1)

Yes. That seems like a great way to define "wide user base". Do I understand correctly that you're suggesting some (fixed or percentage) threshold of "builds by target" as the metric?

proven reliability (=> choose device that is supported since 22.03 or before and look for user experiences)

"time since supported" is a good metric. If possible it would be nice to have a metric of how well it was supported (eg trend of bug reports, mean time to resolution)

maximum throughput (=> choose device that handles 802.11ax on 2.4GHz and 5Ghz)

Between this and PS3 it seems like the relevant question here would be "What is the range of planned/current wifi devices (eg 802.11c - 802.11ax)?"

future proof upgrades (=> choose device with minimal 16MB flash / 128MB RAM)

"future proof" is a tricky requirement to define. Are there actually any reasonably future scenarios I could describe that would yield a different recommendation? If not maybe "future proof" isn't a good requirement at all and >16MB flash / 128MB RAM should just be the minimum recommended memory?

I notice you pulled out the section on latency. Is that not a relevant question? I could imagine that some effects are just fixed; ie adding a device in the path will always increase latency. I've read cases where design choices or misconfigurations resulted in unnecessarily high latencies. Keeping that in check is relevant to me.

Wireless coverage (to determine amount of Access Points)

number of floors: 3
area/#rooms per floor? concrete/brick walls?
strategic positioning of Access Points possible? (=> https://arstechnica.com/gadgets/2020/02/the-ars-technica-semi-scientific-guide-to-wi-fi-access-point-placement/)
outside coverage needed?

That Arstechnica article reinforces what I knew about signal strength; it's complicated. I don't have a device that measures signal attenuation directly but I have "Wi-Fi Sweetspots". It shows more confusion. The room right next to the AP gets a weaker signal than the next room farther away does. The house is almost 100 years old and I don't really know what's in the walls. At least 2 generations of wiring, water and steam plumbing, some lath and plaster. There's also weird stuff; like a wall with windows facing nothing, just the interior of the wall.
Is the most practical approach to wireless coverage just to try it out and, if it's not enough, commit to adding more wired APs until it is?

Additional Router services (the more you need, the more cpu/memory is needed)
Network isolation / Guest Wifi

Maybe? I'm not sure. My main motivation for having Guest Wifi is that
a) Guests can easily sign up to our network
b) Organization and tracking
I'm less concerned about network isolation for QoS or Security. I should have enough bandwidth that guests can happily stream videos without causing a problem and I'm not worried about house guests using up my Laserjet toner or DoSing my network drives.

Traffic shaping (=> ie. SQM)

Maybe? Is that actually a functional requirement? From reading into it the main point of SQM seems to be to reduce latency. So yes to reduced latency but I'm totally open to considering other ways to reduce latency.
Would you put parental controls in this category? Ideally I'd have time controls (ie off at bedtime) and tiered access control (ie free access to most sites, weekly or daily time limits on things like social media, complete blocks on sites that present a security threat)

Adblock / tracking protection (=> ie. Adblock-fast or Adblock-lean)

Yes. I want aggressive and configurable Ad and tracking protection. I'm comfortable using some combination of Pi-hole, filters and subscriptions to allow/deny lists

VPN (=> ie. WireGuard)

I don't think so. We can install VPNs on end devices as needed (either for work or for privacy). I don't have a need to have the whole house on VPN and I wouldn't want the additional latency.

Intrusion Detection/Prevention System (=> ie. CrowdSec)

Yes. Is it enough to say "yes" to an ID/PS? Or do I need to go into more detail about what I want?
We have a fairly simple setup at home. I haven't set up dynDNS yet (although maybe I should) so we haven't bothered to set up any services with externally available ports.
For IDS I'm mostly interested in comprehensive logging, both internal and external. I don't

ps1: standard features Firewall and Parental Control do not impact the choice of hardware.

Good to know. I'll leave that out of the final version.

ps2: SPAM protection refers to SPAM received per email? If so, this needs to be done by email provider / email client

I was using SPAM in the more general sense of "unwanted connections" (ads, trackers etc)

ps3: do you have actually have old wireless devices which require legacy 802.11b ?

See above.

Thank you for your efforts in helping me. And thank you to all the people who offered specific hardware recommendations. I'll use those as the starting points once the requirements are buttoned up and I'm ready to design the solution.

Some additions/corrections to persecute your journey :slight_smile:

  • Starting points => add following (example)
    Wired devices: up to 10 (1Gbps)
    Wireless devices: up to 20 (802.11n/ac/ax)
    Radio quiet area
  • budget => redefine as "around $1000" ?
  • wide userbase => Builds by target is definitely a good metric here
  • proven reliability => related metrics can be obtained from https://github.com/openwrt/openwrt/labels?q=target
  • future proof upgrades => renaming to "Minimum memory: RAM 128MB/flash 16MB" is clear indeed
  • Wireless coverage => here you have the option to choose for multiple medium-signal Access Points or for single strong-signal Access Points (I would opt for adding medium-signal Access Points on an as-needed basis, since the wireless device signal strength would be the weakest link in this)
    edit: newer chipsets do exhibit better results going through walls, see ie Adding support for Mercusys MR90X - #47 by diizzy
  • latency => I indeed forgot to mention this. Make sure that the Access Point has a chipset that supports Airtime Fairness (i.e. mt76xx)
  • Traffic shaping SQM => this reduces 'latency under load' when implemented

Addendum1: Benchmarks

Addendum2: Further reading (covers a lot of the UniFi framework, which, for ease of use, may be interesting as well to look at as an alternative for OpenWRT)

Addendum3: about Parental Control on the router - I learned that this is a hard battle - examples:

  • kids got to know the wifi password of my neighbors
  • kids devices using a random mac address are uncontrollable
  • kids devices using Google Family Link could bypass screentime
  • kids phones switch to LTE data once the wifi shut off
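The bypass paths named in this post (random MAC addresses in Addendum3) and in the earlier reply about DNS hijacking and DoH filtering can at least be made visible from the router side. As an added example, not code from the thread, from OpenWrt or from any of the tools mentioned: a Python script walks a constructed LAN-egress connection log and reports per device whether it sent plain DNS anywhere other than the local resolver, used DNS-over-TLS (port 853), contacted a public resolver that also offers DoH over 443 (flagged "suspect", since port 443 alone cannot prove DoH), and whether its MAC has the locally-administered bit set, which is what per-network random MACs look like and why MAC-keyed parental rules stop sticking. The log format, the resolver address 192.168.1.1 and the short resolver watchlist are assumptions made for the example.

```python
import ipaddress
from collections import defaultdict

# Assumed address of the local filtering resolver (Pi-hole / router) for this example.
LOCAL_RESOLVER = ipaddress.ip_address("192.168.1.1")

# Illustrative watchlist of public resolvers that also offer DoH on 443 (Cloudflare,
# Google, Quad9). A real deployment would maintain and extend its own list.
PUBLIC_DOH_RESOLVERS = {ipaddress.ip_address(a) for a in ("1.1.1.1", "8.8.8.8", "9.9.9.9")}

# Constructed sample log, one LAN-egress connection per line:
#   timestamp  src_mac  src_ip  dst_ip  dst_port  proto
# This is a made-up shape for the example, not the output of any particular firewall.
SAMPLE_LOG = """\
2024-01-01T20:01:02 a4:5e:60:11:22:33 192.168.1.20 192.168.1.1   53  udp
2024-01-01T20:01:03 a4:5e:60:11:22:33 192.168.1.20 203.0.113.10  443 tcp
2024-01-01T20:02:10 da:7b:91:aa:bb:cc 192.168.1.45 8.8.8.8       53  udp
2024-01-01T20:02:11 da:7b:91:aa:bb:cc 192.168.1.45 1.1.1.1       853 tcp
2024-01-01T20:02:12 da:7b:91:aa:bb:cc 192.168.1.45 1.1.1.1       443 tcp
2024-01-01T20:03:00 3c:22:fb:00:11:22 192.168.1.60 192.168.1.1   53  udp
2024-01-01T20:03:01 3c:22:fb:00:11:22 192.168.1.60 9.9.9.9       443 tcp
"""


def is_randomized_mac(mac: str) -> bool:
    """True when the locally-administered bit (0x02 of the first octet) is set.

    Per-network random MACs generated by phones and laptops set this bit, so a
    rule keyed on that MAC stops matching the next time the address rotates.
    """
    return int(mac.split(":")[0], 16) & 0x02 != 0


def parse_log(text: str) -> list:
    """Split the whitespace-separated sample log into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, mac, src, dst, port, proto = line.split()
        events.append({
            "ts": ts,
            "mac": mac.lower(),
            "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst),
            "port": int(port),
            "proto": proto.lower(),
        })
    return events


def find_dns_bypass(events, local_resolver=LOCAL_RESOLVER, doh_watchlist=PUBLIC_DOH_RESOLVERS) -> dict:
    """Per source MAC, collect indicators that the device is sidestepping the local DNS filter.

    external_dns : plain DNS (53) to anything other than the local resolver
    dot          : DNS-over-TLS (853) to any destination
    doh_suspect  : TCP/443 to a resolver on the watchlist; 443 alone cannot prove DoH
    random_mac   : locally-administered MAC, so MAC-keyed policy will not stick
    Devices with no indicator at all are left out of the result.
    """
    def empty():
        return {"ip": None, "external_dns": set(), "dot": set(), "doh_suspect": set(), "random_mac": False}

    findings = defaultdict(empty)
    for ev in events:
        f = findings[ev["mac"]]
        f["ip"] = str(ev["src"])
        f["random_mac"] = is_randomized_mac(ev["mac"])
        if ev["port"] == 53 and ev["dst"] != local_resolver:
            f["external_dns"].add(str(ev["dst"]))
        elif ev["port"] == 853:
            f["dot"].add(str(ev["dst"]))
        elif ev["port"] == 443 and ev["proto"] == "tcp" and ev["dst"] in doh_watchlist:
            f["doh_suspect"].add(str(ev["dst"]))

    return {mac: f for mac, f in findings.items()
            if f["external_dns"] or f["dot"] or f["doh_suspect"] or f["random_mac"]}


if __name__ == "__main__":
    for mac, f in find_dns_bypass(parse_log(SAMPLE_LOG)).items():
        print(mac, f)
```

Run against the constructed log, the first device (local resolver only, ordinary MAC) produces no finding; the second shows all four indicators, which is the pattern of a phone with random MAC and private DNS turned on; the third only shows the "suspect" 443 contact to a watchlisted resolver, which needs a closer look before anything is concluded. On a real router the input would be the firewall's accept/forward log for the LAN zone in whatever format it emits, and the three indicators map directly onto mitigations the thread already discusses (redirecting or blocking port 53/853 at the router, and not relying on per-MAC rules for devices that randomize).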

Thanks again for your help. I'm excited to finally build a nice home network and I hope to turn this into something helpful to others. When yet another new user asks what hardware they should get, people should be able to say, "We just helped some other noob with this question. Does <this doc> describe what you need? If so look at the bottom to see the hardware we've already vetted and recommended, it meets all those requirements."
I think it's almost there (on the requirements side). I'm still not sure if I defined the ones with * well. If you give that a +1 I'll start sifting through the rest of the thread to see which of those devices meet all the requirements. Hopefully, a clear set of requirements makes that part pretty easy.

Starting points

  1. 1Gbps internet link
  2. Radio Quiet Area

Requirements

  1. Hardware with wide userbase: Minimum of 30 "builds per target" https://sysupgrade.openwrt.org/stats/d/LM1HE4E7k/attended-sysupgrade-server?orgId=1&refresh=1m
  2. Proven Reliable: No major bugs reported in https://github.com/openwrt/openwrt/labels?q=target
  3. Budget: Around $1000. This is a soft requirement.
  4. *Latency: Is it reasonable to say the home network should add less than 1ms of latency? This latency should be sustained while supporting up to HD video streams over wireless. It's kind of hard to tell, but from what I've read, this should be reasonable on wired and 802.11ax. This is essentially the "worst case" scenario of 3 family members streaming separate movies while the 4th is trying to do something that requires low latency.
  5. *Wireless coverage: Maybe this is best described as "up to 5 access points"? It seems that the only practical way to make sure you have enough WiFi coverage is to try it and add/move APs until you do.
  6. Wired Devices: up to 4 (1Gbps) + potential backhaul
  7. Wireless Devices: up to 10
  8. Wireless Standards: needs to be able to support 802.11n/ac/ax
  9. Bandwidth: the home network should never be the bottleneck on bandwidth

Assumptions

  1. Need at least RAM 128MB/flash 16MB
  2. Software components (eg firewall, parental controls, adblocking) will not have a negative impact on performance

Derived assumptions/requirements

  1. to meet the latency requirement
    • chipset supports Airtime Fairness
    • traffic shaping / SQM support

Actual Hardware:
I'll expand this if the above requirements are complete, starting with all the recommendations in the thread.
I think this will allow me to choose a router, switch and AP (possibly several identical ones) that meet all the requirements.
My metric for that is the reaction by veterans. If you look at it and say, "I know what you need." it's done. If you look at it and think, "I'd recommend device A or B depending on X." I'd want to know what X is so I can add it.

PS I get what you're saying about parental controls. My main plan is to just educate them but that takes a while. I don't need the controls to be foolproof. The kids can and should work to get around them.

Latency - I am unsure if/how to quantify this as a requirement.
fyi - I ran a few quick 'ping' tests that show I can only get <1ms round trip time on the internal network.

ap => router  	  rtt min/avg/max = 0.451/0.523/0.730 ms
ap => modem 	  rtt min/avg/max = 2.185/2.586/2.822 ms
ap => 8.8.8.8 	  rtt min/avg/max = 7.523/10.891/16.425 ms
laptop => router  rtt min/avg/max = 1.289/2.486/3.048/0.622 ms
laptop => 8.8.8.8 rtt min/avg/max = 10.728/12.101/14.259/1.043 ms

Wired Devices => Access Points will also count as Wired devices (not sure whether you have taken this into account)

Wireless coverage => this remains a complex topic - add/move APs until coverage gets ok might indeed be the way to go forward. On a sidenote: ceiling mounted APs do in general have a better coverage than wall mounted APs

I'm assuming your setup for the above is:
Internet (including 8.8.8.8) -> modem -> router -> switch? -> AP -> laptop

If that's the case, is your router adding ~2ms of latency? Is it possible to bring that down?
I would expect that AP=> modem would also be < 1ms (but maybe I need to adjust my expectations).
Unless the modem itself is proprietary to the ISP. Then I guess I'd have to target AP=>router < 1ms and I'll just have to live with my Verizon modem.

It also looks like the laptop to AP hop adds very little latency (I'd expect that to add < 1ms under ideal circumstances but would have high variation in the real world).
That suggests I shouldn't target either laptop=>router or laptop=>modem.

Wired Devices => Access Points will also count as Wired devices (not sure whether you have taken this into account)

Good point. I'll add that as a "+" in the wired devices section. Am I correct in thinking that "# of wired devices" will just impact the choice of switch (ie does it have enough ports?)

Wireless coverage => this remains a complex topic - add/move APs until coverage gets ok might indeed be the way to go forward. On a sidenote: ceiling mounted APs do in general have a better coverage as wall mounted APs

Makes sense. In that case, I'm inclined to leave it as is. I probably don't need 5 APs. As I understand it, the max number of APs (in a single house) is only a question of if I have enough switch ports to support the backhaul. Ie this primarily matters in that it will affect the number of wired devices?
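The two posts above reason about where in the chain the latency comes from by comparing RTTs to successive targets. A small helper for that, added here as an example and not something from the thread or from OpenWrt: it parses ping summary lines in the shape quoted above (both the 3-value min/avg/max form and the 4-value form that also carries mdev), attributes the average RTT to each segment of the path by differencing consecutive cumulative averages taken from the same source, and checks the draft "< 1 ms" internal-latency requirement. The sample lines are the thread's own numbers, re-labelled as "source => target". The per-segment attribution assumes all pings were taken from the same host under similar conditions and that each target answers ICMP promptly; a router answering echo requests in software can inflate its own RTT without adding as much to traffic it forwards, so a delta is an upper estimate for that segment.

```python
import re

# Constructed sample: the ping summaries quoted in the thread, re-labelled as
# "source => target". Some lines carry a fourth value (mdev, the jitter), some do not.
PING_SUMMARIES = """\
ap => router      rtt min/avg/max = 0.451/0.523/0.730 ms
ap => modem       rtt min/avg/max = 2.185/2.586/2.822 ms
ap => 8.8.8.8     rtt min/avg/max = 7.523/10.891/16.425 ms
laptop => router  rtt min/avg/max = 1.289/2.486/3.048/0.622 ms
laptop => 8.8.8.8 rtt min/avg/max = 10.728/12.101/14.259/1.043 ms
"""

# Accepts a "min/avg/max" or iputils-style "min/avg/max/mdev" header, with 3 or 4 values.
LINE_RE = re.compile(
    r"^(?P<src>\S+)\s*=>\s*(?P<dst>\S+)\s+rtt\s+min/avg/max(?:/mdev)?\s*=\s*"
    r"(?P<vals>[\d.]+(?:/[\d.]+){2,3})\s*ms\s*$"
)


def parse_ping_summaries(text: str) -> dict:
    """Map (src, dst) -> {"min", "avg", "max", "mdev"}; mdev is None for 3-value lines."""
    results = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised ping summary: {line!r}")
        vals = [float(v) for v in m.group("vals").split("/")]
        results[(m.group("src"), m.group("dst"))] = {
            "min": vals[0],
            "avg": vals[1],
            "max": vals[2],
            "mdev": vals[3] if len(vals) == 4 else None,
        }
    return results


def hop_deltas(results: dict, src: str, path: list) -> dict:
    """Attribute average RTT to each segment of `path` (targets ordered by distance from src).

    The RTT to target N already contains every segment before it, so the difference
    between consecutive cumulative averages estimates what that segment adds. The
    first entry is simply its own RTT. Each target's own ICMP reply time is counted
    as part of its segment, so a slow-to-answer hop makes its delta an upper estimate.
    """
    deltas = {}
    previous = 0.0
    for dst in path:
        avg = results[(src, dst)]["avg"]
        deltas[dst] = round(avg - previous, 3)
        previous = avg
    return deltas


def meets_internal_latency(results: dict, src: str, last_internal_hop: str, budget_ms: float = 1.0) -> bool:
    """Check the draft requirement from the thread: rtt(src <=> ... <=> last internal hop) < budget."""
    return results[(src, last_internal_hop)]["avg"] < budget_ms


if __name__ == "__main__":
    r = parse_ping_summaries(PING_SUMMARIES)
    print("per-segment RTT from ap:", hop_deltas(r, "ap", ["router", "modem", "8.8.8.8"]))
    print("ap => router under 1 ms:", meets_internal_latency(r, "ap", "router"))
    print("ap => modem under 1 ms: ", meets_internal_latency(r, "ap", "modem"))
```

With the thread's numbers this puts about 0.5 ms on the AP-to-router segment and about 2.1 ms on the router-to-modem segment, which is the same conclusion the posts reach by eye, and it shows why the requirement is better phrased as a single end-to-end "AP to modem" figure than as a per-device one: each delta carries the measurement noise of two pings and the reply overhead of the target.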

I did some more testing and found out there is a 1.6ms RTT between router and modem
(using ping executed in a ssh shell on the router WAN side). So in my case there is maybe something wrong with the ethernet-cable, or the ISP modem is very very slow.
Edit: I have a clue what causes the extra latency in my internal network: the part where the 1.6ms RTT is seen is occupied by a TP-Link UE300 usb-network adapter. So either I have a bad batch, or this is expected overhead from using this adapter
Edit2: my ISP modem is currently configured as Router (so I have a double NAT at the moment)
I will request my ISP to change this next month to Bridge and see if this shaves off 1ms or so from my latency

=> thus regarding requirements I would stick to "AP => router => modem round-trip time should be < 1ms"

These # of wired devices (including access points) will indeed impact the choice of the switch (8-port or more)

I've incorporated all of that into a new draft.
I'll leave out the benchmark links since they're already in the thread, for reference.
Added "switch" to the latency chain.
Added Nice to Have.
Added Acceptable but not required.
Started on the Actual Hardware section.

Starting points

  1. 1Gbps internet link
  2. Radio Quiet Area

Requirements

  1. Hardware with wide userbase: Minimum of 30 "builds per target" https://sysupgrade.openwrt.org/stats/d/LM1HE4E7k/attended-sysupgrade-server?orgId=1&refresh=1m
  2. Proven Reliable: No major bugs reported in https://github.com/openwrt/openwrt/labels?q=target
  3. Budget: Around $1000. This is a soft requirement.
  4. Latency: rtt(AP<=>switch<=>router<=>modem) < 1ms
  5. Wireless coverage: Up to 5 access points
  6. Wired Devices: up to 4 (1Gbps) + potential backhaul for access points + piHole
  7. Wireless Devices: up to 10
  8. Wireless Standards: needs to be able to support 802.11n/ac/ax
  9. Bandwidth: the home network should never be the bottleneck on bandwidth
  10. Roaming: The user should not be required to know the details of which AP they connect to, only the SSID and password. If they move out of range of one AP and into the range of an other AP they should reconnect automatically.

Nice to have:

  1. PoE access points

Acceptable but not required:

  1. GUI

Assumptions

  1. Need at least RAM 128MB/flash 16MB
  2. Software components (eg firewall, parental controls, adblocking) will not have a negative impact on performance

Derived assumptions/requirements

  1. To meet the latency requirement
    • chipset supports Airtime Fairness
    • traffic shaping / SQM support
  2. To meet wired devices requirement
    • switch with >= 11 ports (5 end devices, 5 APs, router)

Actual Hardware:
In order to meet all the requirements and allow for easy upgrades we will split this into multiple hardware components.