How can I describe my problem better? (Meta)

At my dad's house, I installed a TL-SG116E (v1.0) in 2018 or 2019 (current version at the time). It's running the latest firmware available for that version. I can't say if it fixed the super low-level problems since I never did wireshark the configuration methods. But I can say it's a terrible switch and I regret buying it.

It's possible that the newer revisions have improved somewhat, but they are still best considered a last-resort option. The ZyXel switches do seem to be better at the same/near price point, although I can't say first hand. Also, on the 5-port managed switch side of things, the Unifi Flex Mini is actually pretty cool -- you do have to run the Unifi Network Application, and it does have a few limitations, but it's $30 and does have proper security and management.

Their OEM firmware is quite fine (and updated regularly), I can't compare it to the TP-Link or Ubiquiti models, but it is quite nice compared to the D-Link DGS-1210 series, Allnet ALL-SG8208m/ ALL-SG8316 and HPE switches. In addition they can run OpenWrt as well, easy to install, serial console being relatively easy to access, but a bit limited in terms of flash size (6976 KB max.). With either firmware they're well behaved.


For input wrt Home Network hardware advice I would rewrite requirements into something like this:

Starting points

  • Internet connection: 1 Gbps
  • number of Wired devices: ...
  • budget: up to $1000 (?)

Generic requirements

Wireless coverage (to determine amount of Access Points)

Additional Router services (the more you need, the more cpu/memory is needed)

  • Network isolation / Guest Wifi
  • Traffic shaping (=> ie. SQM)
  • Adblock / tracking protection (=> ie. Adblock-fast or Adblock-lean)
  • VPN (=> ie. WireGuard)
  • Intrusion Detection/Prevention System (=> ie. CrowdSec)

ps1: standard features Firewall and Parental Control do not impact the choice of hardware.
ps2: SPAM protection refers to SPAM received per email? If so, this needs to be done by email provider / email client
ps3: do you actually have old wireless devices which require legacy 802.11b?

Hi,

my 2 cents (most points already added by others, but I hope I may add a few more)

1G WAN => requires beefy hardware; there is the topic you linked about what to do if you have a 500+ Mbps WAN link, it explains nicely why you need beefy hardware.
3 floors => get a wired router; at minimum install one AP per floor (may require more per floor depending on walls and layout) connected via cable to the router (1)
many devices => use a decent business-grade switch, preferably with PoE (2) and VLAN support.
ease of management, control => that's a dream (3)

(1) if you want reliable backbone connection then cabling is the only choice.

(2) Even a used business-grade HP/Cisco etc. switch is better imho than any small home switch (see the problems mentioned here). And PoE is great for your floor APs as you will need just one cable. But check the PoE support, because there are various flavors.

(3) Based on your writing I assume you want a nice, easy-to-use GUI to configure all the controls you have in mind, and would avoid writing configuration files. In my experience there are many attempts to make a user-friendly but feature-rich solution, but in the end you must invest your time either way. From an ecosystem point of view, products from Unifi and other similar prosumer/enterprise products are probably the better ones. Unifi's AP, gateway and switch products work together out of the box ... till they don't. In short: when it works it works great, you have a pretty and useful interface, but it can break too (check the rants in their forum).

Also, you want adblock, ACL, content & time limitation etc. There are tools (such as AdGuard Home or Pi-hole, which do a subset, and other tools for the other bits), but usually if you want control it means you cannot use the default fast path (i.e. software- or hardware-based network acceleration) but must process each network packet, identify it and decide if it can go on or should be stopped; i.e. back to square one: it requires beefy hardware.
OpenWrt is great, it supports so many things, but those many things are not under a single control, hence not everything is integrated with everything else, not everything has a GUI etc. So again you will need to invest your time and may need to edit config files in order to put all the bits and pieces together.

And to set expectations early on: applying network policy (e.g. content restriction) is not as easy as it may seem. There are many topics here on how to do DNS filtering and parental control, and it always turns out that the best way is to educate your kids, then hope they will not learn the shortcuts you never thought of faster than you do; and you have to be smarter than "smart" devices (mobile devices, browsers, apps) whose developers decided that they know better what you want and hardwired stuff in their code/hardware (e.g. you will soon learn what DNS hijacking and DoH filtering are).

And a decent setup will cost you.

So, in short, as others mentioned too: a mixed setup of an owrt-based router with a decent switch and APs (either owrt-based or not) would probably give you the best overall performance and flexibility, but some kind of enthusiastic attitude will be required. At least I am not aware of one nice GUI-based solution which can satisfy all your requirements out of the box with a 2-click setup.


Thank you for all your responses.
Several posts are already suggestions for solutions.
I'm sure those will be very helpful once I've defined the problem well so I'll try to finish that first.

I'll write up a new draft of the problem statement but I had some questions about your proposed rewrite. I'll just add them as inline questions.

Starting points
Internet connection: 1 Gbps

Did you pull out the rest of the info because bandwidth is the only relevant factor?

number of Wired devices: ...

What's the best way to describe this given that it's not a static number? I could list the devices that people in my family currently have. I could provide some estimates on the maximum number of concurrent devices over the past few months. I could guess at the maximum we might need in the near to mid-term.
Is it enough to guess that the order of magnitude is around 10 (ie support for just 5 is probably not enough, support for 20 is probably overkill)?

budget: up to $1000 (?)

I don't have a fixed budget. I want to primarily focus on defining the requirements. If I can get the platonic ideal of home networks for $1100 I won't complain but, by the same token, I wouldn't be happy with a $900 home network that is missing key functionality.

Generic requirements

For this section as a whole, I love that you provided objectively measurable factors for all of them.

wide userbase (=> statistics via https://sysupgrade.openwrt.org/stats/d/LM1HE4E7k/attended-sysupgrade-server?orgId=1)

Yes. That seems like a great way to define "wide user base". Do I understand correctly that you're suggesting some (fixed or percentage) threshold of "builds by target" as the metric?

proven reliability (=> choose device that is supported since 22.03 or before and look for user experiences)

"time since supported" is a good metric. If possible it would be nice to have a metric of how well it was supported (eg trend of bug reports, mean time to resolution)

maximum throughput (=> choose device that handles 802.11ax on 2.4GHz and 5Ghz)

Between this and PS3 it seems like the relevant question here would be "What is the range of planned/current wifi devices (eg 802.11c - 802.11ax)?"

future proof upgrades (=> choose device with minimal 16MB flash / 128MB RAM)

"future proof" is a tricky requirement to define. Are there actually any reasonably future scenarios I could describe that would yield a different recommendation? If not maybe "future proof" isn't a good requirement at all and >16MB flash / 128MB RAM should just be the minimum recommended memory?

I notice you pulled out the section on latency. Is that not a relevant question? I could imagine that some effects are just fixed; ie adding a device will in the path will always increase latency. I've read cases where design choices or misconfigurations resulted in unnecessarily high latencies. Keeping that in check is relevant to me.

Wireless coverage (to determine amount of Access Points)

number of floors: 3
area/#rooms per floor? concrete/brick walls?
strategic positioning of Access Points possible? (=> https://arstechnica.com/gadgets/2020/02/the-ars-technica-semi-scientific-guide-to-wi-fi-access-point-placement/)
outside coverage needed?

That Arstechnica article reinforces what I knew about signal strength; it's complicated. I don't have a device that measures signal attenuation directly, but I have "Wi-Fi Sweetspots". It shows more confusion. The room right next to the AP gets a weaker signal than the next room farther away gets. The house is almost 100 years old and I don't really know what's in the walls. At least 2 generations of wiring, water and steam plumbing, some lath and plaster. There's also weird stuff, like a wall with windows facing nothing, just the interior of the wall.
Is the most practical approach to wireless coverage just to try it out and, if it's not enough, commit to adding more wired APs until it is?

Additional Router services (the more you need, the more cpu/memory is needed)
Network isolation / Guest Wifi

Maybe? I'm not sure. My main motivation for having Guest Wifi is that
a) Guests can easily sign up to our network
b) Organization and tracking
I'm less concerned about network isolation for QoS or security. I should have enough bandwidth that guests can happily stream videos without causing a problem, and I'm not worried about house guests using up my LaserJet toner or DoSing my network drives.

Traffic shaping (=> ie. SQM)

Maybe? Is that actually a functional requirement? From reading into it the main point of SQM seems to be to reduce latency. So yes to reduced latency but I'm totally open to considering other ways to reduce latency.
Would you put parental controls in this category? Ideally I'd have time controls (ie off at bedtime) and tiered access control (ie free access to most sites, weekly or daily time limits on things like social media, complete blocks on sites that present a security threat).

Adblock / tracking protection (=> ie. Adblock-fast or Adblock-lean)

Yes. I want aggressive and configurable Ad and tracking protection. I'm comfortable using some combination of Pi-hole, filters and subscriptions to allow/deny lists

VPN (=> ie. WireGuard)

I don't think so. We can install VPNs on end devices as needed (either for work or for privacy). I don't have a need to have the whole house on VPN and I wouldn't want the additional latency.

Intrusion Detection/Prevention System (=> ie. CrowdSec)

Yes. Is it enough to say "yes" to an ID/PS? Or do I need to go into more detail about what I want?
We have a fairly simple setup at home. I haven't set up dynDNS yet (although maybe I should) so we haven't bothered to set up any services with externally available ports.
For IDS I'm mostly interested in comprehensive logging, both internal and external. I don't

ps1: standard features Firewall and Parental Control do not impact the choice of hardware.

Good to know. I'll leave that out of the final version.

ps2: SPAM protection refers to SPAM received per email? If so, this needs to be done by email provider / email client

I was using SPAM in the more general sense of "unwanted connections" (ads, trackers etc)

ps3: do you actually have old wireless devices which require legacy 802.11b?

See above.

Thank you for your efforts in helping me. And thank you to all the people who offered specific hardware recommendations. I'll use those as the starting points once the requirements are buttoned up and I'm ready to design the solution.

Some additions/corrections to persecute your journey :slight_smile:

  • Starting points => add following (example)
    Wired devices: up to 10 (1Gbps)
    Wireless devices: up to 20 (802.11n/ac/ax)
    Radio quiet area
  • budget => redefine as "around $1000" ?
  • wide userbase => Builds by target is definitely a good metric here
  • proven reliability => related metrics can be obtained from https://github.com/openwrt/openwrt/labels?q=target
  • future proof upgrades => renaming to "Minimum memory: RAM 128MB/flash 16MB" is clear indeed
  • Wireless coverage => here you have the option to choose for multiple medium-signal Access Points or for single strong-signal Access Points ( i would opt for adding medium-signal Access Points on a needed base since the wireless device signal strength would be the weakest link in this)
    edit: newer chipsets do exhibit better results going through walls, see ie Adding support for Mercusys MR90X - #47 by diizzy
  • latency => I indeed forgot to mention this. Make sure that Access Point has a chipset that supports Airtime Fairness (i.e mt76xx)
  • Traffic shaping SQM => this reduces 'latency under load' when implemented

Addendum1: Benchmarks

Addendum2: Further reading (covers a lot of the UniFi framework, which, for ease of use, may be interesting to look at as well as an alternative to OpenWrt)

Addendum3: about Parental Control on the router - I learned that this is a hard battle - examples:

  • kids got to know the wifi password of my neighbors
  • kids devices using a random mac address are uncontrollable
  • kids devices using Google Family Link could bypass screentime
  • kids phones switch to LTE data once the wifi shut off

Thanks again for your help. I'm excited to finally build a nice home network and I hope to turn this into something helpful to others. When yet another new user asks what hardware they should get, people should be able to say, "We just helped some other noob with this question. Does <this doc> describe what you need? If so, look at the bottom to see the hardware we've already vetted and recommended; it meets all those requirements."
I think it's almost there (on the requirements side). I'm still not sure if I defined the ones with * well. If you give that a +1 I'll start sifting through the rest of the thread to see which of those devices meet all the requirements. Hopefully, a clear set of requirements makes that part pretty easy.

Starting points

  1. 1Gbps internet link
  2. Radio Quiet Area

Requirements

  1. Hardware with wide userbase: Minimum of 30 "builds per target" https://sysupgrade.openwrt.org/stats/d/LM1HE4E7k/attended-sysupgrade-server?orgId=1&refresh=1m
  2. Proven Reliable: No major bugs reported in https://github.com/openwrt/openwrt/labels?q=target
  3. Budget: Around $1000. This is a soft requirement.
  4. *Latency: Is it reasonable to say the home network should add less than 1ms of latency? This latency should be sustained while supporting up to HD video streams over wireless. It's kind of hard to tell, but from what I've read, this should be reasonable on wired and 802.11ax. This is essentially the "worst case" scenario of 3 family members streaming separate movies while the 4th is trying to do something that requires low latency.
  5. *Wireless coverage: Maybe this is best described as "up to 5 access points"? It seems that the only practical way to make sure you have enough WiFi coverage is to try it and add/move APs until you do.
  6. Wired Devices: up to 4 (1Gbps) + potential backhaul
  7. Wireless Devices: up to 10
  8. Wireless Standards: needs to be able to support 802.11n/ac/ax
  9. Bandwidth: the home network should never be the bottleneck on bandwidth

Assumptions

  1. Need at least RAM 128MB/flash 16MB
  2. Software components (eg firewall, parental controls, adblocking) will not have a negative impact on performance

Derived assumptions/requirements

  1. to meet the latency requirement
  • chipset supports Airtime Fairness
  • traffic shaping / SQM support

Actual Hardware:
I'll expand this if the above requirements are complete, starting with all the recommendations in the thread.
I think this will allow me to choose a router, switch and AP(possible several of identical ones) that meet all the requirements.
My metric for that is the reaction by veterans. If you look at it and say, "I know what you need." it's done. If you look at it and think, "I'd recommend device A or B depending on X." I'd want to know what X is so I can add it.

PS I get what you're saying about parental controls. My main plan is to just educate them but that takes a while. I don't need the controls to be foolproof. The kids can and should work to get around them.

Latency - I am unsure if/how to quantify this as a requirement.
fyi - I ran a few quick 'ping' tests that show I can only get <1ms round trip time on internal network.

ap => router  	  rtt min/avg/max = 0.451/0.523/0.730 ms
ap => modem 	  rtt min/avg/max = 2.185/2.586/2.822 ms
ap => 8.8.8.8 	  rtt min/avg/max = 7.523/10.891/16.425 ms
laptop => router  rtt min/avg/max = 1.289/2.486/3.048/0.622 ms
laptop => 8.8.8.8 rtt min/avg/max = 10.728/12.101/14.259/1.043 ms

Wired Devices => Access Points will also count as Wired devices (not sure whether you have taken this into account)

Wireless coverage => this remains a complex topic - add/move APs until coverage gets ok might indeed be the way to go forward. On a sidenote: ceiling-mounted APs do in general have better coverage than wall-mounted APs
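The ping summaries above are the only data the thread has on the internal-latency requirement, so here is a small added helper (not from the poster, not part of OpenWrt) that parses them and evaluates the rtt budget hop by hop. It handles both summary shapes seen in the post: BusyBox ping on the router prints min/avg/max, while iputils ping on the laptop appends mdev as a fourth field. The host names and the 1 ms budget are taken from the thread; the idea of subtracting the nearer target's average from the farther one's to estimate what a segment adds is an assumption of this example, and it only holds when the two pings share the same path up to the nearer target.

```python
import re

# Summary lines exactly as posted in the thread, keyed by (source, target).
POSTED_SUMMARIES = {
    ("ap", "router"):      "rtt min/avg/max = 0.451/0.523/0.730 ms",
    ("ap", "modem"):       "rtt min/avg/max = 2.185/2.586/2.822 ms",
    ("ap", "8.8.8.8"):     "rtt min/avg/max = 7.523/10.891/16.425 ms",
    ("laptop", "router"):  "rtt min/avg/max = 1.289/2.486/3.048/0.622 ms",
    ("laptop", "8.8.8.8"): "rtt min/avg/max = 10.728/12.101/14.259/1.043 ms",
}

# BusyBox: "rtt min/avg/max = a/b/c ms"; iputils: "rtt min/avg/max/mdev = a/b/c/d ms".
# The laptop lines above have four values but a three-field label, so both the
# label suffix and the fourth value are optional and independent of each other.
_RTT_RE = re.compile(
    r"rtt min/avg/max(?:/mdev)? = ([\d.]+)/([\d.]+)/([\d.]+)(?:/([\d.]+))? ms"
)


def parse_rtt(line):
    """Return (min, avg, max, mdev_or_None) in ms, or None if `line` is not a summary."""
    m = _RTT_RE.search(line)
    if not m:
        return None
    mn, avg, mx, mdev = m.groups()
    return float(mn), float(avg), float(mx), (float(mdev) if mdev else None)


def hop_contribution(summaries, src, near, far):
    """Estimate the RTT added by the segment between `near` and `far`, seen from `src`.

    Assumes the path from `src` to `far` passes through `near` (ap -> router -> modem
    in the thread). Returns the difference of the two average RTTs, rounded to 1 us.
    """
    near_avg = parse_rtt(summaries[(src, near)])[1]
    far_avg = parse_rtt(summaries[(src, far)])[1]
    return round(far_avg - near_avg, 3)


def meets_lan_latency(summaries, src, last_lan_hop, budget_ms=1.0, use="max"):
    """Check the thread's requirement that the LAN chain up to `last_lan_hop` stays under budget.

    Returns (ok, observed_ms). By default the worst sample (max) is judged, since
    the requirement is phrased as a bound rather than an average.
    """
    mn, avg, mx, _ = parse_rtt(summaries[(src, last_lan_hop)])
    observed = mx if use == "max" else avg
    return observed < budget_ms, observed


if __name__ == "__main__":
    for hop in ("router", "modem"):
        ok, seen = meets_lan_latency(POSTED_SUMMARIES, "ap", hop)
        print(f"ap -> {hop}: max {seen} ms, within 1 ms budget: {ok}")
    print("router <-> modem segment adds about",
          hop_contribution(POSTED_SUMMARIES, "ap", "router", "modem"), "ms")
```

Run as a script it reports that ap -> router fits the 1 ms budget while ap -> modem does not, and that roughly 2 ms of the difference sits on the router <-> modem segment, which is the same conclusion the thread reaches by hand in the follow-up posts.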

I'm assuming your setup for the above is:
Internet (including 8.8.8.8) -> modem -> router -> switch? -> AP -> laptop

If that's the case, is your router adding ~2ms of latency? Is it possible to bring that down?
I would expect that AP=> modem would also be < 1ms (but maybe I need to adjust my expectations).
Unless the modem itself is proprietary to the ISP. Then I guess I'd have to target AP=>router < 1ms and I'll just have to live with my Verizon modem.

It also looks like the laptop to AP hop adds very little latency (I'd expect that to add < 1ms under ideal circumstances but would have high variation in the real world).
That suggests I shouldn't target either laptop=>router or laptop=>modem.

Wired Devices => Access Points will also count as Wired devices (not sure whether you have taken this into account)

Good point. I'll add that to as a "+" in the wired devices section. Am I correct in thinking that "# of wired devices" will just impact the choice of switch (ie does it have enough ports?)

Wireless coverage => this remains a complex topic - add/move APs until coverage gets ok might indeed be the way to go forward. On a sidenote: ceiling mounted APs do in general have a better coverage as wall mounted APs

Makes sense. In that case, I'm inclined to leave it as is. I probably don't need 5 APs. As I understand it, the max number of APs (in a single house) is only a question of whether I have enough switch ports to support the backhaul. Ie this primarily matters in that it will affect the number of wired devices?

I did some more testing and found out there is a 1.6ms RTT between router and modem
(using ping executed in a ssh shell on the router WAN side). So in my case there is maybe something wrong with the ethernet-cable, or the ISP modem is very very slow.
Edit: I have a clue what causes the extra latency in my internal network: the part where the 1.6ms RTT is seen is occupied by a TP-Link UE300 usb-network adapter. So either I have a bad batch, or this is expected overhead from using this adapter
Edit2: my ISP modem is currently configured as Router (so I have a double NAT at the moment)
I will request my ISP to change this next month to Bridge and see if this shaves off 1ms or so from my latency

=> thus regarding requirements I would stick to "AP => router => modem round-trip time should be < 1ms"

These # of wired devices (including access points) will indeed impact the choice of the switch (8-port or more)

I've incorporated all of that into a new draft.
I'll leave out the benchmark links since they're already in the thread, for reference.
Added "switch" to the latency chain.
Added Nice to Have.
Added Acceptable but not required.
Started on the Actual Hardware section.

Starting points

  1. 1Gbps internet link
  2. Radio Quiet Area

Requirements

  1. Hardware with wide userbase: Minimum of 30 "builds per target" https://sysupgrade.openwrt.org/stats/d/LM1HE4E7k/attended-sysupgrade-server?orgId=1&refresh=1m
  2. Proven Reliable: No major bugs reported in https://github.com/openwrt/openwrt/labels?q=target
  3. Budget: Around $1000. This is a soft requirement.
  4. Latency: rtt(AP<=>switch<=>router<=>modem) < 1ms
  5. Wireless coverage: Up to 5 access points
  6. Wired Devices: up to 4 (1Gbps) + potential backhaul for access points + piHole
  7. Wireless Devices: up to 10
  8. Wireless Standards: needs to be able to support 802.11n/ac/ax
  9. Bandwidth: the home network should never be the bottleneck on bandwidth
  10. Roaming: The user should not be required to know the details of which AP they connect to, only the SSID and password. If they move out of range of one AP and into the range of an other AP they should reconnect automatically.

Nice to have:

  1. PoE access points

Acceptable but not required:

  1. GUI

Assumptions

  1. Need at least RAM 128MB/flash 16MB
  2. Software components (eg firewall, parental controls, adblocking) will not have a negative impact on performance

Derived assumptions/requirements

  1. To meet the latency requirement
    • chipset supports Airtime Fairness
    • traffic shaping / SQM support
  2. To meet wired devices requirement
    • switch with >= 11 ports (5 end devices, 5 APs, router)

Actual Hardware:
In order to meet all the requirements and allow for easy upgrades we will split this into multiple hardware components.

My Nominees

Router
Raspberry Pi CM4 (CM4002000) + DFRobot routerboard https://www.dfrobot.com/product-2555.html

  • BCM2711 / RAM 2 GB / Flash 8 GB (or more) MicroSD card
  • size 78x72x35mm
  • power consumption idle 1.8W, max 3W
  • supported since OpenWrt 21.02
  • excellent I/O with built-in GbE NIC internal and 2nd GbE NIC via PCIe lane
  • https://www.jeffgeerling.com/blog/2021/two-tiny-dual-gigabit-raspberry-pi-cm4-routers
  • 1,000,000 Raspberry Pi units sold each month
  • also available with built-in eMMC Flash (ie CM4002008); this is a bit harder to install though.

Access Point
Recent Mediatek/Filogic targets are rapidly being added lately - see i.e. https://downloads.openwrt.org/releases/23.05.0-rc3/targets/mediatek/filogic/. My advice here would be to order one of the below and drive them with stock firmware for the moment and decide later on whether you want to switch to OpenWrt.

Ubiquiti UniFi U6+

  • MT7981A / RAM 256 MB / Flash 16 MB NOR + 4 GB eMMC
  • size Ø160 x 33 mm
  • power consumption around 5W
  • coverage 140 m2
  • Zero-wait DFS (planned)

Netgear WAX220

  • MT7986 / RAM 1024 MB / Flash 128 MB SPI-NAND
  • size 196 x 196 x 44.4 mm
  • power consumption ?
  • coverage 185 m2

Managed switch
Netgear GS316EP

  • PoE+ total budget 180W, up to 30W/port
  • fanless

Side note
Recommended Router services

  • adblock-lean (advertising protection)
  • luci-app-banip (spam/malware protection - select feeds like darklist, debl, feodo, firehol1, firehol2, greensnow, iblockspy, proxy, sslbl, threat, tor)
  • luci-app-nlbwmon (traffic monitoring)
  • luci-app-sqm (traffic shaping)

Optional Router services

  • fail2ban (Intrusion Detection/Prevention - when running inbound services like Apache)

ps1: GS-1900-24 does not have PoE - in case you do prefer Zyxel I would advise checking the GS1900-24EP
ps2: the Pi-hole in your drawing might be redundant since similar service can be done directly on the router.
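Since luci-app-sqm is listed above as the traffic-shaping service and the requirements name "traffic shaping / SQM support", here is what the matching /etc/config/sqm entry looks like. This is an added illustration, not text from the post above and not a file shipped by the OpenWrt project in this form. The device name eth1 (the CM4 board's second NIC, assumed to be the WAN side) and the rates are assumptions; the rates are in kbit/s and should be set somewhat below what the link actually delivers, because SQM only controls latency under load when the router, not the ISP's gear, is the bottleneck.

```
# /etc/config/sqm  (luci-app-sqm / sqm-scripts; eth1 and the rates are assumed)
config queue 'eth1'
	option enabled '1'
	option interface 'eth1'
	option download '900000'
	option upload '900000'
	option qdisc 'cake'
	option script 'piece_of_cake.qos'
	option linklayer 'none'
	option qdisc_advanced '0'
	option debug_logging '0'
	option verbosity '5'
```

After editing, `/etc/init.d/sqm restart` applies it and `tc -s qdisc show dev eth1` should list a cake qdisc on the device. Keep the thread's own caveat in mind: shaping close to 1 Gbps means every packet goes through the shaper on the CPU, which is exactly the "beefy hardware" point made earlier, so if the board cannot sustain the configured rate, lower the rates rather than disable SQM.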

I'll assume the requirements are pretty well defined now and move on to questions about the recommendations.

Wow. This seems almost too good to be true. It checks off all the requirements on performance, reliability and functionality. I'm not even sure I could find a crappy router for less money.
It almost makes me think that a bunch of the "it depends" responses could be replaced with, "If you want to take full advantage of a 1Gbps WAN link just get this router."

It makes sense to start with the stock firmware and only upgrading if there's something that actually needs to be fixed.
I see that both of those support WiFi6 and PoE. I looked up the power consumption on the Netgear and an extra 10W doesn't make that much difference. The prices are similar too.
It's not clear to me that a slightly higher "coverage" actually translates to better network connections for users.
When it comes to choosing between these two, are they similar enough that I'm basically picking which one I think will look nicer or are there more serious considerations?

I should have included fanless as a nice to have or a requirement. I appreciate the lower maintenance that comes with fewer moving parts.
I don't have any brand loyalty so I don't care if it's ZYXEL or Netgear. Thanks for pointing out that the switch also needs to support PoE. Is there a reason to care about PoE vs PoE+?
For the switch, does it also make sense to also plan to use the stock firmware first and only install OpenWRT if there's some particular problem with it?
Is there any other particular reason to choose the Netgear over the ZYXEL, or vice versa?

Do I understand correctly that all these services, including Pi-hole, could potentially just be put on the router, since it's a general purpose computer?
Are these also light-weight enough that (given the specs of the router) I can basically ignore their performance impact?

Well...there is one catch - CM4 units are currently hard to get (larger supplies will arrive in December)

  • you can monitor https://rpilocator.com/ to see if cm4002000 or cm4004000 pops up - or otherwise the eMMC version CM4002008
  • or check aliexpress (bit more expensive though)
  • when driven by stock firmware I would vote for Netgear WAX220 because of plenty configuration options; the Ubiquiti UniFi U6+ - in standalone mode - seems to be rather limited in this area
  • when driven by OpenWrt firmware I would choose the AP which looks nicest to you.

Yes (2x) - I currently have a RPi 4B (same cpu as CM4) with 100 Mbit ISP connection, about 20 connected devices and the same Services as in recommendation and this is mostly idling in cpu.

Thank you!

I just ordered:

(Your original link still has them in stock)
https://www.amazon.com/NETGEAR-Wireless-Access-Point-WAX220/dp/B0BMW95Q1J?th=1
https://www.amazon.com/NETGEAR-16-Port-Gigabit-Ethernet-GS316EP/dp/B08VD4N2TN?th=1

The total, including shipping, was $394.98. That only includes one AP so the price could still go up, in increments of $129.99, up to $914.94 (in the unlikely case that I actually end up needing 5 APs).

I should have all the pieces by next week and I'll post a follow up when I start putting that all together.

Great!
ps: the DFRobot routerboard is one piece of the Router - you separately need to order a Raspberry Pi CM4 as well (!)

This refers to some switches. PoE is working fine on a number of switches:

  • GS1900-8HP
  • GS1900-10HP
  • GS1900-24HP
  • D-Link DGS-1210-28MP
  • D-Link DGS-1210-10MP
  • TP-Link TL-SG2452P

just to name a few. IIRC PoE does not work on the GS1900-24EP.
Most of the switches can be found on the used market - sometimes for less than €50,-.
I have a GS1900-24HP as my main switch, along with a DGS-1210-28MP as backup and a GS1900-8HP for a separate WiFi AP.

Hmm. Bad on me for not double checking that.

Amazon has them in stock for $92.43

In a pinch, I've got a few RPi 4B I could cannibalize and one of them is running my Pi-hole right now

@andyboeh

What are the advantages of OpenWRT on those switches?

Most of the benefits of OpenWRT seem to accrue in routers.

Or is this mostly that, on several switches, there's no particular disadvantage to using OpenWRT?