Hi all, I'm looking to enhance my home wifi network setup. I'm pretty much a newbie to home networking so I'm a little bit stuck on what I need to buy. Details as follows:
Current situation:
Floor 1:
ISP provided modem for 100mbs fiber internet (Zyxel VMG8825): the modem is very basic and doesn't have many useful features. It has no VLAN support which I think I will need.
Some IoT devices that send alerts and some other media to my phone.
One Ubiquiti Access Point AC Pro to broadcast wifi (same SSID across all floors for these access points).
Floor 2
Some more IoT devices. Same deal as floor 1.
Home office and personal computers.
One Ubiquiti Access Point AC Pro to broadcast wifi (same SSID across all floors for these access points).
Maybe smart TV and streaming device will be here soon.
Floor 3
Some more IoT devices. Same deal as floor 1.
One Ubiquiti Access Point AC Pro to broadcast wifi (same SSID across all floors for these access points).
It's a very basic and insecure setup right now. Basically 3 access points providing wifi to all floors, and all devices connect to them through wifi mesh. No guest network setup yet.
What I want to achieve
There are a few things I'd like to achieve. However, as previously mentioned, I don't know the right gear to buy. Here goes:
I want the IoT devices NOT be able to spy on my computers at all (it seems achievable with VLAN?).
If possible, I'd like to be able monitor and make firewall rules for both the IoT devices as well as Ubiquiti equipment in order to prevent them from sending intrusive data back to their servers. I explicitly mention Ubiquiti here because they had some privacy-related scandal and I'd like my setup to be as privacy-friendly as possible.
Block off internet access altogether for specific devices, such as "smart" TVs.
Is there an efficient way to make sure devices on my network can send me phone notifications, but nothing else to their servers?
Guests will be on their own network so they cannot spy nor tinker with anything in the house.
What I need help with
Given the above situation and requirements, what kinds of gear do you suggest me to buy? And how should I setup the network? What about firewall? I have seen Netgear R7800 being recommended on this forum; does it serve my use-case well?
(I am skeptical of closed-source devices in general so if possible I'd like to avoid giving total control to something like Ubiquiti Dream Machine Pro).
Thanks in advance. Any pointer is much appreciated.
Did you look up the Ubiquiti hardware to see if OpenWRT can be installed on it (your APs)? If not, I would think you would be purchasing new access points. The modem doesn't mater. You would likely just connect it to an OpenWRT device (router/access point) and then add an additional one or two depending on the signal strength in your home. Would a centrally located single device work/do you really need one per floor?
If you found they are compatible go ahead and flash one with OpenWRT. Configure it as your router. If you are happy with it, flash another. Configure it as a dumb access point. Do the same with the third.
In addition to the wiki I linked, there are several good videos describing VLAN setup with a router/access point as I am recommending to you:
Latest based on current OpenWRT image:
Two part older ones for additional details but know that some of the options are moved to different places in the current image. Concepts are there:
Thank you for the info. The access points I have only have one LAN/Ethernet port each. If I convert one of the three into a router, does it mean I need something extra like a Switch to connect the other two to it?
Also, how should the newly converted router connect to the ISP modem?
You might want to consider a separate device for routing if there is only a single port. If you want VLANs, you will need a managed switch for that setup. I use a RPi4 + USB dongle for routing as an example. Might be more simplistic for you to use a device that also offers an integrated switch.
100 Mbps will not be challenging to support, even with QoS.
Most any used MT7621AT or better device with 5 ports will provide you an economical router/switch combo and handle Gigabit without QoS, or QoS up to ~200 Mbps using fq_codel/simple.qos with packet steering and irqbalance (CAKE QoS is limited to ~100 Mbps on MT7621).
If you want something small, a MicroTik RB750Gr3 would work (~$60). I'd recommend an ER-X (what I use), except prices on even used ER-X's have absolutely gone through the roof lately.
If size is not an issue, there are many OpenWrt supported MT7621AT all-in-ones to choose from - just turn off the radios and call it a router. At least 256 MB of memory is nice to have if you want to run Adblock.
If you want future proofing (half gigabit to gigabit speeds), MT7621 is not going to cut it if you also want QoS capability. For future proofing, I would skip over "in-between" ipq806x hardware - unless you find a fantastic used bargain - and instead look hard at a Belkin RT3200 / Linksys EA8450 (1st choice - it comes with an internal switch and 5 ports), followed by a separate managed switch paired with either a NanoPi R4S or Raspberry PI4/USB dongle setup (toss up between the latter two in my opinion: NanoPi R4S is a bit simpler in not needing a dongle and coming with a nice metal case, the PI4 is easier to find - either will handle gigabit QoS and anything else you'd likely throw at them all day long).
Sounds like you have your three AP's already. Flash them with OpenWrt and call it a day for those.
Once you have OpenWrt on everything, use your base router to set up and manage all your VLAN's (home LAN, guest, IOT, etc.) and provide each VLAN its DHCP server on a different subnet to segregate things. This is straying from "help with choosing devices" to "help with the software configuration side of setting up a network," but OpenWrt can do all the things you want to do.
A follow-up question: If I use RT3200 as my router and connect it to my ISP Zyxel modem for WAN, and connect my 3 APs to it, why do I need the managed switch + Pi setup?
Agreed, the RT3200 will be plenty for that speed. If you ever go to something like 1000 MBit down, and if you want to use SQM, you will likely be limited. RPi4 can do that but I wouldn't get overly complicated for no good reason.
Thanks @darksky and @eginnc for your help. I have a better idea of what to look for now. A bit of followup on the RT3200: Given that I don't need to broadcast any wifi from the router (because I already have the 3 Ubiquiti APs for this purpose) and I don't think I will upgrade to 1 gigabit anytime soon, is RT3200 a good choice in terms of RAM and related processing power? I see on this forum sometimes people mention plenty of packages like VPN, adblock, etc.; can RT3200 handle these well? How does it compare to the frequently recommended Netgear R7800?
Yeah, it's fine in my opinion. 802.11ax as well. You can probably drop one of the APs and use the RT3200's radios on whatever level of your home the modem is on as well.
I see that RT3200 has Wifi-6. My current APs only support Wifi-5. Will that create a conflict between different floors if I use the RT3200 to cover wifi radio for one floor, and two of the APs for the others?
And is Wifi-6 support dependent on hardware level (meaning installing latest version of OpenWRT doesn't magically allow my APs to use Wifi-6)?
Definitely. I'm glad darksky pointed that out in case you are looking to support all of a full Gigabit line in the future.
It is worth keeping in mind though that an RT3200 will get most of a Gigabit using fq_codel/simple.qos SQM with irqbalance and packet steering active. Here it is reported to handle 832 Mbps on a 900Mbps line with average latency ~14ms down and up and 95th percentile latency below 30ms down and up using fq_codel/simple.qos: https://forum.openwrt.org/t/e8450-rt3200-gigabit-speeds-tweaking/121983/5?u=eginnc
The RT3200 is going to struggle with CAKE SQM (~450 Mbps), but that 800+ Mbps fq_codel/simple.qos SQM performance ain't bad at all, especially considering Gigabit line rate tops out around 930-940 Mbps anyway.
His post led me to consider that I've yet to connect to WiFi at 800+ Mbps on anything but advertising copy and that I test bufferbloat on an inconveniently located thin client connected by wired Ethernet that I use for little else.
The manged switch with either a NanoPi R4s or PI4/Dongle are options to consider instead of the Belkin RT3200.
and that I test bufferbloat on an inconveniently located thin client connected by wired Ethernet that I use for little else.