Networking/hardware newbie, Router Switch AP setup

So, as some of you who read my other thread know, my router died. Someone suggested to me that I could just buy different parts and build my own thing. I must say this could be interesting and quite educational. Now, I never was a networking guy, I find subnet masks and stuff complicated :smiley:

There is a mix of hardware/software configuration. I didn't want to create 10 different threads for a newbie trying to figure out how the basics work.

Let's say I use a raspberry pi 4 with 4GB of ram, a TP-Link TL-SG116 16-Port switch and an EnGenius EAP1300 AP.

Keep in mind, I'm coming from a simple all-in-one router using dd-wrt. I would like to replicate what I had, but with dedicated hardware for each function.

Let's see if I get this topology right.

Modem <-> Raspberry Pi (router) <-> Switch <--> AP <---> Wireless clients (2.4, 5GHz)
                                 |->Wired clients    |-> 2.4 GHz Isolated virtual AP (for iot devices)

The router is the DHCP server.
I must use a switch capable of VLAN (so a "smart" switch is needed).

Port 1 on the switch is connected to the router, VLAN 1
Port 2 is connected to AP, VLAN 2
Other ports are used for computers, nas, etc., let's say they all use VLAN 4
VLAN 3 should be assigned to the virtual isolated AP, along with a port on the switch (Home Assistant)

  1. Does the hardware make sense? Any suggestion?
  2. Can I put 2.4GHz from the AP on a separate bridge from 5 GHz with a VLAN (let's say port 3)
  3. Can I QoS/shape traffic going from VLAN 3 to VLAN 2? Or from/to specific devices? (prioritize/block certain port)
  4. Does all internal traffic go through the router (I know I sound dumb), or do the packets take the shortest route?
  5. Can I use the GUI for most of the configuration for this setup?
  6. The 16-port switch from TP-Link has a Jumbo Frame of 9KB instead of the standard 15KB, will this affect gaming, streaming, uploading performance?
  7. Do you think it's worth all the "trouble"? (It is less expensive than a good mid-range router, consumes same amount of electricity, I love spreadsheets)

I did read a lot of documentation available on the wiki, but I'm never sure of anything, so I'm sorry if I got something wrong.

Wow you made it :dancer: :peace_symbol: thanks!

EDIT: Modified question 1. to reflect the real term, I used the word VLAN, I meant bridge.

I'll skip #0 as I've already expressed my concerns around using a Raspberry Pi elsewhere. Some of the concerns about the topology you posted are around the single-NIC Raspberry Pi.

Can I put 2.4GHz from the AP on a separate VLAN from 5 GHz? Or are VLANS only available/configurable on the switch?

VLANs are only an Ethernet thing, so literally speaking, 802.11 isn't "on" a VLAN. Practically, you can associate individual 802.11 SSID interfaces with a bridge that covers a specific Ethernet VLAN as well. This is common practice for "guest" and "IoT" subnets.

Can I QoS/shape traffic going from VLAN 3 to VLAN 2? Or from/to specific devices? (prioritize/block certain port)

You can shape and filter traffic coming in or out of any interface. You can filter traffic between two interfaces. Typically the two places that are "worth" shaping are the connection to the ISP and the tunnel interface of a VPN. The other interfaces are generally fast enough and have low enough latency that there is little benefit. (Note that nothing that only goes through the switch can be filtered or shaped at that point.)

Does all internal traffic go through the router (I know I sound dumb), or do the packets take the shortest route?

Shortest route -- if the switch can handle the delivery of the packet, it does so. (There is some subtlety with STP and election of the root bridge when there are multiple switches involved.)

Can I use the GUI for most of the configuration for this setup?

LuCI is pretty full featured, so most of the OpenWrt configuration can be done with LuCI directly. Finding a decent "vi cheat sheet" is valuable to learn enough about how to

  • Quit without saving
  • Save and quit
  • Change from command mode to insert mode and back again
  • How to delete and insert lines and characters

(Or install nano, which many find more approachable)

The 16-port switch from TP-Link has a Jumbo Frame of 9KB instead of the standard 15KB, will this affect gaming, streaming, uploading performance?

For virtually all home users, jumbo frames don't traverse their ISP connection. As a result, it only improves things within the network. A specific example would be a file server on the local network with clients that also support jumbo frames. You're looking at about a 5% improvement on throughput over GigE, so it's never been enough for me to configure at home.

Do you think it's worth all the "trouble"? (It is less expensive than a good mid-range router, consumes same amount of electricity, I love spreadsheets)

Yes, I've run managed switches, x86_64/AMD64 routing, and discrete APs for years.

1 Like
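As an added illustration of the SSID-to-bridge-to-VLAN mapping described above (not a configuration posted in this thread), here is how the isolated 2.4 GHz IoT network from the original topology could be expressed in OpenWrt UCI, with the AP bridging the SSID onto tagged VLAN 3 and the router owning the subnet, its DHCP scope and a firewall zone that only allows Internet access. Assumed: VLAN ID 3 as in the original post, `eth0` as the uplink NIC on both boxes, `radio0` as the AP's 2.4 GHz radio, a constructed 192.168.3.0/24 address plan, and the pre-21.02 bridge syntax current when this thread was written; the switch-side tagging of ports 1 and 2 is done in the switch's own GUI and is not shown.

```uci
# --- AP (EAP1300 on OpenWrt): /etc/config/network ---
# Assumed: eth0 is the AP's uplink to switch port 2, carrying VLAN 3 tagged.
config interface 'iot'
    option type 'bridge'
    option ifname 'eth0.3'      # 802.1Q sub-interface, VLAN ID 3
    option proto 'none'         # layer 2 only; the router owns the IP side

# --- AP: /etc/config/wireless ---
config wifi-iface 'iot_ap'
    option device 'radio0'      # assumed: radio0 is the 2.4 GHz radio
    option mode 'ap'
    option ssid 'iot'           # constructed SSID name
    option network 'iot'        # attaches the SSID to the 'iot' bridge above
    option encryption 'psk2'
    option key 'CHANGE-ME-PASSPHRASE'   # placeholder, not a real key
    option isolate '1'          # clients on this SSID cannot talk to each other

# --- Router (OpenWrt): /etc/config/network ---
# Assumed: eth0 is the LAN-side NIC on switch port 1 (VLAN 3 tagged).
config interface 'iot'
    option type 'bridge'
    option ifname 'eth0.3'
    option proto 'static'
    option ipaddr '192.168.3.1'     # constructed address plan
    option netmask '255.255.255.0'

# --- Router: /etc/config/dhcp --- a separate DHCP scope for the IoT subnet
config dhcp 'iot'
    option interface 'iot'
    option start '100'
    option limit '150'
    option leasetime '12h'

# --- Router: /etc/config/firewall ---
# Own zone: IoT may reach the Internet, but not the LAN and not the router
# itself, except for the DHCP and DNS service it needs from it.
config zone
    option name 'iot'
    option network 'iot'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'

config forwarding
    option src 'iot'
    option dest 'wan'

config rule
    option name 'iot-dhcp'
    option src 'iot'
    option proto 'udp'
    option dest_port '67'
    option target 'ACCEPT'

config rule
    option name 'iot-dns'
    option src 'iot'
    option proto 'tcpudp'
    option dest_port '53'
    option target 'ACCEPT'
```

Because no forwarding from `iot` to `lan` is declared, the zone's `forward 'REJECT'` default is what keeps the IoT devices off the wired LAN; adding a forwarding entry towards `lan` later is what would re-open it.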
  1. As long as you find software that you're comfortable with, the RPi4 should do just fine in terms of performance if you're fine with ~400-450mbit. Just set up two different VLAN "interfaces", one that faces WAN/Internet and one for your LAN. It'll work as two separate NICs, however the bandwidth will be shared and it also requires a "smart" switch which the TP-Link isn't. I'm however not sure if there's a distro that supports the RPi4 and has a web interface for network configuration.


#1 As jeff mentioned you can "map" a specific SSID to an Ethernet port or just tag the traffic so you can keep the networks separate if you want, however if you want to venture into VLANs you more or less need a "smart" switch, not one that just doesn't strip VLAN tags.

#2 You can limit transfer rates but it makes little sense to do so on a home network unless you have a bandwidth hog. Under normal circumstances it makes little sense to apply QoS within a home/residential network as you don't usually run out of available bandwidth and most of the time devices will "balance" themselves if you were to use all available bandwidth. You can however apply QoS to traffic going over WAN which is usually enough in most cases. Do not overengineer, approach it the other way around.

#3 In general yes, however if you want to apply QoS and use VLANs on your internal network you may end up routing all traffic via your router which may not be ideal depending on your hardware. This is one of many reasons why you'd want a smart switch as it can process VLAN tags if needed (there are edge cases but simplified). Some switches are also able to rate limit ports, might not be as "nice" as other QoS variants but it is what it is.

#4 Depends on what you're going for, no idea how good the support for RPi4 is using OpenWrt but I guess it should work fine.

#5 Jumbo frames are mainly used to lower load on devices because of the less "processing" of packets. You'll most likely never use jumbo frames as long as the hardware works, it'll also break wifi as the standard can't handle such large packets.

#6 It depends on your requirements, if you want something similar to sophos utm, pfsense, opnsense, untangle etc then yes... If you don't care then probably not. I personally run AMD64/x86_64 boxes running various software and services off a "full" distro but the RK3399 boards are looking tempting (paired with a dual NIC or so) to keep costs down and separate APs running OpenWrt.

1 Like

Oh damn, yea, I just remembered, I meant bridge :laughing: oopsie.
In DD-WRT I had wl1.1 and vlan 3 on bridge 1 and I assigned a separate DHCP server, and it was isolated from the other LAN (shared wifi)

I'm on the nano team :wink:

Thank you very much for the time and effort you took to answer me today - it was very enlightening. And thanks for not judging me

Oops, I meant the SG116E which is supposed to be smart.
The D-Link is PoE which is quite more expensive than the others. The ZyXEL 8 and 16 ports is affordable.

I always prioritize video game consoles in DDWRT QoS, but now that I think about it, you are right, this is done for the WAN, not the LAN :smiley:

@jeff and you convinced me now, I won't bother with Jumbo Frame.

Running an ITX build with amd64 arch would be expensive though. And would consume way more energy. I'm not sure I would do that (but I would love to)
The ODROID H2 seems to be a cheap and easy point to start. I already have a Synology NAS (Way too expensive for what it is when I think about it)

I appreciate the time you took to give me some pointers.

So far I really enjoy this community.

https://www.tp-link.com/us/home-networking/16-port-switch/tl-sg116/
It's not a smart switch at least according to TP-Link =)
Neither of the linked switches supports PoE

By RK3399 I meant something like RockPro64 paired with a dual NIC but support is in early stages
https://www.pine64.org/rockpro64/ + https://www.ebay.com/itm/Fujitsu-D3035-A11-Dual-Port-Gigabit-Ethernet-Network-Card/264291129562

My iTX builds have run well under 20 W at the wall for years now (Celeron SoCs from several years ago). My current AMD64/x86_64 builds, with dual, mirrored SSDs and multiple, active Ethernet NICs idle under 10 W at the wall (PCEngines APU series and ODROID H2 running server distros and, in the case of FreeBSD, multiple service jails with active services). This is less than many all-in-one routers (many require more than 1-2 A at 12 V, so that's 12-24 W, not counting losses in the wall wart), even adding in a few watts for an AP and a switch (I recall that my Cisco SG300-28 and -52 switches idle around 10 W at the wall).

The ODROID H2 has enough power to build OpenWrt in a reasonable amount of time from source (running Debian as OpenWrt is not "self hosting").

2 Likes

https://www.tp-link.com/us/business-networking/easy-smart-switch/tl-sg116e/
Here it is.

Strange, the first time I visited the D-Link url, it says it was PoE, maybe I didn't open the right tab.

For RK3399, thanks I was looking into it right now.

Ahh, I should clarify, by smart I'm referring to a managed switch :slight_smile:

Thanks for that! I'm looking into ODROID H2 with shipping to canada. the only website I found is out of stock.

So for the router, I just install Debian or CentOS for example and follow the guide to compile? I guess I'll ask those questions once I decide on the hardware though.

I'm looking into APs right now. You are right that I shouldn't buy something too expensive as the technology is about to change and become less expensive.

I have a hard time justifying PoE as I don't run an IP camera farm or have a swarm of SIP phones.

If you're power-sensitive (I am, as we have regular power outages where we are and need to run off UPS until I can get the generators up and running), it seems inefficient to convert from mains to 12 VDC to 48 VDC to 12 VDC for the convenience of running PoE.

Aww RIP. So I would need to configure OpenWRT on the router, manage the switch, and manage OpenWRT separately on the AP (3 interfaces)? Wow, this will need some getting used to.

You are right. I prefer to invest in a good UPS, mine died a couple of months ago. And the electricity in my building is sensitive and fluctuates. We also have a power outage once every 2 months which is a pain.

I think what @jeff meant is that you can compile OpenWrt on the H2 for your APs. OpenWrt isn't self-hosting which has both pros and cons. I guess you could run VMWare or something similar and virtualize everything but again overengineering it way too much :wink:

As far as APs go, most if not all of your clients can only do 2T2R at best so they'll never do more than 867mbit anyway (11ac).

You're most likely not going to see cheaper hardware, just better for the same amount.

2 Likes

The H2 comes and goes for availability. Being somewhat unique in its class, it's in high demand. I've worked with Ameridroid here in the US and there is the direct option with Hardkernel as well.

I choose to run server OS on my AMD64/x86_64 devices, but, except for my routers and firewalls, I load them up pretty heavily. If I didn't have the past experience with *nix systems, I'd probably run OpenWrt on a single router for the ease of configuration.

For UPS, I've picked up some used APC SUA750 and SUA1500 units off eBay/Craigslist, as well as the later generation (I forget the model number). They have reasonable support with apcupsd over USB. A fresh set of batteries is around US$80-90, delivered. I get several hours of run time with those, longer than Comcast can keep their end of the cable up and running in a power outage.

Not that it is how I'd do it, as I think a VM on a desktop (or dedicated Linux-based box) is a better plan. More that it is a "real computer" in capability, one that will likely give 5-10 years of solid use, even as demands on hardware increase.

Edit: I purchased the ODROID H2 to replace one of the PC Engines boards, as the 1 GHz AMD64 SoC wasn't enough to build the toolchain and package repos for a server OS in a reasonable amount of time for my desires. It also lets me "retire" my last J1900 board (c. 2013), not because of lack of processing power, but because of concern about it joining the others in the "no beep on boot" bin.

1 Like

I'm not sure I'm following you here, are you suggesting that he runs OpenWrt on the H2? If he's going for x86 it's probably more "useful" to run a distro that is more aimed at x86 (64-bit) and get UTM etc "for free" if we're still talking something that is managed using a WebUI.

As far as UPSes goes, I picked up one of these from Amazon a while ago :slight_smile:
https://www.deltapowersolutions.com/en/mcis/1kva-3kva-single-phase-ups-gaia-series.php (1KVA version)

1 Like

If I were reasonably new to network design and implementation, yes, I'd run OpenWrt on the H2 as a primary router/firewall. Its ease of use and support community for home-router applications are strong advantages over server distros.

(As much as I enjoy working with FreeBSD and tolerate Debian, I'd not want to try to get home-networking support from either of those forums.)


@Extarys' enthusiasm and meaningful conversation have locked them out of further replies as a new user for "11 hours".

1 Like

Well, looks like I'm back - stupid thing. :smiley:
Good morning people! Made a lot of research. This is a two-in-one post. Lots to talk about. Sorry for the longer post.

What I'd like to run on the router:

Requirement: x86-64 or aarch64 (as suggested for long-term support)
1000mbps downlink at most (current ISP dl speed is 400mbps)
200mbps uplink at most (current ISP ul speed is 50mbps)

  • OpenWRT as the router, duh
    Probably could run the following on the router instead of separate?:
  • WireGuard <3
  • IDS/IPS (Snort, others?) - I plan on having fun with python and some libraries and educate myself with IDS methods, eventually... maybe just on a separate Pi.
  • PiHole/DNS server/Tracker blocker
  • AES-NI capable - I love my crypto
  • 1000mbps downlink at most (current ISP dl speed is 400mbps)
  • 50mbps uplink at most

I might eventually also try OPNsense, looks awesome to play with.

Is it standard/normal to run those services on the router? I previously used a Pi for DNS. I never used WireGuard (I mean, on my phone yes with MullVad, but that's it)

Also, should I take into account that I might run FreeBSD/NetBSD/CentOS or something and spin up OpenWRT separately? I haven't decided but if I don't go down that route I may not be able to do everything I want.
I believe Jeff and some others are doing that. I guess it gives you more control over the hardware.

I'm afraid of packet loss, latency etc. My boyfriend would be so angry at me if the network is not 99.9999% reliable (I must respect the SLA!)

SBC - This is mostly what I'm having trouble with

  • ODROID H2 is out of stock pretty much everywhere for now - Also more expensive, but I guess it can run all of that? It's also good for many years as @jeff said.

  • PC Engines wouldn't be powerful enough for everything? Also I'm having a hard time comparing the models, their website is garbage too. No AES-NI. I read it tops at 500/500mbps?? This would be good for a simpler firewall/IDS between a modem and an average router I guess.

  • Mini ITX build - consumes too much power (60+w?), harder to find everything + deals etc, finding a good case blahblah

  • Found some Chinese stuff, but shipping is slow, bunch of stuff I don't need with it too, can be quite expensive for less or similar specs to ODROID H2.

  • I ordered a usb to ethernet adapter and will use a pi just for openwrt until I order the components for the router. I had a Chinese one but I can't find it.

  • I don't want to spend too much

  • Need to justify the expense to boyfriend who thinks this is getting expensive because last time I paid 500 CAD for a router it lasted only 3 years

Now, I have a WRT32X arriving today - I had to, I need a router.

I will return the WRT32X to amazon next week - it is quite expensive when you think I can get a 16 port (!) managed switch and an AP for a similar price.

Current selected hardware (In my cart):
Making sure I get the community seal of approval before ordering - I really don't have the budget to mess this up.

ZyXEL GS1900-16 Switch - 165 $ - Max 10.5w

  • Link Aggregation for my NAS
  • VLAN capable
  • Fully managed
  • It's a switch, it'll be good for many years, normally... I think...
  • Expensive, but I need at least 6 ports, 7 to be comfortable. If I add the AP and eventually another device, I'm screwed, so 16 ports.
  • PoE too expensive, I'll just run an additional cable
  • Lifetime limited warranty

EnGenius AP (EAP1300) - 115 $ - Max 9w

  • Seems to be a trusted brand
  • Not THAT expensive
  • Good CPU/Chip
  • It should still be good in a few years
  • Compatible OpenWRT
  • Dedicated AP at that cost must be better than a regular 115-150$ router's wifi
  • Nice aesthetic

Ubiquiti looks too good, I'm afraid I'll want to stick with their ecosystem and buy expensive stuff. Also, I love open source. They look like the Apple of networking.

The total power consumption right now is the same as my old R8500. But having dedicated hardware allows more flexibility if something fails. And dedicated hardware should perform better doing their own little thing. Also, if I run PiHole on it, I can unplug a Pi 3B, so I guess this is better :smiley:

Adding the SBC/Edge router will bring the power consumption up, now I live in Quebec so I'm lucky, I pay 0.06 $/kWh. I still like efficient components - less $ and less heat.

I hope I didn't bother you.
:beers:

CA$0.06/kWh, I'm envious! I pay ~CA$0.40/kWh

Yes, an ITX build with a comparable processor is likely to cost a lot more than the ODROID H2 by the time you count case, power brick, something like a picoPSU if it doesn't take 12 VDC directly, and a NIC (something like a used, OEM-branded, dual Intel i350 server NIC runs $25-30 on eBay -- see warnings on counterfeit Intel NICs). This is one of the reasons why the ODROID H2 is so attractive (size being another, as the smallest ITX are significantly larger).

The PCEngines boards are very good in terms of design and fabrication, in my opinion. I own four or five of them running FreeBSD or Debian, depending on if it requires "Linux-only" features (Edit: CAKE SQM and kernel-native WireGuard being two, notable, Linux-only features). However, at their price, their older, less powerful SoC makes them more difficult to justify compared to the ODROID H2. My testing indicates that they should be capable of near line rates for routing/NAT without SQM, somewhere around 700 Mbps, aggregate, with SQM. For WireGuard, around 400 Mbps without SQM, 300 Mbps with SQM. Shipping, as I recall, was around $35 USD for a couple of boards, cases, wall warts, and various sundries.

IDS is going to require a significant amount of RAM. At gigabit rates, a huge amount of processing power as well. If I were to guess, you're in the high-end x86_64/AMD64 range to run suricata or snort at those rates. IPS should be approached very, very carefully and only once you've been running an IDS for weeks or months. Otherwise you're likely to end up blocking yourself.

I'm a believer that you shouldn't run any more services than you absolutely have to on your router/firewall devices. I run DHCP, DNS, NTP, ... on dedicated servers or service jails inside my perimeter, not on a security-critical device. Even IDS can be run on a "transparent bridge" between your modem and your router/firewall, or using a monitor port for that line on your managed switch. IDS is also valuable to run on your internal subnets as well, especially those used by untrusted hosts (IoT and all wireless, in my opinion are "untrusted").

Packet loss and latency should be dominated by your modem and ISP, with a sufficiently powerful router/firewall. It's challenging to push enough data locally with a "real world" application for latency to be an issue. Packet loss in your local network, if any, is generally only due to bad cables or hardware.

Yes, I completely agree. It also can ease upgrades and configuration changes by swapping in an "old" unit if things don't go as planned, or swapping in the new one once you've confirmed that it will likely work as expected. (I'm doing that with a Debian 10 build to replace a Debian 9 host's disk array.)

"AP only" devices, at least in my opinion, primarily offer form factor ("aesthetic") and sometimes PoE compared to all-in-one routers. In many cases they have the same SoCs and wireless chips as all-in-ones and may not have as effective RF chains and/or antennas. Remember that the target market for APs is enterprise applications where there are a large number of them to provide capacity and seamless coverage. Home users tend to try to get maximal range out of one or two units. I'm not saying that APs are "bad", but that they aren't necessarily "better" than a comparably priced or less expensive all-in-one.

1 Like

I have the newer flavour of that ASRock (J5005-ITX) and although a great AV/HTPC board, it would not be my first choice to target as an edge device. The H2 is a better choice, hardkernel is indicating the 22nd as the next H2 ship date, usually takes ameridroid about 5 extra days to get their allotment; best to preorder as they go fast, ameridroid is the most cost effective solution I have found for getting hardkernel product on this side of the 49th.

If you are still considering a non X86 edge device, I've got a rango in a shrink wrapped box that has been sitting here for > 2 years.

2 Likes