I finally have my desired VLAN-based setup running (Linksys WRT1900 as a router, not using its AP; 2x Netgear R6220 as AP, 1x TP-Link WDR-4300 as AP, using 3 SSIDs with dedicated VLANs/LANs, OpenWrt 22.03), but I found that mixed WPA2/WPA3 doesn't run in a stable fashion.
So now I need 2 or 3 cheap routers or access points that can run OpenWrt to replace my existing APs. My requirements are as follows:
rock-solid WiFi on both 2.4 and 5.0 GHz; 802.11AC on the 5 GHz band would be sufficient, a better standard would be preferred
I need to support at least 25-30 devices (roughly 10 on two APs each, plus 5 on the 3rd AP)
must support VLANs
only 1 Ethernet port strictly required (but 2 or more would be a plus)
16 MB flash or more
128 MB RAM or more
must support multiple SSIDs (I use 3 right now, but ideally they would support 4 or even 6)
WPA2/WPA3 mixed mode must be supported and stable
I've tried to find recommendations here in the forum, but I've not yet found a device that seems to definitely fit the above requirements and is ideally still available for purchase on Amazon (but I would also buy "used", if nothing else).
Can you make a recommendation? What about the TP-Link TL-WDR4900, would it fit my requirements? (Not available for purchase as "new", of course...)
I'm not sure about the WPA2/3 mixed mode (because I have not tried, it's there but I don't know about stability) but everything else should be covered by Zyxel M1 / WSM 20.
It has 128MB flash, 256MB RAM, 4 rj45 GBit ports, 802.11ax on both, 2.4GHz as well as 5GHz. I'm running 10 vlans and 6 SSIDs with no problem.
I currently only have 5 devices on a single AP, but I see no reason why that should be anywhere near the limit.
They can be had for 120€ for a pack of three at amazon.it and amazon.fr at the moment. Amazon.de wants 130€. Amazon.co.uk charges £90 plus tax for them, which should be roughly the same ballpark.
I got mine two weeks ago for 80€ for a pack of three on amazon.es, but there they are back up to 200€.
Mixed WPA2/WPA3 mode really is essential for me, so before I shell out the money I need confirmation from someone that this device is really stable and "compatible" in this mode. (When I set this up on my R6220 then many devices are unable to connect, it's really weird... Found something here on this forum, it seems to be a well-known issue...)
If you have some devices that can use WPA3 and some that cannot then WPA3/WPA2 is a must in my opinion, it is far more secure. The WPA3 devices will connect using WPA3.
I believe you're right. A combination of protocols is only as secure as the weakest link -- and that would be WPA2 in my case where I "require" WPA2/WPA3 combined.
So I tend to agree that setting it up to use WPA3 for my as-strong-as-possible "home" network and to use WPA2 for my IoT network (which is "data-link layer-separate" from my "home" network as I use VLANs) would be advisable.
The problem is unfortunately that not all my (supposedly "secure") home devices can actually do WPA3. I have a pretty old printer that can only do WPA2. So I guess I better put it into the "IoT" VLAN and only allow very specific routes to pass between the "IoT" lan and the "home" lan...
FWIW, WPA2-PSK combined with Force CCMP (AES) is plenty secure for my purposes with a proper password.
Sure, high end graphics cards can brute force guess billions of passwords per second today, but I don't think a password with ~5*10^25 combinations - one that includes upper case, lower case, numbers, symbols and 13 or more characters - is going to be cracked in any time frame that matters.
Currently my "home" and "IoT" lans are completely separate (at least in the direction of "IoT" -> "home"; I can connect from "home" to "IoT", though). That would allow me to "print" to the printer, but the printer (multi-function center) can also scan documents and upload them to my NAS with FTP. To make that work I would need to allow (just) the printer to pass thru the firewall for SMB to reach the NAS.
Of course, that would be a risk again (if the printer is compromised, someone could access my NAS...). "Perfect" solution would be to throw away the printer and purchase a new device, which would mean a cost of several hundred Euros... ;-(
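The single-host exception discussed in the last post could be written like this in `/etc/config/firewall` on the OpenWrt router. This is an added example, not configuration posted by anyone in the thread; the zone names `home` and `iot`, both IP addresses and the MAC address are constructed placeholders, and TCP 445 is used because the post names SMB.

```uci
# /etc/config/firewall (excerpt)
# Zone names, IP addresses and the MAC address are constructed placeholders.

# One-way policy as described in the thread: home may reach iot,
# and there is no forwarding in the other direction.
config forwarding
	option src 'home'
	option dest 'iot'

# Too broad: a zone-wide forwarding like this would let every IoT
# device reach every home host. Shown commented out for contrast.
# config forwarding
#	option src 'iot'
#	option dest 'home'

# Narrow exception: one source host, one destination host, one TCP port.
# Change dest_port if the printer uploads over a different protocol.
config rule
	option name 'Printer-to-NAS-SMB'
	option family 'ipv4'
	option src 'iot'
	option src_ip '192.168.30.50'
	option src_mac '00:11:22:33:44:55'
	option dest 'home'
	option dest_ip '192.168.10.20'
	option dest_port '445'
	option proto 'tcp'
	option target 'ACCEPT'
```

Static DHCP leases for the printer and the NAS keep the addresses in the rule valid. On the NAS side, a dedicated account that can write only to the scan share limits what a compromised printer could reach through this rule.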