Desperately need advice on upgrading my slow mixed network (SRP541W)


@walkabout - You're on the right track. Considering your goals, budget and the current supply chain constraints, I'd recommend a full TP-Link Omada stack of managed components (i.e. all VLAN-capable, which is what you need for proper network segregation), including an Omada router/firewall, which may well give you enough features that you may not need a pfSense box, while giving you a single, centralized control plane over all component layers (WAN, LAN and WLAN).

After setup, I would test firewall functionality inside of your return window, and if it falls short, simply return and swap in whatever firewall solution floats your boat (Firewalla Gold, NetGate SG series, Untangle Z series, a Protectli/Qotom do-it-yourself box, etc.).

If the above sounds agreeable, then here's your materials list (I'm making an educated guess on switch sizing):
  • Router/Firewall: TL-ER605 ($60) for desktop or TL-ER7206 ($150) for rack-mount
  • Core Managed PoE Switch: TL-SG2428P ($500)
  • X# of Managed Access Switches: TL-SG2008/2008P ($67 ea / $90 ea) -- Example: (2) 2008's = $134
  • 2+ Wifi 6 APs (one on each floor, minimum): TL-EAP660HD ($180 ea) -- x2 = $360
  • OC200 Omada Controller ($90)
So, for about $1100 or so, you can have a fully VLAN-aware, SMB-grade network with Wifi 6, all controllable from a single, local (non-cloud) interface. It may not be supported quite as long or as thoroughly as a full Cisco stack, but it will be close, and certainly viable enough for almost any home need, IMHO.

Here's a pretty thorough Omada setup video. Note: the ability to opt out of cloud connectivity completely (shown at about the 3:45 mark).

If you have any further questions or want more guidance, feel free.

This is great info. Exactly what I need. I'll start reading up on them and make a choice between the different models. Yeah, NO cloud is my number one priority, so I'm glad that's not forced.

I think the only question I have is what's the point of the OC200 Omada Controller? Doesn't the router have the software I need to manage the network, or did TP offload all of that to a separate machine/cloud? My Cisco everything is in the router. This is a new concept for me.
 
@walkabout - Very welcome.

Regarding the network controller, TP-Link uses the same discrete approach as Ubiquiti UniFi, offloading it entirely to a standalone install, which must be reachable from the management subnet of all controlled devices [router, switch(es) and AP(s)]. The controller can be run in any number of ways -- baremetal install on an always-on PC or server, VM/Docker if you have a virtualization environment already, or via the "easy button", aka the pre-fab appliance (OC200 for Omada, CloudKey for UniFi). You can certainly run the controller any way you like, but the nice thing about the OC200 is the ready-to-go, turn-key nature and the fact that it doesn't share a failure domain with anything other than itself.

TL;DR - The main alternative to discrete controller systems is embedded controller systems, where the control plane is integrated into the firmware of the nodes themselves (router, switch and/or AP). Examples of this would be Cisco CBS/CBW, Ruckus Unleashed and Aruba Instant/Instant-On. The benefit is you typically get the highest reliability of the controller itself, with things like multi-master failover (i.e. the controller instance can be instantly failed over to another node, promoted as the new "master", if the current controller master fails), but the limiting factor in the space (at least as of right now) is that there really aren't many (any?) ecosystems available that offer control over all component layers (WAN, LAN and WLAN) like you get with UniFi and Omada, at least none that are local-admin only. So, if simplicity and fewer control planes are of high appeal, the discrete approach is usually the better way to go, at least in this segment (full control via embedded controller is more present in enterprise-class stuff, but it's MAJORLY expensive, and really way too overkill for any home setup, even if budget is no issue).

Sidebar #2 -- here's an example of something more disjointed that still runs well, but you can see the difference in controllability. For my setup, I run a Ubiquiti EdgeRouter (would not recommend at this point, as they're about to EOL it), HP 2530-series switching (enterprise class, admin via CLI) and Ruckus Unleashed APs (the absolute best APs you can buy, period, but really expensive if not purchased refurb/eBay). It all works beautifully, but I wouldn't recommend it to the average Joe, as it's three separate control planes to administer (for example: every time you want to edit a VLAN across the entire network). With something like Omada, it's many, many fewer logins and clicks.

Hope that helps to clarify your question, and then some!
 
* COMCAST 1200 Mbps connection
* Motorola MB8600 DOCSIS 3.1
I use the same setup and lag 2 ports into the MB8600 to get the over provisioned speeds.

* Separate router and AP hardware. This way I can upgrade my APs independent of the router.
AIO units are simple but expensive to replace. Good choice!

Router should be able to support incoming VPN (in case I set that up), and have a firewall, and allow for setting up VLANs with any number of AP/Ethernet assignments.
This is where a proper Switch comes into play.

  • Router/Firewall: TL-ER605 ($60) for desktop or TL-ER7206 ($150) for rack-mount
  • Core Managed PoE Switch: TL-SG2428P ($500)
  • X# of Managed Access Switches (Non-PoE/PoE): TL-SG2008/2008P ($67 ea / $90 ea) -- Example: (2) 2008's = $134
  • 2+ Wifi 6 APs (one on each floor, minimum): TL-EAP660HD ($180 ea) -- x2 = $360
  • OC200 Omada Controller ($90)
I built my own "router / FW" using a PC + Linux. My setup is a bit overpowered for simple networking as I'm running multiple "features" on the same box, but you could easily translate it to a networking-only solution using a cheaper option.

Taking a PC format mATX setup keeps it smaller / cheaper.

SFF PC - ~$150

NIC for WAN/LAN
4 port 1GE NIC - ~$50
or
4 port 5GE NIC - ~$200

This gives you the foundation for the Router / Firewall / monitoring / etc.

POE switches anywhere from $50+ depending on the speed / density
If you opt to go single switch + POE it's more expensive than breaking it out into 2 switches. Since you don't have a bunch of POE devices currently, a 5-8 port would work, and if you want to add cameras or more POE-dependent devices you can add more switches. ~$200-$250

AP's - I use Zyxel and WIFI 6 options are either $130 for a 2x2 w/ 1GE POE or $160 for 4x4 w/ 2.5GE POE

Total... ~$600-$800 depending on how much speed you want out of it.

Going with my configuration I'm using I can hit 1.5gbps over WIFI on the LAN. With the setup above you should still be able to hit your limit until the next round of tech hits the market. You could go 6E on the AP's but, those are coming in still at ~$750/ea.

For the VPN side... depending on how you're planning on using such a setup, the horsepower afforded by the SFF PC option should give you line-speed performance with WireGuard-based options. I've used Nord for the past 4 years now; WG is about line speed and OVPN is 50% of that. With the Linux setup it auto-connects upon boot and protects the entire network. I tested some other providers, but there were some caveats to getting the clients to connect upon reboot, such as automating login to desktop to get them to launch / connect.
 
@Tech Junky - Your proposed setup is certainly an option as well. Not sure how much @walkabout wants to get into DIY'ing his own x86-based firewall, but more CPU firepower for your dollar can definitely be had that way, for sure. And Zyxel is also a nice option for SMB-grade, centralized wifi and switching, albeit their most seamless control plane (Nebula) is cloud-based. They can of course be administered locally instead, which I presume is what you run?

Overall, there are several ways to skin this cat. We've certainly offered up two good ones. *thumbs up*
 
The controller can be run in any number of ways -- baremetal install on an always-on PC or server, VM/Docker if you have a virtualization environment already, or via the "easy button", aka the pre-fab appliance (OC200 for Omada, CloudKey for UniFi).

Damn. Docker didn't even cross my mind. And there is a very popular image available for it:

mbentley/omada-controller
 
(Nebula) is cloud-based. They can of course be administrated locally instead, which I presume is what you run?
I run them in stand-alone mode because it's more private and I don't have to rely on an outside source to be working when I need to make changes. With all of the AWS outages and others, relying on external services for controlling things is risky. There are tons of "keys" options you can use for WLCs if relating to Cisco to offload the centralized control to a dedicated piece of HW.

Since we're talking about a handful or less of AP's the SA option isn't too cumbersome since you set them and forget them until you want to update the FW or adjust the channels / add / remove SSID/VLAN configurations. Using something like SecureCRT to manage them w/ saved sessions works well.
 
I think it is a bad decision to spend $500 on a TP-Link switch. Look for a used Cisco switch or buy new. The Cisco switch will be much better.
 
I guess I have another question. You mention both Core Managed and just Managed switches. Why the TL-SG2428P? That's not exclusively for PoE cameras, is it?

  • Core Managed PoE Switch: TL-SG2428P ($500)
  • X# of Managed Access Switches
 
By "core", I meant your root-most switch, closest to the internet (i.e. directly cabled to your router/firewall). In the proposed setup, that would actually be the built-in switch on the TL-ER router itself, but discretely it would be the TL-SG2428P, into which you'd want to directly home-run as many endpoint devices as possible. In general, you want the widest backplane handling as much of your LAN as possible, keeping local traffic efficiency and throughput as high as possible.

By managed "access" switch(es), I was referring to any switch downstream from your core switch, uplinking any wired endpoints that may have to share a single backhaul wire (ex: providing multiple ports to your apartment tenant, uplinked over a single ethernet run).
 
If you want to do VLANs you need to use managed switches for the additional control / tagging. They can be as cheap as $50.

For the AP's / VLANs an unmanaged switch hanging off the pricier managed switch is fine as it just passes the packets upstream to be handled by the higher end switch. This is where the POE portion would be handled at a cheaper cost per port.
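The two topology points made in this thread (the controller must be reachable from the management subnet of every device it adopts, and a managed switch is what actually enforces VLAN tagging, with an unmanaged switch simply passing whatever its uplink carries) can be checked on paper before anything is cabled. The following is an added example, written for this page and not code from the thread, TP-Link or any participant; every node name, port name and VLAN ID in it is constructed. It models the planned layout as ports that carry sets of VLANs, then reports managed devices the management VLAN never reaches and endpoints the tenant VLAN reaches that it should not. It goes slightly beyond the thread by also flagging the case where an unmanaged switch hangs off a trunk: everything behind it sees every VLAN allowed on that trunk port, so the trunk's allowed list is the real boundary.

```python
"""Added example (not from the thread): L2 reachability checks for a planned VLAN layout.
Each managed port carries a set of VLANs (an access port is a one-element set, a trunk a
larger one); an unmanaged switch has no config and forwards every frame. The checks ask
whether the controller can reach every managed device on the management VLAN and whether
the tenant VLAN leaks anywhere it should not. L2 only: the router's inter-VLAN firewall
is a separate L3 control. All names and VLAN IDs are constructed."""
from collections import deque

MGMT_VLAN, TRUSTED_VLAN, TENANT_VLAN = 10, 20, 30          # constructed IDs


class Node:
    """A router or switch; ports maps port name -> frozenset of VLANs it carries."""
    def __init__(self, name, managed=True, ports=None):
        self.name, self.managed = name, managed
        self.ports = {p: frozenset(v) for p, v in (ports or {}).items()}

    def carries(self, port, vlan):
        # An unmanaged switch cannot enforce any boundary: everything passes.
        return True if not self.managed else vlan in self.ports[port]


class Topology:
    def __init__(self):
        self.nodes, self.links, self.endpoints = {}, {}, {}

    def add(self, node):
        self.nodes[node.name] = node

    def link(self, a, pa, b, pb):              # one cable, recorded in both directions
        self.links[(a, pa)], self.links[(b, pb)] = (b, pb), (a, pa)

    def attach(self, endpoint, node, port):    # an end device, or a switch's own mgmt IP
        self.endpoints[endpoint] = (node, port)

    def reachable(self, src, dst, vlan):
        """True if frames in `vlan` have a path of ports carrying it from src to dst."""
        node, port = self.endpoints[src]
        goal_node, goal_port = self.endpoints[dst]
        if not self.nodes[node].carries(port, vlan):
            return False
        seen, queue = {node}, deque([node])
        while queue:                           # breadth-first search over cabled links
            cur = queue.popleft()
            if cur == goal_node:
                return self.nodes[cur].carries(goal_port, vlan)
            for (n, p), (nxt, nxt_port) in self.links.items():
                if (n == cur and nxt not in seen and self.nodes[n].carries(p, vlan)
                        and self.nodes[nxt].carries(nxt_port, vlan)):
                    seen.add(nxt)
                    queue.append(nxt)
        return False


def mgmt_gaps(topo, controller, managed_devices):
    """Devices the controller can never adopt: MGMT_VLAN does not reach them."""
    return sorted(d for d in managed_devices if not topo.reachable(controller, d, MGMT_VLAN))


def vlan_leaks(topo, vlan, permitted):
    """Endpoints outside `permitted` that `vlan` can still reach at L2."""
    src = sorted(permitted)[0]
    return sorted(e for e in topo.endpoints if e not in permitted and topo.reachable(src, e, vlan))


MANAGED = ["core_switch", "tenant_switch", "ap1", "ap2"]   # what the controller adopts
TENANT_OK = ["tenant_pc", "router_gw"]                     # legitimate tenant-VLAN endpoints


def build_plan(uplink_mistake=False, ap_trunk_mistake=False):
    """Constructed plan: router -> managed core -> managed tenant switch, plus an
    unmanaged PoE switch feeding two APs. The flags inject two common mistakes."""
    t, every = Topology(), {MGMT_VLAN, TRUSTED_VLAN, TENANT_VLAN}
    t.add(Node("router", ports={"lan1": every}))
    t.add(Node("core", ports={
        "p1": every,                                                   # uplink to router
        "p2": {MGMT_VLAN, TENANT_VLAN},                                # to tenant switch
        "p3": every if ap_trunk_mistake else {MGMT_VLAN, TRUSTED_VLAN},  # to AP switch
        "p4": {MGMT_VLAN},                                             # controller
        "p5": {TRUSTED_VLAN},                                          # trusted desktop
        "cpu": {MGMT_VLAN}}))                                          # switch's own mgmt IP
    t.add(Node("tenant_sw", ports={
        "p1": {TENANT_VLAN} if uplink_mistake else {MGMT_VLAN, TENANT_VLAN},  # uplink
        "p2": {TENANT_VLAN},                                           # tenant's PC
        "cpu": {MGMT_VLAN}}))
    t.add(Node("ap_sw", managed=False))                                # unmanaged PoE switch
    t.link("router", "lan1", "core", "p1")
    t.link("core", "p2", "tenant_sw", "p1")
    t.link("core", "p3", "ap_sw", "p1")
    for name, node, port in [("router_gw", "router", "lan1"), ("controller", "core", "p4"),
                             ("desktop", "core", "p5"), ("core_switch", "core", "cpu"),
                             ("tenant_switch", "tenant_sw", "cpu"), ("tenant_pc", "tenant_sw", "p2"),
                             ("ap1", "ap_sw", "p2"), ("ap2", "ap_sw", "p3")]:
        t.attach(name, node, port)
    return t


def audit(topo):
    return {"mgmt_gaps": mgmt_gaps(topo, "controller", MANAGED),
            "tenant_leaks": vlan_leaks(topo, TENANT_VLAN, TENANT_OK)}


if __name__ == "__main__":
    for label, kw in [("correct plan", {}), ("uplink missing MGMT", {"uplink_mistake": True}),
                      ("AP trunk carries tenant VLAN", {"ap_trunk_mistake": True})]:
        print(label, "->", audit(build_plan(**kw)))
```

With the correct plan both lists come back empty. Forgetting the management VLAN on the tenant switch's uplink makes `tenant_switch` unadoptable, and allowing the tenant VLAN on the trunk to the unmanaged AP switch puts both APs (and anything else plugged into that switch) inside the tenant's broadcast domain, which is exactly the segregation the managed switches were bought to provide.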
 
I think it is a bad decision to spend $500 on a TP-Link switch. Look for a used Cisco switch or buy new. The Cisco switch will be much better.
I see a bunch of used Cisco switches on eBay, such as WS-C3560X-24P-S, WS-C3750X-48PF-S, SGE2010, etc. Which one would you recommend for the main switch?
 
Stick to Omada SDN switches if you are going to build an Omada setup. Follow @Trip's advice.
 
I told you already in post 18 I would perhaps go with Omada because of the price/performance ratio. You may need more access points, depending on apartment layout and building materials, but you can add them later.
 
TP-Link Omada is a different class product. Don't confuse home routers with SMB. It works properly and gets the necessary updates. If you read SMB more you'll find @coxhaus knows nothing more than Cisco and mostly old products. When he retired Gigabit Ethernet was a new technology. ;)
 
TP-Link Omada is a different class product. Don't confuse home routers with SMB. It works properly and gets the necessary updates.
If I can find them! Where do you guys shop? I need something other than Amazon, but my normal place (B&H) doesn't have everything recommended. USA-based shopper, here.
 