Help on Home Network Design

[aps]

A new thread that attempts to pull together all the thoughts on a new home network design. Current set-up is an ASUS RT-AC86U running Merlin with 100/50 WAN connection and a guest Wi-Fi network set-up for IOT devices. We don’t access the network whilst out of the home so don’t run a VPN other than when working from home in which case, I’m using a VPN Client connected to the work VPN Server. My requirements going forward are to

• address work requirement to secure work computer from the remainder of the home network (whilst allowing this computer to access specific services on the network, e.g., printer, Roon media)
• address security risks associated with smartphones, laptops that family members use on public Wi-Fi etc. (whilst allowing this computer to access specific services on the network, e.g., printer, Roon media)
• be able to take advantage of a planned infrastructure upgrade that will give a 1GB internet download connection
• simple to configure set-up (concerned that complex config. will result in mistakes and downtime)

I have, then, considered a few main paths forward:

1. Tweak existing set-up via adding a second router that puts the work computer on an entirely different network and take advantage of another Guest network on the RT-AC86U to host the smartphones, laptops etc. This approach keeps me in the consumer domain which is good, but it won’t be possible for the work computer and family devices to access printers etc which is a major issue. Also, it seems as if 1GB might be problematic with RT-AC86U or a replacement.
2. Restructure the network around separate router, switches and access points using VLAN to provide the segmentation. This approach seems like a lot more effort but, potentially, rewarding although I am concerned about my capability to configure (fine to follow instructions and do a bit of problem diagnosis but don’t have the context if things get too complex).

It’d be good to know if my assessment of the two options is correct. Re (1): My default answer in terms of equipment is to use pfSense Router, Cisco SG350-10mp switch and UniFi AP-AC-Pro (which are available from work as used spares at nominal cost). The thinking here is that the reliability of the Cisco switch outweighs benefits from extending the UniFi dashboard to show both the switch and access point portions of the network. I'm not sure if this statement is correct so feedback would be helpful. The bigger question seems to be about the router and, specifically, whether pfSense is a sensible option given that I'd have to follow existing recipes from the community forums and videos as I don't have the base knowledge in networking. I guess an alternative might be something like Firewalla Gold in router mode. Any and all advice on the best path for a router would be much appreciated. Thanks, in advance.

Edit 1. I'm not concerned, at this point, about >1GB WAN connection as this is in our distant future. The idea of 10G switch has an attraction but the value proposition is limited as none of our devices support 10GB and it's rare to push large files around the house other than videos which Plex plus current 1GB LAN seem to handle fine. Let me know if I'm missing the point.

Edit 2 The reason for the separate router and switch (rather than a combined router | switching) is that these are separate tasks that are best done in separate devices. Again if this doesn't make sense then let me know.

 

[aps]

I've been giving this a bit more thought to the design and realise that I don't fully understand the advantages / disadvantages of the different structured networks shown in the picture below. My assumption has been to use Model 1 on the basis that it's more flexible that Model 2 and simpler than Model 3 but, in reality, I don't feel qualified to assess. What are the situations in which each of the these models excels?

 

[aps]

Suspect that original post was in the wrong forum (WAN|LAN) so I've reworked into this forum in the absence of knowing how to move a thread:

I am considering a re-build a home network that is currently built around ASUS RT-86U / Merlin with one goal being to address security concerns via segmenting network for (wired) work computer, (less trusted) laptops & smartphones and (un-trusted) IoT devices. Other goals include being better positioned for a planned upgrade to 1GB internet connection and being able to implement fulsome rules on web-filtering etc. now that our son as a (school) iPad. One option is to stick with ASUS RT-AC86U + Merlin with others being Firewalla Gold and Protectli + Untangle with these latter two supporting VLAN which will be helpful in dealing with segmentation of wired computers of different trust levels. One question as I think through this has been the advantage / disadvantage of the different structured networks shown in the picture below. My assumption has been to use Model 1 on the basis that it's more flexible that Model 2 and simpler than Model 3 but, in reality, I don't feel qualified to assess. What are the situations in which each of the these models excels? Thanks in advance for a

 

[coxhaus]

Model 2 is old school before VLANs existed. Model 1 is classic VLAN structure. Model 3 is what evolved when VLANs got bogged down and routers could not keep up with switched traffic. Model 3 is the most powerful setup.