Home Network Topology Critique

[BeachBum]

I’m trying to plan out my network set up for my new home thats being built. Below is a diagram of what I have I’m mind, do you think this is a good setup or do I need to change things?

My goals:
Phase1

1. Wired Network
2. Wireless Network
3. Guest Network

I am going to have 2 wireless POE APs, 1 on each floor of the house. How do I handle the wifi guest network separation?

Phase 2

1. Wired Network
2. Wireless Network
3. Guest Network
4. Security Camera Network

Phase two add a security camera network. I will need a POE switch for this if I didn’t get one in Phase 1. How should I best implement this?

1. Add it on second NIC on pfSense box? (if I’m using it for the APs then can’t do that?)
2. Add it off the main LAN switch?
3. How do I make the NVR or Synology RAID server accessible from/to both networks, but not the IP cameras? Or should I not do that and keep the NVR also separate? If so, how do I manage/view footage?

 

[abailey]

Personally I think your plan is exactly what I would do. I would use layer2 switches and let the router route between networks. To me it is simpler to do all routing/firewall, etc at one device, for home use. There is nothing wrong with using a layer3 switch in your setup and doing the routing there but it makes it a bit more complicated and I don't think you will gain much of a performance boost in your environment. Now for business networks I usually like to do internal routing on a layer3 switch. Anyway I would just use a separate VLAN for your visitor network. Then use your pfSense to put whatever rules in place you want as far as what from one subnet can see what from another subnet.

 

[cobra_shipwreck]

Not too terribly dissimilar from what I was going to do at the house once I got some things installed.

 

[sfx2000]

I assume those CAM's are regular CATV style, eh?

 

[BeachBum]

I assume those CAM's are regular CATV style, eh?

I don't have a specific model picked out yet, but the plan is for 1080p POE IP cameras. Will start off small, probably 4 then build from there..

 

[sfx2000]

I don't have a specific model picked out yet, but the plan is for 1080p POE IP cameras. Will start off small, probably 4 then build from there..

I would recommend standard CCTV style, and put them on a dedicated DVR - IP cameras can saturate a network... unless they're on their own dedicated distribution - e.g. VLAN's won't fix that...

 

[BeachBum]

Hmm. I'll have to look into that, problem is house is being wired for POE Ethernet to the camera locations, not coax. If saturation becomes a problem maybe I'll have to dial them down, 720p @ 15fps or something like that.

 

[abailey]

Even if you run 1080p with High quality (low compression) and 30fps you are looking at around 12Mbps. My cameras run at 1920 x 1080 at 25fps with moderate compression and they use only 6Mbps each. Even at 12Mbps that would be 83 cameras on a Gigabit link. Now there is other traffic so you could not do 83, but you get the picture. With a Gigabit link you should be able to do as many as you want for a home.
That's one of the things I liked about your diagram. You have the cameras on their own physical LAN back to the router.

 

[BeachBum]

Ok thats good to know. Everything I'm getting for the network will be Gigabit btw...

 

[jarpilles]

Greetings BeachBum,
Your Phase 1 topology is similar to what I have just implemented. A general question to you (and all others), should I disable the firewall features of the ISP modem and use only the router's firewall? I currently have both enabled and am vexed by having to configure both to open selective ports. Is there a downside to using only the router's firewall?
Many thanks in advance.

 

[BeachBum]

Greetings BeachBum,
Your Phase 1 topology is similar to what I have just implemented. A general question to you (and all others), should I disable the firewall features of the ISP modem and use only the router's firewall? I currently have both enabled and am vexed by having to configure both to open selective ports. Is there a downside to using only the router's firewall?
Many thanks in advance.

I will be using my own modem and not any equipment from my ISP. Never had good experiences with the ISP's equipment. To answer your question, yes you should disable all the firewall features and use your own firewall (assuming you have the equipment)..

 

[jarpilles]

I will be using my own modem and not any equipment from my ISP. Never had good experiences with the ISP's equipment. To answer your question, yes you should disable all the firewall features and use your own firewall (assuming you have the equipment)..

Many thanks for your reply - it's what I'd hoped for, but it's always nice to get some corroboration.