On home network setup and router software choices...

[homenet]

Hi Folks! I am building out a home network and am looking for some direction/opinion/advice on how to set it up, router hardware & software choices etc. I am a software application developer, with a, IMO, good understanding of networking concepts. But once I started to list my requirements, I realized that I need to dabble with VLANs, QoS etc. and so, here I am!

Anyways, here is a description of the situation and a list of specific requirements for my home network. I have my QUESTIONs below and appreciate your take on them.

Situation:
* ISP connection comes in to a junction box
* The house has CAT-5/5e LAN cables running from the junction box to various rooms (living room, kitchen and each of the bedrooms - one LAN cable/room)

Plan:
* Build out several VLANs
with internet access:
o Main - Basic ad-block firewall rules, access to file-server (current plan is samba in stand-alone mode)
o Kids - Basic ad-block & more restrictive firewall rules, access to specific home folder on file-server
o Guest - only internet access through wireless SSID
o Sublet - only internet access with bandwidth cap
intranet only:
o Internal - Security cameras that record & save to file-server. Also, play multi-media from file-server on DLNA/VLC client devices

Given tradeoffs between security & convenience, I can't think of a better way to authorize devices than whitelisting device MAC address to each VLAN. Devices used in the house (by me, wife, kids, tenant and security cameras etc.) should be fairly static. However, I will have to whitelist guest device MACs on guest VLAN, when needed.

QUESTION: With this setup, I hope to have the flexibility to get any device (mobile or otherwise) on any VLAN via a wired or wireless (see details below) connection. Does this big picture and approach look right? Is there a better way?

* Wireless
Plan is to use Ubiquiti Network's Access Points with support for multiple SSIDs to extend the VLANs to respective wireless SSIDs

QUESTION: Is this feasible and right way to go about it?

* QoS
o Bandwidth cap on SubLet VLAN
o Give highest priority to VOIP/Skype traffic
* Other basic router functionality
o Status & Stats
o Monitoring & Alerts
o Firewall / Ad-block
o VPN (possible future requirement?)

I did a little bit of research on the available router softwares and came up with this short-list.

* ClearOS
* OPNSense
* ZeroShell
* VyOS

QUESTION: Does anybody have experience with any of these router OSes? Can any of these do all I am looking for? Any specific suggestions given what I need? Any other router OSes I should look into?

With regards to router hardware, I leaning towards a linux mini-pc that I can buy (https://www.amazon.com/dp/B01AAKGRSS/?tag=snbforums-20).

QUESTION: At $198, I can't think the price can be beat. But, if I am wrong, would love to hear about alternatives.

Again, mucho thanks in advance.

 

[System Error Message]

for your network segmentation you dont need that many vlans. Parental controls can be applied per device. If you had a printer shared on the network pretty sure you want both your devices and your kids to be able to use it.

You only need 3 vlans, your main household LAN, guest and security for cameras and such. The problem about having your security on a seperate vlan is that you record to a file server. That file server has to be part of LAN and security so the question is whats the point of a seperate vlan for cameras if you want another network access to the feeds? Can the camera configuration be accessed from a network? If you want to protect access to camera than it is good to have it on a seperate vlan but if you want to be able to view feeds/live feeds than you may not want them on a seperate vlan unless you can some how proxy the feeds.

When it comes to building a router you've missed many OSes. Even a normal linux desktop/server OS can be used as a full fledged router even more so than what any specialised OS offers but it is more of a pain to set up as you have to control every package you want installed, configured and to remove ones you arent going to use. You also forgot pfsense. Ideally with the hardware you want intel NICs for performance and driver reasons. In terms of QoS most specialised linux OS dont offer the level of configurability that a normal linux OS or even mikrotik does as they allow you to create a complicated chain of various algorithms and buffers for QoS so you can take the limited priority of 8 and make it become as many priority levels as you want, as many min/max/burst bandwidth chains you want. Making a really good router is tedious but it can pay off if you are willing to spend the effort.

Avoid big chip celerons. Celerons that come from the desktop CPUs are cut down versions that arent worth their price. If it is a celeron that is from an intel atom that is fine. So if you want a desktop like chip than you're looking at pentium and i3s for budget, if it is intel atoms than you're looking at atoms, celerons and pentiums. If you choose to go for the intel atom make sure it includes hardware encryption that the bigger CPUs have (this feature would be cut out from the bigger celerons along with many other things).

 

[homenet]

System Error Message... firstly, thanks for the informative reply.

* I wanted to enforce parental controls at the network-level primarily because its a single place for definition and enforcement. But you bring up a good point with shared printers.

* Another good point is about having a separate security VLAN. I will most probably start with the main-LAN carrying that traffic. As pointed out, that should help with accessing feeds easily. As long as I can lock down security camera admin functionality, I should be just fine.

* My preferred linux distro is CentOS. I should probably start with a minimal CentOS install and play with it. Based on my requirements, I need to be able to (a) create & administer VLANs (b) Enforce bandwidth caps on VLANs (c) Set priority on certain traffic VOIP/Skype. In your opinion, how easy/difficult is it to configure this on, say, CentOS. I see the rest of my needs (firewall, status, stats, monitoring & alerts) as easily doable on any linux distro.

* How easy/difficult is it to map various VLANs off of a single LAN port to different SSIDs in a wireless access point (say, Ubiquiti APs... I've read good reviews on them)?

* Thanks for the feedback on hardware. Qotom (http://www.qotom.net/category-29-b0-Micro+PC.html) has quite a few micro-pcs to offer and I will keep your suggestions in mind.

 

[System Error Message]

If you're using x86, intel NICs are the best in terms of performance and driver quality. Realtek chips are good with latency but use more CPU and their drivers arent as great. Marvell has terrible latency but lowest CPU usage.

Im not sure about centOS, i imagine you would need to install the software and configure. VLANs for linux are usually done by the CPU so you will have some configuration files to go about. linux network configuration tutorials are widely available. I prefer OpenSUSE, it has worked best for my normal uses but as long as you use a general purpose linux distro your options will be open.

For Qos there are 3 types of identification. Their layer 3 protocol (such as GRE, TCP, ICMP), their layer 7 hash (the software hash which is the most effective way to identify a program like skype) and their layer (layer 2 multicast, TCP/IP, layer 4 (such as VPNs)). Your QoS is only as effective as your configurations and identification. Dont forget to perform QoS on all the other traffic you dont specify.

Regardless of which linux OS you use the configurations will be very similar.

When using active vlans, they must terminate somewhere other than clients if you dont wish to configure clients. If using a single port you will only have 1 passive and the rest active on the router. You may need a managed switch. Not sure about mapping vlans from APs but you can use a managed switch for that instead. Usually some APs apply guest network using layer 3 instead.

Switches, APs can have any IP and still function as their function is layer 2.

 

[Nullity]

I would choose pfSense over OPNSense, mostly because pfSense is a more mature project with a larger user-base.

ZeroShell seemed far too complex and focused more on embedded hardware, so I would not choose it.

I would add IPFire to your list.



If you want the most modern QoS/traffic-shaping, choose Linux (IPFire, VyOS). Linux has fq_codel and the newer "cake" along with many other queueing disciplines.

FreeBSD (OPNSense, pfSense) is often said to have the most respected network stack, but it evolves more slowly, which may or may not be preferred.



For alternative hardware, I would look closely at Ubiquiti (EdgeRouter Lite and EdgeRouter X, particularly) and MikroTik.

 

[homenet]

Whoa... did some reading up and re-learned what System-Error-Message meant by "Making a really good router is tedious but it can pay off if you are willing to spend the effort." !!!

I actually thought my requirements were fairly "standard" (besides the 'SubLet' VLAN)! Any family would like to set up something similar with a samba file-server. I am stunned to find out that all of this has to be built out as a DIY project. 20 years ago, when in my 20s(!), I would have had all the time and more zeal to build out my fine-tuned network. Not so sure now... I wish there was a marketplace for such custom home-nets and SNB would have been an ideal place to offer such a portal. Someone like me comes in with a home network requirement, which gets hashed out in a forum thread and one or more folks bid to get the project hardware + configs, tests and provides as solution. I would be more than willing to shell out $s to get it done.

Anyway, just a thought.

 

[sfx2000]

Thanks for the feedback on hardware. Qotom (http://www.qotom.net/category-29-b0-Micro+PC.html) has quite a few micro-pcs to offer and I will keep your suggestions in mind.

For HW - consider ADI Engineering - nice x86 based boxes, designed in the US, and very high quality...

http://www.adiengineering.com/products/

They are the OEM for Netgate, which is a development parter with the pfSense team.

 

[System Error Message]

Whoa... did some reading up and re-learned what System-Error-Message meant by "Making a really good router is tedious but it can pay off if you are willing to spend the effort." !!!

I actually thought my requirements were fairly "standard" (besides the 'SubLet' VLAN)! Any family would like to set up something similar with a samba file-server. I am stunned to find out that all of this has to be built out as a DIY project. 20 years ago, when in my 20s(!), I would have had all the time and more zeal to build out my fine-tuned network. Not so sure now... I wish there was a marketplace for such custom home-nets and SNB would have been an ideal place to offer such a portal. Someone like me comes in with a home network requirement, which gets hashed out in a forum thread and one or more folks bid to get the project hardware + configs, tests and provides as solution. I would be more than willing to shell out $s to get it done.

Anyway, just a thought.

You might be better off with one of the specialised linux OSes. If you know your needs than you could just use a specialised OS like pfsense but pfsense does not have NAS or SAMBA capability (you can actually do it on pfsense but it is complicated). If you get a quad core x86 you can run WMware and run NAS specialised OS with pfsense. Still none of these specialised OSes offer the capability that a general linux OS does but it all comes down to planning and research. If you have skill and experience than you can plan by checking all of the software you will need to install, what configurations you would need to do and how to secure the box. With a specialised linux OS its more plug and play with less research to do so if you cant find an OS or setup that is easy for your requirements than you would need to spend effort. However some of the fun things you can do with a general linux OS is using monitoring software that provide graphical data that may not be available for a specialised OS.

Generally it is easier to use a general linux OS to do things that you cant normally do with a specialised linux OS. For example using NAS on pfsense but what a specialised linux OS does much easier than a general linux OS is when it comes to the things it is specialised in. I would consider pfsense as easy to configure as any other prosumer router when it comes to the features they both have.

 

[KenZ71]

... I wish there was a marketplace for such custom home-nets and SNB would have been an ideal place to offer such a portal. Someone like me comes in with a home network requirement, which gets hashed out in a forum thread and one or more folks bid to get the project hardware + configs, tests and provides as solution. I would be more than willing to shell out $s to get it done.

Anyway, just a thought.

Be glad to help you spend way more than you need. But why not pickup one of the well ranked routers then look into dd-wrt or merlin's firmware and see what you can do. If you need more then look into the roll your own varieties mentioned above.

 

[Nullity]

It might be best to use a managed switch for all your VLAN stuff.

 

[sfx2000]

Be glad to help you spend way more than you need. But why not pickup one of the well ranked routers then look into dd-wrt or merlin's firmware and see what you can do. If you need more then look into the roll your own varieties mentioned above.

I think OP's requirements are probably beyond consumer grade router/ap's - they might be capable, but are they stable? Even with 3rd party firmware?

There's a price point that folks are willing to step over, and we should respect that...

 

[kvic]

Very good point in general on stability and robustness.

are they stable? Even with 3rd party firmware?

No and no.

From consumer routers I've used, nothing can beat Apple airport basestation in terms of stability and robustness. People like Apple or not, it just runs without crash. I once have an airport running non-stop for more than a year.

There is a market for stable and robust FW at a cost of slower growth of features. And the development model shall be adapted to such goals...

 

[sfx2000]

From consumer routers I've used, nothing can beat Apple airport basestation in terms of stability and robustness. People like Apple or not, it just runs without crash. I once have an airport running non-stop for more than a year.

Robustness is a side effect of good design up front... Airport's were very much part of Jobs' goal of universal access... and as far as being routers/ap's - they just work...

Fun story - but something all should consider... simplicity is easy to explain, but hard to execute, as features always creep in... this is about a DVD authoring/burner program, which if one has ever done anything with DVD's, it's never as easy as it looks - it's more that just putting an mp4/avi on a dvd-rom/dvd-rw...

"We had about three weeks to prepare," Evangelist says. He and another employee went to work creating beautiful mock-ups depicting the perfect interface for the new program. On the appointed day, Evangelist and the rest of the team gathered in the boardroom. They'd brought page after page of prototype screen shots showing the new program's various windows and menu options, along with paragraphs of documentation describing how the app would work.

"Then Steve comes in," Evangelist recalls. "He doesn't look at any of our work. He picks up a marker and goes over to the whiteboard. He draws a rectangle. 'Here's the new application,' he says. 'It's got one window. You drag your video into the window. Then you click the button that says BURN. That's it. That's what we're going to make.' "​

That's what I appreciate about pfSense - it is pure in it's intent - it's a router/firewall, it does it well out of the box... there are knobs/levers to tune/tweak, but the defaults are generally what most folks need...

With routers, gateways, and firewalls - within the SNB scope - simple is better than complicated...

 

[kvic]

That's what I appreciate about pfSense - it is pure in it's intent - it's a router/firewall, it does it well out of the box... there are knobs/levers to tune/tweak, but the defaults are generally what most folks need...

With routers, gateways, and firewalls - within the SNB scope - simple is better than complicated...

Interesting tidbits on Jobs.

pfSense is a competitive offering. It receives lots of praise. No doubt about it. My only problem is its requirement of relatively powerful HW. More likely than not over powered for home use. On one hand people can run more services/applications (e.g. VPN servers etc) on the box. But if you don't, it's unused power. With FreeBSD underneath, it does give people a rock solid foundation (...as robust as macOS lol). And the team behind pfSense has years of experience in tuning its defaults that yields good performance out of the box.

Personally I'm leaning towards a small yet powerful enough box for home use (e.g. ER-X). Lately also read some posts on Mikrotik forum. While our fellow SEM having been promoting Mikrotik over Ubiquiti persistently here, he can't point out one key competitive edge that Mikrotik has over Ubiquiti (which third party developers/mod'ers can borrow too)..

 

[sfx2000]

Personally I'm leaning towards a small yet powerful enough box for home use (e.g. ER-X). Lately also read some posts on Mikrotik forum. While our fellow SEM having been promoting Mikrotik over Ubiquiti persistently here, he can't point out one key competitive edge that Mikrotik has over Ubiquiti (which third party developers/mod'ers can borrow too).

ERL's are under-appreciated, IMHO, and it doesn't help that Ubiquiti seems to pivot the business periodically... but for the price, they are excellent solutions, esp when using their AP's, and things just come together as only a vertically integration solution can.

Microtik's are quite good - I give SEM a good natured hard time every now and then, but I've seen and used them, and they're quite powerful - but not for the amateur - and even as a recovering engineer, some of the settings in their platform are a bit obtuse for me, lol...

Most folks might not know that Airports are based on NetBSD - they have a good QoS implementation, and they're fairly secure - they don't have a lot of options to tune about, and there is no option for 3rd party firmware on them, and some take exception that they're basically Apple devices. And that's ok... plug them in, set them up in a couple of minutes, and let them run.. and forget about them.

 

[System Error Message]

The problem with using dd-wrt is that they do not have UTM features. You cant install an antivirus on it but you can install an anti virus and proxy and other things on edgerouters (though they dont perform those tasks fast), and x86 boxes or any box that can run a general linux OS. If you bought a TILE dev router you could even recompile one of the linux distros you want and install it and use its many cores and total port bandwidth to handle many gigabits of internet and applications, even facebook uses them in their servers to run some of the things such as firewall and apache on 100 core TILE cards.

So its not as simple as what many say as just picking a cheap router and installing dd-wrt on it, you could reuse an old PC you have and not spend a penny and install pfsense on it assuming you get another NIC for it. it really depends on your needs. 3rd party firmware like dd-wrt, tomato and others have their uses and you also have to take into account the hardware that will be used from the RF design, antennas and radio chips used if wifi is what you need to the CPU and RAM used as well. Routers with MIPS CPUs for example do SAMBA quite slowly so just getting a cheap router and putting openwrt on it for using SAMBA is a bad idea. I did it once on a tp-link with a 400Mhz MIPS CPU and my throughput was 2MB/s.

Also for printer and scanner sharing general linux is the best because of cups and xsane which means only the router needs the drivers. The beauty of CUPS is that you can have the printer plugged in somewhere else and shared on the network and it will still work just like as if it was connected to the machine.

So if you want parental controls its the same thing, some routers have them built in for easy use, or you could install the software on a general linux OS that has what you want, maybe an attractive GUI of sorts or you can use a service. DD-wrt or openwrt parental controls arent that great as they were made for you to do lots of things not limit you.

 

[homenet]

If you're using x86, intel NICs are the best in terms of performance and driver quality. Realtek chips are good with latency but use more CPU and their drivers arent as great. Marvell has terrible latency but lowest CPU usage.

Im not sure about centOS, i imagine you would need to install the software and configure. VLANs for linux are usually done by the CPU so you will have some configuration files to go about. linux network configuration tutorials are widely available. I prefer OpenSUSE, it has worked best for my normal uses but as long as you use a general purpose linux distro your options will be open.

For Qos there are 3 types of identification. Their layer 3 protocol (such as GRE, TCP, ICMP), their layer 7 hash (the software hash which is the most effective way to identify a program like skype) and their layer (layer 2 multicast, TCP/IP, layer 4 (such as VPNs)). Your QoS is only as effective as your configurations and identification. Dont forget to perform QoS on all the other traffic you dont specify.

Regardless of which linux OS you use the configurations will be very similar.

When using active vlans, they must terminate somewhere other than clients if you dont wish to configure clients. If using a single port you will only have 1 passive and the rest active on the router. You may need a managed switch. Not sure about mapping vlans from APs but you can use a managed switch for that instead. Usually some APs apply guest network using layer 3 instead.

Switches, APs can have any IP and still function as their function is layer 2.

System Error Message,

was re-reading all the posts today and came upon your sentence "Dont forget to perform QoS on all the other traffic you dont specify.". Could you please explain what you meant by it?

 

[homenet]

Whoa... did some reading up and re-learned what System-Error-Message meant by "Making a really good router is tedious but it can pay off if you are willing to spend the effort." !!!

I actually thought my requirements were fairly "standard" (besides the 'SubLet' VLAN)! Any family would like to set up something similar with a samba file-server. I am stunned to find out that all of this has to be built out as a DIY project. 20 years ago, when in my 20s(!), I would have had all the time and more zeal to build out my fine-tuned network. Not so sure now... I wish there was a marketplace for such custom home-nets and SNB would have been an ideal place to offer such a portal. Someone like me comes in with a home network requirement, which gets hashed out in a forum thread and one or more folks bid to get the project hardware + configs, tests and provides as solution. I would be more than willing to shell out $s to get it done.

Anyway, just a thought.

Interesting tidbits on Jobs.

pfSense is a competitive offering. It receives lots of praise. No doubt about it. My only problem is its requirement of relatively powerful HW. More likely than not over powered for home use. On one hand people can run more services/applications (e.g. VPN servers etc) on the box. But if you don't, it's unused power. With FreeBSD underneath, it does give people a rock solid foundation (...as robust as macOS lol). And the team behind pfSense has years of experience in tuning its defaults that yields good performance out of the box.

Personally I'm leaning towards a small yet powerful enough box for home use (e.g. ER-X). Lately also read some posts on Mikrotik forum. While our fellow SEM having been promoting Mikrotik over Ubiquiti persistently here, he can't point out one key competitive edge that Mikrotik has over Ubiquiti (which third party developers/mod'ers can borrow too)..

Ok... given all the mentions of EdgeRouter, I went through the documentation for EdgeRouter X and feel my depression lift a little bit! So, firstly, thanks to you guys for pointing me in that direction.

From the 30,000 feet level, the EdgeOS user guide (https://dl.ubnt.com/guides/edgemax/EdgeOS_UG.pdf) had all the buzzwords I was hoping to see. Traffic Analysis, Routing, Firewall/NAT, Services, VLAN, QoS, VPN and even CLI (yes, I love CLI so I can script!). I had envisioned a SAMBA file-server to be independent of the router setup (if the router happened to be a general linux OS, I could make it dual-purpose), so... so far so good.

Now, I do have a basic, but rather long, question on VLANs in my context. Would appreciate any clarification.

Lets take "hooking up the living room" as the issue on hand, since this is the most complicated.

In the living room, there needs to be
* 2/3 wireless SSIDs (Main, Kids (optional, if I don't combine into Main), Guest) using Ubiquiti APs that maps VLAN-SSID
* 1 wired connection for Main that will be used by a Roku player

Now all these VLANs will be over the single LAN cable running from the router to the living room. Can I and if so, how is this set up? Lets say I have a EdgeRouter X... I assume I have to create those three VLANs (Main, Kids, Guest) and permit all of them on the ethernet interface where the living room LAN cable is plugged in. Then, do I whitelist Roku MAC address in the Main-VLAN? I assume Roku player is not aware of any VLANs... so I am assuming I need to assign it in the Main-VLAN whitelist. If this works, then do I assign the Ubiquiti AP to all three VLANs (Main, Kids and Guest)? I am not sure if Ubiquiti AP is smart/managed and can be aware of VLANs so that it can be mapped to respective SSIDs.

I might be way off with all of this! Feel free to let me know...

Again, thanks for all your help and comments.

 

[sfx2000]

Then, do I whitelist Roku MAC address in the Main-VLAN? I assume Roku player is not aware of any VLANs... so I am assuming I need to assign it in the Main-VLAN whitelist. If this works, then do I assign the Ubiquiti AP to all three VLANs (Main, Kids and Guest)? I am not sure if Ubiquiti AP is smart/managed and can be aware of VLANs so that it can be mapped to respective SSIDs.

The roku itself will just see whatever connectivity you give it, and on any VLAN - I run my VLAN's on a managed switch rather than on the router itself - it's my router and firewall, and simplicity means much there - and I'm running pfSense... and I only run two VLAN's - one for the "trusted" side of my network (things I manage directly) and the "untrusted" side where my DirecTV MOCA span runs, along with my work laptop - we don't cross the streams then.

VLAN's are powerful tools, but at the same time, do try to keep them as simple as possible, as at some point, you might have to go back in for troubleshooting for any reason.

With regards to UTM and the like - useful in the small/medium enterprise, and certain small businesses, but end-point best practices can do the same thing plus more... one area where a UTM might be beneficial, is if one is running one's on mailhost for inbound SMTP traffic - and then perhaps, but even there, better to do on the server side.

Going with the EdgeRouter, a decent managed switch, and a couple of UniFI's, you'll be right as rain - bit spendy perhaps, but like I mentioned earlier, the integration aspects are pretty compelling - single source of support if things need a bit more help.

Last tip - review your requirements and sort them out to needs and wants - needs are a must, and the wants are nice to have - but the nice to have items can totally kill your budget. Take it from me, having worked on very large networks (carrier grade), throw everything on the board, and then start peeling things off that list.

 

[kvic]

Now all these VLANs will be over the single LAN cable running from the router to the living room. Can I and if so, how is this set up? Lets say I have a EdgeRouter X... I assume I have to create those three VLANs (Main, Kids, Guest) and permit all of them on the ethernet interface where the living room LAN cable is plugged in. Then, do I whitelist Roku MAC address in the Main-VLAN?

Surely possible. The three VLANs going through a single LAN cable between ER-X and the living room where a managed switch connects to ER-X as well as fans out the virtual LANs to different devices both wired or wireless. I suspect you need the new per-port VLANs feature to accomplish this task. Also on ER-X, you can limit the three to different access rights e.g. Guest for Internet only, Kids for intranet and filtered internet and Main with everything.

I assume Roku player is not aware of any VLANs... so I am assuming I need to assign it in the Main-VLAN whitelist. If this works, then do I assign the Ubiquiti AP to all three VLANs (Main, Kids and Guest)? I am not sure if Ubiquiti AP is smart/managed and can be aware of VLANs so that it can be mapped to respective SSIDs.

End devices need not know VLANs which are a concept/facility between routers and switches. So I doubt you'll need special setup on Roku. Most VLAN material around Asus forums here are into the nitty gritty inside a switch. People can avoid that level of details with a managed switch and its GUI.

One Ubnt AP's can join multiple VLANs - perfect for Main, Kids and Guest. I would guess three corresponding SSIDs are required. You may have to look into its manual/forums for details...