Padre, Bryan, and fellow KitAs

[G+_Chad Lawson]

Padre, Bryan, and fellow KitAs,

 

I'm looking to re-build my home network using some tips I picked up from the recent KH networking episodes.

 

I'm looking to create a network with four "zones" if you will:

1) Personal devices. My laptop, my wife's laptop, a desktop computer, our phones, tablets, etc. Things with an actual driver behind the wheel to handle updates and the like.

2) A guest network.

3) Server devices like a file server and such.

4) iOT devices that may or may not be secure. (I built a few of them, myself)

 

Ideally I'd like for zone 2 and 4 to ONLY be able to see the internet and, if realistic, not ever see other devices in that zone. I'd like zone 1 to be able to see and administer devices in all the devices, but for the other zones not to be able to see back into zone 1 unless necessary.

 

As for hardware, I already have my own (non-cable-company-provided) modem, and I'm wide open on make/models for the router to handle the above.

 

For wireless, I need at least 3 APs to provide coverage for the house. I'm able to run ethernet to each of the APs rather than using repeaters if that's better.

 

My budget for this project is around $500, but as usual, lower is better.

 

My tech-savvy level is pretty high so I'm open to either using a pre-canned system or building something using DD-WRT.

 

What are your thoughts?

 

[G+_Travis Hershberger]

Wired is always better when possible, so stick to wired for at least the access points.

 

For that price I'd get a Ubiquity ER-POE @ $150, and 3 UAP-AC-LITE @ $80 each. I'd normally recommend the UAP-AC-PRO, but those are $150 each, so would put you over budget.

 

Take care of all the VLANS with the router, it provides power to each of your access points, and the last Port for a switch, you should be Golden.

[G+_Chad Lawson]

Thank you, Travis Hershberger. I'm looking at those now. I'm not opposed to going over budget if it's the right solution.

[G+_Travis Hershberger]

Chad Lawson?. The big difference between the two is the pro models use multiple radios, whereas the lite only had a single radio.

 

One gotcha with the lite models is that Ubiquity has changed the PoE standard they use in the latest production runs, so those could be either the 24v or the 48v PoE standard. The pro models have always been the latest 48v standard.

[G+_David Wiggins]

Even with VLANs, you should make sure the firewall/router explicitly blocks the traffic from the guest and iot zones.

 

Also, I can't post on a networking topic without evangelizing pfSense.

 

pfS is a free BSD firewall that handles this kind of thing beautifully. If you have an old PC and spare network card, it can handle router and firewall functions (As well as goodies like traffic analysis and VPN server).

 

As long as the network card can read them, it supports tagged VLANs.

 

You can set up aliases for custom firewall rules and routes. The forums and subreddit are great, too.

[G+_Benjamin Webb]

Yeah looking at your setup it looks like you have only two real zones. Stuff you trust which is file servers and personal devices (guess you could separate these and only bridge for whitelisted devices but that can be done at the authentication level with samba).

 

Then there is the stuff you don't trust IOT and guests. I just put these on a guest wifi network and have the flag set with openwrt so that the devices cannot see each other and only see the internet (Think DD-WRT may also have this). Granted wifi is slower than a wired connection but I don't know many people that let guests jack into their network and most portable devices or IOTs lack the jack anyway nowadays.

 

Short of spending a bunch on money on enterprise grade equipment or endless custom configuration I suggest the setup above.

 

Could I configure a four zone network with bridges to a file server, yes but would need a high end switch to handle the bridging to only let select devices see the servers and then there is the chance of making a mistake as there is nobody there to audit you.

 

You could do 2 VLAN(trusted, guests) with one device isolated wifi for IOT and guests, and one normal wifi. Only the bridging to the servers and isolated the IOT devices from everyting but the internet portion makes your setup impractical with normal consumer hardware. You could do this with a VLAN aware switch and a flashed router.

[G+_Ben Reese]

I haven't tried their router yet, but I love the Ubiquiti APs. If you have the $$$ to spend, Travis Hershberger's suggestion probably gets my vote. It's the closest to an out-of-the-box solution and Ubiquiti makes good hardware regardless. Depending on the size of your house, you may only need one AP. Some reviews are reporting a 150 ft radius outside their house with 1 AP. I'm covering most of a 22,000 old school building with 2 older model APs and I have a 3rd to fill the gap if I ever get around to it.

 

I've yet to play with pfSense - though it would great place to start too. I just came across this on Reddit giving a good comparison between pfSense and Edge Router: https://www.reddit.com/r/HomeNetworking/comments/4tmpft/ubiquiti_edgerouter_x_vs_custom_pfsense_box_for/

 

I'm about to move into a larger house, so I may be right there with you on the network upgrades. My next AP will be Ubiquiti and my next router probably will be too.

[G+_David Wiggins]

I read the thread on pfS vs edge, and it seemed the one guy was saying pfS can't be a router. It is an excellent router with great traffic analysis.

 

That said, he made an excellent point. If you don't have surplus hardware and a second NIC, go ahead and get the edge.

 

Also, it depends if you like to tinker.

Edge had a lot of great features and has small form factor, a ton of Switch ports, and can set it and forget it.

 

pfS has more granular control and extra services. If size and power are a concern, PC repurpose isn't a good fit (although low power/profile options are available)

 

As always, it's mostly a matter of personal preference. The statement in that that motivated this post was the of idea that there only useful pfS use was modem-pfS-edgerouter-switch. A router behind pfS is overkill. I'll admit I was annoyed by that. Sorry for venting here.

[G+_Travis Hershberger]

David Wiggins Actually, the EdgeRouters can do everything pfSense does. It's just not all given to you in the gui interface. They're actually more powerful because they can use ASIC processors for a lot of features that a pfSense box can't.

[G+_Chad Lawson]

I’m sorry I didn’t get back to this post earlier. I did end up getting the Uniquiti Edge router and APs. I really like the system. Thank you all for your input.

[G+_Chad Lawson]

My next question for Travis Hershberger and anyone else who knows EdgeOS, can you point me to the best way to accomplish my zones. I have the two networks, and each can get out to the internet. I managed to get NAT working from (we’ll call them) Home and Guest networks but I can’t get data back.

 

Am I needing more NAT rules each way or Firewall rules to make it such that Home can talk to Guest but Guest can only reply to Home?

 

I feel like I’m close but I’m clearly missing something. What’s the right way to handle this?