We’re renovating a house and I’m looking to add some smart home devices in the home. This gives me a perfect excuse to renew my current home network setup. I currently have a simple setup: my ISP router + an unmanaged 16port switch with 2 Unifi AC Pro APs (feed using PoE injectors). I want to give the 2 Unifi APs to friends of mine so I’m looking at a total newal of my network.

I have a homeserver which runs 25+ containers, some for home use and some that I expose to the internet as well.

Since I’m adding smart home appliances (most z-wave but I will have to use some Wifi devices as well) to the network, I’d like to isolate these devices and give them minimal access to the internet and my own network. Since this will require me to setup VLANs I also want to setup multiple VLANs for various needs (see below).

As I’m not a network expect (I have basic knowledge) I like SDN setups. I was doubting between Unifi and Omada, after reading many posts I’ve got the feeling that Unifi isn’t the same company it was 5 years ago, the router solutions Unifi is selling don’t really seem to fit my needs (dream router/machine). The older Unifi routers feel like a better fit, however I’m worried that they will becom EoL and will no logner receive security updates. After learning that the Omada APs support PPSK without RADIUS - which allows me to use 1 SSID and have clients added to a VLAN depending on their passphrase - I decided to give Omada a chance.

I want to buy a smart doorbell (reolink), I don’t plan on recording 24/7 or having any security camera’s however I do worry that if I do get them I might hammer my router since the traffic streams will have to be routed between VLANs. However L3 switches are way pricier so I’d like to try with my current setup and upgrade if need be if/when the time comes.

I read that Omada routers are also not that great (I would primarily be using it to configure the routing between VLANs). And was doubting between opnsense or mikrotik, I got the impression that the Mikrotik (while harder to configure initially) is more a set and forget solution with enough capacity for my needs.

I want to buy the following hardware (fanless is a must):

  • MikroTik RB5009UG+S+IN
  • TP-Link JetStream TL-SG2016P (16 ports will be enough, I expect to require 3 PoE ports)
  • 2 * TP-Link EAP650 - I like their small form factor and PPSK

I want to configure the following vlans:

  • VLAN 10: 192.168.10.0/24 - management vlan
    • Contains: pihole, VPN server, network devices, omada controller
    • Access to: all vlans
  • VLAN 20: 192.168.20.0/24 - private services vlan
    • Contains: server containing 25+ containers and home assist server
    • Access to other vlans: 30
  • VLAN 30: 192.168.30.0/24 - shared services vlan
    • Contains: chromecasts, printers, other services I would like to expose to guests and home users
    • Access to other vlans: none
  • VLAN 40: 192.168.40.0/24 - smart home devices vlan (via wifi or wired)
    • Contains: smart home sensors/devices + home assist server
    • Will not have access to the internet
    • Would like to have client isolation if possible/feasible
    • Access to other vlans: none
  • VLAN 50: 192.168.50.0/24 - smart home devices vlan with internet access (via wifi or wired)
    • Contains: hopefully nothing, devices that require internet access to function
    • Would like to have client isolation if possible/feasible
    • Access to other vlans: none
  • VLAN 200: 192.168.200.0/24 - Home users (via wifi or wired, mac address whitelisted?)
    • Contains: home users
    • Access to other vlans: 20, 30, 210, 220
  • VLAN 210: 192.168.210.0/24 - VPN users
    • Contains: VPN users Access to other vlans: 30
  • VLAN 220: 192.168.220.0/24 - Guests users (wifi only or wired)
    • Contains: guests
    • Access to other vlans: 20, 30, 200, 210

I plan to assign 3 VLANs to my home assistant server so it can be reached by the smart home devices and it can be reached by home users, however there might be better solutions to solve this.

I’m also wondering if it would make sense to split my 25+ containers over multiple vnets (putting containers reachable from the internet in a seperate VNET).

Any feedback is greatly appreciated!

  • tvcvt
    link
    fedilink
    arrow-up
    5
    ·
    1 year ago

    This promises to be a fun project!

    It sounds to me like you have above-average demands on your network and I’d agree that UniFi (and therefore probably Omada) are not what I’d consider great as routers/firewalls.

    I’m a fan of pfSense/OPNSense for that purpose, which you can install on pretty much any x86_64 hardware. They’re both wonderful and you can fine tune to your heart’s content or get them set the way you like and leave them.

    If you really like a dedicated router appliance, I do like the Mikrotiks, too, but you’d have to study their sometimes-peculiar way of doing things.

    To my tastes, UniFi does great at switching and wireless, but any of you’re unhappy with that direction, I’ve heard good things about Omada and the Aruba stuff is fantastic. I recently have been playing with some used iap-325s from eBay. I picked them up for $25 and they’ve been terrific.

    • Transient Punk@sh.itjust.works
      link
      fedilink
      English
      arrow-up
      3
      ·
      edit-2
      1 year ago

      I agree. The Unifi firewall leaves a lot to be desired, but their switches and access points are great!

      I’m currently running pfSense on one of these, and I have that connected to Unifi PoE switch with two Unifi APs connected to it, as well as several PoE IP cameras. It runs great, and I have no complaints.

      If I were redoing it today, I would grab a more modern version of my firewall hardware, preferably with 2.5g nics, but pretty much everything else is great!

      • TableCoffee@lemmy.ca
        link
        fedilink
        arrow-up
        2
        ·
        1 year ago

        Very similar to my setup as well. I have a Qotom with 5x2.5Gb NICs. It’s got a lower end processor - Intel Celeron J4125 but I haven’t noticed any performance issues with my 1.5Gb connection.

        I’ve got my proxmox cluster and my workstation on one interface with a 2.5Gb unmanaged switch, and then on another interface a Unifi 8 Lite PoE switch with 2 Unifi AP’s where all the streaming devices, wife’s and kids devices live.

      • tvcvt
        link
        fedilink
        arrow-up
        1
        ·
        1 year ago

        Your setup is actually very similar to mine at home, except that I’m running pfSense on a used thin client with a quad-port NIC. I agree the UniFi switches and APs have never given me a problem.

    • Rora@feddit.nlOP
      link
      fedilink
      arrow-up
      2
      ·
      1 year ago

      I almost went with the opnsense route as well, the versatility of this device and the fact it can run on lots of hardware configs makes it hard to find a hw/feature combination that will serve my needs with low power usage and no fan. Also I hope that mikrotiks fw updates have a lower chance of breaking my setup as I’ve read some bad experiences with pfsense/opnsense updates in the past.

      None the less I do like the opnsense setup and might add an additional opnsense vm in the future to play around with!