What's needed for a decent home network?

Archer

I will be moving into a new home later this year, so it seems like a good time to think about a long-term home network solution. My biggest question is what level of security is really needed for the average Joe consumer? I at least want to separate guests from my network on WiFi (that's easy), but do I really need to go further and add a dedicated firewall or make virtual networks, etc.? And are any consumer-grade routers capable of this already? My current ISP provides a Zyxel T50 which I hate because of a nonsensical interface and dismal WiFi performance; I swear the darn thing can only connect one WiFi device at a time. Anyway, what other things should an average Joe be doing? And note I don't want to be tinkering with this thing. I'll happily spend a week or two setting it up, but after that I want to forget about it.

No real preference on hardware, but cost is always a factor. I guess 300-400 Euro is a starting point. I will need at least 2 hardwired APs since the home has three levels, with the floors being reinforced concrete.

We're a family of 4 with about 10 devices I want to keep wired, split across all floors (think it's 3-5-2 from floor to attic), and then about 20-30 wireless devices, and it's only really cellphones and tablets that would have high bandwidth requirements; the rest is smart home / IoT stuff. I don't expect to add cameras or WiFi-based smart lights (too far into the Hue ecosystem already).
 
You're on the right track going with hardwired APs - you COULD keep the T50 for routing, turn off the WiFi and supplement it with the APs - I have recently implemented Unifi APs here at home and they are pretty easy and just work. In terms of firewalls / VLANs - that's really up to you. I currently do not have separate VLANs, but my Mikrotik has a number of firewall rules to limit what traffic goes in, etc.
 
I think Unifi products would be a safe bet, and should be within your budget of 400 Euro.
Just get a UDM + 2 AC/WiFi6 APs and you should be covered. The UDM replaces your current Zyxel T50 as a router and WiFi AP for one floor, and the two APs are placed on each of the two other floors.

Unifi Controller interface should be easy enough to configure for your needs:
  • Guest WiFi with bandwidth control
  • Separate VLAN for network segregation
    • Allow IOT device traffic to Internet but blocked/partially allowed to internal network
    • Block Internet for any devices that you do not want to allow Internet traffic and restrain them to local network only, e.g. IP camera
  • Basic firewall setting to block unwanted traffic from outside
I believe most of the members on the forum who use UBNT equipment can agree that we don't have to tinker a lot once it's been set up (properly); sometimes I almost forget about them because they've been so stable and working properly over the years.
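
The segregation policy listed in the post above, written out as an nftables ruleset for a generic Linux router. This is an added example, not part of the post and not Unifi configuration; the interface names, VLAN numbers, the 192.0.2.10 address and port 8080 are assumptions made for illustration.

```nftables
#!/usr/sbin/nft -f
# Constructed example. Assumed interfaces:
#   wan     uplink to the ISP
#   lan     trusted clients
#   lan.20  IoT VLAN        (Internet, plus one allowed internal service)
#   lan.30  guest WiFi VLAN (Internet only)
#   lan.40  local-only VLAN (e.g. IP camera, no Internet)
flush ruleset

table inet home {
    chain input {
        type filter hook input priority filter; policy drop;
        ct state established,related accept
        ct state invalid drop
        iifname "lo" accept
        meta l4proto ipv6-icmp accept
        icmp type echo-request limit rate 5/second accept
        # Router management only from the trusted LAN
        iifname "lan" tcp dport { 22, 443 } accept
        # Every internal network gets DNS and DHCP from the router
        iifname { "lan", "lan.20", "lan.30", "lan.40" } udp dport { 53, 67 } accept
        iifname { "lan", "lan.20", "lan.30", "lan.40" } tcp dport 53 accept
        # Nothing is accepted from wan: unsolicited inbound traffic is dropped
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        ct state invalid drop
        # Trusted LAN may reach the Internet and every internal VLAN
        iifname "lan" accept
        # IoT and guests: Internet only
        iifname { "lan.20", "lan.30" } oifname "wan" accept
        # "Partially allowed": IoT may reach one internal service (placeholder host/port)
        iifname "lan.20" oifname "lan" ip daddr 192.0.2.10 tcp dport 8080 accept
        # lan.40 has no accept rule, so it cannot initiate connections anywhere;
        # the trusted LAN can still reach it and replies return via conntrack
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname "wan" masquerade
    }
}
```

The default-drop forward chain is what provides the isolation: guest-to-LAN and IoT-to-LAN traffic is blocked because no rule permits it, not because a rule denies it.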
 
do I really need to go further and add a dedicated firewall or make virtual networks, etc. And are any consumer grade routers capable of this already?

Security is a bit like car/computer tuning...first little bit of gains is easy...and every additional gain becomes harder and the payoff becomes less obvious. Diminishing returns. So picking a middle and calling it good is perfectly valid in that regard.

I think Unifi products would be a safe bet

That is indeed the most common middle ground. Worth keeping in mind though: They just tried to cover up all customers being globally exposed for 2 months, are forcing cloud integration (the cloud that just got compromised) and also started placing ads into their management console. I can see the appeal on products...but that company appears to have bought a one way ticket to the dark side.

No easy way of getting the same integrated type system without some tinkering though as best as I can tell.

If up for a bit of tinkering, custom hardware with OpenWrt (or pfSense on x86) plus a WiFi 6 mesh would work. More control & much better specs...but fiddly.
 
UDM is 300 bucks all on its own :/ Maybe my question should rather be: is there some monumental security upgrade by having a (good) router? For example, what's the real difference between a consumer-grade router's firewall vs that of the UDM?
 
This is partially why I have been considering going with TP-Link's Omada system, since connecting to the cloud is completely optional. But my understanding is that one can also create a complete Ubiquiti system without any cloud connection, although for how long that will still hold is a valid question imo.
Nice thing about the Omada range is the EAP235 in-wall AP with 3 available network ports, which makes the switching part on each floor a bit more convenient. And it's about half the price of the equivalent AP from Ubiquiti.
 
one can also create a complete Ubiquiti system without any cloud connection although for how long that will still hold is a valid question imo
Perhaps someone with more practical Ubiquiti experience can chip in but I doubt it frankly given (article linked above):
the company began pushing everyone to use a unified authentication and access solution that makes it difficult to administer these devices without first authenticating to Ubiquiti’s cloud infrastructure.

All of a sudden, local-only networks were being connected to Ubiquiti’s cloud
 
One thing to remember with concrete is that it stops WiFi dead, especially 5GHz.
I am biased towards Unifi, so I have 4 wired APs in my house and am using a Cloud Key to run them.
They can mesh together if a LAN connection fails, but then the overall throughput is reduced.
So far working very well for me.
If you're concerned about safety, use a Mikrotik RB750 router or similar.
 
The only reason to keep that Zyxel is if you have a bit of rage you can just smash it to pieces but only once.

My Unifi experience is great, it's just an AP, no controller or cloud key nonsense.

Fibre->Draytek 2135->Unifi NanoHD

Done.
 
UDM is 300 bucks all on its own :/ Maybe my question should rather be: is there some monumental security upgrade by having a (good) router? For example, what's the real difference between a consumer-grade router's firewall vs that of the UDM?
Stability! I have found that consumer grade routers are not as reliable from a wireless connection point of view. I have been running a Ubiquiti USG3P for two years and had it not been for the constant power interruptions it would be running without a reboot (apart from the necessary security updates). Security is also much more configurable on a prosumer router.
 
The only reason to keep that Zyxel is if you have a bit of rage you can just smash it to pieces but only once.

My Unifi experience is great, it's just an AP, no controller or cloud key nonsense.

Fibre->Draytek 2135->Unifi NanoHD

Done.
The only router worse than that is the D-Link DIR-825.
 
Perhaps someone with more practical Ubiquiti experience can chip in but I doubt it frankly given (article linked above):
You don't need a cloud account to manage Unifi/UNMS. I doubt that would change in the future though; it makes no sense for cloud-only management.
 