Help me build the most secure home network, one that will last a decade.

Excellent thread and kudos to you guys adding value and insight to this! This is why TE is great.

On a lighter note - I sheepishly admit I have work to do on network security! Can I outsource it to any of you guys? :p
Please open a new thread and share the details.
 
My home network is a little dated and it's time to update it.
Security is the primary focus; I'm looking for absolute control over the devices in the network, and should be able to define which client can access the internet and which cannot.
Planning to build something that could last a decade.

My current setup looks something like this:
(attachment 106016: diagram of the current setup)
With time, new clients have been added to the network, and a few are outside my home network, unable to access the server and open for the ISP to snoop into.
It's time to update the network :) Here is what I came up with.

(attachment 106019: diagram of the proposed setup)
Powerline is already gone, replaced by Cat6 to Zone-C (all future devices in the home will go in that zone).
Please suggest changes if anyone finds a mistake or a way to optimise it even more.
Not sure at which point I need to plug in the Pi-hole (coming soon).

Now looking for the main router and network gear which would help me isolate my home network from the outer world.

Firewall/router (R) - I'm thinking of getting this Ubiquiti USG (https://www.multilinkonline.com/Ubi...i-Security-Gateway-3xRJ45-Gigabit_p_1306.html)
I've seen in one review that the USG gateway doesn't provide as much flexibility to configure and that it overheats during heavy data transfers.
In that case, what other options do I have? (I would like to avoid configuration via CLI; I don't have that level of passion left at this point in life.)

Other options (will continue to list them, for my notes as well):
--> Linksys LRT224

Switch (S) - thinking about this https://www.multilinkonline.com/NET...witch-Desktop-101001000Mbps-GS205_p_1440.html . I was also searching for a 10 GbE switch for future-proofing but was unable to find any. Is it going to be overkill?

Wireless network:
Will connect a Mi router lying somewhere around the house directly to the ISP router and make it open for guests and neighbours in Wi-Fi N mode, isolating it totally from my home network. Will only keep it on when required.
Later (next year) I will replace the Wi-Fi router (AP) with a switch and attach a dedicated Wi-Fi AP (something like the UniFi nanoHD - https://store-ui.in/collections/unifi-network-wireless/products/unifi-nanohd-us), separating wired and wireless networks. I will schedule it somehow to keep Wi-Fi active only 10-12 hrs a day.
The Wi-Fi point has to be in Zone-B for optimal coverage. Going to have only 1 wireless device: N mode for all mobiles/tablets, and an isolated AC mode only for the wireless workstation which needs a high-speed connection to the home server. Or probably something is available which has dual non-interfering AC broadcasts; all the devices in the home can run on an AC network.

Points to note:
1. Discouraging consumer-grade equipment and mostly looking for Uni/Cisco/Netgear (open to other stuff which I'm not aware of but is budget friendly).
2. Don't want to spend a huge enthusiast-level budget.
3. Will prefer devices with a small form factor, which can disappear into the environment/hide in the cupboards.
4. Power consumption and heat produced - both should be minimal, given they will be on 24x7x365.

List of important videos/links for future use (self-note):
1.
If you're choosing a mesh Wi-Fi system, I would suggest the Asus ZenWiFi AX XT8. It is very expensive, but I have 2 of the XT8 big nodes and 2 of the mini nodes. I have the 4 nodes placed across the house; one of the mini nodes is in my room and I connect my gaming setup to it using Ethernet, and I get 395 Mbps and very low ping even through 3 walls. It has Wi-Fi 6 and the range on these is really good. If you're willing to spend a lot, it will definitely last a very long time.
 
I would suggest going for a multi-gigabit switch from a future perspective... I am myself looking for one...
For a router you can look for used Cisco ones also.
 
@rsaeon
EdgeRouter doesn't seem to be available anytime soon, so thinking of going with MikroTik within a day or two.

Do you see any major benefit of getting the RB4011 over the hEX S in a home environment?
I believe MikroTik routers don't allow installing any additional software on them; is there any benefit to the 1400 MHz processor, 1 GB RAM & 512 MB storage?
Comparison - https://mikrotik.com/products/compare/RB760iGS+RB4011iGSplusRM

Do you recommend biting the bullet and getting the hEX S, and getting a 5-port gigabit switch to fulfil the port requirement?
 

I've recently started to see a lot of networking gear on OLX, including Unifi and Edgerouter stuff, you could try there.

The RB4011 can consistently route at ~10 Gbps speeds when configured with 25 QoS-type rules, while the hEX S drops that down to ~2 Gbps. The hEX S ends up being a better value for a home setup, especially with the USB port to take advantage of 3G/LTE backup. I have both of these routers and I feel like I'm barely scratching the surface with either of them.

If you're hesitant about the learning curve, you could try out RouterOS in a VM to get a feel for it, and to see how the Winbox administration software interfaces with it.
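To make the RouterOS suggestion concrete, here is an added example (not from this thread, from MikroTik's documentation, or from any poster) of the firewall that gives the OP what the first post asks for: a per-client decision on who gets internet, and a guest Wi-Fi that cannot see the home LAN. It is written for RouterOS 7 on a hEX S or RB4011. The interface names (ether1 as WAN, bridge-lan for the wired zones, vlan20-guest for the guest AP), the subnets and the client addresses are all assumptions for the example; the `/ip firewall` syntax is RouterOS's own and can be pasted into the terminal or built rule by rule under IP > Firewall in Winbox.

```routeros
# Added example, not from the thread. Assumed topology:
#   ether1        = WAN (ISP router / PPPoE)
#   bridge-lan    = wired zones A/B/C, 192.168.10.0/24
#   vlan20-guest  = guest Wi-Fi VLAN, 192.168.20.0/24
# Client addresses below are constructed; use static DHCP leases for them.

/interface list
add name=WAN
add name=LAN
/interface list member
add interface=ether1 list=WAN
add interface=bridge-lan list=LAN
add interface=vlan20-guest list=LAN

# Only addresses on this list may reach the internet. Everyone else on the
# wired LAN can still talk to the home server but is dropped at the WAN edge.
/ip firewall address-list
add list=internet-allowed address=192.168.10.20 comment="wireless workstation"
add list=internet-allowed address=192.168.10.30 comment="laptop"
add list=internet-allowed address=192.168.20.0/24 comment="guest VLAN: internet only"

/ip firewall filter
# Stateful baseline: fasttrack existing flows (this is what keeps the hEX S
# near line rate), accept the rest of established/related, drop invalid.
add chain=forward action=fasttrack-connection connection-state=established,related \
    comment="fasttrack established/related"
add chain=forward action=accept connection-state=established,related
add chain=forward action=drop connection-state=invalid

# Guest Wi-Fi is isolated from the home zones, in both directions.
add chain=forward action=drop in-interface=vlan20-guest dst-address=192.168.10.0/24 \
    comment="guest -> home LAN"
add chain=forward action=drop in-interface=bridge-lan dst-address=192.168.20.0/24 \
    comment="home LAN -> guest"

# Internet egress only for allow-listed clients; log the rest so new devices
# that silently fail show up in the log with their source address.
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN \
    src-address-list=internet-allowed
add chain=forward action=drop in-interface-list=LAN out-interface-list=WAN \
    log=yes log-prefix="no-inet" comment="default deny to internet"

# Router itself: management (Winbox/SSH) only from the wired LAN; guests get DNS only.
add chain=input action=accept connection-state=established,related
add chain=input action=drop connection-state=invalid
add chain=input action=accept in-interface=bridge-lan comment="admin from wired LAN"
add chain=input action=accept in-interface=vlan20-guest protocol=udp dst-port=53 \
    comment="guest DNS via router"
add chain=input action=accept protocol=icmp
add chain=input action=drop comment="everything else to the router, incl. WAN"

# NAT for the clients that are allowed out.
/ip firewall nat
add chain=srcnat out-interface-list=WAN action=masquerade
```

Two caveats a practitioner will want. Traffic between two clients on the same bridge never enters the forward chain (it is switched at layer 2), so "isolated" only holds across interfaces or VLANs, which is why the guest AP is on its own VLAN rather than a port of bridge-lan. And once the Pi-hole arrives, the guest DNS rule should go away and DHCP should hand out the Pi-hole's address instead, so the Pi-hole rather than the router becomes the single choke point for name resolution.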
 
What location is that for UniFi stuff? Hardly anything in the Delhi location on OLX.
 
I'm terrible with OLX and Quikr as well :( never ever able to find anything. If you see anything, please do let me know.

-----------

Bad news is, my decade-old Dell laptop went kaput 2 days back; everything seems to be working except there's no display. Doesn't look user-repairable.
It was the last Windows machine in the house, and I need to resurrect it if possible or get a cheap setup to run Win7.

Seems like this networking thing will be delayed for some time.
 
Super stable - like 1 yr uptime with zero issues. The X used to hang once every month or so.

For the new house I shall be moving into, though, I am moving to a full UniFi setup - UDM Pro, 2x UniFi switches, 6 UniFi APs, cameras etc.!
Hey, did you move to this setup? I have heard the UDM Pro is very unstable and has a lot of problems.
 
@Ramadhir Singh, which model of EdgeRouter are you looking for? I recently heard that the EdgeRouter X (and SFP) are EOL. https://networkthreats.org/post/edgerouter-x-eol/

BTW, I have an EdgeRouter Lite, an EdgeRouter X-SFP and 3x EdgeRouter Xs at home. All going strong even after 5 years! I only had to replace the Lite's flash twice.

I feel EdgeOS development has stagnated in the last couple of years. As @rsaeon said in a post, EdgeOS does come with its own limitations. Getting newer things to work, e.g. dnscrypt-proxy or WireGuard, is a bit of a task. I faced numerous crashes of the DNS service when dnscrypt-proxy support came out for the EdgeRouters. Again, that support was made available by users like you and me and not by Ubiquiti themselves. If it matters, I am moving away from EdgeRouter to OPNsense (or another open-source firewall).
 
Thanks @bobbyprajan! Do you know if OpenWrt supports hardware acceleration offloading? I use PPPoE (ACT Fibernet) at home on a 400 Mbps symmetrical line.
The ER-Lite has Cavium proprietary offload and it is not supported under OpenWrt. You can use software flow offloading, though. As per the benchmarks available, it should be able to do 400 Mbps symmetric without issues if you are not doing QoS.

The ER-X is based on the MT7621 and hardware offloading should be supported. Without QoS you should be able to do 500/500 with that.
 