Home networking setup

I’d like to share our home networking setup transformation from a basic and very limited ISP provided modem with integrated WiFi to what I consider a pro-sumer setup.

Old networking setup

Our ISP-provided router with integrated switch and WiFi has served us well over the past years and I’d still consider it a good setup for an average customer. It’s a single integrated box that does everything: routing, switching and providing a wireless network. However, it falls short in a few areas for people who demand more from their network:

  • No separation between network devices, so IoT devices can reach every other device on the network
  • No single gateway that blocks ads for all connected devices
  • No local management of firewall rules: the ISP-provided solution is only accessible online, so without an internet connection there is no network management
  • No insight into the network traffic
  • It just needs to work!

With my wife and me working from home and two teenagers having online classes, it became apparent that the simple setup just wasn’t sufficient anymore. Since we also planned to move to a larger home, it was the ideal opportunity to look for something that would offer more stability and reliability and meet the expectations of the house of the future.

Intermediate setup

Before moving, we already wanted to upgrade the networking setup. After doing a lot of research, I settled on Ubiquiti gear, based on online reviews, pricing, availability, etc. So we started out very simple:

While this setup served us very well for the six months it was in place, it was obvious from the start that we needed an even bigger setup to provide the best service in our new house.

Current networking setup

For our new house, the requirements were:

  1. Whole home WiFi 5GHz coverage
  2. Fast ethernet connections to both office spaces and the children’s bedrooms
  3. Robust, set-up-once-and-forget configuration
  4. Separation between main network and IoT devices, security devices, etc.

Taking the above requirements into account, I settled on the following network configuration.

The setup

Network cabinet with UniFi Dream Machine Pro, Switch Pro 24 PoE, Synology NAS DS212j, Raspberry Pi 4 running Home Assistant, Philips Hue bridge, Niko Home Control hub and ISP router

The setup is essentially quite simple, and everything is centrally managed. All ethernet sockets come together in this rack, terminated in one of the patch panels and connected to the 24-port switch. The switch provides PoE to the APs: one in the garage covering the ground floor, a nanoHD on the first floor and one in the attic.

Both offices have their own switch (Flex Mini and Lite 8 PoE). The Switch 8 60W is located at our media cabinet, providing network connections to the devices that make up our media center (TV, ISP IPTV box, AV receiver, etc.). Our doorbell, the Ubiquiti G4, connects over WiFi. The security cameras are also PoE and connected directly to the 24-port switch.

All these devices are managed through the network control software on the UniFi Dream Machine Pro. On average we have about 25 connected clients on the network: hubs, printers, smart watches, laptops, mobile phones, computers, some Raspberry Pi devices, etc.

Using VLANs to separate IoT and security devices

An important factor in our decision to go with Ubiquiti gear was their support for VLANs. VLANs, or virtual LANs, allow you to split your physical network into several logical networks, and firewall rules then decide which of those networks are allowed or denied to communicate with each other.

So I created several networks, each with its own purpose.

| Network | Trust | Capabilities |
| --- | --- | --- |
| LAN | Full | Connect to the internet and all other devices on the network, without restrictions |
| IOT | Minimal | Connect to the internet and respond to requests from the LAN network |
| SEC | Zero | Can only connect to other devices on the same network (other cameras, NVR, …) |
| Guest | Zero | Connect to the internet |

After creating these virtual networks, I created matching WiFi networks that belong to each of them. Then it’s just a matter of placing a device on a certain WiFi network, or assigning a switch port to a specific network. Doing so makes sure that everyone on the LAN network can access all devices, but that compromised (or snooping) IoT devices have no access to our NAS, for instance, or to the security network.

It takes a bit of effort to set up and get everything to play along, but once it’s up and running it requires zero maintenance.

Using VLANs for IPTV (Telenet digicorder)

Since our IPTV box is now behind a Ubiquiti switch instead of being directly connected to our ISP modem, we had an issue: the interactive features of the box only work when the IPTV device receives an IP address directly from the ISP modem. Thanks to the excellent article by Angelique Dawnbringer [1] I was able to get it working in no time.

The switch in our media cabinet has a trunk port on port 1 with a direct connection to the main 24-port switch in the rack cabinet. I created a VLAN-only network, connected a second LAN cable from our cable modem to the switch and assigned that VLAN to the port. As a last step I connected the IPTV box to one of the ports on the 8-port switch and assigned the same VLAN profile to that port.

The whole LAN network is 192.168.10.x, while the IPTV box correctly receives an IP address directly from the ISP modem in the 192.168.0.x range.

The other networks are 192.168.20.x for security devices and 192.168.30.x for IoT devices; in each network .1 is the gateway and .2-.100 is reserved for static IP addresses.
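The trust table above and the addressing plan, modelled as a stateful inter-VLAN firewall. This is an added example and not the author's UniFi configuration; it assumes Guest has no subnet (the page gives none), that same-VLAN traffic never crosses the router, and that the "IoT responds to LAN requests" rule is connection state rather than a separate allow rule.

```python
"""Model of the VLAN trust table and the page's subnets. Added example,
not the author's UniFi configuration: it decides per packet the way a
stateful inter-VLAN firewall does, so IoT devices can answer LAN
requests without being allowed to start connections towards LAN."""
import ipaddress

# Subnets as stated on the page (.1 gateway, .2-.100 reserved for statics).
# Guest has no subnet on the page, so it only exists as a VLAN name here.
NETWORKS = {
    "LAN": ipaddress.ip_network("192.168.10.0/24"),
    "SEC": ipaddress.ip_network("192.168.20.0/24"),
    "IOT": ipaddress.ip_network("192.168.30.0/24"),
}
INTERNET = "INTERNET"

# Destinations each VLAN may *initiate* connections to (the trust table).
# Same-VLAN traffic is switched, never routed, so it is always allowed.
INITIATE = {
    "LAN": {"SEC", "IOT", INTERNET},
    "IOT": {INTERNET},      # replies to LAN are handled by connection state
    "SEC": set(),           # cameras and NVR only talk among themselves
    "Guest": {INTERNET},
}

def classify(ip: str) -> str:
    """Map an address to its VLAN name, or INTERNET if in no local subnet."""
    addr = ipaddress.ip_address(ip)
    for name, net in NETWORKS.items():
        if addr in net:
            return name
    return INTERNET

def may_initiate(src_vlan: str, dst_vlan: str) -> bool:
    """Trust-table lookup for a brand-new connection."""
    return src_vlan == dst_vlan != INTERNET or dst_vlan in INITIATE.get(src_vlan, set())

class SegmentationFirewall:
    """Reply packets on a permitted flow pass; new flows are checked
    against the trust table and remembered when allowed."""
    def __init__(self):
        self.flows = set()   # (src_ip, dst_ip) pairs already permitted

    def check(self, src_ip: str, dst_ip: str) -> bool:
        if (dst_ip, src_ip) in self.flows:   # reply to an allowed request
            return True
        ok = may_initiate(classify(src_ip), classify(dst_ip))
        if ok:
            self.flows.add((src_ip, dst_ip))
        return ok
```

Run a LAN-to-IoT request through `check()` first and the IoT reply passes; run the IoT-to-LAN packet first and it is dropped, which is exactly the asymmetry the table describes.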

Pi-Hole for safer browsing

Another great resource while building my network setup was Ben Balter [2]. He runs Pi-hole on a Raspberry Pi. It lets you filter out ads and trackers on the network itself instead of having to configure each device individually. The Pi-hole machine works as a DNS server: queries for blacklisted domains are sent to a sinkhole, and all other requests are passed on to the configured upstream DNS.

I use Quad9 (filtered, DNSSEC) as the upstream DNS server.
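What the sinkhole decision looks like on the wire, as an added example rather than Pi-hole's own code: a blocked name (or any subdomain of it) gets a locally built A answer of 0.0.0.0, anything else is handed to the upstream resolver. The blocklist entries and the query are constructed for the demo, and only A queries are handled.

```python
"""Minimal model of a DNS sinkhole in front of an upstream resolver.
Added example, not Pi-hole's implementation: blocklist entries and the
sample query are constructed; only A (type 1) queries are modelled."""
import struct

UPSTREAM = "9.9.9.9"                              # Quad9, as on the page
BLOCKLIST = {"ads.example", "tracker.example"}    # constructed sample entries

def is_blocked(name: str) -> bool:
    """Match the name itself or any parent domain, case-insensitively."""
    labels = name.rstrip(".").lower().split(".")
    return any(".".join(labels[i:]) in BLOCKLIST for i in range(len(labels)))

def parse_question(pkt: bytes):
    """Return (txid, qname, qtype) from a raw query; question names are uncompressed."""
    txid = struct.unpack("!H", pkt[:2])[0]
    pos, labels = 12, []
    while pkt[pos]:
        n = pkt[pos]
        labels.append(pkt[pos + 1:pos + 1 + n].decode())
        pos += n + 1
    qtype = struct.unpack("!H", pkt[pos + 1:pos + 3])[0]
    return txid, ".".join(labels), qtype

def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Build a standard recursive query (RD set) for testing, as a stub resolver would."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)

def sinkhole_response(query: bytes) -> bytes:
    """Answer A 0.0.0.0 for the queried name, echoing the question section."""
    txid, _, _ = parse_question(query)
    question = query[12:]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR, RD, RA; 1 answer
    # name pointer to offset 12, type A, class IN, TTL 2, rdlength 4, 0.0.0.0
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 2, 4) + b"\x00\x00\x00\x00"
    return header + question + answer

def handle(query: bytes):
    """Per-query decision: ('blocked', response bytes) or ('forward', upstream ip)."""
    _, name, _ = parse_question(query)
    if is_blocked(name):
        return "blocked", sinkhole_response(query)
    return "forward", UPSTREAM
```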

Future upgrade plans

We’ve both been working from home for the past year, and our teenagers had online classes for most of that year as well. This setup has been working like a charm: no dropped connections, even while consuming vast amounts of data. With four adults in the house, a typical day involves a lot of video meetings (Microsoft Teams), streaming music (Spotify), streaming video (YouTube, Netflix, TikTok) and gaming. Our monthly average internet data usage is well above 1 TB. But our network infrastructure is now built with professional-grade equipment that doesn’t even flinch under load.

So there are no immediate upgrades I’d like to carry out, besides:

  1. Upgrade our old NAS (2012) to a RackStation Synology solution that fits the 19” network cabinet
  2. Add an additional AP to get full garden network coverage

But these are nice-to-have upgrades rather than a true necessity.

References