Networks New Gig internet, making use of existing kit

Discussion in 'Hardware' started by wyx087, 21 Apr 2022.

  1. wyx087

    How to best make use of my existing kit, with minimum purchase/re-wiring, to achieve best results and fully utilise the new 1Gbps internet?

    My network:
    [image: upload_2022-4-21_16-23-24.png (network diagram)]

    The blue box is the study where most computing power resides. The new fibre is in the green box and comes in next to my switch. Thin connections are not directional; they signify wired connections.


    My thinking is that I can use the Linksys as the main router and the newer Asus AX router as an AP.

    One thing I'd like to do is to segregate IoT devices into their own network that cannot access my NAS/desktop. Reading online, it seems that having a secondary router layer for IoT devices will still allow them to access primary network devices. But putting the NAS/desktop behind a secondary-layer router would create a double-NAT situation for my main devices. Any pointers?

    I'm open to buying a higher-grade gateway (VLAN for IoT separation, more configurable), putting it near the 8-port switch, and using the existing consumer-grade routers as APs. Any recommendations?
     
  2. Xlog

    Is your switch managed? Do the IoT devices use WiFi or something else? If the IoT devices use WiFi, do they only need to access the internet, or do they talk to each other or some other server/device on your network? Can they connect to one specific AP, or do you need multiple APs for coverage? How willing are you to install third-party firmware such as asuswrt and use the CLI? Do you have some old laptop or NUC that can be used for pfSense/OPNsense?
     
  3. wyx087

    Very important questions, thanks for pointing those out.

    The switch is "smart", not fully managed. But it does support what looks like very basic port-based VLAN configuration.
    All IoT devices use WiFi.
    They need to be able to talk to Home Assistant (which runs in a VM on the Proxmox box) and the internet. I know this complicates the VLAN setup (port-based VLAN is not useful here).
    I think the IoT devices can connect to one AP. They can all be on a single 2.4 GHz WiFi.

    I was an avid user of Asuswrt-Merlin (and DD-WRT in the .11g era). I can find my way around a CLI, so no problem on that front. Though the routing configuration in some Asuswrt forum posts looks like wizardry.
    The Proxmox box should be able to run pfSense/OPNsense. It is an i7 7700T, 4c/8t, with 16 GB RAM. Though it only has a single 1 GbE port and is in mini-STX form factor, so I can only use the 2 remaining USB 3 ports for expansion.

    [image: upload_2022-4-21_20-3-39.png]


    Edit: Just had a look at installing pfSense or OPNsense as a VM. It's rather difficult getting the network interface passed through into the VM, and then configuring the virtual interfaces correctly for the other VMs.
    I also have a concern about this approach on the Proxmox machine: if it goes offline, not only do I lose home automation, the whole house would be back in the Bronze Age. I think I prefer something more robust by the fact that it is a COTS product.
     
    Last edited: 21 Apr 2022
  4. kenco_uk

    It sounds like it might be something like two separate VLANs and a separate hidden IoT SSID to segregate the two networks, then poking holes through via port numbers (UDP/TCP) so it's only one-way communication. As for configuring it, that's part of the adventure :grin:
     
  5. Xlog

    Honestly, I haven't really worked with Asus stuff, so I can only guess how hard/easy it is to do anything on them.
    Running pfSense as a VM is not that hard, though you'd need to play around with VLANs. But yeah, a router is best run on a dedicated machine, and your single NIC would limit your internet throughput. Do the Asus or Linksys routers allow setting guest networks on LAN ports? If yes, you could set up guest WiFi and one guest LAN port, set a separate VLAN on one of the switch's ports as untagged and connect it to the router's guest port, then pass that VLAN to the Proxmox/HA VM as tagged. Basically the HA VM would have access to both the guest and regular LAN; put all the IoT stuff on the guest LAN. You would lose one of the switch ports, but wouldn't need to delve into creating VLANs/subnets on the router through the CLI.
    All my administered stuff is either pfSense, routers running OpenWrt or Ubiquiti APs, so I can't really recommend anything COTS (apart from pfSense appliances, if you can get one). MikroTik maybe?
     
  6. wyx087

    No, neither consumer router allows assigning the guest network to LAN ports. The Linksys one is just a basic "so you don't have to share your password and can disable this WiFi SSID" option. Asus also provides an option to segregate traffic from the main network, but this is for guest WiFi only, and the Proxmox box doesn't have WiFi.

    I could re-purpose the old Asus AC router for a VLAN with the IoT devices? For that approach, one thing I'm not sure about is how to set up the Proxmox box's single GbE port for Home Assistant to access both VLANs. Is this the tagged approach you speak of?

    I've had a bit more of a play with the Linksys router provided. The spec says it's tri-band, but there is absolutely nowhere to configure the other 5 GHz band. The guest network configuration also doesn't have the features the Asus router has out of the box.


    I think the current plan is to see if the AX86S dual core can provide 1 Gbps NAT for my devices, with no change to the network topology. Then run a wire from the switch back to the HA Proxmox box for the VLAN as suggested, and use the Linksys as the AP for IoT devices.
    Plan B is to use the Linksys as the main router, because I prefer using Asuswrt.
     
  7. wyx087

    So I've connected up my Asus AX86S as the main router, as per plan A. It needed a bunch of features I don't really use disabling, as per this thread:
    https://www.snbforums.com/threads/performance-issue-with-1-gigabit-an-router-rt-ac68u.41562/

    I am able to get max 1 Gbps speeds over ethernet and 300-500 Mbps speeds throughout the house. At max speed, the router CPU goes to ~70% of a single core, so there's still a small amount of headroom.

    Next up: wiring up the VLAN and using the provided router for IoT devices.


    One interesting thing I observed is that the provided Linksys router gave me an IPv6 address by default, whereas I need to set it up on the Asus. Which option do I choose? Any good, easy-to-pick-up learning sources for IPv6 home use?

    [image: upload_2022-4-25_13-3-55.png]
     
  8. wyx087

    Please can I get some help with VLAN configuration on the switch?

    I'm confused as to how to configure it so that IoT devices can access both the internet and the internal VLAN:
    [image: upload_2022-4-28_21-9-35.png (switch VLAN configuration)]
    Ports:
    1 = IoT router (the provided Linksys)
    2 = (To be connected to Home Assistant later)
    3 = Asus Ai Mesh node
    ...
    7 = My desktop, currently set to configure the router
    8 = Up-link to main router

    If I don't include port 8 in the VLAN configuration, then VLAN 02 cannot access the internet.
    But if I do include port 8 in the VLAN configuration, I can still access devices connected directly to the router, which is where Home Assistant is currently connected.

    Am I missing anything?
    Does this mean anything uplink of port 8 (the main router and its WiFi clients) will always be visible to everyone, because the router is not VLAN enabled/aware? But the mesh node and its WiFi clients connected to port 3 will be safe and separated from the IoT devices on the other VLAN.
     
  9. wyx087

    Thanks for the VLAN suggestion. I've now got this all set up:

    Blue boxes are accessible to all devices, meaning they can access everything. The router and its connected wireless devices are also here.
    The green box is the AP for IoT devices. Two dozen of them have all been re-connected to this one.
    Purple devices are wired to the switch, where they have their own VLAN. Valuable devices are here (mainly the NAS), hidden from the IoT devices.
    [image: upload_2022-5-3_10-44-41.png (updated network diagram)]

    So now, if I connect to the green IoT AP and do a LAN scan, I no longer see my NAS and computer, only all the wireless devices. Similarly, if I do a scan from my desktop, I no longer see any IoT devices.

    Home Assistant can see everything. This is what I wanted so that it acts as bridge and UI for general usage.


    To answer my own question: port 8 has to be enabled across both VLANs so that all devices can access the internet. But that exposes all devices connected to the router to both VLANs. This is a limitation of simplistic port-based VLAN configuration. You really need to use 802.1Q configuration and a VLAN-capable routing device (e.g. pfSense) to properly isolate devices.
     
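The limitation worked out in the last two posts (an uplink port that is a member of both port-based VLANs exposes everything behind it, while dropping it from the IoT VLAN cuts that VLAN off from the internet) can be checked with a small reachability model. This is an added example, not code from the thread or from any vendor: port numbers and roles follow the posts, while the VLAN IDs (1 = trusted, 2 = IoT), the host names and the single 8123/tcp allow rule for the 802.1Q variant are assumptions for illustration.

```python
"""Added example (not from the thread): which switch ports can exchange
frames under a port-based VLAN setup, versus an 802.1Q design where the
uplink is a tagged trunk and a VLAN-aware router enforces policy.
VLAN IDs, host names and the allow rule below are assumed, not from the page."""

# Constructed port-based ("asymmetric") VLAN membership, as set on the smart
# switch. A port in both VLANs is reachable from both, and so is everything
# hanging off it (the main router and its Wi-Fi clients on port 8).
PORT_BASED = {
    1: {2},      # provided Linksys, now the IoT AP
    2: {1, 2},   # Home Assistant host: must see IoT and trusted devices
    3: {1},      # Asus AiMesh node and its wireless clients
    7: {1},      # desktop (the NAS sits on this side too)
    8: {1, 2},   # uplink to main router: in both VLANs, or VLAN 2 has no internet
}
UPLINK = 8


def port_based_can_talk(a, b, membership=PORT_BASED):
    """Two ports exchange frames iff they share at least one VLAN."""
    return bool(membership[a] & membership[b])


def reachable_from(port, membership=PORT_BASED):
    """Every other port that frames from `port` get forwarded to."""
    return {p for p in membership if p != port and port_based_can_talk(port, p, membership)}


def port_based_audit(membership, untrusted, protected, uplink=UPLINK):
    """Return (leaks, has_uplink) for the untrusted port.

    `leaks` is the set of protected ports the untrusted port can reach. The
    uplink is reported separately: whenever it is in the untrusted VLAN,
    the router and its own Wi-Fi clients are exposed, which is the thread's
    finding, and dropping it from that VLAN removes the IoT internet path.
    """
    reach = reachable_from(untrusted, membership)
    return reach & set(protected), uplink in reach


# 802.1Q model (assumed design): access ports carry one untagged VLAN, the
# uplink and the Home Assistant host are tagged trunks, and crossing VLANs
# is only possible through explicit allow rules on the router/firewall.
ACCESS_VLAN = {1: 2, 3: 1, 7: 1}
TRUNK_PORTS = {2, 8}
# (src_vlan, dst_vlan, dst_host, proto, dst_port): allowed; everything else dropped
ALLOW = {
    (2, 1, "homeassistant", "tcp", 8123),   # IoT may reach the HA UI/API only
}


def dot1q_allowed(src_vlan, dst_vlan, dst_host, proto, dst_port, allow=ALLOW):
    """Same VLAN: switched directly. Different VLAN: only via a matching rule."""
    if src_vlan == dst_vlan:
        return True
    return (src_vlan, dst_vlan, dst_host, proto, dst_port) in allow


def dot1q_port_allowed(src_port, dst_vlan, dst_host, proto, dst_port):
    """Look up the access VLAN of an untagged port and apply the policy."""
    if src_port in TRUNK_PORTS:
        raise ValueError("trunk ports carry tagged frames; evaluate per VLAN instead")
    return dot1q_allowed(ACCESS_VLAN[src_port], dst_vlan, dst_host, proto, dst_port)


if __name__ == "__main__":
    print("port-based, uplink in both VLANs:", port_based_audit(PORT_BASED, 1, {3, 7}))
    strict = {**PORT_BASED, UPLINK: {1}}   # isolate fully, but IoT loses internet
    print("port-based, uplink trusted only:", port_based_audit(strict, 1, {3, 7}))
    print("802.1Q IoT -> HA:8123 ", dot1q_port_allowed(1, 1, "homeassistant", "tcp", 8123))
    print("802.1Q IoT -> NAS:445 ", dot1q_port_allowed(1, 1, "nas", "tcp", 445))
```

In the port-based model the only knob is membership, so the IoT port can be kept off the NAS and desktop ports but never off the uplink without losing the internet; in the 802.1Q model the uplink carries both VLANs as tags and the router's rule set decides what crosses, so the NAS stays unreachable from IoT while Home Assistant remains reachable on the one port it needs.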