My new house is 3 floors, 2300 square feet. I’m looking at a USG, a 4 port PoE switch and 2 AP Pros? I’m kinda broke, or I’d buy a Dream Machine and nano HDs lol. (If anyone is selling any of this used lmk)
I’m having trouble understanding a VLAN for IoT. My Raspberry Pi with Home Assistant and my Pi with Homebridge and my Hubitat need to be on my real network? What about my Apple TV for HomeKit and such?
I was thinking instead of making an IoT VLAN, only make one for those cheap Chinese smart plugs and such? If I do that, how can I make it so Hubitat and HomeKit and Homebridge on my main network can reach them?
The IoT VLAN concept is you create a new Layer 2 VLAN/network on your switch and map that to your upstream firewall/router. Then you have devices like the HE hub on your primary LAN that talk to the devices on the IoT LAN. The idea is that the firewall forwarding policy between the two VLANs is selective, only allowing the traffic that is essential and not leaving it wide open; if you do that, the devices might as well live on the same network.
Honestly, I would not break your back trying to put in an IoT VLAN. It's more for someone with really good networking fundamentals, and I question how much value it gives to the average home user.
The key question to ask is: does the router support Multicast DNS relay? This is so the devices that need to talk between subnets can still connect if they use mDNS discovery. I found that I had to have my NAS on the same VLAN as my Rokus along with my Tablo TV tuner for various discovery processes to work between them.
I am running Unifi switching and APs, but my router is from a different vendor because the Unifi security router/gateway doesn't support some advanced features I needed. You will need to brush up on L2/L3 networking if you really want to do this, since it takes time and knowledge to debug connectivity issues.
I did this primarily to isolate my IP cameras initially, but then moved to my IoT devices to reduce their ability to compromise my network. I found the Logitech base was scanning all my devices and making calls back to the mothership, and I didn't like that at all. It was the first to be placed in the IoT VLAN with firewall rules with strict access.
I just switched to an EdgeRouter X and a couple Unifi switches to replace TP-Link Deco M5s. Setting up the correct rules to open up the firewall so some devices can talk to one another across subnets or VLANs was daunting, but The Hook Up videos are good. I also recommend videos from these 3 guys:
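To make the "selective forwarding policy" idea and the mDNS caveat from the posts above concrete, here is a small added example: a toy inter-VLAN policy evaluator in Python. It is my own illustration, not a UniFi or EdgeRouter configuration and not code from any poster. The subnets (192.168.10.0/24 as the main LAN, 192.168.20.0/24 as IoT), the host addresses, and the short list of "essential" IoT-to-main ports are constructed assumptions; the point it shows is that a hub on the main LAN can open connections into IoT and get replies back, while unsolicited connections from IoT into the main LAN are dropped, that a wide-open policy makes the VLAN pointless, and that mDNS discovery (224.0.0.251) never crosses the router on its own and so needs a relay/reflector.

```python
"""Toy inter-VLAN firewall policy model (added example; all addresses constructed)."""
from dataclasses import dataclass
import ipaddress

# Constructed subnets: replace with whatever your router actually hands out.
MAIN_LAN = ipaddress.ip_network("192.168.10.0/24")   # hubs, NAS, phones
IOT_LAN = ipaddress.ip_network("192.168.20.0/24")    # cheap plugs, cameras
MDNS_GROUP = ipaddress.ip_address("224.0.0.251")     # link-local multicast, not routed

# Assumed "essential" services an IoT device may open toward the main LAN
# (e.g. a local DNS/NTP server). Everything else from IoT to main is denied
# unless it is a reply to a connection the main LAN opened first.
ESSENTIAL_IOT_TO_MAIN = {("udp", 53), ("udp", 123)}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    dport: int
    established: bool = False  # True if this is return traffic for an existing connection


def vlan_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    if addr in MAIN_LAN:
        return "main"
    if addr in IOT_LAN:
        return "iot"
    return "wan"  # anything outside both subnets is treated as internet


def decide(flow: Flow, iot_wide_open: bool = False) -> tuple[str, str]:
    """Return (verdict, reason) for one flow as the router's forwarding policy would see it."""
    if ipaddress.ip_address(flow.dst) == MDNS_GROUP:
        # mDNS is TTL-1 multicast; the router will not forward it between VLANs.
        return ("relay", "mDNS does not cross subnets; needs an mDNS relay/reflector")

    src, dst = vlan_of(flow.src), vlan_of(flow.dst)
    if src == dst:
        return ("allow", "same VLAN: switched at layer 2, firewall never sees it")
    if dst == "wan":
        return ("allow", "internet egress permitted from both VLANs")
    if src == "main" and dst == "iot":
        return ("allow", "main LAN may open connections into IoT")
    if src == "iot" and dst == "main":
        if iot_wide_open:
            # This is the "might as well be one network" case from the thread.
            return ("allow", "policy is wide open: VLAN adds no isolation")
        if flow.established:
            return ("allow", "reply to a connection the main LAN opened")
        if (flow.proto, flow.dport) in ESSENTIAL_IOT_TO_MAIN:
            return ("allow", "listed as essential")
        return ("drop", "unsolicited IoT -> main connection")
    return ("drop", "default deny")


def evaluate(flows: list[Flow], iot_wide_open: bool = False) -> list[str]:
    """Convenience wrapper returning just the verdicts, in order."""
    return [decide(f, iot_wide_open)[0] for f in flows]


# Constructed sample traffic: a Hubitat hub (.10.5) and a smart plug (.20.40).
SAMPLE_FLOWS = [
    Flow("192.168.10.5", "192.168.20.40", "tcp", 80),                     # hub polls plug
    Flow("192.168.20.40", "192.168.10.5", "tcp", 51234, established=True), # plug replies
    Flow("192.168.20.40", "192.168.10.20", "tcp", 445),                   # plug probes NAS
    Flow("192.168.20.40", "192.168.10.1", "udp", 53),                     # plug asks local DNS
    Flow("192.168.20.40", "224.0.0.251", "udp", 5353),                    # plug mDNS announce
    Flow("192.168.20.40", "192.168.20.41", "tcp", 80),                    # plug to plug
    Flow("192.168.20.40", "203.0.113.9", "tcp", 443),                     # plug phones home
]

if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        verdict, reason = decide(flow)
        print(f"{flow.src:>15} -> {flow.dst:<15} {flow.proto}/{flow.dport:<5} {verdict:6} {reason}")
```

Running it prints one line per sample flow; the unsolicited probe from the plug to the NAS is dropped while the hub's poll and its reply pass, and the mDNS announcement is flagged as needing a relay rather than a firewall rule. Calling `evaluate(SAMPLE_FLOWS, iot_wide_open=True)` shows the same probe being allowed, which is the situation the post above warns against.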
If cost is a major consideration and you’re not deploying a very large network, then you might get a lot more bang for your buck from ASUS. With Merlin firmware there are a lot of advanced configuration options that might meet your needs.
Besides the interest in setting up VLANs, what else made you decide on Unifi?
This is a good observation. I run Unifi with an Edgerouter, and I don't see the point of a VLAN on my home network. If I did anything I'd just use a different subnet...but I just don't see the value given the relatively low utilization of my network by anything that's not streaming related...and even it isn't that high.
Security, well, that's a different question, and my router and Fingbox seem to do well enough to provide a reasonable layer of protection...that and banning Echo/Google Home devices...lol
FWIW, I run an EdgeRouter 3 Lite (no USG), which has a bit higher throughput than the USG of the day did, 3 UAP hotspots (2 AC Pro and 1 AC HD), a few US-8 switches, a 16 port US8-Lite, a US8-Lite or 2, and a number of the 5 port Flex switches ($29) for point-of-use switching (media cabinets, computer desks, etc.).
I also have a Cloud Key Gen2 Plus for Unifi and Protect. I have about 3000 sq feet on 3 floors, and my UAPs are roughly placed one over another, one on each floor.
Coverage is fantastic. But frankly, two Hot Spots would probably have been more than sufficient.
I'd still go with an EdgeRouter over the USG, and I would avoid the Dream Machine, but that's because I'm older and have been bitten by the "all in one" thing far too many times to consider one. Separate devices for each function seems better to me.
Your choices however are solid. Just be sure to pull Cat 6 to every place you might want something during your house build, as it's always easier now than later. I'd even double up the cables wherever you could.
I think you'd set up your Guest Network on the Unifi interface unless you wanted a Guest LAN. The UAPs and Unifi would handle the Guest WiFi (and it's not hard to set up). If you wanted a Guest LAN, you'd do that in the ER interface.
I found the ER interface to be a little inscrutable at first, but there are plenty of online resources to help with setting it up. I use the web interface from my Android tablet all the time to set up static DHCP reservations, and at one point had 2 mutually routable subnets, including a 192.168.0 net to screw with "DHCP" devices that are DHCP only on that subnet.
I use an ER3 Lite, let me look at the $60 one you are referring to and let you know.
I do use a Cloud Key Gen 2 Plus for my controller (Unifi), for all my switches and the UAPs; it also provides the Protect interface for my Ubiquiti cameras. The only thing I lose with the ER is some of the status information on the main Unifi Controller page.
The Unifi Controller app sets up the WiFi network (and Guest Network), which are built off the base subnet you set up in the router. The UAPs get a network address on your LAN (assigned by the router) and pass DHCP requests to the router from WiFi devices. I think (and I'm not presently running one) the Guest WiFi is simply a different SSID and password, and the UAPs can restrict bandwidth to those devices, but they aren't on a separate subnet by default. I'm not 100% on that though, as I don't use a Guest WiFi network in my home. It's all or nothing here.
By a Guest LAN, I was suggesting that if you wanted separate physical LANs (e.g. in a guest room or public spaces of your house), the EdgeRouter supports multiple LANs on differing subnets.
The ER-X has pretty low throughput, (IMO) so I'd recommend an ER3-Lite or ER4 if you can swing it.
The USG 3P that @jkp is listing would be a better choice than the ER-X and similar (if not better) in performance than the ER3-Lite as well; new it's $139, so it's similar in price to the ER3. You'd also be able to manage everything in the Unifi Controller app, which is kind of a plus, and I think in all honesty the user base of the USG line is bigger than that of the ER line, and you'd likely find it easier to get assistance with the USG.