Local Network Setup

I'm interested to hear about people's approach to how they set up their local network and why. I am thinking about things like separation of devices into separate networks / VLANs, Wi-Fi setup, use of mesh networks, etc. Aside from reasons why a particular choice was made, any issues or limitations would also be useful.

I'm reluctant to get too bogged down in the exact brands / devices themselves, more the concepts of why you would set things up the way you have. But I'm not going to be strict about this, just see it as a guide.

In terms of my own setup, it is relatively basic: a modem / router with 2.4 GHz and 5 GHz Wi-Fi, an unmanaged switch, plus an RPi providing local DNS and WireGuard VPN access. I have wired in as many of my hubs and devices as I can, leaving my 2.4 GHz Wi-Fi for smart plugs, older Chromecasts, my Bond bridge and probably a few other things... I put as many other devices on my 5 GHz channel as I can, like my mobile, tablets, work laptop, etc.

I am interested to get a separation of this setup, most likely into IoT and the rest. Not for any major security concerns, more just to reduce the impact of any changes or maintenance I may do from time to time.

Anyway, if nothing else, it felt like it was an interesting topic to bring up after reading a few recent questions / conversations on the Community.

Simon

I keep mine relatively simple. I will lay out hardware simply for understanding. I do use UniFi AP-AC Pros throughout the house for Wi-Fi access because they have a gigabit backhaul. This gives me overall better distribution for Wi-Fi. For a firewall I use a WatchGuard T35. It's one of the best security appliances out there for business class use. I do site-to-site VPN for several clients as well, but that's an aside. For the general network I don't implement VLANs at home simply because I can get very granular with my firewall rules, and I'm not overly concerned about segmenting it into VLANs because, face it, if the network goes down it's going to be hardware related and everything will be affected one way or another on such a small home network. (I'm not running redundant switch stacks and T3 or fiber connections to other parts of a building or sites)... Overall I try to keep things pretty simple and humming along. Oh, I do have a guest network, and my Wi-Fi names are completely inappropriate, but my outdoor AP blasts them to the neighborhood :stuck_out_tongue:

3 Likes

I have all our IoT equipment, including the Hubitat devices, Lutron bridge, and cameras, on a separate VLAN and SSID from everything else. I do the same (another VLAN/SSID) for media devices, and yet another for guests. That leaves my wife and me to our own VLAN (no kids at home now). I implement it all with a Peplink router and Pepwave APs, and a UniFi switch. Apparently I can add up to 12 more with this equipment, but I don't think that's going to be necessary.

Other than the guest network, this is all probably unnecessary, but I set things up this way after the discovery a few years back that certain security cameras were easily hacked and even "phoning home". We live on an island in a very rural area and I can't actually remember the last time we locked our doors except at night when sleeping, so cybersecurity and weather preparedness are really my only security concerns most of the time. Well, those and coyotes, skunks, and porcupines, to keep the dogs safe. The humans are easy to fend off!

1 Like

Google does (or did) make a little device that replaces the power cord and mini brick that has an Ethernet jack so that the Chromecast device becomes wired rather than WiFi. I converted all my older Chromecasts to Ethernet using them, which I ordered direct from Google’s store.

They seem out of stock now.

https://store.google.com/us/product/ethernet_adapter_for_chromecast?hl=en-US

1 Like

Here are the things I do to maintain the responsiveness of my Internet LAN connections.

  1. Make sure you have an up-to-date router. The routers currently recommended for home use are WiFi 6 (AX) routers. However, if you have older devices that will not connect natively at WiFi 6 speeds, you can either upgrade your WiFi adapters or stick with WiFi 5, aka AC routers.

  2. Everything that can be plugged into an Ethernet port should be wired. My primary computers are on the second floor and my router is on the first floor. I have a 16-port Ethernet switch near the modem and an 8-port switch near the computers with a CAT6 cable going between the two switches. Use WiFi connections only when necessary.

  3. If you have Chromecast devices, the Ethernet adapter suggested above will allow you to wire the device rather than using WiFi. Streaming video is one of the most significant consumers of bandwidth, so you do not want it to be on WiFi unless absolutely necessary.

  4. Most home automation devices use very little bandwidth. Although the Hubitat hub is wired for Ethernet, the adapter runs at 100 Mbps. You can put them on a different subnet if you wish, but it won't affect performance of your LAN.

  5. I have a couple of video cameras for surveillance. One is a 4K device, so it consumes a lot of bandwidth. I have a DVR that records the cameras 24/7 using PoE connections. The DVR assigns IP addresses on a different subnet so the cameras do not interfere with the primary LAN. If you have multiple cameras on the primary subnet, it can slow things to a crawl. That is why I use PoE cameras rather than WiFi cameras.

2 Likes

I use all UniFi equipment: router, switches and access points. I have no WiFi 6. My network is segregated into VLANs: "Admin" for all iPhones, iPads and iMac computers; "IOT" for all HA devices; "Camera" for 9 different cameras. All of my access points are hardwired and work well. Any device that I can hardwire I will.
This network has been running since March of '21 and it works very well with all my IoT devices, including my HE hub.
One of the major perks is that the UDM Pro allows me to set up a RADIUS VPN so I can access my HE and control my HE when away from home.

4 Likes

Like others here, I have everything except my computers and NAS on a separate IoT VLAN and SSID, set for device isolation so nothing there can talk to anything else. The main reason for that is that I don't trust any of them, and if something gets hacked, at least it can't get to my computers or NAS. And if anything can be hardwired without a lot of difficulty, it's hardwired.

My previous router was flashed with OpenWrt so I could create as many APs as I wanted. But we needed a new router at our rental property, so I put it over there and bought a WiFi 6 router for the house. Although it has great coverage and is very fast, I'm less than thrilled about its dumbed-down consumer-level interface and lack of options. But I can't justify spending a lot of money on something like a UniFi system, at least not right now.

With the new router I only have two SSIDs available, the regular one and the guest one, so I use the guest one for the IoT stuff. We rarely have guests that need access to Wi-Fi, and I don't really see a need to have multiple IoT networks.

1 Like

Thanks for the tip. I have one Ultra which has this built in to the adaptor, so will look at getting an Ethernet cable up to this one. I have a Gen 2(?) one that does not include this. Looks like this UGREEN adaptor may be an option, even for other devices like Google Home Minis as well....

https://www.amazon.com.au/UGREEN-Network-Adapter-Chromecast-Ethernet/dp/B0773NKLTD

A little off topic, and I'm guessing you already know most of this.

Rather than the type of network, my focus has been on how best to retrofit CAT 6 cabling into existing structures with little to no remodeling effort. As others have stated, wired wherever possible has been my main goal, with 1 Gbps switches (2) to tie everything together. Basements and attics are your friend. While I haven't gotten too fancy on the switches yet with VLANs/etc., I'm currently running a Cisco 10-port managed switch in my office and a Netgear switch inside a central media panel which ties our rooms together.

I'm military, so we have lived in many locations with different floor-plans, including several military housing locations including our current home. We've been lucky that military housing was smart and has recently put CAT 6 wiring in their homes back to a media panel. I just had to terminate the connectors in a couple locations.

My most aggressive project is a two story home we own in N. VA with a finished basement. When we bought the house each main room/bedroom had a single COAX cable exiting the side of the garage in a single bundle where the cable box was supposed to go, and standard copper telephone in a ring through the house.

While most of the basement was finished, the exception was the utility room where a single, larger, HVAC unit supplied the entire house rather than a dual unit like many other homes this size. This became the central location to access most of the house with CAT 6. The central HVAC unit was below a plenum which went through to the attic where the air handler distributed to the upstairs. I dropped in a 2 1/2" conduit from the attic to the basement (had to cut in a 6"x12" drywall access on the 2nd floor to drill a hole to go through to the 1st floor) and used that to reach most of the house.

The primary media panel is in the utility room, with a second media panel in the garage where the original COAX tied together. 8 COAX and 8 CAT 6 lines tie the media panels together with some low voltage flexible conduit also between the two and from the garage panel to the attic. That was a bit more challenging to put in, but well worth it.

Each room has a minimum of 2 COAX and 2 CAT 6 in a single wall plate. 2 COAX since I started the project before DirecTV used their single-wire SWiM adapters and DVRs required 2 connections. Besides, COAX is a great alternative to CAT 6 if necessary, using MoCA. Office and media center locations have a minimum of 4 CAT 6, 4 COAX (media center), and a 2nd wall plate with 2 CAT 6/COAX for alternate TV locations or printers. Even most of the 1st floor drops (primarily an office) were reached through the attic, and a small drywall cut near the 1st floor ceiling / 2nd floor floor, to get between floors.

Over the course of living in the house 2x during DC tours, about 10 years, and a basement remodel which opened up some access to other parts of the house and a basement bedroom, I've put in over 2000' of CAT 6 cabling. Verizon brought FiOS to the neighborhood several years back; with the flex conduit from the garage to the basement to the utility room, I had them run the fiber all the way to the basement utility room, where they installed the fiber media adapter right next to the media panel. You can see the edge of the fiber media panel in the basement photo below, and the black box to the right of the SWiM in the garage is the fiber splice.

Basement

Garage

Besides this house, I've put in similar wired CAT 6 drops in my in-laws' single-story home through the attic back to a single switch point in the garage, and I'm adding a larger single media panel for CAT 6 / COAX in a rental home remodel that is in progress.

Bottom line: I've invested the extra time and effort to add the backbone hard wiring. Any home ultimately can be done, some just take a little more drywall work than others, but it's worth the effort and allows you to do any / all of the above options discussed: wired, mesh, VLANs, etc.

Next step up will likely be a central media rack vice just a panel. That will be for the retirement home in a couple years when we figure out where that's going to end up!

2 Likes

Nothing is off topic on the lounge... I'd rather see discussion on this thread than people feel constrained....

1 Like

Sounds like a military operation.... :slight_smile: Executed as such....

Nice work. Totally agree putting the effort in definitely pays off in the end. Can't claim to have always done that myself, but certainly something I support.

1 Like

House is an 1892 Queen Anne, about 4,000 sq feet. 2 residents, about 50 wireless devices, a couple dozen hardwired. 1 Gbps fiber connection to the Internet.

I recently ripped out all my Linksys Velop crap and oh what a difference it has made. I think if I had only two pieces of advice to give I would say (1) use commercial grade or at least prosumer gear, not the consumer stuff. (2) wired backhaul works SO much better. In your case multiple VLANs will drive you away from the consumer stuff anyway.

I have a rack in the basement that houses a Ubiquiti UDM Pro, a 24-port PoE switch acting as a distribution switch, and a UPS. There are 4 access switches in all: 1 on the 1st floor, 2 on the 2nd floor, and 1 on the third. Four access points, one on each floor, each PoE. Every device that can be conveniently hardwired is. All the switches are fully managed.

I ran Cat6a home runs to every managed device. In other words, the AP does not connect to the access switch on the floor but does a home run back to the distribution switch. Cat6a will support speeds up to 10 Gbps, though for now the electronics are all 1 Gbps. But it is much easier to swap out electronics later than to replace cabling. All of my cabling runs through interior closets and raceways. My contractor spent about 2 weeks trying to figure out how to do that in a 130-year-old house, but he managed!

I have 6 VLANs: management, guest, user, IoT, HA, and gamers. Firewall rules prevent access across VLANs and some of them also use device or port isolation. The HA VLAN is mostly HE and its partner devices, with no wireless network associated.

The Ubiquiti console is a tad quirky (some might say "buggy"), but the network itself has been rock solid. The firewall is not the most feature-rich, but it's good enough for what I need.

When I first installed it, I plugged the legacy Velop network into it and was shocked to see lost packets and retries through the roof. RTL from my house in Rhode Island to my company's primary VDI farm in MN was about 150ms. Now packet loss is essentially zero and RTL hovers around 37ms.

I did have to do some tweaking to help Wi-Fi devices that don't support the 802.11 standards for Wi-Fi roaming. The Nintendo Switch is notorious for hanging on to a weak Wi-Fi signal 3 floors away when there's enough Wi-Fi from a nearby access point to cook an egg. I had this problem on my old Linksys network, but because of the lack of network management I was never able to address it. With UniFi I was able to adjust the minimum RSSI on each of my APs to resolve the issue.

PoE has turned out to be a real plus, too. I use PoE splitters to bring power to all my hubs (3 HE, a Lutron, and a Hue). If I ever have to power cycle a hub, I can do it right from the network management console. And it cleans up wiring immensely.



4 Likes
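The segmentation the two VLAN posts above describe (an isolated IoT SSID that cannot reach computers or the NAS, and per-VLAN firewall rules that block cross-VLAN traffic) can be written down concretely on an OpenWrt router, which one of those posters mentioned flashing. The following is an added example, not configuration from any poster in this thread; the port name eth0, VLAN ID 20, the 192.168.1.0/24 and 192.168.20.0/24 address ranges, the SSID and the passphrase are all assumptions for illustration.

```text
# /etc/config/network (fragment, assumed layout): VLAN 20 carries IoT,
# tagged on the same physical LAN port the untagged main LAN uses.
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config bridge-vlan
        option device 'br-lan'
        option vlan '1'
        list ports 'eth0:u*'        # main LAN: untagged, PVID

config bridge-vlan
        option device 'br-lan'
        option vlan '20'
        list ports 'eth0:t'         # IoT: 802.1Q tagged toward the switch/APs

config interface 'lan'
        option device 'br-lan.1'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'

config interface 'iot'
        option device 'br-lan.20'
        option proto 'static'
        option ipaddr '192.168.20.1'
        option netmask '255.255.255.0'

# /etc/config/dhcp (fragment): hand out IoT addresses from the router.
config dhcp 'iot'
        option interface 'iot'
        option start '100'
        option limit '150'
        option leasetime '12h'

# /etc/config/wireless (fragment): a dedicated SSID bound to the IoT
# interface. 'isolate' is the per-AP client isolation the post refers to:
# IoT clients cannot talk to each other over the air, only to the router.
config wifi-iface 'iot_radio0'
        option device 'radio0'
        option mode 'ap'
        option network 'iot'
        option ssid 'home-iot'          # assumed name
        option encryption 'psk2'
        option key 'assumed-passphrase-change-me'
        option isolate '1'

# /etc/config/firewall (fragment): IoT may reach the Internet, never the LAN.
# No 'forwarding' from iot to lan exists, so that direction is REJECTed.
# lan -> iot is allowed so you can still reach a hub's web UI from a
# computer; replies flow back because zone forwarding is stateful.
config zone
        option name 'iot'
        list network 'iot'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'

config forwarding
        option src 'iot'
        option dest 'wan'

config forwarding
        option src 'lan'
        option dest 'iot'

# 'input REJECT' would also block the router's own DHCP and DNS for IoT
# clients, so open just those two ports from the iot zone.
config rule
        option name 'Allow-IoT-DHCP-DNS'
        option src 'iot'
        option proto 'udp'
        option dest_port '53 67'
        option target 'ACCEPT'
```

Two caveats a practitioner would want. First, the isolation only holds if the switch ports and access points between the router and the devices actually carry VLAN 20 as a tagged member; an unmanaged switch in the path collapses the tags and the separation with them. Second, discovery protocols such as mDNS (used by Chromecast, Hue and similar hubs) do not cross the VLAN boundary by design, so casting from a phone on the main LAN to a Chromecast on the IoT VLAN needs either an mDNS reflector on the router or the phone joining the IoT SSID; that is the usual friction that the "guest network as IoT network" approach above avoids at the cost of fewer segments.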

Received this through the week and tested it this morning in a more convenient spot than where it normally lives. The adaptor seems to work well, as far as I can tell. I plugged the USB-A connector into a 5V 1A port on the TV, Ethernet into the adaptor and the micro-USB into the Chromecast. Was able to confirm the Chromecast connected through the wired connection and not Wi-Fi. Didn't really stress test it too much, but was able to cast from YouTube on my phone. Now I just need to run the Ethernet cable, which is a pain because the crawl space above it is pretty tight... Should try and do it before the summer hits.

4 Likes
