Budget friendly DIY Home Router & Network setup advice

Just a point of clarification (which might or might not be the case with Ubiquiti): you can control those APs without the UniFi/Omada software, it is just easier with it.

With limited functionality and using a phone app, so still poor at best :wink:

+1, and those are results on positively ancient hardware (Ivy Bridge is what, 12 years old?) and without modern crypto acceleration hardware blocks.

2.5 GbE should be trivial on any modern x86 platform nowadays (barring extremely old, ultra-low-power, or the most crippled bargain chips).

According to the open bench script and results DB, even a Celeron N4500 can do 1.5 Gbps and the N5105 touches the 2.5 Gbps line.

The RPi 5 goes over 2.5 Gbps in the benchmark.

You get exactly what you are not paying for, and those APs are still head and shoulders above the rest of the similarly priced SOHO market without the UniFi console-enabled features.

Nothing forces you to buy a UniFi Cloud Key-like device either; you can host the controller on your own machine for absolutely free and fully on-prem.

RPM, deb and Docker images are freely available.

Please at least look up stuff before making claims. WireGuard does not support any hardware crypto acceleration unless you're jumping through hoops ( https://networkbuilders.intel.com/docs/networkbuilders/intel-avx-512-and-intel-qat-accelerate-wireguard-processing-with-intel-xeon-d-2700-processor-technology-guide-1647024663.pdf ).

And? The point is that WireGuard performs at 1 Gbps line speed on ancient notebook-power-envelope hardware, and we have moved on since in all of:

  • raw frequency and core count
  • power use per effective unit of performance
  • new instructions that can be effectively leveraged for additional performance gains on top of the above (SSE and plain AVX)
  • specialized-function hardware blocks on very high-end enterprise hardware or add-in cards.

OP is definitely not ordering a Xeon-D with QAT for his home router, so what? Anything modern, thanks to all the points above, will be ready to perform at whatever line speed you throw at it.

The benchmark proves it once again: even a shit-tier 10 W Celeron from 2021 is capable of handling 1 Gbps+ line speed, and 2.5 Gbps is doable with minimal marginal investment.

It's a good time to be alive.

The point is that your claims are irrelevant, and FWIW that loopback benchmark isn't completely true to actual performance either, which is mentioned at the bottom of the page. You likely want to have some filtering on your interface too :slight_smile:

That's why we benchmark in a standardized and tiered manner. We are trying to know what our hardware can actually process in the best-case scenario.

First you run a naive bench to get the outer performance envelope, then you get closer and closer to a configuration more reminiscent of the actual one.

Pretty much most modern benchmarks are set up this way, design-wise.
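The tiered approach the two posts above argue over (bare WireGuard first, then the same tunnel with filtering in front of it) can be scripted on one Linux box. The script below is an added example and is not code from any participant in this thread: it builds two network namespaces joined by a veth pair, runs a WireGuard tunnel between them, measures iperf3 throughput through the tunnel, then adds a stateful nftables input filter on the server side and measures again. Namespace names, addresses, ports, the `/tmp` config paths and the `WGBENCH_RUN` guard variable are all choices made for this example. Because both tunnel ends and both iperf3 ends share the same CPU, the number is a ceiling rather than a forwarding figure, exactly the caveat raised about the loopback benchmark; moving the client namespace to a second machine is the next tier.

```shell
#!/bin/sh
# Added example, not from the thread: a two-tier WireGuard throughput benchmark
# on one Linux host. Tier 1 measures the bare tunnel between two network
# namespaces; tier 2 adds a stateful nftables filter on the tunnel endpoint, so
# the difference is what packet filtering costs on this CPU. Needs root,
# iproute2, wireguard-tools, nftables and iperf3. Namespace names, addresses,
# ports and file paths are arbitrary choices made for this example.

NS_A=wgbench_a          # tunnel "server" and iperf3 server
NS_B=wgbench_b          # tunnel "client" and iperf3 client
WG_PORT=51820           # UDP port the server-side WireGuard listens on
IPERF_PORT=5201

# Render a WireGuard config file for `wg setconf` from its parts (pure text).
# $1 private key, $2 listen port ("" for the client), $3 peer public key,
# $4 peer endpoint ("" for the server), $5 AllowedIPs for that peer.
wg_conf() {
    printf '[Interface]\nPrivateKey = %s\n' "$1"
    [ -n "$2" ] && printf 'ListenPort = %s\n' "$2"
    printf '\n[Peer]\nPublicKey = %s\nAllowedIPs = %s\n' "$3" "$5"
    [ -n "$4" ] && printf 'Endpoint = %s\n' "$4"
    return 0
}

# Extract receiver-side throughput in Gbit/s from `iperf3 -J` output on stdin.
# The first bits_per_second after "sum_received" is the end-of-run total; the
# per-interval and sum_sent values that precede it are skipped.
iperf_gbps() {
    awk '/"sum_received"/ { f = 1 }
         f && /"bits_per_second"/ { gsub(/[^0-9.]/, ""); printf "%.2f\n", $0 / 1e9; exit }'
}

# Constructed stand-in for iperf3 JSON so the parser can be checked offline;
# real output carries many more fields, only these keys matter here.
sample_iperf_json() {
    cat <<'EOF'
{
  "intervals": [ { "sum": { "bits_per_second": 2512345678.0 } } ],
  "end": {
    "sum_sent": {
      "bits_per_second": 2450000000.5
    },
    "sum_received": {
      "seconds": 10.0,
      "bits_per_second": 2400000000.0
    }
  }
}
EOF
}

# Two namespaces, a veth "cable" (10.0.0.0/24) and a tunnel on top (10.1.0.0/24).
setup() {
    ip netns add "$NS_A"; ip netns add "$NS_B"
    ip link add va type veth peer name vb
    ip link set va netns "$NS_A"; ip link set vb netns "$NS_B"
    for ns in $NS_A $NS_B; do ip -n "$ns" link set lo up; done
    ip -n "$NS_A" addr add 10.0.0.1/24 dev va; ip -n "$NS_A" link set va up
    ip -n "$NS_B" addr add 10.0.0.2/24 dev vb; ip -n "$NS_B" link set vb up

    ka=$(wg genkey); kb=$(wg genkey)
    pa=$(printf %s "$ka" | wg pubkey); pb=$(printf %s "$kb" | wg pubkey)
    wg_conf "$ka" "$WG_PORT" "$pb" "" 10.1.0.2/32 > /tmp/wgbench_a.conf
    wg_conf "$kb" "" "$pa" "10.0.0.1:$WG_PORT" 10.1.0.1/32 > /tmp/wgbench_b.conf

    ip -n "$NS_A" link add wg0 type wireguard
    ip -n "$NS_B" link add wg0 type wireguard
    ip netns exec "$NS_A" wg setconf wg0 /tmp/wgbench_a.conf
    ip netns exec "$NS_B" wg setconf wg0 /tmp/wgbench_b.conf
    ip -n "$NS_A" addr add 10.1.0.1/24 dev wg0; ip -n "$NS_A" link set wg0 up
    ip -n "$NS_B" addr add 10.1.0.2/24 dev wg0; ip -n "$NS_B" link set wg0 up
}

# Tier 2: a stateful input filter on the server side, roughly what a home
# router runs on its LAN: accept established flows, the tunnel's UDP port and
# new iperf3 connections arriving via wg0; drop everything else.
add_filter() {
    ip netns exec "$NS_A" nft -f - <<EOF
table inet bench {
  chain input {
    type filter hook input priority 0; policy drop;
    ct state established,related accept
    ct state invalid drop
    iif lo accept
    udp dport $WG_PORT ct state new accept
    iifname "wg0" tcp dport $IPERF_PORT ct state new accept
  }
}
EOF
}

# One 10 s iperf3 pass through the tunnel, printed with a label.
bench() {
    ip netns exec "$NS_A" iperf3 -s -1 -p "$IPERF_PORT" >/dev/null 2>&1 &
    sleep 1
    gbps=$(ip netns exec "$NS_B" iperf3 -c 10.1.0.1 -p "$IPERF_PORT" -t 10 -J | iperf_gbps)
    printf '%-20s %s Gbit/s\n' "$1" "$gbps"
}

cleanup() {
    ip netns del "$NS_A" 2>/dev/null || true
    ip netns del "$NS_B" 2>/dev/null || true
    rm -f /tmp/wgbench_a.conf /tmp/wgbench_b.conf
}

# Loading the file only defines functions; run the benchmark explicitly with
#   sudo WGBENCH_RUN=1 sh wgbench.sh
if [ "${WGBENCH_RUN:-0}" = 1 ]; then
    trap cleanup EXIT
    setup
    bench "tier 1: bare tunnel"
    add_filter
    bench "tier 2: nft filter"
fi
```

The filter in tier 2 is deliberately small; the point of the tiers is to add one realistic layer at a time (a longer ruleset, NAT on the outer interface, a second box as client) and watch where the Gbit/s figure drops on the hardware under test.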

What do you mean by attic? Has the space you call an attic been remodeled as living space, meaning you can control the temperature? Are heating and air conditioning available in the attic?

An R86S-N305B if you have the budget, with VyOS if you want Linux packet filtering and routing performance and can handle a CLI; a Netgate 4200 if you want a GUI, support and a validated config, but potentially less performance in the same price range.

Not going to happen without a rack-mount current- or last-generation Xeon/EPYC/Threadripper and a budget to match.

UniFi APs need the Enterprise version for 2.5 Gbps; these cost a lot of money, but so does equivalent hardware from others, maybe TP-Link Omada a bit less pricey.
Unless you are in a busy environment or have very peculiar building constraints, both will do. If you do have a shitty Wi-Fi situation, then anything other than professionals looking at the problem and charging for it will be hit and miss… But UniFi and TP-Link will be more than enough, just don't expect to hit 2.5 Gbit with a single device…

I remember the biggest problem with custom routers is switching. You will likely need a separate switch because putting a bunch of interfaces on a bridge managed by a general-purpose CPU is not very efficient.

Did that change?

No @ulzeraj, router or gateway, then switch as a separate device.

They’re not really meant for switching/routing data? :slight_smile:

Nope, two different functions. My OPNsense router has a total of 5 gigabit ports (one for WAN and four for LAN) and it was built this way for VLANs, not to be a switch. There is a reason a 28-port switch is behind that.

A router is meant for routing (layer 3 of the TCP/IP stack: Internet protocol suite - Wikipedia).
Cheap router appliances nowadays can route at full 1 Gbit speed across all their interfaces; most of them can route across two of them at 2.5 Gbps, rare ones at 5, and for 10 we're already in the 300-400 dollar range for routing alone…

Usually such an appliance is also used for NAT/firewall duty; it is not a given that a cheap appliance will be able to packet-filter at full line rate, especially with complex filtering rules.

Most switches provide layer 2 services for a local network, basic or complex (VLAN); some of them can do layer 3 routing, but for line-rate routing speeds over 1 Gbit we're already talking expensive and noisy ones (MikroTik has been the disruptor in this space with decent performance at decent prices and noise levels, but not the lower-tier ones). Very few switches can do layer 3 routing at 10 Gbit speeds, and they are enterprise: expensive unless you buy end-of-line units, noisy and power hungry. What switches do very well is layer 2 line-rate switching using dedicated ASICs, as opposed to routers where you need to bridge interfaces together and use the CPU to switch. It can be done, but with much higher CPU and power requirements.

A router appliance like the UDMs, or pfSense/OPNsense/OpenWrt/VyOS, can also act as a VPN gateway, the performance of which is CPU-bound: typically 200-300 Mbit for cheap Atom/ARM-based units, 500-600 for WireGuard. If you want to have WireGuard line speed over 1 Gbit, the meta is to get an Intel N305 or newer/bigger CPU, or an old enterprise server.
Smaller CPUs like the one in the Raspberry Pi 5 can theoretically do WireGuard at 3 Gbit, but only over one interface (not routing/firewalling at the same time).

These appliances can also do intrusion detection/intrusion prevention, typically using Snort or Suricata, which are traditionally CPU and memory hogs; the >2.5 Gbps IDS/IPS tier is still enterprise-only at bonkers prices, unless something changes with the last generation of CPUs… Most people tend to include this requirement without understanding the amount of work that will be needed to operate Snort/Suricata properly…
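The "router with a few ports for VLANs, switch does the switching" design described above looks like this on a Linux router. The script is an added example, not code from the poster or from any of the appliances named: one NIC carries an 802.1Q trunk to a managed switch, the router gets one VLAN sub-interface per segment (no Linux bridge, so no frames are switched by the CPU), and an nftables forward policy decides which segments may talk to each other and to the WAN. Interface names, VLAN IDs, subnets and the `VLAN_APPLY` guard variable are assumptions for the example. The bridge alternative (`ip link add br0 type bridge` with the LAN NICs enslaved) would push every LAN-to-LAN frame through the CPU, which is the cost the post above refers to.

```shell
#!/bin/sh
# Added example, not from the thread: "router-on-a-stick" on a Linux box with
# one LAN-facing NIC. VLANs ride a single 802.1Q trunk to a managed switch, which
# does the layer 2 switching in its ASIC; the router only ever sees traffic that
# crosses VLANs or heads for the WAN. Interface names, VLAN IDs and subnets are
# arbitrary choices for this example. Needs root, iproute2 and nftables to apply.

TRUNK=eth1          # NIC cabled to the switch's trunk (tagged) port
WAN=eth0            # NIC facing the ONT / upstream

# VLAN table: "id name subnet". The router owns .1 in every subnet.
vlans() {
    cat <<'EOF'
10 lan  10.10.10.0/24
20 iot  10.10.20.0/24
30 mgmt 10.10.30.0/24
EOF
}

# One 802.1Q sub-interface per VLAN on the trunk. No bridge, so the kernel
# never forwards frames at layer 2; the switch does that.
create_vlan_ifaces() {
    ip link set "$TRUNK" up
    vlans | while read -r id name subnet; do
        ip link add link "$TRUNK" name "$TRUNK.$id" type vlan id "$id"
        ip addr add "${subnet%.0/24}.1/24" dev "$TRUNK.$id"
        ip link set "$TRUNK.$id" up
    done
    sysctl -w net.ipv4.ip_forward=1
}

# Render the nftables ruleset as text (nothing is applied here). Policy:
# every VLAN may reach the WAN, replies flow back via conntrack, mgmt may reach
# every VLAN, all other inter-VLAN traffic (lan<->iot included) is dropped and
# counted so the drop is visible in `nft list ruleset`.
render_ruleset() {
    printf 'table ip router {\n'
    printf '  chain forward {\n'
    printf '    type filter hook forward priority 0; policy drop;\n'
    printf '    ct state established,related accept\n'
    printf '    ct state invalid drop\n'
    vlans | while read -r id name subnet; do
        printf '    iifname "%s.%s" oifname "%s" accept comment "%s to wan"\n' \
            "$TRUNK" "$id" "$WAN" "$name"
    done
    printf '    iifname "%s.30" oifname "%s.*" accept comment "mgmt reaches all vlans"\n' \
        "$TRUNK" "$TRUNK"
    printf '    iifname "%s.*" oifname "%s.*" counter drop comment "no other inter-vlan traffic"\n' \
        "$TRUNK" "$TRUNK"
    printf '  }\n'
    printf '  chain postrouting {\n'
    printf '    type nat hook postrouting priority 100;\n'
    printf '    oifname "%s" masquerade\n' "$WAN"
    printf '  }\n'
    printf '}\n'
}

# Load the rendered ruleset atomically (nft -f replaces nothing else).
apply_ruleset() {
    render_ruleset | nft -f -
}

# Loading the file only defines functions; apply explicitly with
#   sudo VLAN_APPLY=1 sh vlan-router.sh
if [ "${VLAN_APPLY:-0}" = 1 ]; then
    create_vlan_ifaces
    apply_ruleset
fi
```

Run `render_ruleset` on its own first and read the output; the `eth1.*` wildcard match is what keeps the inter-VLAN policy short as VLANs are added, and the `counter` on the final drop is the quickest way to see whether the isolation is actually catching anything.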

I think you missed the complete definition of a switch chip/ASIC?

I did mention the ASICs, but my phone smart/dumb corrector changed that to basics :man_shrugging:

You don't have to have a router by the ONT though. I don't at work. The ONT is located in the warehouse where the fiber comes in from the street, and I have a cable going from there all the way into the office area where the router is located. You can do the same at home; just because the ONT is in the attic doesn't mean your equipment has to be. Just use the cable you already have there and place the router with the stuff under the stairs.

I would suggest a Firewalla Gold or Gold Plus for you; it seems perfect. It has full 2.5 Gb IDS/IPS inspection throughput, a non-rackmount form factor, is easy to use and manage, low power, fairly decent cost, and it's nice that all the IPS stuff is pre-set for you and you don't need to tinker with it all like when using pfSense or OPNsense.

Edit: actually, if you want 2.5 Gb WireGuard, that will be a little tricky; not many support that speed on WireGuard VPN. The upcoming Gold Pro does, but that costs a lot more just to get this one thing.

Sodola makes a 4-port 2.5 Gb PoE unmanaged switch for $62 on Amazon that you can power your APs from.


If you were willing to relax the requirement for IDS/IPS…

then you could get away with a $/€/£150, 5-year-old “mini PC” running Linux for a firewall. Stick a dual-port 2.5 Gbps NIC in there and call it a day.

E.g. an old Coffee Lake / 8th-gen HP ProDesk 600, or some such thing, would do the job.

I'm saying this because chances are IDS/IPS is probably not going to add much value unless you spend a couple of hours per week/month maintaining it. Companies often end up paying for some kind of subscription to a third-party vendor to provide them with updated rulesets and so on.


Anyway, on a cheap box you could run OpenWrt, spin up a Ubiquiti controller in a container, and get a couple of UniFi U7 Pro for your Wi-Fi.


Thank you all for your input, I really appreciate the advice. It’s been a really busy week for me and I’m going to spend some time digesting everyone’s input and decide which direction I’m going to go.

I know that my requirements weren’t exactly easy to cater for, and I’ve learned some things that may change the direction I go.

I’m happy that I’ve got more than enough information to make a decision, and I’ll post an update once I’m decided.
