Help me set my local network up

Hello there.
I’m in need of advice regarding my local network.
My home is not particularly small and is spread over several levels. I had already set the network up in a crude way, but I want to tidy it up. The need for this came up due to issues with printing from some computers and my Roomba losing its position from time to time.

I have some hardware on hand that includes the modem-router provided from my FTTC ISP, a FritzBox 7590 modem-router that I’m currently using as a switch/extender, two Unifi wireless repeaters, a couple of older spare TP-Link/Netgear modem-routers for ADSL/FTTC, three TP-Link TL-SF1005D 100 Mb/s switches.
The ISP currently only provides up to 100 Mbps down / 20 Mbps up on paper, about 55 Mbps down / 20 Mbps up typically.

My current network setup is the following:

TIM ISP Wi-Fi 5 router → Main floor Wi-Fi network 1

  • FRITZ!Box 7590 → Main floor Wi-Fi network 2 (same name and password as Wi-Fi network 1)
    ◦ My personal laptop, connected either via 1 Gbps Ethernet USB-C adapter
  • Main-floor TP-Link 100 Mbps switch
    ◦ Epson printer
    ◦ Unifi Wi-Fi module → Second floor Wi-Fi network
    ◦ Basement TP-Link 100 Mbps switch
      ▪ Unifi Wi-Fi module → Basement Wi-Fi network
      ▪ HP printer
      ▪ A desktop computer

As you can see, the network is a mess. At the moment, the main issue is with the main floor having two different networks with the same name and password. I don’t know if they currently work as two access points to the same Wi-Fi network or if the two networks actually conflict. It may be the reason why the Roomba gets lost lately.

I want to tidy up and my main objectives are:

  1. Unify the different Wi-Fi networks so that any device can seamlessly switch between access points and always stay connected to the network, in particular smartphones and my Roomba
  2. Be able to access every other device in the network from every other device unless each individual device is set up in a way not to be accessible (e.g. for privacy reasons)
  3. Be able to print to the Epson printer, and possibly to the HP printer, from every device in the network
  4. Have the network configuration resilient to general blackouts and to blackouts in specific parts of the household: if the light goes out, when it reboots it needs to remember its configuration. It doesn’t mean that the network needs to be up when a general blackout happens, but has to be online when, for example, the electricity is abruptly shut off in the basement.
  5. Have the network (relatively) easily upgraded in the future (FTTH is in sight, Wi-Fi 7, 10 Gbps Ethernet…)
  6. Be ready for a future NAS addition
  7. Make it possible for a specific computer to be made accessible via SSH from the outside, and have its MAC/IP static so that if the light goes out or the network needs to be rebooted, the specific computer can be accessed again with the same information as soon as the network is back up and running
  8. Easy connection procedure to the wi-fi network

The constraints are the following:

  1. Reuse as much of the available network hardware and possibly buy no additional hardware
  2. Limited space for wiring in the walls, so for example only one wired connection to the basement (two floors down) is possible.

Can you help me learn how to set it up, both from a hardware and a software point of view? Thank you very much

1 Like

First thing to do is for all routers (except the one connected to the ISP) to switch off DHCP by enabling bridge mode. This allows the DHCP server in that router to have full control of the entire network. When you succeed, WiFi losing connection will be a thing of the past.

At least in theory :stuck_out_tongue:

3 Likes
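A quick way to verify that the advice above actually took effect is to check whether more than one device still answers DHCP requests on the LAN. The script below is an added example, not something from this thread or from any of the vendors mentioned; it runs detection logic over a constructed, simplified log of DHCP OFFERs (one line per offer with the transaction id, the server identifier and the offered address), the kind of information a packet capture of the DHCP exchange would give you. The addresses and the line format are constructed for the example.

```python
"""Spot a second DHCP server on a flat home LAN.

Constructed example: the log lines below imitate what a capture of DHCP
OFFERs looks like once reduced to (transaction id, server identifier,
offered address). The line format is our own, not that of any tool.
"""
import re
from collections import defaultdict

# Constructed sample: one client request (xid 0x1a2b) is answered by two
# servers, which is exactly what happens when a second router on the LAN
# still has its own DHCP server switched on.
SAMPLE_OFFERS = """\
OFFER xid=0x1a2b server=192.168.1.1 yiaddr=192.168.1.50
OFFER xid=0x1a2b server=192.168.178.1 yiaddr=192.168.178.20
OFFER xid=0x3c4d server=192.168.1.1 yiaddr=192.168.1.51
"""

OFFER_RE = re.compile(
    r"OFFER xid=(?P<xid>0x[0-9a-f]+) server=(?P<server>[\d.]+) yiaddr=(?P<ip>[\d.]+)"
)


def parse_offers(text):
    """Return a list of (xid, server, offered_ip) tuples from the log text."""
    offers = []
    for line in text.splitlines():
        m = OFFER_RE.match(line.strip())
        if m:
            offers.append((m["xid"], m["server"], m["ip"]))
    return offers


def find_competing_servers(offers, expected_server):
    """Return the set of DHCP server identifiers other than the expected one.

    Any extra server means some other box on the LAN still runs DHCP and
    should be put into bridge/AP mode (or have its DHCP server disabled).
    """
    return {server for _, server, _ in offers if server != expected_server}


def transactions_with_multiple_offers(offers):
    """Map each transaction id to the set of servers that answered it,
    keeping only transactions that got offers from more than one server."""
    by_xid = defaultdict(set)
    for xid, server, _ in offers:
        by_xid[xid].add(server)
    return {xid: servers for xid, servers in by_xid.items() if len(servers) > 1}


if __name__ == "__main__":
    offers = parse_offers(SAMPLE_OFFERS)
    print("competing servers:", find_competing_servers(offers, "192.168.1.1"))
    print("contested transactions:", transactions_with_multiple_offers(offers))
```

With the sample data the expected server is the ISP router at 192.168.1.1, and the second offer from 192.168.178.1 (a typical default FRITZ!Box address, used here only as a constructed value) shows the other router is still handing out leases. Once every router but the edge one is in bridge mode, a fresh capture should show a single server identifier.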

Thank you, I will look at that. I think it should be in “Internet” or “Network” submenu, not Wi-Fi, right? Maybe a “LAN” submenu if it’s there?

No, not in WiFi settings. It’s a general setting so start looking for it there.

With the same network name and password that might already be possible. If not, look for an option in your Unifi Wifi-modules to run them in “mesh” mode. I use different Wifi-APs, so I can’t provide any more specific advice beyond that, since this is very specific to your Unifi hardware.

Ordinarily access control on the network level is provided by having different subnets for devices with different access profiles. That means both your router as well as the switches that are involved need to support VLANs, which usually means managed switches. Within a subnet you can’t really control network traffic very well, because each switch can forward it on its own without any involvement of the router (or another central device). The only level of access control you have in such a case is password protection on the device you want to protect.

That should be easy enough. If you have multiple VLANs/subnets, you might have to add the appropriate forwarding rules in your router. In any case I recommend assigning static IP addresses to all of your “server” devices (which include printers) and I suggest doing that on the router, so you have a central point of management for those static assignments.

That is pretty much a standard feature. Some expensive routers and switches distinguish between the “running configuration” and the “saved configuration”. So if you change your configuration on those switches there is an extra step to save them from the running configuration to the saved configuration (assuming the configuration works of course).

Of course that depends on the gear you are using and it’s hard to give general advice. E.g. I started my 10Gbps journey with a cheap Mikrotik CRS305 switch and two Mellanox ConnectX-3 NICs, to give me 10G between my desktop and my NAS. Now I have multiple switches that have 10G ports and the backbone of my home network is all 10G.
For the 10G upgrade: I strongly recommend gear with SFP+ ports rather than 10G via the standard Ethernet connector (RJ45).

Make sure you get a NAS that either has at least one 10G (SFP+) port or a PCI slot, so you can buy and insert your own (SFP+) 10G network card. FWIW I wrote a guide to purchasing a Synology NAS some years ago, but it might also give helpful pointers for a NAS purchase in general: https://www.reddit.com/r/synology/comments/fqudek/guide_which_synology_model_to_get/

I strongly recommend setting up an internal VPN server for this. I would not allow outside SSH connections in my home network without going through a VPN. If your Fritzbox router doesn’t offer that feature, you’d need to set up another server in your home network to act as VPN server.

No opinions on that, but perhaps your Wifi access points have the option to sign in via QR-code? Or what are you looking for exactly?

2 Likes

The issue is that my rooftop and basement Wi-Fi are run off the Unifi access points, while the main floor Wi-Fi network is split between two routers from two manufacturers that are different from Unifi and from each other, so I don’t know if a proper Mesh feature is supported. The FritzBox is supposed to have a Mesh feature that is easy to set up, but I think it’s compatible only with other FritzBox routers/repeaters/powerlines

Yeah, I meant something simpler than that. I just wanted to make some computers visible in the network while others remain hidden, and make the files of some of the visible computers accessible from every PC in the network with some kind of password protection.

Yeah, I managed to get it working even now :slight_smile:

Great, so no problem there

Yeah, my father was planning to rewire everything for fiber optics when the ISP upgrades to gigabit here. It will be great for me because I will probably be able to build a home-lab server accessible via SSH that I can download/upload data from/to at reasonable speeds from outside the local network.

I think the Fritz should have a VPN feature. Protecting the network that way is a great idea, although having anything accessible from the outside is still a weak point in the network

Yeah, I’m more of a DIY guy. I’m hoping to see ATX boards with integrated Qualcomm chips coming, or I will use some downvolted, downpowered desktop AMD CPU.

I just wanted to avoid obnoxious network configurations where you are prompted to insert username and password in the browser to connect to the network. I don’t think that similar configurations will be needed, though, so I was worrying for nothing.

Oh, okay, it seems that I didn’t understand the complexity of your setup. My bad. You really should have only one router in your network, sitting at the edge of it. So those other routers should become switches, ideally managed switches with VLAN support.

As a temporary workaround, you can usually use a router as a switch as well. If it has the option, set it into bridge/switch mode and you should be good to go (though at that point you might not be able to log into it anymore without a factory reset). If it doesn’t have that option, just turn off the DHCP server and only use the LAN ports. Then it should work as an unmanaged switch.

Then I would try and see if the Wifi connection can “jump” from one WAP to another. Even if it works, it might not be as seamless as with a proper mesh network though.

Well, my point was that this only works by putting those devices you’d like to hide into a separate subnet. Within a subnet network devices are generally visible. Perhaps, if you turn ping response off on that device, it might work, but other computers / switches in that subnet would probably still have an ARP record, so they know how to forward packets to that device.

So within a single subnet your only protection is a password protection. That also goes for network shares. Just because a computer is visible on the network, doesn’t mean that you can access it or its files (if it has a shared folder). You’d still need to provide your user and password to be able to do that.

Indeed, the nice thing about SFP+ is that you’re not limited to copper, but can use all kinds of transport links, including fiber. I’ve never used fiber, but I understand there are two different kinds of fiber cables, single-mode and multi-mode. Just make sure you get the right ones (including the right SFP+ Optical Transceivers that match the mode that you are choosing).

Yes, it is a potential weak point, but with a VPN you’re as safe as you can possibly get. Just keep the firmware of your router/VPN server up-to-date.

Just keep in mind that you might not be able to run Plex with transcoding on such a low-end machine. Though perhaps on the downvolted Ryzen CPU you can. (FWIW I don’t run my Plex server on my NAS for that same reason and use a mini PC for that.)

To the best of my knowledge that feature (called “captive portal”) is usually a thing only for wireless access points that support it. I would never turn on such a thing in my home network and just use Wifi passwords, even in my guest network.

1 Like
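The point made above, that a router's firewall only ever sees traffic that crosses between subnets and that hosts sharing a subnet reach each other through the switches alone, is easy to get wrong when planning VLANs. The script below is an added illustration, not code from this thread or from any router vendor: it models a constructed three-VLAN plan (trusted clients, printers, IoT for the Roomba), a handful of constructed hosts and a default-deny inter-VLAN policy, and for each pair of hosts reports whether the router gets a say at all.

```python
"""Model where access control can actually be enforced in a home network.

Hosts in the same subnet reach each other at layer 2, so the router's
firewall never sees that traffic; only traffic between subnets crosses the
router, where an inter-VLAN policy applies. VLANs, hosts and rules below
are constructed for the example, not a real configuration.
"""
import ipaddress

# Constructed plan: one subnet per VLAN.
VLANS = {
    "trusted": ipaddress.ip_network("192.168.10.0/24"),
    "printers": ipaddress.ip_network("192.168.20.0/24"),
    "iot": ipaddress.ip_network("192.168.30.0/24"),  # Roomba and friends
}

# Constructed hosts.
HOSTS = {
    "laptop": ipaddress.ip_address("192.168.10.10"),
    "desktop": ipaddress.ip_address("192.168.10.11"),
    "epson": ipaddress.ip_address("192.168.20.5"),
    "roomba": ipaddress.ip_address("192.168.30.7"),
}

# Router policy between VLANs, default deny: (source VLAN, destination VLAN).
# Replies to allowed connections are assumed to be handled by the router's
# stateful firewall, so only connection initiation is modelled here.
ROUTER_ALLOW = {
    ("trusted", "printers"),  # trusted clients may print
    ("trusted", "iot"),       # trusted clients may manage IoT devices
}


def vlan_of(ip):
    """Return the name of the VLAN whose subnet contains ip, or None."""
    for name, net in VLANS.items():
        if ip in net:
            return name
    return None


def reachability(src, dst):
    """Return ("l2", True) when both hosts share a subnet (switch-forwarded,
    the router cannot block it) or ("router", allowed) when traffic must
    cross the router and the inter-VLAN policy decides."""
    s, d = vlan_of(HOSTS[src]), vlan_of(HOSTS[dst])
    if s is None or d is None:
        raise ValueError("host outside every planned VLAN")
    if s == d:
        return ("l2", True)
    return ("router", (s, d) in ROUTER_ALLOW)


if __name__ == "__main__":
    for a in HOSTS:
        for b in HOSTS:
            if a != b:
                where, ok = reachability(a, b)
                print(f"{a:8} -> {b:8}: {'allowed' if ok else 'blocked'} ({where})")
```

Running it shows that laptop and desktop can always reach each other (their traffic never touches the router, so only host passwords and host firewalls protect them), while the Roomba in the IoT VLAN cannot initiate anything towards the trusted clients or the printers because no rule allows it. If two devices end up in the same VLAN, no router rule will ever separate them, which is the practical reason for putting "hidden" machines into their own subnet.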

I’ve probably managed to do exactly that. Basically I’ve set the FRITZ!Box 7590 in “Client IP” mode in such a way that it acts as a Mesh slave even if the primary modem/router is not a FRITZ!Box. It looks like it’s working now.

I need to see if I can replicate this behaviour with the Unifi devices, too. If I manage that, it looks like everything should be working as I intended.

Do you think it’s best to give as many devices as possible, in particular network devices like routers and Wi-Fi access points, a static IP within the local network? Or is it best not to do so?

I assign each router and switch an IP address statically. Then, I allow DHCP to handle IP addresses for all my clients. You may not want to do the extra step that I do, but I assign an IP address to my LAN interface for my networks and then separate my clients by VLANs. I create a VLAN for all Linux clients, another VLAN for Windows clients, and another VLAN for Internet of Things clients.

Yes, I do that for all devices that have some sort of server role (which includes printers, switches, wireless APs, UPS Network Management Card). For most of those devices I configure them to DHCP on the device itself and configure the static IP address in my router (running OPNsense). That way I have a central management entry point for static IP addresses.
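Both the earlier advice to assign static addresses to “server” devices on the router and the reply just above describe the same practice: the device stays on DHCP and the router holds a reservation for its MAC. The script below is an added example, not from this thread or from OPNsense, of keeping that inventory as data and checking it before it goes into the router. It assumes a dnsmasq-style DHCP server, whose `dhcp-host=MAC,IP,hostname` line format is real; OPNsense uses a different DHCP server, so the rendering would differ there while the checks stay the same. The subnet, dynamic pool, hostnames and MAC addresses are constructed.

```python
"""Generate and sanity-check static DHCP reservations for the home router.

Assumes a dnsmasq-style DHCP server (dhcp-host=MAC,IP,hostname). The LAN,
the dynamic pool and the device inventory below are constructed values.
"""
import ipaddress
import re

LAN = ipaddress.ip_network("192.168.1.0/24")
# Dynamic pool handed to laptops/phones; reservations must stay outside it,
# otherwise a reserved address can collide with a lease already given out.
POOL_START = ipaddress.ip_address("192.168.1.100")
POOL_END = ipaddress.ip_address("192.168.1.199")

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")

# Constructed inventory of "server role" devices: (hostname, MAC, wanted IP).
INVENTORY = [
    ("fritzbox-ap", "aa:bb:cc:00:00:01", "192.168.1.2"),
    ("unifi-ap-2f", "aa:bb:cc:00:00:02", "192.168.1.3"),
    ("unifi-ap-base", "aa:bb:cc:00:00:03", "192.168.1.4"),
    ("epson", "aa:bb:cc:00:00:10", "192.168.1.20"),
    ("hp-printer", "aa:bb:cc:00:00:11", "192.168.1.21"),
    ("ssh-box", "aa:bb:cc:00:00:20", "192.168.1.30"),
]


def validate_reservations(inventory, lan=LAN, pool=(POOL_START, POOL_END)):
    """Return a list of human-readable problems; an empty list means all good."""
    problems = []
    seen_macs, seen_ips = set(), set()
    for host, mac, ip_str in inventory:
        mac = mac.lower()
        if not MAC_RE.match(mac):
            problems.append(f"{host}: malformed MAC {mac}")
        try:
            ip = ipaddress.ip_address(ip_str)
        except ValueError:
            problems.append(f"{host}: malformed IP {ip_str}")
            continue
        if ip not in lan:
            problems.append(f"{host}: {ip} is outside {lan}")
        elif ip in (lan.network_address, lan.broadcast_address):
            problems.append(f"{host}: {ip} is the network or broadcast address")
        elif pool[0] <= ip <= pool[1]:
            problems.append(f"{host}: {ip} collides with the dynamic pool")
        if mac in seen_macs:
            problems.append(f"{host}: MAC {mac} reserved twice")
        if ip in seen_ips:
            problems.append(f"{host}: IP {ip} reserved twice")
        seen_macs.add(mac)
        seen_ips.add(ip)
    return problems


def render_dnsmasq(inventory):
    """Render one dnsmasq dhcp-host line per device (MAC,IP,hostname)."""
    return [f"dhcp-host={mac.lower()},{ip},{host}" for host, mac, ip in inventory]


if __name__ == "__main__":
    issues = validate_reservations(INVENTORY)
    if issues:
        print("\n".join(issues))
    else:
        print("\n".join(render_dnsmasq(INVENTORY)))
```

Keeping the reservations in one place on the router, as both replies suggest, also means that after a blackout every printer, access point and the SSH box comes back on the address everyone else expects, without any per-device configuration to restore.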

Thank you for the feedback!

Yeah, it looks like the consensus for doing so is there… on a small sample size of 2 but I already had a positive bias towards doing it. Thanks!

For now, it looks like the network is correctly set up, although the roomba got lost again today, but I’m suspecting it’s an issue with the vacuum itself. The network on the main floor, on the other hand, should be fine.

1 Like