I am seeking advice on a router/switch/access point option(s) to replace my ISP combo one. I am currently trying to build my first NAS system (TrueNAS). I would like to be able to manage it over the network at home, set up specific folder/database shares for specific users at home, and potentially stream movies through Jellyfin or something similar, and maybe music. I would also like for these to be able to be done remotely through wireguard or something similar where the NAS isn’t being directly exposed on the internet.
I am looking for a networking setup, ideally with 2.5 gig LAN, though I am willing to compromise (2.5 gig for the NAS so it can have multiple users on it, the other connections don’t have to be that fast), and be able to handle 2-3 people out of the house accessing it for streaming and backing up files. I am interested in making sure I have proper security updates and traffic monitoring/intrusion detection, and am fine getting my hands dirty setting it up, but I want it to be able to stay up to date and run without much effort. I have seen people use open source software on consumer routers, but I’m not sure how firmware security updates work with them and whether they are necessary so long as the software stays up to date, as well as the support/security/update cycle length, and which solution to choose. I really like the idea of something like the UniFi Express, since I’ll need WiFi (and ideally two additional access points, one of which especially I’d prefer to mesh instead of having a cable run, though), though it doesn’t have traffic monitoring/suspicious activity features, which makes me concerned. Should I be worried about this? It’s also unfortunately not 2.5 gig, though I can live without that if necessary. I also only need a single ethernet port for the NAS (ideally with one or two more for futureproofing, though I can tolerate no ethernet ports at all if you find a WiFi solution you believe sufficient). The rest of the household is running/can run off of WiFi. I would also like to avoid any privacy issues/tracking from companies like Amazon, and Chinese equipment for privacy reasons (unless you recommend adding my own software on them and think that is sufficient or otherwise not a problem).
My current aging ISP router also has an ONT port for accessing the internet, though I’m fine with putting it in bridge mode if necessary for the router.
So if you can recommend a solution for my home network (router/switch/access points) that can work with a solution(s) for accessing my NAS, that would be great. Lower power usage/cost is preferable, and I’m able to buy pfsense or other hardware used/on Facebook Marketplace if necessary.
Most routers can run a VPN that will let you do this, but I am still a big fan of Ubiquiti Unifi for home networks. They are nice and stable and have good performance and great security options.
Don’t get the Express; it’s extremely nerfed. No IDS/IPS and maxes out at 4 managed Unifi devices. UDR is a good option or you can go with the Cloud Gateway Ultra to separate out the switch and AP.
Wireguard is fully supported now (server and client) so remote Jellyfin is super easy. I installed a Unifi Express at my parents’ house and configured a Wireguard tunnel so they can access my Jellyfin server through their Roku.
The Unifi Gateway Ultra is probably a better buy than the Dream Router. More IDS/IPS options and higher throughput. Its downside is that it has no built in wifi so you buy an AP separately. And as GTwannabe said, avoid the Unifi Express.
If you want 1 switch with 2.5gb then that would likely be the Pro Max 16 PoE ($399). It gives you four 2.5gb ports that also have PoE++ on them. So that means in the future you could run higher end APs off them and have up to 2.5gb wifi speeds, as well as connect a NAS at 2.5gb, or use the fiber ports for a 10gb NAS connection.
Or, you can get a regular Pro Max 16, which gives you 2.5gb ports for NAS and stuff, and an extra Switch 8 Lite PoE to run your wifi APs on, but wifi will be limited to 1gb (still fast for wifi). This method is a little bit cheaper overall, but limits you slightly down the line.
You can’t use proper monitoring and intrusion detection unless you have a fast connection to the internet (1 gigabit down and 1 gigabit up). When you add proper tracking and intrusion detection, you need more bandwidth.
I am a big fan of the OpenWRT project. I recommend purchasing a consumer router on the supported OpenWRT page. Maybe your current router is supported; it is worth a look.
With respect to the Unifi options, I think I’ll stick with the Unifi Gateway Ultra or the Dream Router, with wireless access points. I have a few questions:
How do the IDS/IPS options differ and are they significant?
I currently have 500/500 Mb, though I could get gigabit if necessary. Can I scrape by with that for the IDS/IPS system, and can you explain a bit more about the data requirement?
How does the management software work? I’ve seen stuff about cloudkey or running a management app locally (hopefully on the TrueNAS system), but also conflicting comments on compatibility and questions about feature parity.
Some Unifi models have either no IDS/IPS options at all, or are “security lite” and have around 1/3 the options of the higher end “pro” type models. This is typically because it also severely limits bandwidth when turning IPS on. The Dream Router is the same as the Dream Machine when it comes to IDS/IPS categories, which means it gets 11 threat categories to check. The Ultra is the first one of the cheaper priced options to include all the category options for checking traffic that the Pro models have (35).
If you expose a NAS or Plex server, etc. to the internet for cloud access to it, you will get intrusion attempts on the open port. So the extra IPS is useful, IMO. This does not apply to a secure VPN into the network first to then access it, only to exposing a server to general cloud access.
In addition to how many types of traffic it looks at for intrusion scanning, the Dream Router is limited to around 700 Mbps and the Gateway Ultra to 1 Gbps.
Management software is built in to both DR and Ultra. If you ever upgrade your gateway/router to a new one down the line, make a backup config of the controller (should auto backup to your Ubiquiti account anyway), write down the SSH login and pass of your unifi network devices, and then set up the new gateway and import the config. You will likely need to re-adopt your network devices, and to do so it will ask to either factory reset them (shouldn’t matter since the settings config is saved anyway) or type in the login details to bring the adoption into the new controller without factory resetting them.
If you are interested, you could watch this video to see the interface of Unifi, how to set up the network from scratch with a gateway, some switches, and wifi APs, as well as see VPN options and how to do some firewall rules and other config:
It has a different gateway than you are looking at, but the setup is the same. Management is all the same on all Unifi controllers no matter what model you have; you just have more or fewer security options, pretty much.
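The point made above about exposed ports drawing intrusion attempts, and about VPN-first access being the exception, can be seen in plain login logs. The following is an added example (not code from any poster in this thread): it parses a few constructed sshd-style journal lines, counts failed password attempts per source address, and flags sources that exceed a threshold while noting whether they came in over the assumed WireGuard subnet (10.8.0.0/24) or LAN (192.168.1.0/24) rather than from the public internet. The log lines, subnets and threshold are all assumptions for illustration.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample of sshd journal lines (not real captures).
SAMPLE_LOG = """\
Jun 01 02:11:03 nas sshd[4120]: Failed password for invalid user admin from 203.0.113.10 port 51022 ssh2
Jun 01 02:11:05 nas sshd[4121]: Failed password for invalid user admin from 203.0.113.10 port 51023 ssh2
Jun 01 02:11:07 nas sshd[4122]: Failed password for root from 203.0.113.10 port 51024 ssh2
Jun 01 02:11:09 nas sshd[4123]: Failed password for invalid user test from 203.0.113.10 port 51025 ssh2
Jun 01 02:11:11 nas sshd[4124]: Failed password for invalid user oracle from 203.0.113.10 port 51026 ssh2
Jun 01 02:12:40 nas sshd[4130]: Accepted publickey for alice from 10.8.0.2 port 40112 ssh2: ED25519 SHA256:constructed
Jun 01 02:13:02 nas sshd[4131]: Failed password for alice from 10.8.0.3 port 40113 ssh2
Jun 01 02:13:10 nas sshd[4132]: Accepted password for alice from 10.8.0.3 port 40114 ssh2
Jun 01 02:15:55 nas sshd[4140]: Invalid user pi from 198.51.100.7 port 60001
Jun 01 02:15:57 nas sshd[4141]: Failed password for invalid user pi from 198.51.100.7 port 60001 ssh2
"""

# Assumed trusted address ranges: the WireGuard tunnel subnet and the home LAN.
TRUSTED_NETS = [
    ipaddress.ip_network("10.8.0.0/24"),
    ipaddress.ip_network("192.168.1.0/24"),
]

# Matches both "Failed password for invalid user X from IP" and "Failed password for X from IP".
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port"
)


def parse_failures(log_text):
    """Return a list of (source_ip, username) tuples, one per failed password attempt."""
    found = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            found.append((m.group("ip"), m.group("user")))
    return found


def count_failures(log_text):
    """Count failed attempts per source address."""
    return Counter(ip for ip, _ in parse_failures(log_text))


def is_trusted(ip):
    """True if the address sits inside one of the assumed VPN/LAN ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def flag_bruteforce(log_text, threshold=5):
    """Return {ip: {"failures": n, "users": [...], "trusted": bool}} for sources
    with at least `threshold` failed attempts. Multiple distinct usernames from one
    source is the classic signature of credential guessing against an exposed port."""
    users = defaultdict(set)
    for ip, user in parse_failures(log_text):
        users[ip].add(user)
    counts = count_failures(log_text)
    return {
        ip: {"failures": n, "users": sorted(users[ip]), "trusted": is_trusted(ip)}
        for ip, n in counts.items()
        if n >= threshold
    }


if __name__ == "__main__":
    for ip, info in flag_bruteforce(SAMPLE_LOG).items():
        where = "trusted range" if info["trusted"] else "public internet"
        print(f"{ip}: {info['failures']} failures, users {info['users']} ({where})")
```

The single failed attempt from 10.8.0.3 followed by a success is what a family member mistyping a password over the tunnel looks like; the five attempts across four usernames from 203.0.113.10 are what an internet-facing port collects, which is the traffic an IDS/IPS category set or a fail2ban-style rule would act on.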
My first suggestion is to ditch the all-in-one device for a true network stack. All-in-ones serve a purpose, but that purpose is limited and should be confined to very limited and specific use cases. Next, my advice is to pick a single ecosystem for your network. Mine is TP-Link’s Omada line, but Ubiquiti makes good stuff as well. Each is uniquely better than the other in certain regards, but both are good.
Odroid H4 + Net Card 2 for H-series – ODROID (they have cheap cases too)?
That’ll give you a decent low-power solution with 2.5G and many options as far as firmware/operating system goes. Pair that with something that runs OpenWrt (Mediatek Filogic based hardware) as a dumb AP and you’re good to go.
I don’t want to get locked into a corpo system so they can screw me later.
TrueNAS Core/Scale is just BSD/Linux and ZFS under the hood. ZFS is open source and everywhere now so you can move your data to another device or system very easily. Easy to admin. No lock-in. Good stuff.
OPNSense on a second-hand business SFF with room for a NIC.
$80-100 + NIC, 10-25 W at the wall for most of the more recent 4-6 core “junk” with a reasonable NIC.
A ~$50 unmanaged 5 port 2.5G switch frequently comes with two SFP+ ports nowadays. If you’re going managed, Brocade has a switch for you on ebay. Mikrotik is tempting as a value proposition, but it’s easy to grow beyond the performance limitations of their cheaper hardware and there is a learning curve to their software.
Enterprise APs of your choice.
I run used Ruckus R610s. I’m eyeballing EnGenius for a cheap wifi 6 fix, but I’ll probably wait for a deal on a Ruckus R650 or newer model. I’ve run APs from several vendors including EnGenius, and Ruckus really made an impression with the R610.
Yes, I realize that Ruckus bought Brocade years back, but they still let you manage their stuff local-only, as in it all works without a cloud connection; it conforms to industry standards so it operates with other vendors’ equipment, plus their documentation is good.
Save narrowed ebay searches for notifications and take full advantage of vendors that accept offers. That and patience can save you tons. You may be able to afford way more network than you think if you aren’t in a particular hurry.
For the NAS I will be running TrueNAS Scale. I am taking a chance with 5 used 14 TB enterprise hard drives that I’m currently checking with badblocks and will use in RAID-Z2 (I can add a drive or two as needed in a couple years now that raidz expansion is coming. I have other drives I’m currently using externally I can use for backup, and the other people who will be using the NAS will have their own local copies). I’m a student working on a NAS for the family, and the only tech “literate” person, so cheaper is preferable. I am currently looking at options for ECC RAM/Motherboard/Processor (that I can hopefully get on Prime Day). It will be used to back up our family computers, photos/videos, and my datahoarding preservations (that I won’t be accessing that often). Jellyfin and something similar for music would be a nice to have. And I may make a single virtual machine for running yt-dlp, etc. I wasn’t looking at 10 gig to save on cost (and not sure how much power draw differs), and frankly don’t think there will be enough people on the server at once, given the limited internet connection, to need more than 2.5 gig locally, and I could tolerate gigabit if needed. I just need a NAS that can be good enough for now, and then when I’m out of school I’ll build a better one and use this one as a backup. Being a student and the only “technical” person, I also need to be able to remotely manage it. With respect to the motherboard/processor/RAM, I am looking for ECC as cheaply as reasonably possible (data integrity is important to me), and with low idle power draw on a budget. I’m not sure whether to go with a motherboard with a mobile processor built in, a server board with a consumer Intel chip (QuickSync sounds great), or Ryzen. I’m still figuring it out and welcome suggestions if that’s not too off topic.
I am going to look at the OPNSense recommendations, and try to see how I should configure it given the options of running it on an old office PC or a router/wireless access point combo.
If I do run OPNSense on an old business PC, are there any security issues I have to look out for with devices becoming end of life?
Right on. Used drives are great, it’s not like new drives never fail. If the seller has a reasonable warranty that’s even better. Get the mobo, CPU, and RAM used too if you’re comfortable with that.
QuickSync is ideal for jellyfin, but Intel mobo + ECC = expensive
A Ryzen 3600 or better on a quality desktop board would do the job for a lot less. Add an Arc A310 for QSV and still pay less than the Intel CPU + mobo from what I’m seeing.
You’ll be able to access anything on the network for remote management via wireguard. If you don’t need to remotely deploy TrueNAS, update BIOS, or type a password to boot the host OS, then living without IPMI will save you a bundle.
On the other hand, if IPMI is a must then the mobo becomes so expensive either way that Intel is back in the running.
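The "VPN in first, then reach the NAS" design that comes up twice in this thread (the remote Jellyfin-through-WireGuard setup described earlier, and the remark just above that remote management also rides over WireGuard) is worth seeing as concrete configuration. The following is an added example, not code from any poster or from the WireGuard project: it generates a gateway-side WireGuard config plus split-tunnel client configs in which only the home LAN is routed through the tunnel, so the NAS is reachable remotely without any port of its own being exposed, and it includes a small parser and check that confirms a client config routes the NAS via the tunnel without a full-tunnel 0.0.0.0/0 route. The subnets, the NAS address, the endpoint name and all key strings are placeholders; real keys would come from wg genkey / wg pubkey.

```python
import ipaddress

# Assumed addressing for illustration (placeholders, not from the thread).
TUNNEL_NET = ipaddress.ip_network("10.8.0.0/24")   # WireGuard transit subnet
LAN_NET = ipaddress.ip_network("192.168.1.0/24")   # home LAN where the NAS lives
NAS_ADDR = ipaddress.ip_address("192.168.1.20")    # TrueNAS box on the LAN
LISTEN_PORT = 51820                                # the only inbound port on the gateway
GATEWAY_ENDPOINT = "home.example.invalid"          # placeholder DDNS name


def tunnel_address(index):
    """Tunnel IP for peer number `index`; index 0 is the gateway itself."""
    return list(TUNNEL_NET.hosts())[index]


def server_config(server_private_key, clients):
    """Gateway-side config. `clients` is a list of (name, public_key, index)."""
    lines = [
        "[Interface]",
        f"Address = {tunnel_address(0)}/{TUNNEL_NET.prefixlen}",
        f"ListenPort = {LISTEN_PORT}",
        f"PrivateKey = {server_private_key}",
        "",
    ]
    for name, public_key, index in clients:
        lines += [
            f"# {name}",
            "[Peer]",
            f"PublicKey = {public_key}",
            # Only this client's own /32 is accepted from this peer, so one family
            # member's device cannot source traffic as another's.
            f"AllowedIPs = {tunnel_address(index)}/32",
            "",
        ]
    return "\n".join(lines)


def client_config(client_private_key, server_public_key, index, split_tunnel=True):
    """Remote device config. Split tunnel: only LAN_NET goes through WireGuard."""
    allowed = str(LAN_NET) if split_tunnel else "0.0.0.0/0"
    return "\n".join([
        "[Interface]",
        f"Address = {tunnel_address(index)}/32",
        f"PrivateKey = {client_private_key}",
        "",
        "[Peer]",
        f"PublicKey = {server_public_key}",
        f"Endpoint = {GATEWAY_ENDPOINT}:{LISTEN_PORT}",
        f"AllowedIPs = {allowed}",
        "PersistentKeepalive = 25",   # keeps NAT mappings alive for a roaming phone/laptop
    ])


def parse_wg(text):
    """Minimal INI-style parser: list of (section_name, {key: value}) in file order."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1], {}))
        elif "=" in line and sections:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[-1][1][key] = value
    return sections


def nas_reachable_only_via_tunnel(client_text):
    """True if the client's AllowedIPs cover the NAS but do not tunnel all traffic."""
    routes = []
    for section, kv in parse_wg(client_text):
        if section == "Peer":
            routes += [ipaddress.ip_network(r.strip()) for r in kv["AllowedIPs"].split(",")]
    full_tunnel = any(r.prefixlen == 0 for r in routes)
    covers_nas = any(NAS_ADDR in r for r in routes)
    return covers_nas and not full_tunnel


if __name__ == "__main__":
    peers = [("alice-laptop", "PUBKEY_A_PLACEHOLDER", 2), ("parents-roku", "PUBKEY_B_PLACEHOLDER", 3)]
    print(server_config("SERVER_PRIVKEY_PLACEHOLDER", peers))
    print(client_config("CLIENT_PRIVKEY_PLACEHOLDER", "SERVER_PUBKEY_PLACEHOLDER", 2))
```

With this layout the gateway's firewall only needs UDP 51820 open; Jellyfin, SMB and the TrueNAS web UI stay on the LAN and are reached at their 192.168.1.x addresses once the tunnel is up, which is exactly the "not directly exposed on the internet" requirement from the first post.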