some iperf3 numbers for it say 200mbps, I guess as long as it’s faster than your Shaw connection.
Zero.
risk’s quick and dirty wtf is a VLAN guide.
Without VLANs, and even without overlapping subnets, every machine is exposed to multicast and broadcast traffic from every other machine, can learn their IPs and can access whatever credentials are stored on the machine, or whatever credentials it might sniff out from the user to try and spread.
(I don’t know how much of today’s malware actually takes advantage of LANs; it was a big deal back when universities and companies ran "one big LAN"s for entire buildings with a bunch of Windows machines sharing local folders.)
With VLANs, you’re segmenting the network into separate LANs. (Think like 2 physically separate networks). “Virtually”, in this case means you can dynamically assign ports on a switch to each LAN (also called “access ports” - ports where hosts plug into); it also means if you have a pair of VLAN capable switches or a VLAN capable router you can designate ports as “trunk”, and prefix each Ethernet frame being received or sent over that port-cable with a VLAN tag header.
What do VLANs let you do? For example, you could just dust off that raspberry pi 3 or raspberry pi 4 with that single gigabit port, attach its only Ethernet port to a trunk port of a VLAN capable switch, and make it a router. It would be configured with a number of virtual interfaces parented by that physical real interface. On that trunk port (cable), one VLAN carried would be e.g. Shaw_WAN, another one would be DADS_LAN, and another one would be MY_LAN.
You’d then plug your modem into another switch port configured as an access port for SHAW_WAN, and the port next to it could be the access port for your dad’s desktop. And a port next to it could be the access port for you. Wifi access points could connect into a trunk port, and the access points themselves would then unbundle this trunk into separate Ethernet interfaces, and would then have a separate SSID for each VLAN.
(btw: rpi3/rpi4 are a bad idea for OpenVPN, they’re like the only 64bit arm CPUs out there without some AES acceleration).
What happens when you connect a plain old device into a trunk port carrying tagged traffic? This can happen intentionally or unintentionally. In either case, a VLAN aware switch can have a PVID (physical vlan id) configured on a port telling it to “treat all untagged traffic as traffic belonging to a VLAN with some id you choose”. Symmetrically, you can ask a switch to not tag one of the VLANs being emitted from a trunk port. In all of these cases you’ll have a mix of tagged traffic and untagged traffic - we call these hybrid ports, or hybrid trunk.
A desktop/workstation computer plugged into a hybrid port could either ignore tags altogether, or ignore all tagged traffic. It’s a bad idea; tagged (trunk/hybrid) ports are most useful for network devices. You could also have a VLAN for untrusted VMs on your workstation, but then your host OS needs to deal with networking for that VM, which in my book makes it a network device as well.
Anyway, I think Merlin supports VLANs via CLI… It’s just not as clicky-clicky-follow-the-web-wizard as it would be in any of the ubiquiti stuff.
There are just too many options for how to configure networking; sadly, on either the AC68 or the AC86, anything but Merlin just sucks.
Options:

- UDM (it’s an all-in-one; if your house is not 4000 sqft and you’re ok with a few hundred Mbps VPN performance on it, throw the Asus into the skip).
- UDM + another UniFi AP, for extra range.
- Router on a stick: some VLAN capable switch + rpi4 as a router/firewall/WireGuard VPN thing… Yeah, can work. It’s a bad NAS because no crypto acceleration makes HDD expensive, but WireGuard works at 500+ Mbps. Use Asus/Merlin for multiple-SSID wifi.
- OpenWrt on R7800 (Netgear xs4); it’s got VLANs and OpenVPN in the GUI, pretty good wifi.
- Small x86 with AES-NI with many ports, like them Qotom boxes that pfSense people like to use. Merlins for wifi.
- Router on a stick: ODROID H2 (x86 with AES-NI; small; add storage and RAM and it’s $200; two gigabit ports), add a VLAN capable switch for more ports, and there you go. Use Merlins as multi-SSID APs.
- Router with many ports: Ryzen 3 on a B350 in an el-cheapo case/PSU with a tiny bit of RAM and some storage ($200), add a 4 port gigabit PCIe NIC, or add a $20 10gig SFP+ and use a $130 MikroTik 24 port gig switch with 10gig SFP+ uplink to your Ryzen as a many-port breakout box. … could be a nice NAS.
- A bunch of MikroTik or a bunch of Ubiquiti stuff or a bunch of open-source-everything stuff, or pfSense + Ubiquiti for wifi, or pfSense plus Merlin, or pay a few thousand per year for your salesman-friendly HP/Aruba corporate subscription licensed rent-a-gear wifi bs solution…
I find UDM (or a UDM + nanohd or flexhd for garden/outdoors or for more wifi) reasonable for home VLANs for a not-deep-into-diy-networking guy, all things considered.
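The router-on-a-stick setup described above (one trunk port, a virtual subinterface per VLAN, the box routing between them), written out as an added example; it is not from the post or from any product the post mentions. The VLAN names are the post's; the VLAN ids, the 192.168.x.0/24 subnets and the trunk interface name `eth0` are constructed assumptions, and the forward chain is default-drop so that DADS_LAN and MY_LAN stay segmented from each other while both can reach the WAN.

```shell
#!/bin/sh
# Router-on-a-stick on a single trunk port. VLAN ids, subnets and the trunk
# interface name are constructed assumptions, not values from the post.
# Usage:  DRY_RUN=1 sh vlan-router.sh apply   (prints the commands only)
TRUNK="${TRUNK:-eth0}"
WAN_VID=10
# "<vlan id> <name> <address/prefix or dhcp>", one VLAN per line.
VLANS='10 SHAW_WAN dhcp
20 DADS_LAN 192.168.20.1/24
30 MY_LAN 192.168.30.1/24'

# Print the command instead of executing it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# 802.1Q reserves 0 and 4095; anything outside 1..4094 is a typo, not a VLAN.
valid_vid() {
    case "$1" in ''|*[!0-9]*) return 1;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 4094 ]
}

setup_vlans() {
    wan="$TRUNK.$WAN_VID"
    run sysctl -w net.ipv4.ip_forward=1
    run ip link set "$TRUNK" up
    # Default-drop forwarding: the segmentation only holds if the router refuses
    # to route between LAN VLANs unless a rule explicitly allows it.
    run nft add table inet filter
    run nft add chain inet filter forward '{ type filter hook forward priority 0; policy drop; }'
    run nft add rule inet filter forward ct state established,related accept
    run nft add table ip nat
    run nft add chain ip nat postrouting '{ type nat hook postrouting priority 100; }'
    run nft add rule ip nat postrouting oifname "$wan" masquerade
    printf '%s\n' "$VLANS" | while read -r vid name addr; do
        valid_vid "$vid" || { echo "$name: bad VLAN id '$vid'" >&2; exit 1; }
        sub="$TRUNK.$vid"          # e.g. eth0.20, a virtual interface on the trunk
        run ip link add link "$TRUNK" name "$sub" type vlan id "$vid"
        run ip link set "$sub" up
        if [ "$addr" = dhcp ]; then
            run dhclient "$sub"                    # WAN address comes from the modem
        else
            run ip addr add "$addr" dev "$sub"     # this box is that LAN's gateway
            # Each LAN may reach the WAN only; LAN-to-LAN traffic stays dropped.
            run nft add rule inet filter forward iifname "$sub" oifname "$wan" accept
        fi
    done
}

if [ "${1:-}" = apply ]; then setup_vlans; fi
```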