Question: Router/Firewall + PoE WiFi Access Points?

Mr Bob

Golden Member
Sep 6, 2004
1,750
5
81
I'm currently updating a fairly complex / device-rich network at our house. When we moved into a new house, I had to quickly deploy 4 Google WiFi points just to setup an inexpensive network with WiFi, having full coverage. The new setup will be mostly hard wired, with POE runs to 2-3 areas for WiFi coverage.

Hard-wired to the modem is just below gigabit speeds via the ISP, so I'd like to keep the wired network as close to that as possible.

So now I need a router / firewall / gateway, as well as 2 or 3 POE WiFi access points to provide coverage, and with only 1 device running, being able to pass that gigabit speed through to the router.

I've looked around, it seems like Cisco has a few cloud solutions, Zyxel listed a handful of routers but they weren't true gigabit when the firewall was enabled. Kind of pointless to lose that much bandwidth...

Any suggestions? The more management options/information, the better... Ideally, I'd like to keep it under $1k.
 

SamirD

Senior member
Jun 12, 2019
897
121
66
www.huntsvillecarscene.com
When reading what you've already done so far, I thought you might have already thought of these: Ubiquiti. Your setup almost screams for them, as many people have done similar wired configurations just for a full Ubiquiti setup.

To keep prices low, watch for used gear as it is usually in very good shape and only being sold due to upgrades.
 

Mr Bob

Golden Member
Sep 6, 2004
1,750
5
81
Thanks!

I've only heard of Ubiquiti, but haven't actually done much research. I'll check them out and see what they have.

I assume I could start my network with another router/DHCP (still TBD) and run Ubiquiti separately to provide WiFi / access to the existing network?
 

SamirD

Senior member
Jun 12, 2019
897
121
66
www.huntsvillecarscene.com
Mr Bob said:
> Thanks!
>
> I've only heard of Ubiquiti, but haven't actually done much research. I'll check them out and see what they have.
>
> I assume I could start my network with another router/DHCP (still TBD) and run Ubiquiti separately to provide WiFi / access to the existing network?
Research them and I think you'll see why your setup is just begging for their components and system.

You can, but it's just better going all Ubiquiti, as you get some features you won't find outside of enterprise equipment. :)
 

mxnerd

Diamond Member
Jul 6, 2007
5,286
583
126
Yeah, the Ubiquiti USG is probably what you want.
 

boomerang

Lifer
Jun 19, 2000
18,894
638
126
If you do go with the UniFi line of Ubiquiti products, remember to include a PoE switch to power your APs unless you plan to power them with injectors.
 

Mr Bob

Golden Member
Sep 6, 2004
1,750
5
81
Thanks everyone. I did briefly look into running the Google WiFi behind my firewall/router and it didn't seem like that was actually supported.

I also really want to ditch a system that requires me to be ONLINE to test network/internet related things. Just baffles me there's no admin interface to play around in.

The new setup includes a 16-port PoE switch, as well as a 48-port patch panel, a 24-port gigabit switch, and another 16-port gigabit switch.

Looks like Ubiquiti may be the best route for the WiFi APs, but not sure about the main router/firewall just yet.

I see a lot of mixed results on gigabit speed tests. Folks are losing half the bandwidth when enabling some of the firewall features. Seems like the USG Pro 4 is the better option, but there are still reports of 20-40% bandwidth lost. Reference: https://freetime.mikeconnelly.com/archives/8893
 

SamirD

Senior member
Jun 12, 2019
897
121
66
www.huntsvillecarscene.com
The loss of bandwidth really depends on what you have enabled in the firewall. Almost any firewall (except enterprise ones) will suffer some sort of loss like this depending on the features enabled.

That being said, losing 200 Mbps and having 800 Mbps is still a lot for a home. I have IPsec VPN tunnels that don't have that type of bandwidth. :eek:
 

boomerang

Lifer
Jun 19, 2000
18,894
638
126
If you've enabled IDS/IPS on the hardware you have now you'll probably want it in whatever you move to. If you've gotten along without it so far though, you may want to question why you feel that you need it now.

I just tried to talk a friend that had his router fail on him into a replacement that was a great bang for the buck as well as having top tier throughput on the built in switch but he decided that he wanted a far more expensive model that had more antennas. This, after he admitted to me that he had little real use for wireless.

Sometimes we humans make decisions based on things that are not rational.
 

Mr Bob

Golden Member
Sep 6, 2004
1,750
5
81
Thanks again for all the insight, folks; glad to have some ears/viewpoints on this. I've been out of the networking world for a while.

I think I'd try to find a happy medium between disabling security features on the firewall vs. throughput.

I don't foresee the need for every security feature, but it seemed like, with all else off, enabling IPS dropped things to 25%. I don't need things like DPI, but it would be odd to buy a firewall and only use a few of the available features. Not a huge deal if it's not being used, though.

This was an interesting read: https://community.ui.com/questions/USG-IPS-performance-hit/d437c445-9115-4adf-9af5-6dff8ce12764

At the end of the day, this network will never really be a public network, ever. So I cannot actually come up with a use case that would require any of these inbound security features to be utilized (IPS/DPI)... all my security focus, essentially, should remain within the network: content filtering, MAC filtering, managed/dead ports, access control lists, etc.

Unfortunately, it looks like having QoS enabled may limit that USG. The Pro version has a faster CPU, but there is still a limit when QoS is enabled. That's somewhat important to maintain quality on the VoIP phones. Reference: https://community.ui.com/questions/SmartQueue-on-USG-QoS-vs-Bandwidth/8c7a03a8-2fce-4271-9821-878810fe78b4

Now I'm reading up a bit on Sophos routers...
 

SamirD

Senior member
Jun 12, 2019
897
121
66
www.huntsvillecarscene.com
Great research you're doing, and I'm glad we're helping. Since you're leaning toward some really nice gear, definitely consider the Fortigates et al., which come pretty cheap used. Even open box, you can find them pretty cheap if you look and wait long enough.

Another consideration is to build your own with a pfSense box.
 

Mr Bob

Golden Member
Sep 6, 2004
1,750
5
81
Just to note, the overall devices are: 4K PoE security cameras, a couple of NAS, a handful of laptops/desktops, PoE VoIP phones, HDMI over Ethernet, Raspberry Pis, Chromecasts, WiFi APs, WiFi thermostats, plus a dozen or so mobile devices. A few devices run over 10GbE on a somewhat separate network. Then at any given time, I may have another 15-30 additional mobile WiFi devices connect. Usually only a dozen or so on a regular basis, though.

Now on to Fortigates...

Do these folks require a yearly subscription fee to keep the device patches updated???
 

mxnerd

Diamond Member
Jul 6, 2007
5,286
583
126
VoIP applications shouldn't be an issue, since each line only uses 128 Kbps, and I guess the Ubiquiti USG already prioritizes it?

==

Ubiquiti just got a new Security Gateway -

UniFi Dream Machine Pro

Its performance chart is confusing, however. Looks like it's running on the 10G SFP+ WAN port, not its gigabit port.

==

Mr Bob said:
> Now on to Fortigates...
>
> Do these folks require a yearly subscription fee to keep the device patches updated???
Yep.
 

Mr Bob

Golden Member
Sep 6, 2004
1,750
5
81
Looks like the SG-3100 may be able to maintain gigabit throughput. Or possibly the SG-5100. VPN throughput isn't a big deal.
 

mxnerd

Diamond Member
Jul 6, 2007
5,286
583
126

But here it shows it can hit 900 Mbps with Suricata on.

 

Mr Bob

Golden Member
Sep 6, 2004
1,750
5
81
Thanks. I don't foresee any use cases for needing that level of security downstream from a home ISP. Thoughts?

I do have some ports forwarded for various applications, such as AXIS Camera Station or Plex Server.
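Added example, not code from this thread or from Netgate/pfSense: the segmentation the posts above describe (cameras, VoIP phones, guest WiFi and the trusted LAN on separate VLANs), with the two forwarded services and a VoIP priority queue, written as a pf ruleset in the classic pf.conf syntax that pfSense generates under the hood. Every interface name, VLAN tag, subnet and host address below is an assumption, as are the AXIS Camera Station port and the 900Mb WAN figure; 32400/tcp is Plex's default. The point it makes: with a default-deny policy, the only things reachable from the ISP side are the two forwarded ports, the cameras cannot reach the WAN at all, and guest clients cannot reach any private address, none of which needs IPS or DPI to enforce.

```pf
# Hypothetical pf.conf for the network described in this thread (added
# example). Interface names, VLAN IDs, subnets, host addresses, the ACS
# port and the WAN bandwidth figure are assumptions; adjust to the real
# layout. pf requires statements in this order: macros/tables, options,
# scrub, queueing, translation, filtering.

wan_if   = "igb0"
lan_if   = "igb1"        # desktops, laptops, NAS, Plex, Camera Station
cam_if   = "igb1.10"     # VLAN 10: PoE cameras (assumed tag)
voip_if  = "igb1.20"     # VLAN 20: PoE VoIP phones (assumed tag)
guest_if = "igb1.30"     # VLAN 30: guest WiFi SSID (assumed tag)

lan_net   = "192.168.1.0/24"
cam_net   = "192.168.10.0/24"
voip_net  = "192.168.20.0/24"
guest_net = "192.168.30.0/24"

plex_srv = "192.168.1.20"
acs_srv  = "192.168.1.30"
acs_port = "55752"       # placeholder: use the port Camera Station really listens on

table <rfc1918> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

set skip on lo0
set block-policy drop

scrub in all

# ALTQ queues on the WAN so VoIP is never starved by bulk uploads
# (needs an ALTQ-enabled kernel; pfSense exposes this as the traffic shaper).
altq on $wan_if hfsc bandwidth 900Mb queue { q_voip, q_default }
queue q_voip    bandwidth 5%  priority 7 hfsc(realtime 5Mb)
queue q_default bandwidth 95% hfsc(default)

# Outbound NAT only for segments that may reach the Internet. The camera
# VLAN is deliberately absent: cameras get no path to the WAN at all.
nat on $wan_if from { $lan_net, $voip_net, $guest_net } to any -> ($wan_if)

# Only the two services the OP intends to publish are forwarded.
rdr on $wan_if proto tcp from any to ($wan_if) port 32400    -> $plex_srv port 32400
rdr on $wan_if proto tcp from any to ($wan_if) port $acs_port -> $acs_srv  port $acs_port

# Default deny in both directions; everything below is an explicit exception.
# pf evaluates last matching rule unless "quick" is used.
block log all
antispoof quick for { $lan_if, $cam_if, $voip_if, $guest_if }

# Anything admitted by a "pass in" rule may leave on any interface; packets
# tagged VOIP on the way in additionally land in the priority queue.
pass out all
pass out on $wan_if tagged VOIP queue q_voip

# Inbound from the Internet: only the forwarded services. Filter rules see
# the post-rdr (internal) destination address.
pass in on $wan_if proto tcp to $plex_srv port 32400
pass in on $wan_if proto tcp to $acs_srv  port $acs_port

# Every segment may use the firewall's own DHCP, DNS and NTP, nothing more
# on the firewall itself.
pass in on { $lan_if, $cam_if, $voip_if, $guest_if } inet proto udp to { self, 255.255.255.255 } port { 53, 67, 123 }

# Trusted LAN: unrestricted (this also lets Camera Station pull from the cameras).
pass in on $lan_if from $lan_net

# Cameras: may only talk to the recording server, nothing else: no WAN,
# no LAN browsing, no phoning home. Ports are assumptions (HTTP/HTTPS/RTSP).
pass in on $cam_if proto tcp from $cam_net to $acs_srv port { 80, 443, 554 }

# Phones: Internet only (SIP trunk / hosted PBX), tagged for the queue.
pass in on $voip_if from $voip_net to ! <rfc1918> tag VOIP

# Guest WiFi: Internet only, no access to any private range.
pass in on $guest_if from $guest_net to ! <rfc1918>
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f`. The VLAN interfaces assume the managed switches trunk VLANs 10/20/30 to the firewall's LAN port and that the PoE switch puts camera and phone ports into their VLAN; the MAC filtering and dead ports mentioned earlier in the thread stay on the switches, where they belong. Because the firewall's own address is the only DNS the cameras and guests can reach, content filtering also has a single enforcement point.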
 

mxnerd

Diamond Member
Jul 6, 2007
5,286
583
126
I personally really don't see the need for IPS/IDS/DPI for a home router, even if you have a Plex server and some security cameras, unless you are running your own websites/databases.

Others might have different opinions though.
 

Mr Bob

Golden Member
Sep 6, 2004
1,750
5
81
It's a pretty hefty price jump between the 3100 and 5100. I called Netgate and they're really pushing the 5100, but mainly for the IPS/IDS-related functionality, which doesn't seem like something I would be using. They talked about a higher-performing / different class of CPU. At the end of the day, as long as the end-to-end ports can maintain close to ISP speeds, that's really what I'm trying to enforce.

Tough shelling out that much for hardware with a 1-year warranty. Can't have everything, I guess :rolleyes:
 

SamirD

Senior member
Jun 12, 2019
897
121
66
www.huntsvillecarscene.com
Mr Bob said:
> Just to note, the overall devices are: 4K PoE security cameras, a couple of NAS, a handful of laptops/desktops, PoE VoIP phones, HDMI over Ethernet, Raspberry Pis, Chromecasts, WiFi APs, WiFi thermostats, plus a dozen or so mobile devices. A few devices run over 10GbE on a somewhat separate network. Then at any given time, I may have another 15-30 additional mobile WiFi devices connect. Usually only a dozen or so on a regular basis, though.
>
> Now on to Fortigates...
>
> Do these folks require a yearly subscription fee to keep the device patches updated???
Yeah, you definitely need a Ubiquiti or enterprise-ish solution for all that. I thought I had a lot of DHCP devices. :eek:

Yes, Fortigate and most other enterprise equipment will require some sort of yearly fee for support/warranty.
 

SamirD

Senior member
Jun 12, 2019
897
121
66
www.huntsvillecarscene.com
mxnerd said:
> Ubiquiti just got a new Security Gateway -
>
> UniFi Dream Machine Pro
I forgot about the Dream Machine. It's supposed to be really slick for one stop management and I think would be ideal coupled with some of the access points for the OP's setup and use-case.
 

Mr Bob

Golden Member
Sep 6, 2004
1,750
5
81
Oh wow.. now we're talking a price range I can sleep better with.

A UniFi Dream Machine Pro with a 3-pack WiFi AP bundle puts me right around $1k. Reading more about it...
 
