Question Do I really need two switches?

Dec 16, 2022
A local vendor has provided a quotation to help set up my home network. I would appreciate it if anyone could comment on the efficiency of this setup as well as whether or not two switches are really needed.

All networking equipment will be located in my laundry room.
  • 1 Starlink router
  • 1 Asus AX86U router with wireless disabled, to be connected to TorGuard’s VPN service for US TV access
  • Cat6A cabling run from the laundry room to 1) living room; 2) master bedroom; 3) guest bedroom; 4) living room TV; 5) master bedroom TV; 6) guest bedroom TV.
  • 1, 2, 3 to be connected to Cisco 10-Port Gigabit Managed Switch 1 in the laundry room, and to UniFi WiFi 6 Long Range Double Band access points on the other end.
  • 4, 5, 6 to be connected to Cisco 10-Port Gigabit Managed Switch 2 in the laundry room and to Apple TV devices on the other end.
  • Switch 1 to be connected to Starlink router.
  • Switch 2 to be connected to Asus AX86U router, which will have a WireGuard VPN connection to TorGuard.
  • All of the equipment in the laundry room to be housed in a TrueEdge Wall Mount Enclosure (this will be a bit tight, so if anyone has a better idea, I’d love to hear it).
  • A PoE Ubiquiti adapter is also included on the quotation.
Thank you everyone for your help. I appreciate it.
 

kanewolf

Titan
Moderator
The 10 port switches may have been chosen to fit in the enclosure. You could ask about a 19 inch 24 port POE+ switch with a larger enclosure.
 
Dec 16, 2022
Thanks for your reply. I see that TorGuard (through its affiliate Private Router) sells the Asus RT-AC88U, which comes already flashed and has 8 LAN ports. If I bought that router instead of the AX86U, could I forego both switches, have the Starlink router plug into the AC88U, all of the 6 LAN cables into the AC88U, and configure AC88U to route traffic from 3 of the LAN cables through TorGuard VPN and the other 3 through Starlink?
 

kanewolf

Titan
Moderator
I don't fully understand if you have one or two ISPs. You say you have Starlink, but you also mention the VPN. Does that VPN connect to a different ISP or to the Starlink?
It seems like the original proposal had two switches to completely separate the VPN (TVs) from all other traffic. I don't understand why. It could be done with VLANs or even as "split VPN" configuration.
BUT, I would always recommend a switch, so that when you do change your router, or your ISP, there is only one cable to move. Not multiple.
 
Dec 16, 2022

Just one ISP - Starlink. The reason for the VPN is to be able to stream US TV content since I am outside of the US. The VPN router connects to TorGuard over Starlink.
 
Thanks for sharing. I appreciate it. The website says to be introduced in 2024 though. Isn’t Wifi 6 adoption still very slow?
Vendors always release their versions before the spec is finalized, then they later apply a firmware update.
May not be an issue if you use a slower device like Starlink WiFi 5.

Most WiFi 6 devices are discounted now and you pay more for the 6E devices.
I expect the 6E devices will drop in price when you can get the WiFi 7 routers.

I picked up a cheap WiFi 6 router when the 6E came out, but I was mainly looking for the ability to find my own WiFi channel that is not being used by any of my neighbors in our condo. My laptop can see 76 different routers. Lots of neighbors run on the same channel and try to increase the signal to drown out the other routers. LOL, this does not work. I should take a photo of the channel collisions; it is pretty bad.
Funny, the cable company loves the problem: people complain to the condo board, then buy a high-powered router, then pay to upgrade the service speed. All they really need to do is carefully select the WiFi band channel.
WiFi 6E opens more bands, WiFi 7 adds 2.4 GHz band again (for old devices).

Funny, I just looked at the 2.4 band and it was so crowded there was no point in taking a photo to share; I could not read any peak but one: the LG_WASHER access point on channel 11, with the largest spread and peak signal. Phones, PCs and regular routers have to limit the signal strength. Guess a stupid smart washer does not have a signal strength limit.

Archer BE9000 can be preordered and should ship 1st qtr 2023.
Not sure about the cost; heard it was going to be $600-700 US.
 
I, like kanewolf, thought maybe you were using 2 switches to physically split the network, but from your answer it is pretty standard VPN stuff.

I know nothing about a firmware image that TorGuard uses; I have always used Merlin for VPN on Asus routers. In general this plan will work. The VPN router will need to know which traffic goes via the VPN and which traffic goes direct. Many more advanced forms of VPN client can do this, but I have not seen any that can do it based on a physical port. Although they manufacture it all on one piece of silicon nowadays, the way it works is there is basically a small switch chip that runs the LAN ports. It also has connections to the WiFi chips. This chip then connects to the router chip. The router thinks all the devices are connected to this single port. You can't even do stuff like say WiFi traffic should do something different than Ethernet. The router has to use other methods to determine which traffic is selected.

The simplest is to use IP addresses. You would want to assign static IPs or use the DHCP static IP assignment feature to give the devices you want to use the VPN a fixed address. There are other fancy ways like using VLANs or maybe the class of service tags, but all those require a lot more effort and sometimes more hardware.
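
The source-address approach described in the reply above, sketched for a generic Linux router as an added example (it is not part of the thread and is not Asuswrt-Merlin's own mechanism). The interface name `wg0`, routing table 100 and the 192.168.50.x reservations are assumptions; by default the script only prints the commands.

```shell
#!/bin/sh
# Source-IP policy routing: selected LAN hosts use the VPN, everyone else
# keeps the normal default route. All names and addresses are assumptions.
VPN_IF="${VPN_IF:-wg0}"          # WireGuard client interface (assumed)
VPN_TABLE="${VPN_TABLE:-100}"    # dedicated routing table (assumed)
# Constructed sample: three Apple TVs pinned by DHCP reservation.
VPN_CLIENTS="${VPN_CLIENTS:-192.168.50.21 192.168.50.22 192.168.50.23}"

# Return 0 only for a dotted-quad IPv4 address with each octet in 0..255.
valid_ipv4() {
    case "$1" in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Dry run by default: print each command. APPLY=1 (as root) executes it.
run() { if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi; }

vpn_policy() {
    # Refuse to emit anything if one reservation is malformed.
    for ip in $VPN_CLIENTS; do
        valid_ipv4 "$ip" || { echo "bad address: $ip" >&2; return 1; }
    done
    # Table default goes out the tunnel. The higher-metric blackhole stays
    # behind if the tunnel interface goes down and its route is removed, so
    # these hosts drop traffic instead of falling back to the direct path.
    run ip route replace default dev "$VPN_IF" table "$VPN_TABLE"
    run ip route replace blackhole default metric 4242 table "$VPN_TABLE"
    prio=1000
    for ip in $VPN_CLIENTS; do
        # One rule per reserved address; unlisted hosts use the main table.
        run ip rule add from "$ip/32" lookup "$VPN_TABLE" priority "$prio"
        prio=$((prio + 1))
    done
}

vpn_policy
```

A device that picks up a different address (reservation missing, MAC randomisation) matches no rule and goes out the direct path, so the DHCP reservations have to be in place before the rules mean anything.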
 
Dec 16, 2022
Thanks everyone for your valuable input.

It sounds like I will configure as follows:
  • Internet to come through Starlink router, set to bypass mode.
  • Starlink router in bypass mode to connect to Asus RT-AX88U, flashed with Merlin, wireless disabled and antennas removed.
  • AX88U has 8 LAN ports, so CAT6A cabling will be run directly from the AX88U to the 3 UniFi access points and 3 Apple TVs.
  • The AX88U will be configured to route Apple TV traffic through the TorGuard VPN WireGuard connection, and everything else directly through the open Starlink Internet.
Now, apparently, I will need 3 POE injectors for the 3 cables that will run from the AX88U to the 3 UniFi Access Points. This is going to be messy because I will need to plug all 3 POE injectors into electrical outlets, right?

All of this needs to be organized as neatly and as nicely as possible on a wall in my laundry room as there isn’t enough space to put in a proper server rack. Any suggestions as to how best organize everything? The local installer was recommending a TrueEdge Wall Mount enclosure but it’s very big, will block the laundry room door from opening completely, and I’m not even sure how awkwardly shaped devices like the Starlink Router and the AX88U will fit into it properly. Plus the wall mount costs $1,160.

There is a small server rack built into the wall already but it seems too small to do anything practical with. The conduits for running the cables are located at the bottom of the built in rack. I’m going to try to attach a photo.

 
First be sure the AP you want to use uses standard PoE power, 802.3af/at. You could then buy a small switch to act as the PoE injector, reducing the number of devices. I suspect something like a 5-port TP-Link PoE switch will work fine. You need to verify the power your AP needs versus the total power the switch can provide.

You should be able to get a router and small switch in that box, likely even a patch panel instead of loose RJ45 cables coming from the rooms.
 
Dec 16, 2022

Thanks for your reply. The installer is suggesting UniFi Access Point U6 Long-Range access points, powered by PoE+. Is that going to be a problem?
 
So looking those UniFi APs up, they want 18.6 watts of power max. A TP-Link SG1005P can do 65 watts total with each port up to 30, so it will work, but you can't add a 4th AP. The cost goes up a lot when you can't use basic PoE devices like these that can, say, provide 100 watts.
Netgear has an 8-port one that can do 85 watts that is about $20 more than the TP-Link.
 
Dec 16, 2022
After doing some more reading and research, I am thinking an even more efficient configuration might be:

Starlink -> Asus RT-AX88U -> 3 Ubiquiti PoE+ Adapters -> Cat 6A wiring to the outlets behind each of the 3 TVs and connected to Ubiquiti Access Point U6 In-Wall devices. Those have LAN ports in them so I can hardwire the Apple TV devices to the access points and use the AX88U policy settings to tunnel Apple TV data to the VPN and the rest to the open Internet.

Any thoughts on that setup? That cuts the number of APs down to 3 from 6 and there’s no need for any switches. Thank you!
 
Dec 16, 2022
I also want to mention that a few people have suggested that I do away with the Asus VPN router and put in a complete Ubiquiti system, but from everything I’ve read it doesn’t seem to support WireGuard client connections. The installers are insisting that they can make it work but I’m not sure that I want something that isn’t fully supported. Any thoughts on that? Thanks again.
 
Your plan will work. It is unusual for an AP to have an extra Ethernet port. It in effect should be a 2-port switch. The Ubiquiti router is nice if you have a lot of APs you want to centrally manage, but you can load that software on your PC if you want.
In general, all a home user needs a router to do is the NAT function, which all routers do. I have not read the docs lately on Ubiquiti routers to see if they have any feature Asus does not. Maybe they support VLANs or something, since they are more commercially focused.
When it comes to running a VPN on a router, the Merlin image tends to be one of the best. Some VPN implementations, for example, cannot do what you propose and allow some traffic to bypass the VPN; they just send everything to the VPN.
 