Question Help on what to buy for new condo networking

Dec 16, 2022
Hello,

I have purchased a new 2 bedroom condominium in Mexico and I am trying to plan how to configure my home network. It's my first time attempting a setup that is more complicated than mesh, so I am grateful for any feedback you guys can provide.

I intend to have the telephone company install my fiber optic modem in the laundry room, which is where the telephony cabinet and breaker switches are located. I would like to have everything mounted and flushed onto that wall. I anticipate having the following equipment:

  • 1 fiber optic modem, provided by the Mexican telco. I am considering either a 500 MBPS or 1 GBPS plan.
  • 1 TP-Link Deco M5 router, which has been flashed for VPN use. I use this only for streaming TV services, since the condo is located in Mexico.
  • 1 or 2 switches (Is it possible to have 1 switch that can handle 2 networks, the Mexican Internet network provided by the Telco and the US VPN network provided by the TP-Link Deco M5 router)?

I intend to have ethernet cables for both networks (Mexican and US VPN) run to various locations throughout the condo. Some of these will run to the back side of my televisions so that I can hook the television and Apple TV devices up via Ethernet cable. Others will run to areas of the bedrooms and living room where I would like to have wifi nodes to be able to use my wireless devices to connect to the Mexican network provided by the telco. I don't need to access the US VPN network via wifi. I intend to run the ethernet cabling for both networks to all locations however, just so that it's available in case I need it in the future.

Questions:
  1. Am I thinking of the right configuration / equipment requirement for what I am trying to achieve?
  2. Can anyone recommend an organization system to mount everything to the wall in my laundry room in a neat and orderly manner?
  3. Will I be needing 1 switch or 2 switches? Can you recommend suitable switches that will work with 500 MBPS or 1 GBPS fiber optic plans? I am anticipating running the ethernet cables to 6 different locations for each of the 2 networks. It might be good to have a switch with at least 8 ports for each network (16 ports total) just to allow for extras in case I need them later on.
  4. What equipment do you recommend for the wifi nodes?
Any other thoughts or comments would be greatly appreciated. Thank you!
 
It is messy but if you have limited devices that use the vpn you could overlap the 2 networks.

An easier way to do this is to use a single router that has VPN and the ability to run what is called split tunnel. You would put in a list of IPs of devices in your house that you want to use the VPN and let others go directly to the internet.

I am not sure about the TP-Link's ability to run as a VPN client and I don't know if it can run split tunnel. If you are running third-party firmware it might work, but be aware you quickly hit CPU limits. Most routers are lucky to do 30mbps VPN.

I generally don't recommend a specific router but in this case I will. The Asus AC86U and, I think, the AX86U have a CPU chip that supports hardware-based encryption. It can get 200-300mbps OpenVPN sessions. You want to run the Merlin firmware on the router. The Merlin firmware for sure has the ability to run split tunnel, but Asus may have put this into the factory image.

Pretty much, if it is just, say, the TV, you would put that IP in a list to use the VPN and all other devices go directly to the WAN port, which then connects to the telco router.

So if you want to do it the messy way:

You would plug your VPN router's WAN port into the telco router LAN. You would then plug switches and whatever into the telco router. The "messy" part is you would now plug the LAN port into the switches also. So you now have the LAN and WAN on the same network, which in general does not work.
The way you make it work is to turn off the DHCP server on the VPN router. Assign the IP on the LAN to some other subnet. So if the primary network is 192.168.0.1, set the LAN to 192.168.50.1, or whatever you like. Now on the end devices you want on the VPN network you would manually assign an IP like 192.168.50.200.
So technically there is nothing that prevents devices on the 192.168.50.x network from talking to the main ISP router, BUT they are too stupid to know it even exists. This only works when you are not worried about someone hacking, since you can assign any device to either network by changing the IP address.

A third way would be to do this correctly and use VLANs and special routers that support multiple networks, but that will be costly and is not exactly a beginner network project.
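
The split-tunnel option described in the reply above, sketched for a generic Linux router as an added example (it is not part of the original post and is not the Merlin firmware's own configuration). The interface name `tun0`, routing table `100`, rule priority `1000` and the three client addresses are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: split-tunnel policy routing on a generic Linux router.
# Assumed (not from the thread): VPN interface tun0, routing table 100,
# rule priority 1000, and the constructed client addresses at the bottom.
VPN_IF="${VPN_IF:-tun0}"
VPN_TABLE="${VPN_TABLE:-100}"

# Return 0 only for a dotted-quad IPv4 address with every octet in 0..255.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1            # split the address on dots into $1..$4
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the commands that send only the listed LAN clients through the VPN.
# Clients that are not listed keep using the main table (direct to the ISP).
split_tunnel_rules() {
    # Default route for the VPN table, plus a higher-metric "unreachable"
    # fallback: when the tunnel drops, its route is removed and listed
    # clients are refused instead of silently going out through the ISP.
    echo "ip route add default dev $VPN_IF table $VPN_TABLE"
    echo "ip route add unreachable default metric 1000 table $VPN_TABLE"
    for ip in "$@"; do
        if is_ipv4 "$ip"; then
            echo "ip rule add from $ip/32 lookup $VPN_TABLE priority 1000"
        else
            echo "invalid client address: $ip" >&2
            return 1
        fi
    done
}

# Constructed sample: three wired TVs on the main LAN that should use the VPN.
split_tunnel_rules 192.168.0.51 192.168.0.52 192.168.0.53
```

The script only prints the commands so they can be reviewed; piping the output to `sh` as root on the router applies them. As with the overlapped-subnet approach, the selection is by source IP only, so the listed devices need fixed addresses or DHCP reservations.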
 
Dec 16, 2022
Thank you very much bill001g for taking the time to reply and share your expertise.

I have 3 TVs that I will want hardwired to the VPN router and nothing else for the moment. The challenge with the VPN router is that I am not the one who configures it. There is someone locally who provides the service, and somehow by using his VPN server, his customers can access Hulu Live+ without having to deal with geolocation trackers. He doesn’t want to provide the settings to allow customers to configure their routers on their own (and most wouldn’t know how to do it either). He typically works with the TP-Link Deco M5 or the TP-Link Archer C20. I am not sure how he set up his VPN server to bypass the Hulu Live+ geolocation checks, but if I could figure it out I would just replicate the model and do it myself so that I could have full control, even if it costs me more.

I like your idea of having fewer devices - the cleaner the setup the better. I’m trying to understand how using the Asus AX86U router that you recommended would simplify things. Because if it replaces the Deco M5, won’t I still need the ISP’s modem and one or two switches to be able to run Ethernet cables throughout the condo? So effectively the same number of devices, unless I am missing anything.

I don’t mind spending a few hundred dollars for a better setup and using the services of a local supplier to help me with installation, if needed. I will need their help anyways to run the Ethernet cables.

Thanks again for your help.
 
I guess to a point it depends on if what you are calling a "modem" is just that or if it also has a router function. You obviously need some box to hook to the fiber.
Many of these boxes are routers also. If it has wifi it is a router. For your average consumer this is all they need.

It is pretty much the same number of boxes since you need a VPN device and you need some device to hook to the fiber. The number of switches might be less.

If you want to do it all physically you can hook a switch to the VPN router and a different switch to the ISP router. Then you would connect the device manually based on if you wanted to use VPN or not.
The problem is, say you have a TV and a PC in the same room but only have a single cable running to the remote room. Even if you were to place a switch in the remote room, the other end of the cable could only be plugged into one router... I will ignore the discussion of setting up VLANs to solve that.

I do not know the details about Hulu, but the way you get past the geolocation for, say, Netflix is fairly straightforward. One of the very common VPN services people use for Netflix bypass is Nord. This is one of the largest VPNs and Netflix could block them if they really wanted.

All you do is tell the router to connect the VPN tunnel to some data center in the USA. At that point you would get an IP address that geolocates to the city where the data center is. The larger services are trivial to set up. They have small config files you directly load into the more popular routers. All you need is your userid and password.

So if we take an extreme example of China, which tries to prevent VPN. All it would really take is for them to buy an account and then connect to each data center and find all the IP blocks the VPN service uses. They could then blacklist any connections coming from the subnet. Netflix, for example, is very strange; they block some VPNs and not others. Last I heard they do not block Nord, which is the largest one around.

Now the way you get past this in, say, China is to buy a VPN server from Amazon or Google. This is your own private VPN that you can locate in any city that they have a data center. It would be impossible to block every IP that Amazon or Google uses without shutting down massive amounts of web sites.

Many times the video service providers only pretend to stop VPN. They of course want the money from everyone no matter where they are located, but the actual video content owners want to limit what countries can see their stuff... guess they can charge more in some countries. So most times, as long as you can pay for, say, Netflix with a credit card located in the USA, they will assume you access it from the USA. Hard to say. I use VPN and run into captcha garbage all the time, and other sites that completely block me, like Newegg for example. It is very hit and miss.