[SOLVED] Home network recommendation: router + VPN + AP + home server

Jun 13, 2020
Hey guys,

I am moving into a new flat in a month or so and thinking about the future home network. It is a 2-story flat; the developer installed RJ45 cables with LAN outlets to each room (I haven't tested them though, I hope they work!). The best ISP in that area is fibre optic; I am going to get a 300/20 Mbps link + static IP (I guess I need one because of the VPN?). The ISP requires me to take their modem/WiFi router, but I don't want to use it as a router - I was thinking of turning off WiFi and using it just as a modem.
What I want from my network:
  • WiFi everywhere (duh)
  • home server (going to do a Raspberry Pi with some external hard drives) - mostly for backups, NAS, maybe a multimedia centre in the future (with Kodi) - the home server absolutely needs to be accessible from the outside via VPN (because of my files on the NAS and backups), hence I guess I need a VPN-capable router
  • ideally, the VPN should be IKEv2 protocol, so it's natively supported by Apple devices (also iPhones and iPads)
  • router / AP capable of a guest network - i.e. our guests shouldn't be able to see our home server

What I was thinking would work (and here I would very much appreciate any comments / recommendations):
  • get a nice VPN WiFi router, e.g. some cheaper DrayTek Vigor series (e.g. this), since they support IKEv2 - any recommendations for another WiFi router with VPN?
  • build a server from RPi and connect it via ethernet to the router - set it up, so it's accessible from a local network
  • connect the router to LAN inlet in my flat - so I get the "juice" to every LAN outlet in the flat
  • get some WiFi AP for the second story in my flat - I was thinking about the Ubiquiti UniFi UAP-AC-LITE (because this one will be visible and my wife would kill me if it's not nice :) ); on the AP I would set the same SSID and password - is this enough to get roaming with my devices? Will e.g. my phone or laptop automatically connect to this AP if its signal is stronger than the router's? The AP would be connected to the LAN outlet in the room.

Some additional questions:
  • What if my ISP does not offer static IP? Can I set up a VPN on the router and connect from the outside world even with dynamic IP?
  • Will I see all my local network stuff when I am connected to the AP on the second story and not directly to the router (will my laptop see the NAS)?
  • is setting the same SSID and pass on AP enough to get reasonable roaming? or is it more complex? Should I look for some features in my router and AP for this? Do they have to be the same manufacturer?
  • what about a guest network? Most routers support it, but what about APs? Is it possible to just set our main network and guest network with different SSIDs and passes on the router and do the same setting on the AP and it will just work? Are some additional steps necessary?
  • maybe we will get a printer/scanner and if so, I would love it to be on the network as well - is running e.g. CUPS on my server RPi enough? Any more modern solutions than CUPS? What if the printer is capable of WiFi? Can I add it to the home network via WiFi (the printer would be on the second story, hence connecting to the AP, not directly to the router)?
  • in theory, I won't need to connect to my home network via VPN per se, only to the RPi server. Is it possible to not have a VPN-capable router and just set up a VPN server on the RPi4 and connect directly to that? Any drawbacks to this? What would you recommend? Whole-network VPN (i.e. on the router) or just the server (i.e. on the RPi)?
  • of course, any recommendations for good VPN-capable router and/or AP is much appreciated

Thanks a lot to everyone, have a nice weekend! :)
N.

kanewolf (Titan, Moderator):
What if my ISP does not offer static IP? Can I set up a VPN on the router and connect from the outside world even with dynamic IP?
Yes. You use a dynamic DNS service, which your router updates when your IP changes. You then use a constant URL for your VPN destination.
Will I see all my local network stuff when I am connected to the AP on the second story and not directly to the router (will my laptop see the NAS)?
If you truly have an access point, yes. APs, by default, don't segregate traffic. They just bridge from WIFI to wired.
is setting the same SSID and pass on AP enough to get reasonable roaming? or is it more complex? Should I look for some features in my router and AP for this? Do they have to be the same manufacturer?
Unknown. Seamless roaming is a very difficult problem. The device is in charge of switching WiFi sources. The amount of time it takes to switch can cause the connection to drop and re-establish.
what about a guest network? Most routers support it, but what about APs? Is it possible to just set our main network and guest network with different SSIDs and passes on the router and do the same setting on the AP and it will just work? Are some additional steps necessary?
Guest networks on APs require VLANs to isolate the traffic. VLANs require managed switches (if needed) and a VLAN-aware router. Most home routers are not VLAN aware.
maybe we will get a printer/scanner and if so, I would love to be it also on the network - is running e.g. CUPS on my server RPi enough? Any more modern solutions than CUPS? What if the printer is capable of WiFi? Can I add it to the home network via WiFi (printer would be on the second story, hence connecting to the AP, not directly to the router)?
Just buy a printer with ethernet or WiFi built in. Then there is no "middle man": your client device communicates directly with the printer.
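The answer above says a guest SSID on a stand-alone AP only stays isolated if the AP tags it into its own VLAN and the router enforces the separation. What that enforcement looks like on the router side, for a Linux box with iproute2 and nftables, is shown below. This is an added example, not something posted in the thread and not a vendor's configuration: the interface names (eth0 toward the modem, eth1 as the trunk to the switch and AP), the VLAN IDs 10 and 20, and the gateway addresses are all assumptions, and the script assumes a masquerade rule for the WAN side already exists elsewhere in the ruleset.

```shell
#!/bin/sh
# Added example, not from the thread: tag a guest VLAN on a Linux router and
# isolate it with nftables. Interface names (eth0/eth1), VLAN IDs (10/20) and
# addresses are assumptions; adjust them to the AP/switch configuration.
set -eu

WAN_IF="${WAN_IF:-eth0}"          # port toward the ISP modem (assumed name)
LAN_IF="${LAN_IF:-eth1}"          # trunk toward the managed switch and AP (assumed)
LAN_VID="${LAN_VID:-10}"          # VLAN carrying the home SSID and the NAS
GUEST_VID="${GUEST_VID:-20}"      # VLAN the AP tags guest-SSID frames into
LAN_GW="${LAN_GW:-192.168.10.1/24}"
GUEST_GW="${GUEST_GW:-192.168.20.1/24}"

# Commands that create one tagged sub-interface per VLAN on the trunk port and
# give the router an address in each. The switch port facing the router must
# carry both VLANs tagged, and the AP must map the guest SSID to GUEST_VID.
vlan_link_commands() {
    for vid in "$LAN_VID" "$GUEST_VID"; do
        printf 'ip link add link %s name %s.%s type vlan id %s\n' "$LAN_IF" "$LAN_IF" "$vid" "$vid"
        printf 'ip link set %s.%s up\n' "$LAN_IF" "$vid"
    done
    printf 'ip addr add %s dev %s.%s\n' "$LAN_GW" "$LAN_IF" "$LAN_VID"
    printf 'ip addr add %s dev %s.%s\n' "$GUEST_GW" "$LAN_IF" "$GUEST_VID"
}

# nftables ruleset: guests may be forwarded to the WAN only; every other
# forward out of the guest VLAN (including into the home VLAN) is dropped, and
# the router itself only answers guests for DHCP and DNS. Connections the home
# VLAN opens toward a guest device still get their replies back through the
# established/related rule, so casting from a home device keeps working.
guest_ruleset() {
cat <<EOF
table inet guest_isolation {
    chain forward {
        type filter hook forward priority 0; policy accept;
        ct state established,related accept
        iifname "$LAN_IF.$GUEST_VID" oifname "$WAN_IF" accept
        iifname "$LAN_IF.$GUEST_VID" drop
    }
    chain input {
        type filter hook input priority 0; policy accept;
        ct state established,related accept
        iifname "$LAN_IF.$GUEST_VID" udp dport { 53, 67 } accept
        iifname "$LAN_IF.$GUEST_VID" tcp dport 53 accept
        iifname "$LAN_IF.$GUEST_VID" drop
    }
}
EOF
}

# With DRY_RUN=1 the link commands and the ruleset are only printed for review;
# otherwise they are applied, which needs root, iproute2 and nftables.
apply() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        vlan_link_commands
        guest_ruleset
    else
        vlan_link_commands | sh -e
        guest_ruleset | nft -f -
    fi
}
```

Source the file and run `DRY_RUN=1 apply` first to review what would be applied. The check that matters afterwards is done from a guest client: a connection attempt to the NAS address in the home VLAN must time out, while a lookup through the router and a connection to an Internet host succeed. If the AP is not actually tagging the guest SSID, the guest client will land in the home VLAN and the rules above never see its traffic; that is the case the answer warns about.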
 
Solution
I have a very similar setup. Those are 3 devices. Maybe 4.
  • Router+VPN+Firewall - I use a pfSense box based on a J1900. Handles 954 Mbps/~4.5 Mpps (did not have anything faster to test against) and about half that in OpenVPN. Excellent fine tuning and traffic management. Create as many networks as you like, endless tuning capabilities with logging, graphing, access management and lots of other goodies.
  • 1-2 APs - I use dedicated radios. I repurposed 2 C-75 managed AirTight devices (ported to OpenWRT and set up as bridged access points, one as the main and one limited access for kids), but any other will do fine. You mentioned seamless switching - WiFi does not have a handover (like 2G/3G/LTE on your phone does), so going from one radio to the other is a full disconnect and reconnect regardless of network naming and such. You only have to upgrade those when there is a new WiFi standard out there; the rest of your network remains intact.
  • STB+Storage+Media Server - I repurposed a Dell Wyse 5060 Thin Client based on AMD GX-424CC 2.4GHz, it is a strong low power box and you can get one at the same price as the Pi or cheaper (used on ebay) while it is much (much much) stronger performer than the Pi. Paired with a little wireless keyboard or Gyro Mouse it will run windows or linux and fulfill all your needs and then some. In my case it is:
    • a storage,
    • a retro gaming console,
    • a torrent box,
    • a Kodi box
    • a media server
    • all that at 8 W (15 W max I have seen on the meter), 100% passively cooled and quiet
I have the Pi too but it is a tinkering device.

P.S. Forgot to mention a managed switch with PoE out for the radios.
 
Jun 13, 2020
Thanks for the reply and the tips! In particular for the Dell Wyse - I was wondering whether an RPi4 could satisfy all the needs. I was going for the RPi mainly for consumption and noise (although I plan to put the server into the living room), but when the Wyse 5060 can go as low as 8 W (sometimes more) that is completely acceptable.
There are many other models that have the AMD GX-424CC; verify with the specs. I know the Wyse 7020 does have some model codes that have this SoC too. There are many other brands that have it actively cooled, so make sure you purchase what you need. I got mine for $50. The RPi is on the weak side for all that in one. It worked fine as a retro gamer, a little weak for high-def videos and slow for storage/torrenting.
Also have a look at those that have the AMD GX-420; while a touch slower, it is still much better than the Pi.
 

kanewolf (Titan, Moderator):
I recommend commercial NAS units for low power, always on devices. Latest ones have quad core Intel CPUs and support Docker containers for any functionality desired.
 
Some great ideas from other posters. :)

With as much as you're trying to do, I could see a complete Ubiquiti setup being something that you would truly enjoy. This would handle the following requirements:
  • vpn
  • wifi and handoff
  • vlan/guest network

Answers to specific questions:
  • Yes, you can run a VPN without a static IP. In fact, a dynamic IP will rarely change if the router is always connected, in my experience. The only times I've had IP addresses change is when the ISP is redoing something on their network or there's an extended power outage beyond the DHCP reservation time and my UPSes get depleted.
  • Yes, you are connected to your LAN via WiFi, just wirelessly. Keep in mind VLANs can change this.
  • No. As others have mentioned, the roaming is set up by the client. However, Ubiquiti setups using the Cloud Key or Dream Machine can have a very seamless experience from my understanding.
  • Yes, with a Ubiquiti setup it would 'just work'. With others there would be configuration required for sure to achieve the same effect.
  • Brother makes some great laser network multifunction machines that have a 'scan to ftp' feature (I have several of these). Most have wireless and wired connection that can be used, but usually only one at a time. Network printing is easy enough and for network scanning you can simply run an ftp server on your nas/server for easy scanning straight from the scanner. We use this very regularly in our own setup to scan to pdf every day and it works flawlessly.
  • I think Ubiquiti would make you happy. :) It is a little pricey, but will be a 'one and done' type of purchase.
Good luck and please tell us what you finally end up going with. :)
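Two of the replies above answer the dynamic-IP question with dynamic DNS: the router pushes the new address to a DDNS provider, and the VPN client connects to a stable hostname. The script below is an added example of the update step for a router or RPi that has no built-in DDNS client; it is not code from the thread or from any DDNS provider. The hostname `vpn.example.net`, the update URL, the `hostname=`/`myip=` parameter names and the state file path are assumptions, as is the use of OpenDNS' `myip.opendns.com` lookup to discover the public address. Two details matter for a box that will be exposed on the Internet: the address returned by the lookup is validated before it is placed in a URL, and the provider is only contacted when the address actually changed, so a broken lookup cannot overwrite the record with junk or hammer the provider every minute.

```shell
#!/bin/sh
# Added example, not from the thread: a cron-driven dynamic DNS updater that
# only contacts the provider when the public address really changed.
# Hostname, update URL, parameter names and state path are assumptions.
set -eu

DDNS_HOST="${DDNS_HOST:-vpn.example.net}"                          # assumed
DDNS_UPDATE_URL="${DDNS_UPDATE_URL:-https://ddns.example.net/update}"  # assumed
STATE_FILE="${STATE_FILE:-/var/lib/ddns/last_ip}"                  # assumed

# Accept only a plain dotted-quad IPv4 address. An HTML error page, an empty
# reply or a string with line breaks must never end up in the update URL.
is_ipv4() {
    printf '%s' "$1" | grep -Eq \
        '^((25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.){3}(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])$'
}

# Ask a public resolver which address it sees us from (needs dig/dnsutils).
public_ip() {
    dig +short myip.opendns.com @resolver1.opendns.com | tr -d '"'
}

# ddns_sync ADDRESS STATE_FILE
# Prints "invalid" (and fails) for a bad address, "unchanged" when the stored
# address matches, otherwise updates the provider, records the address and
# prints "updated". With DRY_RUN=1 the provider call is skipped.
ddns_sync() {
    addr="$1"
    state="$2"
    if ! is_ipv4 "$addr"; then
        echo invalid
        return 1
    fi
    if [ -f "$state" ] && [ "$(cat "$state")" = "$addr" ]; then
        echo unchanged
        return 0
    fi
    if [ "${DRY_RUN:-0}" != "1" ]; then
        # Credentials come from ~/.netrc, never from the command line where
        # they would be visible in the process list.
        curl -fsS --netrc "$DDNS_UPDATE_URL?hostname=$DDNS_HOST&myip=$addr" >/dev/null
    fi
    printf '%s\n' "$addr" > "$state"
    echo updated
}

# Cron entry point: "*/5 * * * * /usr/local/sbin/ddns.sh run"
if [ "${1:-}" = "run" ]; then
    ddns_sync "$(public_ip)" "$STATE_FILE"
fi
```

Run it every few minutes from cron with the `run` argument. A non-zero exit from a failed lookup or a rejected update shows up in the cron mail, which is the only signal you get that the VPN hostname has gone stale. The hostname only tells the client where to connect; who it is talking to must still be established by the VPN's own authentication (the server certificate for IKEv2), since a DNS record is not proof of identity.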