Messages - jhob101

#1
General Discussion / Isolate devices on network by IP
January 24, 2025, 12:14:16 AM
Hi all, I'm a techie (web dev), but know very little in-depth about networking and am trying to learn more by setting up my home network.  So don't worry about over-explaining anything, I need it!

The N100 mini PC I ordered to use as a router arrived last week and I got OPNSense running and configured for my simple home network without too much bother.

I've sorted the basics, but there are a couple of points I could do with being pointed in the right direction on next.

Attached is a network diagram of what I have currently.  In summary it's:

PPPOE 300MB FTTP > OPNSense Firewall > Switch > Tenda Mesh in Bridge mode.

Unbound DNS is turned off and AdGuard is turned on.

My next goals that I'd appreciate some guidance on are:
  • Isolate IOT devices on the network.
    I had previously intended to create a vlan for this, but have since learnt that the Tenda MW12 mesh does not support 802.1Q and I'm not aware of other options. I've decided not to create a separate Wifi for these, at least for now, and am exploring alternative ways that I could hide other devices on the network.

    What other options do I have here?  All known devices have static leases within set ranges, and my thinking was that I could utilise this to create rules.
  • Optimise PPPoE
    I've read that PPPoE is not well optimised, and potentially laggy.  I'd like to try and maximise the conditions, particularly for my son's Xbox - he frequently rages at 'lag' on EA FC25!  What should I be looking at to do this, and what's the best way of monitoring the quality?
  • Better visibility of 'what's going on' on the network
    One of the reasons I've struggled with networking in the past is that it's a bit of a black box to me. I've not known enough to know what metrics to look at, if they even exist, to diagnose an issue, and troubleshooting has always felt like stabbing in the dark.  I'd like to get some traffic monitoring set up so that I can visually see what's happening on the network better. I don't know enough to know what would be most useful.  Could anyone suggest tools/dashboards available in OPNsense that would help with this sort of monitoring?

There are a few other bits that I'll get to in time, but these are my priorities.

I'd welcome hearing from more experienced voices here as to how best to proceed.

TIA for any helpful replies!
#2
Quote from: cookiemonster on January 09, 2025, 03:30:37 PM
I don't know about Tenda but I use eeros for mesh. All their smarts are disabled, all done by OPN. Work wonderfully BUT they are not VLAN aware, so I can't put different SSIDs on different VLANs. That's the big but only drawback.

My tendas are running in bridge mode so similar.  Could see anything suggesting vlan awareness in the app. Will have to do some more research...

I'm starting to think that my vlan plans in their current form might not be possible.
#3
Quote from: cookiemonster on January 09, 2025, 10:29:03 AM
I'm also in the UK (North West - plenty of snow right now) and the only personal preference is I go AMD every time I can. Especially with current and recent Intel missteps, but don't let my preferences sway you. You could have used a spare small PC if you had one lying around; all you want is two or more well supported NICs (not Realtek). You'll be good.
p.s. you can almost always use the replaced routers as APs if they can go in bridge mode.

Derbyshire Dales here, and similar weather, baltic -7 last night!

Yeah, Intel haven't covered themselves in glory of late.  Back in the 486/Pentium days all my PCs were AMD as you got so much more for your money, although my last 3 laptops have been Intel i7s of various generations.  I'm on desktop Linux now, so checking support of chipsets is important; it's nice when stuff just works and you don't need to faff with compiling drivers etc.  Had those sorts of issues with a Realtek wifi dongle I was trying to get to work. I did succeed, but have since replaced it with a plug & play alternative, which I'm only using because of the awful Intel Killer wifi (soldered to the MB).

I'll have a look and see if I can configure the OpenWrt routers as bridges.  Thinking I could put one in my son's bedroom for his Xbox, which can connect with ethernet.  Not sure about enabling the wifi though, as I don't think that would work with the Tenda mesh network unless I used a separate SSID.
#4
Quote from: pfry on January 09, 2025, 12:27:27 AM
Quote from: cookiemonster on January 08, 2025, 12:40:15 PM
For a 300 MB FTTP connection, pretty much any hardware will be sufficient. You'll get more advice on the merits of N100 versus other choices relating to efficiency and power use.
[...]

I always recommend going for the most computing power that fits within your money, space, power, noise, and thermal budgets. It's hard to go too wrong with something like the N100, as it should meet your compute needs, and should be (relatively) inexpensive, small, efficient, quiet, and won't cook you.

That's always been my philosophy when choosing laptops.  Pressed the button on the N100 8GB/128GB last night.  N100 seems to really sip power compared to the other processor options.

I'm in the UK, never gets too toasty in the hallway where the server will live so should be ok.  I might avoid stacking anything on top of it though to improve airflow.
#5
Quote from: EricPerl on January 09, 2025, 02:35:44 AM
It seems the Archer C7 is VLAN capable using OpenWRT: https://openwrt.org/toh/tp-link/archer_c7
It might work with dd-wrt too.

I just checked the Archer C7 and turns out that it was OpenWRT that I'd installed previously and not dd-wrt.  So I've just flashed it with the latest firmware.

I've got another Archer C7 I could use in the network too.  Starting to think about how I could use them both in the network.

Also ordered a TP-Link TL-SG605E managed switch in case the Archers didn't work out.  So I've got plenty of hardware to play around with now!
#6
Thanks for that, you've been a great help.  Really appreciate it.
#7
Quote from: cookiemonster on January 08, 2025, 02:14:00 PM
> For the managed switch, I think the TP-link dd-wrt router could be configured as a switch, which would solve that one I guess?  Could all of the vlan config still be done from OPNSense in that scenario?

If DD-WRT can be used as a non-managed switch then yes, you just use it to expand to its ports. So if it has 4 ports, you use one to connect to OPN and you gain 3 ports on it, using one power point.
If DD-WRT can be used as a managed switch, then you can use VLANs.
No managed switch, no VLANs. Simple.

Great, thanks for that.  I did look into it earlier to see if DD-WRT can do a managed switch, and it can, but it seems a bit complex to set up, so for the price of a managed switch I think it would be easier to just get a cheap one off Amazon, like the TP-Link one you suggest.

Presumably I would assign a port on the switch to a VLAN, not necessarily have anything connected to it, but be able to assign a virtual WiFi network to the VLAN and for them to have an IP allocated in that VLAN's range by OPNSense.  Have I understood that correctly?
#8
Quote from: cookiemonster on January 08, 2025, 12:40:15 PM
For a 300 MB FTTP connection, pretty much any hardware will be sufficient. You'll get more advice on the merits of N100 versus other choices relating to efficiency and power use.
For your requirements, some remarks:
• an IDS/IPS
No problem.
• firewall
No problem.
• switch (raspberry pi on one port and tenda mesh WiFi network is all that would be connected)
Can be done but ideally get yourself a cheap switch from Amazon. It'll be more efficient at the expense of another power socket used.
• DHCP server inc port forwarding
No problem.
• vlan config to separate IOT (security cameras, TV etc), guest, adult & child networks
No problem. VLANs require a managed switch.
• Content filtering/monitoring to keep some of the darker corners of the net away from my kids
No problem. Zenarmor, AdGuard Home are options. All free and integrated.
• Useful metrics so I can analyse any bottlenecks & see where bandwidth is being consumed
Limited metrics built in and only/mainly point in time. For better, you need something external, but OPN can send metrics out to those systems, i.e. a monitoring stack.
• Optimise network conditions for gaming rigs (mainly Xbox) for low latency/jitter
Limited. OPN is not domestic but commercial grade, so no built-in optimisations for gaming. Those require manual tuning and looking around for tutorials, forum posts, etc. This is on the user.

Brilliant, thanks so much for that - exactly the sort of info I was after.

For the managed switch, I think the TP-link dd-wrt router could be configured as a switch, which would solve that one I guess?  Could all of the vlan config still be done from OPNSense in that scenario?

The gaming thing is mainly my son complaining about lag when playing EA FC25.  I'm also considering putting a wired ethernet connection into his bedroom for the Xbox.  His room is conveniently located right above the router so shouldn't be too hard to route.

Part of my problem is just not knowing enough about networking, or having metrics to analyse, to know what's causing the lag.

#9
Hi all, I've been thinking more that I need to secure my home family network and my research has led me to opnsense (mainly thanks to Dave Plummer).

I'd appreciate a little advice about whether my needs can be met by opnsense and would perform well on the hardware I'm intending to purchase.

I'm a techie (self employed web dev) but have never enjoyed networking and found getting it configured right to be a struggle, and debugging issues hit & miss.  Although I am slowly picking up knowledge and am more confident than I was.

Last time I tried something similar, setting up DD-WRT on a TP-Link Archer C7, I had to factory reset the ISP router/modem as I ended up with no working DHCP server on the network!  I gave up at that point.

Anyway, I would like to get a mini PC to put behind the ISP modem and put opnsense on it to act as:

• an IDS/IPS
• firewall
• switch (raspberry pi on one port and tenda mesh WiFi network is all that would be connected)
• DHCP server inc port forwarding
• vlan config to separate IOT (security cameras, TV etc), guest, adult & child networks
• Content filtering/monitoring to keep some of the darker corners of the net away from my kids
• Useful metrics so I can analyse any bottlenecks & see where bandwidth is being consumed
• Optimise network conditions for gaming rigs (mainly Xbox) for low latency/jitter

I'm in the UK and we're on a 300MB FTTP connection. Behind the OPNSense box would be a Tenda MW12 mesh Wi-Fi network.

I'm intending to put it on a 4 port N100 with 8GB RAM and 128GB NVMe, this one, which I found on AliExpress: https://a.aliexpress.com/_EItqu6s

The questions I have are:
• Can Opnsense do all that I've outlined?
  My research tells me it can, but I'm aware that what's possible in practice is often different to what's possible in theory.  Coupled with my limited networking experience too, I'd need it to be relatively straightforward to set up, although I wouldn't do everything all at once, just get the basics right and build from there as my knowledge grows.
• Is the hardware I'm proposing to buy suitable for the workload? Are there alternatives I should consider?
• Can anyone point me in the direction of beginners/idiots guides to getting the sort of thing I'm after set up?
• Could I do anything useful with the TP-Link DD-WRT router in the network in tandem with the OPNSense box?
• Anything else I need to consider but haven't mentioned?

I also see this as a fun project to learn more and gain a deeper understanding of networking concepts.

TIA for any replies!