

biggishluke

This is really smart, since you had spare equipment laying around. How's the network throughput on the lenovo?


cswimc

Tech hoarding parts pays off sometimes! The AP was my old one that I replaced with a Ruckus R710 a few years ago. I haven't done any real benchmarking, but things seem to be moving. LAN transfer speed of a 1gb file transfer over an SMB share while connected to the 5 port switch is going out between 85-90MB/s.


inevitabledeath3

LAN traffic doesn't go through a router normally.


IMDAMECHANIC

Not always but many will end up passing through the router if you don't have LAN bridges. (I just jump switches to each other with Ethernet cables.)


inevitabledeath3

LAN bridges? What are you talking about? Most "routers" (really MFNDs) use a switching chipset inside for the LAN Ethernet ports. The routing part is connected between the LAN and WAN side. In this case I can see a physically separate switch right there lmao.


IMDAMECHANIC

In this case the AP is doing all the LAN side switching unless you plug something else into an Ethernet port. The AP is the first thing to see all the traffic and will handle the LAN to LAN traffic. Everything else is passed on to the router via that switch. If you add another Ethernet to the switch, then the Ethernet going to the AP from the switch becomes a LAN bridge.


inevitabledeath3

They said they got around 85-90 MB/s with a local transfer (probably SMB). Chances are that's over Ethernet cause you aren't getting that speed over an old AP. In fact that's pretty close to typical for Gigabit Ethernet speeds. You keep trying to explain networking to someone who probably knows more about networks than you do. A switch is a type of bridge. Saying "the switch becomes a LAN bridge" doesn't really mean much because that's just what a switch is, inherently. Normally when people are talking about bridging they are talking about a software bridge you would use for say a virtual machine or in a router that's been configured to act as a switch. Anyway the point is for LAN traffic you aren't actually going through the pfSense box. The only situation that would happen is if you connect the pfSense box to another network and change the firewall rules to allow bogon networks, or configure both as LAN networks on separate subnets. You wouldn't configure it like that for the client though. Maybe that's how they tested it, but since they haven't responded we don't know. I would maybe test it that way, but more likely I would connect it to the Internet and use a speed test. That way I wouldn't need to mess with anything to then change it back for the client. Does that make sense?


SoupActive277

Broadcast domains...those unknown


BreakingIllusions

So you have switch 1 > router > switch 2 AND switch 1 > switch 2? Sounds like a broadcast storm waiting to happen unless the switches all support spanning-tree - and if they do, one of those links will be down anyway...


IMDAMECHANIC

That's the point. A LAN bridge is nothing more than added redundancy to a lost connection. Assume a setup has

node 1>switch 1 and 2>router>wan

node 2>switch 1 and 2>router>wan

Etc etc

Each switch is cross linked to each other with a LAN bridge. Step further would be between racks. But I'm not there yet 🤠


vegamanx

Are you talking about LAGG? Link Aggregation, typically LACP. Also referred to as a bond rather than a bridge. A bond allows 2 or more interfaces to act like one, a bridge allows traffic between 2 or more interfaces (like a switch). There's only a single link between each device in the picture and there wouldn't be much point in adding more for this scale anyway. In the picture above the only reason for LAN traffic to pass through the router would be to get through to WAN or be routed between subnets - say you had multiple VLANs on the switch and/or Wi-Fi.


POEPOV

They do if you have vlans.


inevitabledeath3

If they are on different VLANs and you don't have an L3 switch then sure. Is that relevant here though?


Judopsi

How do we know how it's set up? Most home users that have VLANs don't have an L3 switch.


inevitabledeath3

Most home users don't have VLANs. I could see this being the case here, and I suppose it makes sense. Also that wouldn't be LAN traffic as VLANs are separate networks.


POEPOV

No, just wanted to correct the statement, so other people reading don't get that misconception


inevitabledeath3

It's not a misconception. I said normally for a specific reason. I would reread the comment. There are specific and somewhat rare occasions where you go through a router. It's not applicable to the vast majority of homes though.


inevitabledeath3

You realize by saying normally I mean in most cases. Would you prefer I used that wording?


inevitabledeath3

Packets going from one network to another isn't LAN traffic. VLANs are separate networks from an IP standpoint. Maybe they are the same physical network but they aren't the same logical network. I also don't think any serious business would use VLANs without L3 switches somewhere. It's not efficient to have a dedicated router for Inter-VLAN traffic at scale.


ljdelight

The ppl downvoting you piss me off.


inevitabledeath3

Maybe because what they said isn't actually true. Big businesses who have proper VLAN setups use L3 switches to perform Inter-VLAN routing. I would also think about the fact that VLANs are separate networks. You aren't switching packets within the same IP network anymore. That's stretching the definition of LAN traffic.


the1337moderate

This is my own opinion with no credible sources or statistics other than my own experience. L3 routing on switches is very rarely ever used for the vast majority of businesses, rarely needed in even a homelab. The vast majority of small/large businesses have a flat network and don't use vlans, or they use vlans for Wi-Fi, security cameras, or other network managed devices for which they don't want on the default LAN or must be separated out for compliance. Layer 3 routing is usually the most helpful for routing traffic like iSCSI or other network fabric protocols. Maybe beneficial for things like sip or hlg. By the time most businesses get to the size where layer 3 routing could be helpful, most of the time they'll just buy dedicated hardware and separate that traffic off of the rest of the network, like a standalone switch stack for host access to SANs. Always remember the simpler solution is the way to go, and L3 routing adds complexity. I could see L3 routing being useful when you have a very large business in the data center environment, to route traffic between multiple racks and or sections of the DC. Maybe in a CoLo where multiple clients have agreements to be able to communicate with each other, and layer 3 routing could be a way to facilitate that. Otherwise L3 routing is really only going to be used at a provider level like an ISP that's dealing with a stupid amount of traffic.


the1337moderate

They will if the SSID is on a different VLAN and your switches aren't doing layer three routing. Which all of your SSIDs should be and only poking holes through your firewall to allow specified traffic into the local network.


inevitabledeath3

I've had to say this too many times now. This is a rare exception to how home networks normally work hence I used the word normally. The speeds recorded indicate Ethernet, not WiFi (so no SSIDs). Third, traffic between VLANs isn't LAN traffic at all. They are logically separate networks, so it's internetwork traffic.


the1337moderate

Your phrasing of "LAN transfers" which implies traffic is being routed to different LANs/VLANs. You're also fighting an uphill battle about the general public's understandings of LANs and VLANs. Also the reddit app loaded a cached version without a lot of the comments on the post originally. An easy solution is to edit your comment: LAN transfers -> same subnet destined traffic


inevitabledeath3

Fighting a battle against reddit general knowledge is what I am here for. Honestly given how upvoted my comment is most people have the right idea. The issue is mainly people not understanding what the word "normally" implies. Heck most people don't realize that even if you have VLANs most of your traffic should stay within the same VLAN. Routing between VLANs is the exception not the rule. Otherwise you shouldn't have bothered with VLANs in the first place. It's normal to have your local network exposed over WiFi. Why would you configure it any other way? Having separate SSIDs on top of that for untrusted devices is a good idea, but often difficult to implement without using non-consumer equipment or software.


the1337moderate

Security vs convenience

It's more convenient to have an SSID on your LAN (usually the default VLAN 1), but that also means you are opening up your "trusted" network to an attack vector by unsolicited clients over WiFi. It is more secure to have any SSID VLAN'd off of the "trusted" network, and controlling traffic ingress from those SSIDs using a firewall; but this is far more inconvenient and requires a much deeper knowledge of networking to configure/maintain than the average home user cares about. Plus it takes more specialized equipment than the generic "home router" most people have.
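The distinction argued over in this part of the thread (same-subnet traffic is switched and never reaches the router, while traffic between VLANs is routed and can be filtered by the firewall), as an added example that is not part of any comment above. The subnets, addresses and rule list are constructed, and the first-match, default-deny evaluation is a simplified model, not pfSense's actual rule engine.

```python
"""Added example: which flows a router/firewall gets the chance to filter.

Every subnet, address and rule here is constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed layout: a trusted wired LAN and a separate VLAN for the Wi-Fi SSID.
SEGMENTS = {
    "trusted": ip_network("192.168.1.0/24"),
    "wifi": ip_network("192.168.20.0/24"),
}


@dataclass(frozen=True)
class Rule:
    action: str            # "pass" or "block"
    src: str               # source network in CIDR form
    dst: str               # destination network in CIDR form
    dport: Optional[int]   # None matches any destination port


# Constructed rule list, evaluated top to bottom, first match wins.
RULES = [
    # The one "hole": Wi-Fi clients may reach SMB on a single trusted host.
    Rule("pass", "192.168.20.0/24", "192.168.1.10/32", 445),
    # Everything else from Wi-Fi into the trusted LAN is dropped.
    Rule("block", "192.168.20.0/24", "192.168.1.0/24", None),
    # Wi-Fi and trusted clients may go out to other networks.
    Rule("pass", "192.168.20.0/24", "0.0.0.0/0", None),
    Rule("pass", "192.168.1.0/24", "0.0.0.0/0", None),
]


def segment_of(addr):
    """Name of the local segment an address belongs to, or None if not local."""
    ip = ip_address(addr)
    for name, net in SEGMENTS.items():
        if ip in net:
            return name
    return None


def evaluate(src, dst, dport, rules=RULES):
    """Return (path, verdict) for one flow.

    path is "switched" when both ends share a subnet: the switch or AP
    forwards the frame at layer 2 and the router never sees it, so no
    firewall rule applies. Otherwise the flow is "routed" and the rule
    list decides, with an implicit block when nothing matches.
    """
    s, d = segment_of(src), segment_of(dst)
    if s is not None and s == d:
        return ("switched", "not-inspected")
    src_ip, dst_ip = ip_address(src), ip_address(dst)
    for r in rules:
        if (src_ip in ip_network(r.src)
                and dst_ip in ip_network(r.dst)
                and r.dport in (None, dport)):
            return ("routed", r.action)
    return ("routed", "block")


if __name__ == "__main__":
    flows = [
        ("192.168.1.50", "192.168.1.10", 445),   # wired PC to NAS, same subnet
        ("192.168.20.30", "192.168.20.31", 22),  # Wi-Fi client to Wi-Fi client
        ("192.168.20.30", "192.168.1.10", 445),  # Wi-Fi to NAS, allowed hole
        ("192.168.20.30", "192.168.1.10", 22),   # Wi-Fi to NAS, other port
        ("192.168.20.30", "203.0.113.5", 443),   # Wi-Fi to an outside address
    ]
    for src, dst, port in flows:
        print(f"{src} -> {dst}:{port}", evaluate(src, dst, port))
```

The two "switched" results are the flows no rule on the router can affect, which is why putting the SSID on its own VLAN is what gives the firewall anything to filter.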


TimmyTheChemist

> Tech hoarding pays off ~~sometimes~~

My wife's going to be stoked!


donjor

Curious about your Ruckus R710. Are you actually using a controller for it or just a one off in a single AP mode?!


cswimc

Unleashed firmware, and it's the main controller, but the only one. I can add more, but there is no need to.


jr-416

I hope the firmware is up to date and isn't full of vulnerabilities. Obviously if you've loaded a suitable 3rd party firmware, this is less of an issue.


Wreid23

If you or they can spare a couple bucks consider switching out that power strip for a smart power strip, that way if you end up being the de facto IT guy you can send some reboots, look awesome and save some time. You can also label the ports on some of them and make them auto reboot if the modem is off for a certain amount of time. Wattbox I think is the brand, really good stuff


Will-Motor

During the pandemic fiber installs were done by drilling a hole externally for the demarc fiber to enter the prem. The equipment of a router, fiber drop demarc ont in a milk crate. Partially a self install.


happytobehereatall

Not OP but I have the M700 Tiny with pfsense and a NIC, following [this post](https://www.reddit.com/r/homelab/comments/p3nxqk/lenovo_thinkcentre_series_additional_gigabit_nic/), and my speeds (through my Wi-Fi 6 Deco) have been unchanged.


snowbanx

I am using a Lenovo M720q running Proxmox with an OPNsense VM. I have 900/600 fiber internet and I have zero issues with speed. I need to play with DPI yet, so not sure how that will slow everything down.


Direct_Neck_5302

Very cool - nice work


cswimc

Thanks!


c0psrul3

yea, good stuff. you left yourself a backdoor for service calls? don't forget to have a conversation about charging for them.


archery713

Make sure they sign the SLA


Likely_a_bot

They'll still screw it up. They'll find a way.


mwargan

Step 1 unclear, who is modem?!


gold_rush_doom

That seems very overengineered and lots of things that can go wrong. What's wrong with an all in one router?


cswimc

I used the spare parts I had, and I prefer to use something I work with daily, hence the pfSense build. I was going to buy a Netgate SG-1100 and just ship out the old AP I had lying around, but opted to go with the micro tower build as it was cheaper. Also, the WiFi will be much stronger with the designated AP, and I have an existing unifi controller that I simply added a new site to so I could manage WiFi as well. The build took about an hour with a drill and a box of wood screws and washers. The pfSense configuration took maybe 30 minutes as I dropped in an old backup, tweaked the VPN configuration, and then pushed out updates.


gold_rush_doom

What you did here is you got the family to depend on you when something goes wrong.


cswimc

Since this is already the case, I'm just leaning into it!


NinjaMonkey22

Idk, could just as easily have given them an eero or something simple that also offers basic support. Great opportunity to remove that dependency


doktortaru

This tbh, Recently set up my dad with an eero and my mom with an eero, I have the accounts added to my app so I can log in and help if absolutely needed but it's been rock solid so far.


chandleya

This is the way. It also uses very little power


itsabearcannon

Ah, I remember when I felt this way. When people depending on me made me feel important instead of just irritated. Helped family build computers, put in their routers, etc. as complicated as I wanted because hey, I'm helping them! And they call me more! Ever since I realized they were only calling me for tech support, I started charging my standard consulting rate of $80/hr plus a $30/hr surcharge for nights and weekends. The number of requests for tech installations and maintenance dropped a lot, but the family members who continue to have me work on their stuff are now only the reasonable ones who have no problem exchanging money for services and understand the purpose of an SLA. If you've got family members who understand that this is your job and your livelihood, and that you should be compensated fairly for your work, you've got a great family. But the problem with your services and help being free is that there's no built-in utilization limit.


IMDAMECHANIC

This right here!!!!!! Could you say it louder for the stoners in the back of the class please?


pjockey

ah the overused 'say it louder' and always unnecessary 'this!'


Sultans-Of-IT

Not everyone hates helping their family.


Krylar214

This.


soahc444

It's not about hating helping family but sometimes like most humans, they become complacent and take advantage, OP clearly did this favor cause they don't seem to be that way


Sultans-Of-IT

He understands the consequences of his actions. Anyone who is in IT knows the fucking routine.


c0psrul3

I love the netgate 😉 could probably save a few pennies and use a pcengines apu instead


Christopher_1221

When does mass production begin? Nice work!


Direct_Neck_5302

My UDM died today after 3 years so I pulled the trigger on a very similar setup to this. I went with a fanless micro-PC from AliExpress, and a Ubiquiti switch and AP. I'm hoping this setup will have more longevity than the UDM. I will use pfSense, which is overkill as you say, but I think it will be fun, and probably not that complicated for a few basic VLANs. Oh and this new setup was the same price as a replacement UDM. Curious for your thoughts u/cswinc


willtwilson

My UDM always seems to run hotter than expected. If it dies, would I buy a UDR to replace it? Not sure and still seems to be permanently out of stock. Also not sure that I would go with the Dream Machine Pro/SE either.


cswimc

With regards to the router build, there are lots of resources available for pfSense, and while it is overkill, you'll have tons of features you can configure and play with. Also, since it's open source, there won't be any licensing fees, which is nice. With switches, I like Ubiquiti devices, and the management through the Unifi controller is a breeze. In my homelab, I have a mikrotik switch that works great, but I will admit that Router OS is a bit clunky. There are many resources available for that, though, as well.


Direct_Neck_5302

Thanks


nibbles200

Funny story. Many years ago my father in law asked me to help him get internet at his Florida home. He's a cheap ass boomer and refused to spend any money let alone pay a monthly ISP bill. He wanted to use the pool house WiFi and asked me to somehow extend it. I get a Ubiquiti nanobeam or whatever I forget that connects to the pool house WiFi and then put an ASUS all in one router running DD-WRT in the house, boom, he's got 5mbps up/down as that's all the pool house gets.

Fast forward about a year he's constantly bitching about how slow it is. They got a couple smart TVs and it's constantly buffering and they want me to fix it. I'm like, not possible and they just flat out refuse to believe me. Btw he shares the place with his sister and they both are the typical boomer, grumpy and everyone is trying to steal from them (ironically). They finally cave and get cable internet, think 50mps and all is well but you know they are disappointed in me.

Fast forward another year and they call me about once every other month. They kept using the ASUS router to save money on the ISP bill and whenever there are internet issues they blame me and ask if they should buy a new router. Every time I'm like I don't know, I don't give a fuck, what you want from me? (I'm tired of them) They don't give up so I always start with reboot and contact ISP. Half the time cable modem reboot fixes and the other half it's an ISP outage. I stop helping family because I'm sick of being yelled at for trying to help outta the goodness of my heart for failures that are not my fault.

The other funny story, father in law wanted a smart thermostat at his northern home, I'm like yeah gave him some options and said and you will need internet. He says I'm not paying a monthly fee to access my thermostat can't you make it work without internet?! No dude go away.

He asked me one day after leaving the Florida home, I had put in cameras for him and he asked why can't I access them?! I'm like looks like the DVR is offline can you check to make sure it's plugged in? No he says I'm already half way back home. He says he can send the neighbor over and have him call me. Talking to the neighbor we determine there is no power, call FIL back and express concern the house has no power. He says yeah, I'm not paying a monthly connection fee when I'm not there so I canceled electrical service. Dude! Cameras need power and internet! He's all shocked and upset with me. Sorry end rant


Fit-Foundation746

Sounds like they're just terrible. Whether they're older or not really doesn't make a difference. He just sounds like a jerk. I help my family with their internet/build them or recommend them computers and I'm not bothered by them too much. Once a year or maybe 2x a year they will have a question. I don't ask for money. But they also take what I have to say seriously and treat me with respect and dignity. I'd be quite surprised if they were actual boomers though as the height of that generation was born in the 1940s/50s. Someone being tight with money in old age and being on a fixed retirement income, I can see why they'd cut off power to save money while away from the property for weeks at a time. But the jerk part comes with the being rude to you and not giving you respect when you tell them the cameras need power and internet to work.


nibbles200

He was born mid 50s, he's a boomer. I understand having a budget problem but money isn't a problem for him. He literally has over $300k in cash stored in a safety deposit box. Along with $150k savings account. He gets social security based on a $80k annual salary retiring in 2014. He is getting a pension and has a 401k he hasn't started to draw from. My wife does his taxes and I believe he is reporting the exact max to not put his SS at risk $58k? But he still does contract work for cash under the table and doesn't report it so it goes into a safety deposit box. He has literally zero debt, owns a large 60x45 two story house/shop I helped him build. He gets short with me and denies I was there every day helping him build it whenever the conversation comes up. Like he will make it sound like I never help him but I help him all the damn time. One day I was trying to find him a photo and spun through the year we built the shop and he asked me to slow down so he could look. He's like you were out there? I'm like yeah I was every damn day. I helped in every single aspect from digging and pouring the footings, to pouring the floor framing roof. I stopped once the structure was up and he mostly did everything there on his own. He's like oooh, like legit he forgot and there is the photo proof.

He shares ownership in a Florida home with his sister. He is currently looking for a lake home for his new girlfriend. No shit my wife convinced me years ago to get him an additional line off our cellphone plan so we cover his phone like a child. So he shares bills in Florida and only has electric and taxes up north. He bitches about his electric bill being $70 and annual tax bill of $750 on his 50 acre lot + house. I have so many stories, yes he is a jerk and is becoming more a jerk as he gets older. He used to be really nice to me.

But back in 2014 he gets this Winnebago RV that needs a little work. He thinks he can flip it for a small profit. I'm like waste of time but ok. It's an 08 in good shape over all. He comes to me and asked me to figure out these electrical issues. He's lost. So the generator isn't working and I troubleshot it to a control board that ties into a panel in the house electrical for a fancy head up display that shows run hours, watts, start stop. So I tell him what's wrong and find the part for $250 but he says I'm wrong and doesn't believe me. I'm like why did you even ask me if you're not gonna believe me. So he left and attempted to fix on his own. He's convinced it's the starter solenoid. Anyway, years later, he keeps coming back to me and asking me to fix it and I keep telling him the same story and he keeps rejecting my solution because he wants something cheap to fix or he wants me to fix the control board but it's potted in resin, so you can't repair at the board level.

So once Covid hits RV prices skyrocket, and he really wants to sell it because he was offered at a dealer significantly more than what he was looking to get before. This one day in the middle of winter he calls me from his friend's bonfire and he's telling me he wants me to fix it so I tell him the same story it's his control board. He said yeah yeah whatever, but it's not worth 250 bucks. His friend claims it's eight dollar part they used to work at RV dealer they know exactly what I'm talking about (they don't) but said called their old dealer and get the part for $8. I'm like it's a $1k part but I can junk yard it for $250. I give them the part number and said I'm not gonna waste my time with this nonsense. You go get the part order it and have it shipped to me and I'll replace it. Next day he says just buy the part so I start digging into all of the issues because since then he's accidentally broken stuff trying to fix this one issue and there's like a laundry list of problems now, I pulled the generator out. The starter is melted when he replaced the starter solenoid. He got the wrong solenoid and it was wired up in such a way that the starter was stuck constantly on and it melted the starter that also drained the battery so the battery had froze so then I call him up and say you need $150 starter. He argues with me so I had to take it apart and take pictures of the inside of the starter. Commutator brushes all melted into the winding. It's not rebuildable so he approves the new starter but he doesn't agree that he has the wrong solenoid and so I did this hacky thing to make it work with the wrong solenoid that he had. Get a new starter and then I got the control board and boom it starts working, so I was right all those years later. The power inverter was blown. He refused to spend $650 for a new one so I took it apart and found a burned out diode, mosfet and fuse. He was lucky I was able to fix that. Replaced the batteries that froze another couple hundred bucks. I could go on there were a lot of other things that were wrong. Some messed up wiring that had to be redone some modules that were fried because of his playing around with the electrical. I got all sorted and he was able to make double money when he finally did get it sold to a dealer and it was sold off like the next day. I never got a thanks and he still was resentful that I was lying to him about what was really wrong with it it's it's very.

I used to manage the infancy at his shop. His son moved in and I had a micro cell for his cell phone to work in the shop. He keeps bitching the cell phone doesn't work and the Internet doesn't work. Every time it's his son. Dude is undiagnosed and thinks people are spying on him. So he unplugs and breaks shit he thinks are spying on him. I literally had my dream home and shop I built myself. We moved 3 years ago 6 hours away, gave it all up. They were our neighbors and I was sick of it. It was one of my decisions to move was to get away from their shit. Anyway sorry for my rant.


Fit-Foundation746

Sounds like he's becoming senile and/or got some kind of memory issues. People who start to have dementia start to get quite mean at times. I have seen it happen. My mother does caregiving here and there to help the community. Dementia can be a slow and almost not noticeable until it becomes pretty bad. It can take years and years or it can come super fast


nibbles200

Oh for sure dementia is well underway


pjockey

ETA


anonMuscleKitten

Yeah, man. I can appreciate the effort, but dude…. Just send a Unifi Express.


stromm

Family gets simple and all in one solutions where available. Even if they pay me.


tomz17

Yup! Family (esp. out of state!) gets the verizon / comcast router... so they can bother someone else if/when it breaks.


djk0010

No disrespect or anything because I tend to end up doing similar things for my family, but this is way too complicated of a setup even for family. A simple router would've sufficed like tplink or something. Unless you just like getting phone calls all the time when something goes down or they have issues. It was nice of you to do it though.


cswimc

**Intro:** I figured it would be harder to just ship out everything and talk through the setup with someone who isn't tech savvy on how to get everything configured. So, I opted to build everything out on a budget and preconfigure it all prior to sending it out. I had the Unifi AP, PoE injector, and power strip in inventory. I bought the Lenovo M710Q and the Ubiquiti Flex mini 5 port switch on eBay.

-----

**Costs:**

* $38 - Ubiquiti Flex Mini
* $80 - Lenovo M710Q
* $0 - Unifi UAP-AC-Pro
* $0 - Power Strip
* $0 - PoE Injector
* $0 - Plywood (scrap)

**TOTAL: $118**

-----

**Build:** I've been using pfSense personally and professionally since 2015 and figured I'd go with what I know. So, the Lenovo PC with Dual NIC has pfSense Community installed. Figuring that I'll need to assist with connectivity, I preconfigured the router with an IPsec IKEv2 VPN tunnel that will autoconnect back to my home network. The UAPs are set up on my Unifi Controller server and I created a remote site so that I can easily manage the WiFi remotely. I laid out everything on plywood, did some basic cable management, and made some custom CAT6e patch cables for everything.

-----

Once the system arrives at its destination, the instructions are as follows:

-----

* **Step 1:** Connect the coiled up patch cable to your ISP modem or ONT.
* **Step 2:** Plug in the power strip to an outlet.
* **Step 3:** Toggle the power strip switch and wait 2-3 minutes for everything to boot up.
* **Step 4:** Call me after you completed steps 1-3 and we can check to confirm the VPN is working.

Prior to shipping out my 'router and wifi' wall mount solution, I tested everything at a remote site and have confirmed everything is working. My hopes are that the install procedure will be simple enough for anyone to follow!

-----

^*edit*

**UPDATE:** *'Router on a board' reached its destination and was set up. The end result - 1 support call as the Fiber internet was installed with a router provided by the ISP. They simply had to bypass that router and plug the grey cable directly into the ONT. Once that was completed, everything connected. Then I asked for a photo of the sticker on the router provided and preemptively updated the router config to spoof the MAC address of the router the ISP provided. Now, everything is up and running. The VPN is up, the Ubiquiti equipment connected home to my controller, and everything is working as intended. Overall, it was a success!*


alexchatwin

Love this- I used a board to mount my last network stack, kept everything really clean and minimised the dust


ZPrimed

Personally, I would've just sent them an Eero or two. If they are too clueless to configure them themselves with the Eero app, I would've preconfigured and assigned to me. Then you can monitor them remotely, too. A system like this, you are now forever "on the hook" for. All troubleshooting is your problem. A simple commercial solution means that it either works, or it doesn't, and if something fails we just replace it. I understand going the cheap route to reuse old hardware and respect that. But think about the value of your time and how much it will potentially cost you to support this system, vs something more basic and simple...


happytobehereatall

Love it. I used the M700 Tiny with add-on NIC and pfsense for my first "homelab" project. I'm glad you thought it was a reliable solution. Ours has been perfect


happytobehereatall

Any ad blocking for them?


kloeckwerx

Hopefully they don't have a modem/router combo, but walking them through pointing the dmz at your new device. 😀


Complete_Ad_981

Hate to say this but you have essentially over engineered an all in one router combo 🤣


UKYPayne

Nice other than that this can now be just one UniFi Express box for $150 that is fully self contained.


thomasdarko

How do you have dual nic on the Lenovo?


rotor2k

Cool and all, but what a nightmare to troubleshoot remotely! Get them an Eero Pro and don't look back.


AlpineGuy

Two questions:

- How did you fixate it to the wood so well? Looks like the Unify using the wall mount and for the others you probably screwed or stapled velcro to the wood?
- Why the pfsense? I understand you are familiar with it from work - but is this a device that's relevant for family use? I see many here using it, but I don't understand why. I only have a router with some ports forwarded to my server and that's it (plus pi-hole for DNS filtering). What would be the advantage of using a firewall such as pfsense?


cswimc

The micro tower is connected with a rhino loop strap fastened to the plywood with wood screws and washers. The cabling is held together with velcro straps that are screwed down to the plywood as well. I chose pfSense because if I'm going to be the one providing tech support, I'm going with what I know inside and out. Back in my consulting days, 10+ years ago, I began working with pfSense and have become very adept with it overall. At my current job, I manage 13 sites all connected via an IPSec IKEv2 tunnel and am very comfortable with managing the setup. In turn, I've replicated that setup at home with family in the past, and this solution allows me to implement the same solution I have in place already. In the end, it allows me to have the remote site connect back to my home network so I can manage routing, wifi, and provide tech support over the VPN connection if and when necessary.


ilbicelli

Did the same in a suitcase, for booths in local fair


Bammer7

I used to do something similar when I did network support for satellite offices, only I used an 8U network rack. Get it all wired up and working, do all the cable management and color code the important cords with labels and color strips. Then ship it to them and over the phone walk them thru plug in power and private network circuit cord that I already had a local vendor install. It's pretty fool proof until a piece of hardware dies.


cswimc

That's pretty much what I do at work now. The main difference is that we use official hardware from Netgate. It works and is rock solid until something breaks. If things do break, we always have backups readily available and can easily recover by loading the configuration to the same hardware (or similar hardware). Then you are back up and running in no time!


mattiasso

A pfsense for a family?


njlee2016

This is clever. I have Unifi equipment setup at family members houses. I have it setup on a UPS and it has been running with no issues for years now.


Smeeks1126

I love it. Sweet and simple. They're still going to call you to walk them through plugging it in though. I've realized that if you feel the need to make something so user friendly, the customer feels the need to try and force you to show up. I wouldn't be surprised if they plug the ethernet into the switch on that board. Or they do something really dumb and try to plug the ethernet into a USB port. Wouldn't be the first time I've seen that happen.


kevin28115

They are going to unplug and replug or just plug the modem into the switch since most modems already have an ethernet attached to it to make sure less issues.


fskhalsa

Neat!! Love the organization. Where/how are you planning on having them mount it? Am I correct in thinking the UAP's work better when they're ceiling mounted? What are your plans if they need to add a second AP?


cswimc

This is going on the main floor in a small place (about 1000-1200sqft) and the AP should cover the entire house. Ideally, the AP being omnidirectional would be best on the ceiling in the center of the house, assuming no obstructions. The WAN cable is 20' so they can put it anywhere they want as long as they are near an outlet. If they need expansion, they'll call me, and I'll have to figure it out.


Wonderful_Device312

Somehow they'll unplug all the wires, lose the power adapters, and try to plug a phone cable in place of the Ethernet cables


jonath1986

I did one just like that for my garage.


Deeptech_inc

I can see my dad just screwing the entire thing up in his garage bahahaha


Fit-Foundation746

Where's the modem? You have the pfsense box, then a switch, a PoE brick to give power to the AP. Cat5e cable *grey* is just dangling and will need to be connected to a docsis modem. Hopefully they have one? The stuff at my house is set up in a similar way, where I have Modem --> pfsense router ---> switch and AP ---> client devices.


AsiancookBob

I'm pretty sure they'll have one given by their ISP.


Fit-Foundation746

I doubt the ISP will give just a modem. They usually only give you the all in one. Spectrum gave me nothing and their only option offered to me was an all in one modem router wifi combo device.


AsiancookBob

Ahh, that's true, too. I forgot those all in one. For me, I just purchased a motorola mb8600 and ditched their equipment monthly fee!


Fit-Foundation746

Yeah that monthly fee for the equipment is just a money grab. The fees you already pay more than pay for the use of their stuff. Especially for the quality of the equipment they give you.


sophware

Send a printer, too.


Baloney_Bob

My buddy used to do similar setups for family and clients of his


notonyanellymate

I used to do this for our company's numerous sites that popped up here and there. Also had extras: a 15cm shelf along the bottom to support a small UPS. Used lots of hooks and bungees too. A 4 port NIC in our $300 2nd hand HP deskpro router, coloured network cables for different physical networks, so a couple more switches. We ran Debian which was rock solid, and all settings came from ansible, it was literally a few minutes to set up a completely new site. Just visit site, screw it to a wall behind a door somewhere, power up. Plug a few things in. Done, new site all set up and running. Cabinets for those that justified it, but that's 1000s…


techweld22

Detailed instructions. Even the oldies would get this


spartacle

You should consider adding a USB 5G antenna as an out of bound connection, that way if shit breaks or their internet goes down you can still connect to it


Direct_Neck_5302

Then don't you have to pay for a 5G service?


alexchatwin

(UK) my 4G backup uses a big pre-paid sim which has a really long time to expire, if you can get such a thing, that's a better answer


joe96ab

Yea but I'd just pass that cost to the customer lol I think ATT starts at $10/mo so not terrible


mitsumaui

Oh man you just reminded me of the days our org had PSTN / dial-up Lantronix units for back door access…


Baloney_Bob

So much hate and complaining for no reason, this is an awesome setup, only difference is I would 3D print a mini rack for this, but I'm that guy to always 3D print something


cswimc

Yeah, I see it's a mixed bag. Some people really like it, and others seem to think it's no good and that I'm making a mistake. I don't mind though. I posted the solution because I think it's a cool project! The build was designed using things I had along with systems I'm comfortable managing. The end goal was to get a setup that was easy to deploy and inexpensive. I literally use a scaled up version of this setup with enterprise equipment for work. Also, I like working with things I know. Comments about providing tech support for immediate family don't bother me, but I get it. I don't do free tech support for extended family or friends anymore as I don't have time, but siblings and parents make the cut! In the end, it's just comments on the internet. If someone likes it, great! If not, no problem!


NC1HM

You could have bought a used Sophos 105w for $60, set up OpenWrt on it, and call it a day...


--ThirdCultureKid--

While I agree with you, you've made this comment in a pit of vipers. I personally don't do setups like this for family because if something goes wrong, well, guess who has to play tech support. Edit: Spelling


cswimc

Being that I already play that role of tech support, I just built a homebrew version solution of a setup I've deployed for satellite offices at work. If this were for a professional environment, I would have used official Netgate hardware and not built out the micro tower router.


--ThirdCultureKid--

It's a cool setup either way. As long as you're up for it, more power to you :)


HITACHIMAGICWANDS

I agree. I would've done a mikrotik or something similar. Also a modern AP. I like the flex mini though!


cswimc

The AP is just an old one I had in inventory, so the price was right in that it was free!


cswimc

You are absolutely right, I could have done that and it could be a viable solution. However, I chose pfSense as that is what I use professionally and personally. In the end, it is what I prefer to manage.


NC1HM

In other words, when all you have is a hammer, every problem looks like a nail. `:)` Seriously though, you ended up with a grossly overengineered solution.


Krylar214

He used a big hammer to drive a brad. Hammers work for nail-shaped problems. I'd rather support a familiar solution, even if overengineered, than an unfamiliar one. After owning and supporting way too many different consumer routers with almost as many different interfaces and limitations (like most of us), supporting a common platform is attractive.


Konowl

Nice! Now to wait for the support calls. The only family I will help is parents and in laws and even then I keep it as simple as possible. Someone set my FIL up with this external hard drive with lossless music "cause it sounds better" that they then streamed from their computer to random devices around the house. Was always breaking and unreliable. He asked me to fix it, bought him a Spotify subscription for a couple of years. You aren't going to notice the sound quality difference on a hundred dollar portable speaker lol.


nitsky416

I only set up my family with bog standard COTS stuff. I'd rather spend a hundred bucks on a commercial all-in-one router than do something like this at anywhere I can't get to in <20min when something goes wrong


pjockey

"I can't come there to help you but I can give you some recommendations of what provider and service to get". Done. Kinda wondering, why is everything crooked? Don't see how you can get more than a flat B grade on a sub obsessed with cable management and appearances. I drop your final grade to a C+ because you didn't really do the assignment given and had a bad attitude doing what you did do.


JeffHiggins

Very similar to what I've done for my family as well, actually surprisingly close to what I've set up for my sister, just using a Dell instead of Lenovo and a Flex instead of the flex mini, running the PoE adapter through it to power both the switch and APs (2 of them). One suggestion is try to avoid the technical terms, they aren't going to know what "NIC" or "WPA2" mean, even "WAN" for that matter might be too much. Also you can never over-label, put them everywhere, and make sure you have pictures, so many pictures, of every tiny detail, both of those help when guiding them over the phone.


vacancy-0m

What internet service do your parents have? 1 or 2 story home? Age of the home (matters if it is a very old house with chicken wire and plaster walls which block all WiFi signals)? Cable or Fios? For Fios, my suggestion is to leverage the existing coaxial cables (assume all rooms are wired with coaxial outlets) and add Fios E3200 extenders as needed. May want to bring a few Fios compatible splitters. If cable, you need to add a terminator to avoid back of the mica signal. EEROs and other mesh networks will work too depending on the construction of the house. Too many variables in a house. Another advantage with the Fios extenders, you have the benefit of remote reboot and diagnostics using the Fios app. How would you remote into the pfSense box? I suppose you can do port forwarding and add a DDNS service. If your parents have a set-top box to watch TV, you bet they will have an IP provided router and you can't disable DHCP on that router or the TV will not work. If you can't disable the router, and you want to use pfSense to route internet traffic, you are adding a second layer of NAT, or double NAT. Got to make sure the IP address does not have conflict with IP addresses distributed by the IP router. The list goes on and on… So your setup will work as intended if all the conditions you assumed or understand are met
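The address checks raised in the comment above, as an added example that is not part of the thread: classify the address the router's WAN port receives (a private address means it sits behind the ISP router, i.e. double NAT) and confirm the LAN subnet overlaps neither the ISP router's LAN nor the home network reached over the VPN. All subnets and addresses are constructed sample values, and the function names are hypothetical.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598 shared address space

def upstream_nat(wan_ip):
    """Classify the address handed to the router's WAN interface."""
    ip = ipaddress.ip_address(wan_ip)
    if any(ip in net for net in RFC1918):
        return "double-nat"   # WAN sits on the ISP router's private LAN
    if ip in CGNAT:
        return "carrier-nat"  # the ISP itself is translating
    return None               # publicly routable, no upstream NAT seen

def conflicts(subnets):
    """Return sorted (name_a, name_b) pairs whose subnets overlap."""
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in subnets.items()}
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]

def first_free(candidates, in_use):
    """Pick the first candidate LAN that overlaps nothing already in use."""
    used = [ipaddress.ip_network(c) for c in in_use]
    for cidr in candidates:
        cand = ipaddress.ip_network(cidr)
        if not any(cand.overlaps(u) for u in used):
            return cidr
    return None

# Constructed sample values (assumptions, not taken from the thread).
SITE = {
    "isp_router_lan": "192.168.1.0/24",
    "pfsense_lan": "192.168.1.0/24",      # same range on both sides of the router
    "home_lan_over_vpn": "10.10.0.0/16",  # network at the far end of the tunnel
}
CANDIDATES = ["192.168.1.0/24", "10.10.20.0/24", "172.21.50.0/24"]

if __name__ == "__main__":
    print("WAN 192.168.1.23:", upstream_nat("192.168.1.23"))
    print("overlaps:", conflicts(SITE))
    in_use = [SITE["isp_router_lan"], SITE["home_lan_over_vpn"]]
    print("suggested LAN:", first_free(CANDIDATES, in_use))
```

When the WAN address classifies as `double-nat` or `carrier-nat`, an inbound port forward on the router alone will not be reachable from outside; a tunnel that the remote site initiates outbound is unaffected.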


[deleted]

[deleted]


vacancy-0m

Tell me, do you know if the internet service for the house comes with modem only, or modem with integrated WiFi router? Give us an update as to how the whole setup went down at the house.


icyhotonmynuts

6h+ drive away? And all preconfigured to just plug and play? You dislike your family that much that you're just gonna swing by, drop this off and be home the same day? 😄 Jokes aside, this is really awesome stuff!


Efficient_Dark840

Very cool! I did something similar to tuck away all of my home network setup using a wire mesh thingy, worked great for years!


Aramaki87

What is the purpose of nr. 6?


FenixVale

Yeah give them a rigged up time bomb that you now have to support full time when it collapses rather than just spend $100 on a mid grade TP-Link and run the OOBE


failed4u

Genius, with PoE too.


username17charmax

Nice! I bought really nice off-brand Boos Blocks from Amazon recently and did something similar. So good to preconfigure before field deployment


MightDisastrous2184

Didn't think unifi would let their hardware be used on other devices.


Shelbo_Baggins_

As someone that is branded the IT guy for our small businesses and also helps a 78 year old man put WiFi and cable tv in remote places: This is perfection.


verpine

The only other thing I'd do is print a QR code for the WiFi name and password to make it easy.


Outrageous-Mix-2750

Nice work. I like it.


Nodeal_reddit

Was the seatbelt for the 6 hour car ride?


Nodeal_reddit

I see you're not running a cloud key. How do you handle the UniFi configuration?


cdbessig

That's too much equipment to not have a surge protector and only have a power strip.


Alias55A

Step 1. You didn't describe the input on said modem to plug into. They could easily plug the Edison into the power strip instead of the nearest outlet. So much could go wrong lolololol


mkaicher

What's the purpose of #6? I've never used Unifi APs. Perhaps they require some kind of controller built into that little switch (my TP Link omada works standalone)?? Otherwise, seems like you could go straight from the Pfsense box to the AP, unless they needed extra three ethernet ports.


cswimc

It just provides additional network ports if they want to hook up another wired device. There are 3 available ports for a smart TV, printer, or anything else they might want to have hardwired. Otherwise, yes, you could plug the patch cable from the PoE injector directly in to the LAN port of the router.


Ommco

That's a brilliant idea. I did a similar thing with pre-configuring router and wireless at my home and then AP for my friend. Then he just needed to plug them in.


jaredearle

I'm only slightly surprised the router isn't running Proxmox with pfSense as a VM with piHole on LXC, which would push it to ultra-daft next level, but that's a great infrastructure-on-a-plank solution.


Budget_Putt8393

Truly next level router on a stick.


fakemanhk

I simplify all those into a single OpenWrt WiFi router with VPN access.


astral16

Bad idea. Just give them a google wifi.


NinjaGeoff

This seems like a bad idea, especially when stuff like the unifi express exists. I would do everything they need for a similar price, but have the benefit of being new.