Router recommendations

CJ133

Getting the hang of it
Joined
Jul 18, 2019
Messages
54
Reaction score
30
Location
NJ USA
How bad is a Netgate SG 2100?
 
Joined
Apr 26, 2016
Messages
1,048
Reaction score
746
Location
Colorado
In that video, check the 7 minute mark for a really good summary of the SG-1100 ($179) or SG-2100 ($229). Recognize you are buying a lower power device at a premium, but officially supported and with the newest pfSense software. Also I don't believe either provide any wifi connectivity so plan accordingly.
 

eeeeesh

BIT Beta Team
Joined
Jan 5, 2017
Messages
285
Reaction score
437
Correct - costs are going to be a little higher than just building something yourself because it's an officially supported product. I considered one of their devices, but with the SG-2100 for example, I have no use for the SFP port, and I didn't like the fact that, unless I am wrong, the four ports are basically just a built-in 'switch', though I think you can set up VLANs for each of the ports. I wanted to go with physical subnets, which is one of the main reasons for going with something like the Protectli.

And yes, router only. You could either repurpose your old router as an access point or buy a dedicated access point. Something like this would work (link below). I am actually using a 3-piece Orbi Mesh system for my main wifi and my old router as the unsecured wifi. A lot of people tout the UniFi products. I purchased a UniFi NanoHD ($160), but my old router in AP mode provided a better signal. Also, you had to run their software on a computer or buy their Cloud Key to configure it. I found it very clumsy to use, it did not perform well, and I returned it.

 

Jay Roman

Getting the hang of it
Joined
Mar 18, 2021
Messages
102
Reaction score
37
Location
USA
I am new to all this networking gibberish.

Is a router more preferred than a switch when it comes to IP cams?

Is it just personal preference? I understand they operate at different layers of the OSI model.

I bought a Cisco WS-C3560X-24P-L; should I have gone with a router instead?
 
Joined
Dec 28, 2019
Messages
4,704
Reaction score
9,421
Location
New Jersey
It's best to keep the cameras and PC on a switch and avoid running all the data through a router. Regular routers, like ISP-supplied ones, just don't have the bandwidth capacity to handle the many constant video streams that IP cameras generate.
 

JNDATHP

Getting comfortable
Joined
Oct 16, 2018
Messages
652
Reaction score
1,408
Location
USA
I started slowly with UniFi equipment and ended up going all in. Finished with a USG in late 2017 and have to say that we are very happy with their ecosystem. Everything just works.

We have a two story, 1800 sq ft house and have one AP mounted to the upstairs loft ceiling and the other to the garage ceiling where we also have a UniFi 8x150 switch. The garage gets hot in our high desert climate but it keeps on ticking.

 

JNDATHP

Getting comfortable
Joined
Oct 16, 2018
Messages
652
Reaction score
1,408
Location
USA
@runraid thanks for the link though I have made the recommended changes. My phone beeps with so many 2FA texts it drives some crazy.
 

Jessie.slimer

BIT Beta Team
Joined
Aug 23, 2019
Messages
1,381
Reaction score
3,890
Location
Illinois
What would you guys suggest for a relatively low-cost router with built-in VPN and VLAN support? As a non-network guru with no programming ability, I'd like it to have a GUI to set up the VPN and VLAN to isolate my IoT devices.

I have an Asus 86U now, and I see that it will do VLANs if I use Merlin firmware, but from what I understand it won't have a GUI.
 
Joined
Apr 26, 2016
Messages
1,048
Reaction score
746
Location
Colorado
I know you are asking for a recommendation for a different router, but I find the ASUS routers to be a pretty good consumer solution. I definitely would recommend them (and do use them) for VPN access via OpenVPN. I know it doesn't specifically tackle the VLAN feature you asked about, but it might still be able to basically accomplish your goals.

I would configure each IoT client to block internet access by navigating to:
  • Network Map\Clients
  • Client Status
  • Select the client
  • Toggle Block Internet Access
I would configure ALL IoT devices to just have their internet access blocked entirely (if supported by the product).
I tried this myself for IP cameras, but found that while it blocked the cameras' video going to the internet, it also blocked video going over the site-to-site VPN, which for my use case wasn't a good option. There was a workaround using manual iptables configs, but I haven't figured it out just yet.
 

Jessie.slimer

BIT Beta Team
Joined
Aug 23, 2019
Messages
1,381
Reaction score
3,890
Location
Illinois
Yeah I really like this router and has worked really well on openvpn. My IoT and untrusted devices still need internet access to function though. I just don't want them to be able to access my computers or anything else with sensitive information on my network. I wonder if there is a way to use a second low end Netgear Nighthawk router I have laying around and put those devices on that router, and route all that traffic through the Asus directly to the internet.
 

JNDATHP

Getting comfortable
Joined
Oct 16, 2018
Messages
652
Reaction score
1,408
Location
USA
Just another reason to 'stay away' from anything Cloud based. You put your security in some other person/companies hands. Learn to secure your own network to the best of your ability. I for one, will never have anything Cloud based.
UniFi is not cloud based. I have an account with UniFi for other reasons.
 

wittaj

Known around here
Joined
Apr 28, 2019
Messages
4,597
Reaction score
5,864
Location
USA
Yeah I really like this router and has worked really well on openvpn. My IoT and untrusted devices still need internet access to function though. I just don't want them to be able to access my computers or anything else with sensitive information on my network. I wonder if there is a way to use a second low end Netgear Nighthawk router I have laying around and put those devices on that router, and route all that traffic through the Asus directly to the internet.
Not a perfect solution, but putting all your untrusted devices and IoT on a guest network in the Asus router will keep them off your other network.

The problem with adding another router downstream of the Asus router is that everything connected to the downstream router can access the upstream router. I thought of that option first as well and read that this doesn't solve it, and sure enough I was able to access the Asus router settings through a device connected to the downstream router.
 
Joined
Apr 26, 2016
Messages
1,048
Reaction score
746
Location
Colorado
edit: I think "Guest Network" @wittaj recommended would be what I would try.

Play dumb and get lucky option: hook up a second distinct network router
Check if your ISP allows you to connect multiple devices to your single internet connection (i.e. thinking a switch in front of two routers to accomplish your separation goal). I have never personally encountered one that would allow it, but maybe you get lucky.
If your ISP provides your modem and it has multiple ports but your current internet only uses one of them, you could call them and "play dumb" asking them to turn on an inactive port to hook up "just one more device" (of course you will be hooking up a router with numerous IOT devices but they shouldn't need to know that).

Double NAT
Another possible option is double-NAT your entire home network behind two routers with NAT (beware double NAT can cause some hard to troubleshoot problems):
WAN--------Router 1 (IOT) ------- Router 2 (HOME LAN)
If you reversed the routers and put Router 1 behind Router 2 then you aren't actually isolating IOT from HOME networks like @wittaj mentioned above plus all the IOT devices would be double-NAT (depending on the device this could be a problem).

ASUS DMZ
I researched whether the ASUS DMZ might work, but everything I read says that if the DMZ hosts are on your primary LAN subnet (IoT devices plugged into your network), then if they were compromised they could launch attacks against your regular devices. (So, bad news.)

The "Longshot" - Custom Firmware + special routing rule
I found an article that describes a simple way and a more complicated way (VLAN) to set up ASUS routers for LAN-side separation, which might save you from needing to buy additional equipment. Here: LAN port isolation (port-based VLAN) on ASUS RT-AX88U with Asuswrt-Merlin 384.16
Without a working ASUS router available to test, I don't know whether Merlin firmware would be required or not. He supposedly does what you want with this command:
Code:
# eth3 maps to LAN port 2 on AX88U
ebtables -A FORWARD -i eth3 -o br0 -j DROP
The best option if you can afford to do it
Probably a better option would be some different firewall device that supports exactly what you want (VLANs, OpenVPN etc), and then repurpose the ASUS router as just a wifi access point (not router mode). Depending when you bought it that's probably a sour pill to turn your high end ASUS router into a dumb AP.
 
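The iptables workaround mentioned earlier (cameras blocked from the Internet but still allowed over the site-to-site VPN) and the LAN-side isolation discussed in this post both come down to a short first-match forwarding policy whose rule order is easy to get wrong. The following is an added example, not code from anyone in this thread nor from ASUS or Asuswrt-Merlin: it models such a policy in Python, decides the handful of flows that matter, and renders the equivalent iptables commands. All subnets and interface names (br0 for the home LAN, br1 for the IoT bridge, 192.168.50.0/24, 10.8.0.0/24) are assumptions chosen for the example.

```python
"""Sanity-check an IoT-isolation FORWARD policy before typing it into a router.

Added example for this thread; it is not code from any poster, from ASUS or
from Asuswrt-Merlin.  Every address and interface name is an assumption:
  home LAN    192.168.1.0/24  on bridge br0
  IoT / cams  192.168.50.0/24 on bridge br1 (separate VLAN or guest bridge)
  VPN peer    10.8.0.0/24     (site-to-site tunnel)
  Internet    anything outside RFC 1918
Rules are evaluated first-match, as in an iptables chain; the chain policy
decides when nothing matches.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

Net = ipaddress.IPv4Network
ANY = Net("0.0.0.0/0")
RFC1918 = (Net("10.0.0.0/8"), Net("172.16.0.0/12"), Net("192.168.0.0/16"))
HOME, IOT, VPN = Net("192.168.1.0/24"), Net("192.168.50.0/24"), Net("10.8.0.0/24")


@dataclass(frozen=True)
class Rule:
    src: Net
    dst: Net
    action: str                     # "ACCEPT" or "DROP"
    in_iface: Optional[str] = None  # None matches any ingress interface
    established: bool = False       # conntrack ESTABLISHED,RELATED match
    comment: str = ""


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    in_iface: str
    reply: bool = False             # packet belongs to a connection already seen


def evaluate(rules: List[Rule], flow: Flow, policy: str = "DROP") -> str:
    """Action of the first rule matching the flow, else the chain policy."""
    s, d = ipaddress.IPv4Address(flow.src), ipaddress.IPv4Address(flow.dst)
    for r in rules:
        if r.in_iface not in (None, flow.in_iface):
            continue
        if r.established and not flow.reply:
            continue
        if s in r.src and d in r.dst:
            return r.action
    return policy


def iot_rules(allow_internet: bool, vpn_first: bool = True) -> List[Rule]:
    """Isolation policy for the IoT segment.

    allow_internet=False is the camera case: cameras may reach only the
    site-to-site VPN subnet.  allow_internet=True is the "IoT needs the
    Internet but must never see my PCs" case.  vpn_first=False reproduces
    the ordering mistake where the VPN ACCEPT is shadowed by the 10/8 DROP.
    """
    vpn = [Rule(IOT, VPN, "ACCEPT", "br1", comment="cams -> VPN peer")]
    private = [Rule(IOT, n, "DROP", "br1", comment="IoT -> private") for n in RFC1918]
    rules = [Rule(ANY, ANY, "ACCEPT", established=True, comment="replies")]
    rules += (vpn + private) if vpn_first else (private + vpn)
    if allow_internet:
        rules.append(Rule(IOT, ANY, "ACCEPT", "br1", comment="IoT -> Internet"))
    rules.append(Rule(HOME, ANY, "ACCEPT", "br0", comment="home LAN -> anywhere"))
    return rules


def render_iptables(rules: List[Rule], chain: str = "FORWARD") -> List[str]:
    """Render the model as iptables commands, ready to paste into a script."""
    out = []
    for r in rules:
        p = ["iptables", "-A", chain]
        if r.in_iface:
            p += ["-i", r.in_iface]
        if r.established:
            p += ["-m", "conntrack", "--ctstate", "ESTABLISHED,RELATED"]
        p += ["-s", str(r.src), "-d", str(r.dst), "-j", r.action]
        if r.comment:
            p += ["-m", "comment", "--comment", '"%s"' % r.comment]
        out.append(" ".join(p))
    return out


def check_isolation(rules: List[Rule]) -> dict:
    """Decide the flows that matter; compare the result with your intent."""
    flows = {  # constructed sample flows, not captured traffic
        "cam_to_vpn":     Flow("192.168.50.10", "10.8.0.20", "br1"),
        "cam_to_home":    Flow("192.168.50.10", "192.168.1.25", "br1"),
        "cam_to_other10": Flow("192.168.50.10", "10.9.9.9", "br1"),
        "cam_to_inet":    Flow("192.168.50.10", "203.0.113.7", "br1"),
        "home_to_cam":    Flow("192.168.1.25", "192.168.50.10", "br0"),
        "cam_reply":      Flow("192.168.50.10", "192.168.1.25", "br1", reply=True),
    }
    return {name: evaluate(rules, f) for name, f in flows.items()}


if __name__ == "__main__":
    for allow in (False, True):
        print("allow_internet=%s: %s" % (allow, check_isolation(iot_rules(allow))))
    print("\n".join(render_iptables(iot_rules(allow_internet=True))))
```

Two caveats that the model makes visible: the VPN ACCEPT has to sit above the 10.0.0.0/8 DROP or it is never reached (run it with vpn_first=False to see the camera-to-VPN flow drop), and the FORWARD chain only governs routed traffic. Devices sharing one bridge talk to each other without ever hitting these rules, and reaching the router's own admin page is an INPUT-chain question, which is why a real VLAN, a guest bridge, or the ebtables line quoted above is still needed for the "downstream router" problem described earlier.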
Joined
Sep 29, 2020
Messages
26
Reaction score
0
Location
USA
Has anyone dived into the TP-Link Omada train? Seems like a UniFi knock-off with a lower price point.
 

avspin

Getting the hang of it
Joined
Jan 18, 2021
Messages
90
Reaction score
50
Location
Reno, NV
Has anyone dived into the TP-Link Omada train? Seems like a UniFi knock-off with a lower price point.
I use Omada. I have four EAP245s and a cloud controller that gives me a mesh network all over my home. But I use an ASUS router. So far I love the Omada mesh, no issues for about a year. All three of my wifi cameras are connected through them.
 
Joined
Sep 29, 2020
Messages
26
Reaction score
0
Location
USA
I use Omada. I have four EAP245s and a cloud controller that gives me a mesh network all over my home. But I use an ASUS router. So far I love the Omada mesh, no issues for about a year. All three of my wifi cameras are connected through them.
Good to know. Does your Asus router have VLAN and VPN abilities?
 