Are my router, switch, and AP plans ok?


BrockSamson

New Member
Dec 7, 2022
I am switching from a consumer wifi router to a proper network and have no router, no switches, and no APs. I think I have an OK plan but am looking for critiques and suggestions. I've attached a picture with my current (left) and potential future (right) network structure.

Now: Start with an Omada TL-SG2210MP which is affordable and should cover all my current needs.
Later: Eventually, add one or more additional switches with some form of multi-gig. It may be several years from now, or if I end up needing additional APs or PoE cameras then it could be next month. The Omada TL-SG3210XHP-M2 seems like it would meet my future needs, but I have serious questions about its reliability. Perhaps the newer revisions are better.
AP: I was thinking that a single centrally located Omada EAP670 might work for my house. I don't need the speed itself but the numbers that I understand and the reports I've read seem to indicate that it has a better signal strength. I'm also considering adding an EAP610-Outdoor for my yard depending on how the EAP670 reaches.
Router: I was thinking of opnSense on an R86S-G1, whatever i226-V router Gowin is coming out with next month, an iKoolCore R1 for only $220, or maybe even build something on an ASRock J4125B-ITX, which has a PCIe 2.0 x2 slot that would support a 2x 2.5G Intel NIC. I only have 400 Mbit service and don't see going above gigabit anytime soon. My main consideration is mostly for potential east/west VLAN traffic.

Thoughts? I'm open to anything within a similar price range. I'd prefer new equipment to used, and although people love Protectli and similar devices, I don't love the higher cost for 25-50% of the performance compared to the options above. Nothing is ruled out though. I don't want to spend $400-800 and end up with some bottlenecks or fatal flaws.
 


DavidWJohnston

Active Member
Sep 30, 2020
Sounds reasonable. You may already know, but hopefully this helps:

It looks like that switch does not have L3 routing capability (most of this type don't). The mini-PC opnSense routers may be able to route at close to 1G, but the total east-west (inter-VLAN) capacity will also be limited to 1G due to the trunk NIC only being 1G, with all routing needing to pass through it. A faster CPU in the router machine will not help because it's bottlenecked by the NIC.

For example, if you have devices A&B talking across VLANs, and simultaneously C&D talking across VLANs, both conversations need to share the 1G NIC on the router. Whereas on a flat network, A&B + C&D could both be 1G each. (1G switches usually have at least 10Gbps of backplane capacity.)

Of course the north-south traffic is also handled by the trunk NIC as well as east-west. So it's really a 1G limit for NS & EW traffic together.

The maximum packet-per-second forwarding rate of the router may be a bottleneck as well. This may be less of a concern, but it depends on your workload.

The best way to achieve good L3 routing speeds is with a L3-capable switch. This way, routing is done on the super-fast ASIC (switching silicon) instead of in software on a CPU. For 10Gbps and higher it's pretty much essential.

So ultimately, I think your plan will work; if your total routed workload (inter-VLAN + North-South) doesn't need to approach 1G, you should be OK. Even so, for future expansion, consider this as a potential bottleneck.

Good Luck!
 

BrockSamson

New Member
Dec 7, 2022
It does help, yes; thank you. How would this be changed to make it a more "flat" network? Would that require an L3-capable switch to handle routing the inter-VLAN traffic? Or would it just be a different layout and quantity of switches and connections?

This is my expected traffic:
  • Office computer connecting to internet
  • Office computer transfer to/from NAS
  • Wi-Fi clients (phones, TVs, etc.) connecting to internet and nothing else
  • Persistent 30-50 Mbit/s of security camera feeds to NVR (on mini PC) and then to NAS
My office computer and NAS are both gigabit and my internet service is only 400 Mb/s, so internet traffic from all devices and transfers between my office and NAS shouldn't present any additional bottlenecks compared to what I have now. Obviously anything going to WAN would go through the router, but Office<->NAS should, I think, stay on the switch and never hit the router at all as long as it's the same VLAN, right? The only thing I'm not sure about is the camera feeds. I think that either the camera-to-NVR (VM on mini PC) or the NVR-to-NAS might have to go through the router since the cameras would be on a separate VLAN, but maybe I can do this on the virtual switch in Proxmox as it needs to get a trunk with multiple tags anyway for the various VMs it hosts. Or have I got it wrong somewhere?
 

DavidWJohnston

Active Member
Sep 30, 2020
A "flat" network is one that's a single segment with no VLANs, like the LAN-side of a typical home network. Networks are either flat or non-flat; either they have VLANs or they don't. The moment you have VLANs, you need a router.

East-west traffic on the same VLAN stays on the switch and does not go through the router. Ex: If your office computer and NAS are on the same VLAN, traffic between them does not pass through the router.

In general, you want a CCTV system to be robust, so just remember that if your opnSense box dies, reboots, etc, your CCTV recording could be interrupted depending on how the devices are arranged across VLANs. If you have Cameras -> NVR -> NAS, if any of the "->" connections cross VLANs, those connections will fail when the opnSense router fails. Consider the impact that would have.

Whether you're talking about VMs (even on the same host) or physical devices, if their traffic is going between VLANs, it needs to go through a router; in your case opnSense. The Proxmox virtual switch understands VLAN tags, but that's L2-only (same segment). When you're routing between VLANs, that's L3 and needs a router.

From your list of devices, I would say the 1G limit on the opnSense is probably not going to be a problem until more devices are added. But keep in mind the outage potential.
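The two replies above make a capacity argument (every inter-VLAN and WAN flow shares the router's single 1G trunk NIC, while same-VLAN flows stay on the switch and an L3 switch routes in hardware) and an availability argument (any flow that crosses VLANs dies with the router). The following is an added example, not code from the thread or from any vendor: a small model that allocates link capacity to a set of constructed flows by max-min fair share. The flow names, VLAN names and link speeds are made up to mirror the thread's scenarios.

```python
"""Capacity model for the router-on-a-stick design discussed in the thread.

Constructed example: the flows, VLAN names and link speeds below are invented
to mirror the thread's scenarios; nothing here is measured from real hardware.
"""
from dataclasses import dataclass

GBIT = 1000.0  # Mbit/s; the router's single 1G trunk NIC
WAN = "WAN"    # pseudo-VLAN marking north-south (internet) traffic


@dataclass(frozen=True)
class Flow:
    name: str
    src_vlan: str
    dst_vlan: str   # WAN marks a north-south flow
    demand: float   # Mbit/s the flow would use if nothing limited it


def max_min_share(demands: dict, capacity: float) -> dict:
    """Split `capacity` among flows by max-min fairness: flows that ask for
    less than an equal share get all of it, the leftover is shared equally
    among the rest."""
    result, remaining, cap = {}, dict(demands), capacity
    while remaining:
        fair = cap / len(remaining)
        satisfied = {n: d for n, d in remaining.items() if d <= fair}
        if not satisfied:                      # everyone wants more than the fair share
            result.update({n: fair for n in remaining})
            break
        for n, d in satisfied.items():
            result[n] = d
            cap -= d
            del remaining[n]
    return result


def allocate(flows, trunk_mbit=GBIT, wan_mbit=400.0, l3_switch=False, router_up=True):
    """Return {flow name: achieved Mbit/s}.

    Same-VLAN flows never leave the switch and get their full demand (a 1G
    switch's backplane far exceeds any single port). Flows that must cross
    the router share its one trunk NIC. With an L3 switch, inter-VLAN flows
    are forwarded by the switch ASIC and only WAN flows touch the router. If
    the router is down, every flow that depends on it gets zero.
    """
    achieved, via_router = {}, {}
    for f in flows:
        if f.src_vlan == f.dst_vlan:
            achieved[f.name] = f.demand        # switched locally at L2
        elif f.dst_vlan != WAN and l3_switch:
            achieved[f.name] = f.demand        # routed in switch hardware
        elif not router_up:
            achieved[f.name] = 0.0             # router outage: path is gone
        else:
            via_router[f.name] = f.demand
    # WAN flows are capped by the internet link before they reach the trunk
    by_name = {f.name: f for f in flows}
    wan_demand = {n: d for n, d in via_router.items() if by_name[n].dst_vlan == WAN}
    via_router.update(max_min_share(wan_demand, wan_mbit))
    # everything left competes for the single trunk NIC
    achieved.update(max_min_share(via_router, trunk_mbit))
    return achieved


def thread_example(l3_switch=False, flat=False):
    """A<->B and C<->D each want a full 1G, as in the first reply."""
    vlan_b = "vlan10" if flat else "vlan20"
    flows = [Flow("A->B", "vlan10", vlan_b, GBIT),
             Flow("C->D", "vlan10", vlan_b, GBIT)]
    return allocate(flows, l3_switch=l3_switch)


def home_example(router_up=True):
    """The original poster's expected traffic (hypothetical VLAN layout)."""
    flows = [
        Flow("office->internet", "office", WAN, 400),
        Flow("office<->nas", "office", "office", GBIT),
        Flow("wifi->internet", "wifi", WAN, 100),
        Flow("cameras->nvr", "cctv", "servers", 50),
    ]
    return allocate(flows, router_up=router_up)


if __name__ == "__main__":
    print("router-on-a-stick:", thread_example())
    print("L3 switch:        ", thread_example(l3_switch=True))
    print("flat network:     ", thread_example(flat=True))
    print("home, router up:  ", home_example())
    print("home, router down:", home_example(router_up=False))
```

With router-on-a-stick the two cross-VLAN conversations get 500 Mbit/s each; on a flat network or with an L3 switch each gets the full 1000. For the poster's own traffic the trunk is nowhere near saturated, but taking the router down zeroes the camera-to-NVR flow while office-to-NAS traffic on the same VLAN is unaffected, which is the outage case to plan for.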
 

BrockSamson

New Member
Dec 7, 2022
Awesome, thanks for this info; it's really helpful.

I'm not actually sure how the cameras will work yet, but that's good info about the cross-VLAN routing potentially bringing it down.

Now I just need to find an actual router.
 

sic0048

Active Member
Dec 24, 2018
I think your router/firewall hardware and Wi-Fi AP choices are fine. I would suggest that you forgo the TP-Link switch, however, and buy something that is more enterprise quality, even if that means buying something used off eBay. There are tons of enterprise-quality switches being sold on eBay, not because they are bad, but because the company needed something more powerful or newer. This will give you everything you need today and give you room to grow without having to replace the switch in the future.

There are lots of switch threads on this site that go into the ins and outs of various switch models. Currently there is one on the Brocade brand switches, which seem to be very popular. https://forums.servethehome.com/ind...be-40gbe-switching.21107/page-417#post-371139