Need help with redesigning my home network

vcth4nh

I want to redesign my home network to:
  1. Segregate devices into 3 VLANs: Main Devices (TVs, PCs, phones, server), IoT Devices, Cameras
  2. Have good wifi coverage and good internet speed to stream movies (I'll set up a Plex server)
  3. Use ISP as modem only, and set up another main router.

All of my devices are cheap and unmanaged. My LAN cables are Cat5e and are inside the wall.
Here is my current home network map (solid line means single LAN cable, dash-line means wireless connection, red box is the device I will 100% replace)
The dump switch and 4th floor wifi router only have 100mbps ports
[Image: current-home-network.drawio.png]
Diagram link: here
I just bought a home server and I'll run Esxi on it.
TV1 and TV2 will stream 4k movies, TV3 will stream FHD

My plan is:
- Install OpenWRT on the TP-Link Archer C50 and move it to the 4th floor, other devices on the 2nd floor will connect to the Asus one
- Replace the dumb switch with a managed switch (haven't decided which model)
- Use ISP as a modem only, and set up a new main wifi router

Here are some questions:
  1. Can I set up a VM to run OpenWRT to replace my ISP router, and buy a wifi router/AP to broadcast wifi? Or should I just grab a router that supports managing my network (VLAN, VPN, QoS, etc.)? Any brand/model recommendation?
  2. Does installing OpenWRT onto my TP-Link Archer C50 make it capable of managing VLAN? Also, I read that OpenWRT makes 2.4ghz signal weak: Archer C50 v4 Mac80211 Loses Internet Access after 20'+ Away from Router But Maintains Connection - Installing and Using OpenWrt / Network and Wireless Configuration - OpenWrt Forum
  3. Any other suggestions?
Thanks a lot!

Edit: update the diagram
 

TLN

You must really like consumer-grade wifi routers.

I'd go with mesh-like network, such as Omada, or Aruba IAP (my setup) and some switches. Most recent articles about 2.5gbe poe switches on this site are very helpful.
You can do server and virtualized VM if you want (and have hardware to do so).
 

NerdAshes

A lot to unpack here... I'll start with your 3 goals.

> 1. Segregate devices into 3 VLANs: Main Devices (TVs, PCs, phones, server), IoT Devices, Cameras

This is very simple to do on most 2010+ routers. "I" would put your phones, tablets and TVs in the "IoT" VLAN. Servers with WAN access in an "Untrusted" untagged LAN (with printers, switches, firewalls and routers). Desktops, Laptops and LAN only servers (file servers, backup targets, container hosts) I'd put in a "Trusted" VLAN. Cameras I'd put in their own VLAN.

> 2. Have good wifi coverage and good internet speed to stream movies (I'll set up a Plex server)

Good WiFi starts with good wireless access points (aka WAP, AP) and a heat map. You need an AP broadcasting at just enough power to cover its area and no more. If you can help it, avoid wireless mesh networks. You'll want an access point in each area of your house that the last access point failed to cover. That's very dependent on your house. Good internet access is up to your wallet and internet service provider. You get what they offer, there is nothing you can do to increase that. Normally they offer junk equipment and charge you monthly for it. You can usually save the monthly fee and upgrade the equipment. Plex, Kodi, Jellyfin whatever, will stream great over your LAN (local area network) regardless of your WAN (wide area network (internet)) speed.

> 3. Use ISP as modem only, and set up another main router.

If you have MoCa (Multimedia over Coax Alliance aka Cable Internet) then you'll have a modem. Normally you can swap the ISP's modem with your own. You can then "bridge" your router/firewall (combo unit normally, if not firewall, then router) with your modem, essentially making the modem invisible.

You bought a server.. cool! What server? Why ESXi?
If your server is streaming 4k to your TVs and FHD to another, you'll need a decent GPU on your CPU or a dedicated card (to transcode the files for FHD TV).

> 1. Can I set up a VM to run OpenWRT to replace my ISP router, and buy a wifi router/AP to broadcast wifi? Or should I just grab a router that supports managing my network (VLAN, VPN, QoS, etc.)? Any brand/model recommendation?

You might be able to set up a VM to run OpenWRT, but you have better options. OPNsense comes to mind. Yes, you should be able to get rid of the ISP router. Yes you should just grab a decent router (with firewall) instead. Your situation screams "UniFi" from Ubiquiti, or TP-Link "Omada", to me. Simple, cheap, reliable, and FAR better than what you're doing now. There are other better, expensive, more complicated options.. but I think UniFi and 4 hours of YouTube will make you very happy.

> 2. Does installing OpenWRT onto my TP-Link Archer C50 make it capable of managing VLAN? Also, I read that OpenWRT makes 2.4ghz signal weak.

OpenWRT can do VLANs. You should keep your 2.4ghz band "narrow", not sure why OpenWRT would affect the signal unless it's making it wider for speed (silly for 2.4ghz these days).

> 3. Any other suggestions?

A few..
Your "Plan" and diagram is a network engineer's nightmare. Not trying to be rude, honestly. It's just a mess of wiring, low end consumer devices and routers. 4 floors!? I bet you're in shape! Is the Cat 5e loose in the walls? Can you use it to pull Cat 6e? It's not too bad, if you can't pull new cable, just limits some LAN speed. It looks like you could use the existing cable to run a single Firewall/Router and a single POE (Power over Ethernet) switch on floor 1. If you can't pull 2 (maybe 3 if you need an AP there) more cables to floor 4 you'll need 2 "unmanaged" (instead of "dump" or dumb) switches. One for floor 3 and one for floor 4. If you can ditch the wired PCs and Cameras for wireless, you can keep your current wiring and install access points on each floor (floor 3's AP would need to be able to link to floor 4's AP (common ability on access points with two Ethernet ports)).

Your budget, house size, housing density, wall composition, wireless device count/density, wireless security needs and networking background would be good to include in this question (I've inferred a bunch of things) ;-)

Best of luck!
 

vcth4nh

Wow, that's a really detailed write-up.
For context, I live in Vietnam, and enterprise-grade devices are not really common here.

> Your budget, house size, housing density, wall composition, wireless device count/density, wireless security needs and networking background would be good to include in this question (I've inferred a bunch of things) ;-)

  • Budget: let's say I can afford 2 Asus RT-AX1800HP (~$60 per 1 here) and 2 TP-Link TL-SG108E (~$34.48 per 1 here). I can also buy used devices. My budget is flexible (+ $100-$150)
  • House information: a small house, but many floors (updated the diagram to match my real house structure). Basically, 1 wifi router can cover 3 floors, e.g. wifi on the 2nd floor can also cover 1st and 3rd
  • Wireless security needs: Does "average security" make sense? I want to control/monitor my network traffic, but don't need something too complicated (like a dedicated firewall). Mostly, I want to separate untrusted devices, personal devices, and cameras, but also learn to control, monitor, and design networks.
  • My background: I have a good IT background, and I'm starting to learn networking (currently intermediate level, I would say). So I believe I can research to do xyz on my own. However, I want experienced people to point me in the right direction.

> "I" would put your phones, tablets and TVs in the "IoT" VLAN

What if I want to stream from my PCs/phones/tablets/Plex server to my TV?

> If you can help it, avoid wireless mesh networks

Can you explain more? I really like the concept of mesh network.

> If you have MoCa (Multimedia over Coax Alliance aka Cable Internet) then you'll have a modem. Normally you can swap the ISP's modem with your own

This is the first time I've heard of "MoCa", and it's not possible to use my own modem in my country. I will make the ISP modem "modem only" and bridge it with my router (maybe a real router, or a router OS in my VM)

> You bought a server.. cool! What server? Why ESXi?

My server information:
  • Dual CPU Xeon server, with Supermicro X10 DAI mobo (I built it myself, not a prebuilt enterprise rack)
  • Not exposed to the Internet (yet)
  • Used to host Plex and run VMs to serve my research purpose.

> You might be able to set up a VM to run OpenWRT, but you have better options. OPNsense comes to mind. Yes, you should be able to get rid of the ISP router. Yes you should just grab a decent router (with firewall) instead. Your situation screams "UniFi" from Ubiquiti, or TP-Link "Omada", to me. Simple, cheap, reliable, and FAR better than what you're doing now. There are other better, expensive, more complicated options.. but I think UniFi and 4 hours of YouTube will make you very happy.

So you're saying I should use both OPNsense and a UniFi router? Also, thanks for the recommendation. I'll look into it to see which UniFi router is available in my country.
Also, should I use wifi router or an AP+normal router to replace the ISP router?

> It's just a mess of wiring, low end consumer devices and routers. 4 floors!? I bet you're in shape! Is the Cat 5e loose in the walls? Can you use it to pull Cat 6e?

Yea I know xD . My father built this house in 2013, tho. And I cannot replace the wire, nor pull new cable across floors.

> It looks like you could use the existing cable to run a single Firewall/Router and a single POE (Power over Ethernet) switch on floor 1

You suggest POE, so is it a must or a should to use a POE switch?

> you'll need 2 "unmanaged" (instead of "dump" or dumb) switches. One for floor 3 and one for floor 4.

If I use unmanaged switches on floor 3 and 4, how can I use VLANs for IoT devices and cameras on floor 4?

> If you can ditch the wired PCs and Cameras for wireless

Sadly, the cameras on the 4th floor don't support wifi (and I also cannot replace the cameras)

In addition, what about a Wi-Fi router (or AP?) that supports Guest Network mode (like my Archer C50)? Should I use that instead of VLANs for untrusted devices?
 

NerdAshes

> My budget is flexible (+ $100-$150)

My brain is going to have a hard time with that budget. I can respect it, but I'm not going to have a lot of knowledge of products in that price range.

> 1 wifi router can cover 3 floors.

That'll help the budget.

> Does "average security" make sense?

I guess? I was more looking for what potential threats you might have to your WiFi network. IE: Rogue APs or thieves jamming your WiFi cameras.

> I have a good IT background, and I'm starting to learn networking (currently intermediate level, I would say). So I believe I can research to do xyz on my own.

A good IT background and will to learn should be plenty!

> What if I want to stream from my PCs/phones/tablets/Plex server to my TV?

You'll create firewall/traffic rules to enable certain device's/network's traffic to pass through other rules you'll create. Set up correctly, you'll have no issues streaming from/to the IoT network.

> Can you explain more? I really like the concept of mesh network.

Mesh networking can be great if it's needed (it may be a benefit to you). It also creates more traffic/signal interference and slows down overall speeds (you need to create a wireless backbone for the APs to talk over). There is more to learn - you should read up on it if you're into it.

> I will make the ISP modem "modem only" and bridge it with my router (maybe a real router, or a router OS in my VM).

Sounds good. I'd do the VM option in your situation. I'd still look into OPNsense as the solution.

> So you're saying I should use both OPNsense and a UniFi router?

No. If you're going VM, I'd go OPNsense and if you're going with a real router (that is beginner friendly and includes everything you might need) UniFi gear is good for your use case. That said, given your budget and that you already have a server.. I'd go VM.

> Also, should I use wifi router or an AP+normal router to replace the ISP router?

I thought you couldn't replace it in your country? Consumer grade WiFi/Router/Firewall combo units are almost always horrible at doing any of those jobs. Separate Router/Firewall (They are normally combined these days, but don't have to be) and a separate AP is normally far superior in every way. There is always an exception to every rule but I've not heard of it in this case.

> I cannot replace the wire, nor pull new cable across floors.

Your Cat5e will do fine in this case.

> You suggest POE, so is it a must or a should to use a POE switch?

Not a must. A really nice to have.

> If I use unmanaged switches on floor 3 and 4, how can I use VLANs for IoT devices and cameras on floor 4?

Unmanaged switches can still forward VLAN traffic. You'll just have to set up your managed switch that sends packets to the unmanaged switch correctly. Your AP will handle the IoT traffic just fine.

> Sadly, the cameras on the 4th floor don't support wifi.

That's fine. How about the TV and the PCs? Can you use a usb WiFi adapter?

> In addition, what about a Wi-Fi router (or AP?) that supports Guest Network mode (like my Archer C50)? Should I use that instead of VLANs for untrusted devices?

I guess it depends on how the Guest vLAN is done? Many people put the IoT network on the Guest vLAN. Often Guest vLAN just means it already has firewall rules like vLAN Isolation and Device Isolation with maybe a landing page. I personally just set up my firewall and networks manually and would only use a built-in Guest Network if I was setting up a hotel.
 

vcth4nh

> My brain is going to have a hard time with that budget. I can respect it, but I'm not going to have a lot of knowledge of products in that price range.

Sorry, in total it should be around $300 to $350. The price and the concept of cheap/expensive are different from country to country, so I think I will give an example of what I can buy with my budget in my country.
For reference, with that budget, I can afford
  • 2 Asus RT-AX1800HP (~$60 per 1 here) and 2 TP-Link TL-SG108E (~$35 per 1 here), plus $100-$150 more, or
  • 4 Ubiquiti EdgeRouter X Router (~$89 per 1), or
  • 2 Aruba 515 (~$120 per 1), plus $100 more

> I was more looking for what potential threats you might have to your WiFi network. IE: Rogue APs or thieves jamming your WiFi cameras.

Well, I'm just paranoid about the China IoT stuff I have at home, so I want to separate it from my other devices, especially the cameras. Also, I want to learn to control a small home network.

> Unmanaged switches can still forward VLAN traffic

Oh that's nice to hear. What about trunked VLAN? Because I'll need to pull IoT VLAN + Camera VLAN + Trusted VLAN to the 4th floor in one single cable. What will happen if I use an unmanaged switch on the 3rd floor, 1 port goes to my PC 2, 1 port goes to the 4th floor? Will my PC 2 be able to access the correct VLAN?

> I thought you couldn't replace it in your country?

I got a modem/router/wifi/firewall combo from my ISP. I can't replace the modem, but I can set up my own router and everything else.

> That's fine. How about the TV and the PCs? Can you use a usb WiFi adapter?

I can do wifi on TV, but on PC? I mean I can buy a wifi adapter, but which wifi should I connect my PC to to have a different VLAN than my cameras and IoT stuff?

> I personally just set up my firewall and networks manually and would only use a built-in Guest Network if I was setting up a hotel.

Okay, you really got me thinking about whether I should pay more attention to the firewall (routers should have a firewall built-in, right? Or do I need to buy a dedicated firewall?). Do I have to configure each device in the firewall manually? Because sometimes guests come to visit and ask for the wifi, and sometimes I buy random IoT stuff to test.
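
The trunk question in the post above (IoT, camera and trusted VLANs on one cable through an unmanaged 3rd-floor switch), worked as an added example that is not part of the original posts: a Python model of 802.1Q tagging that compares a VLAN-unaware switch with a managed access port. The VLAN IDs 10/20/30, the MAC address, and the untagged-only access-port behaviour are assumptions chosen for illustration.

```python
import struct

TPID_8021Q = 0x8100          # EtherType value that marks an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800
# Constructed VLAN IDs for the thread's three networks (assumed values).
VLANS = {"trusted": 10, "iot": 20, "cameras": 30}
BROADCAST = b"\xff" * 6
SRC_MAC = bytes.fromhex("020000000001")   # constructed, locally administered


def build_frame(payload, vid=None):
    """Ethernet II frame; if vid is given, insert an 802.1Q tag after the MACs."""
    header = BROADCAST + SRC_MAC
    if vid is not None:
        if not 1 <= vid <= 4094:
            raise ValueError("VLAN ID must be 1..4094")
        header += struct.pack("!HH", TPID_8021Q, vid)   # PCP/DEI bits left 0
    return header + struct.pack("!H", ETHERTYPE_IPV4) + payload


def parse_vid(frame):
    """Return the 12-bit VLAN ID of a tagged frame, or None if untagged."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != TPID_8021Q:
        return None
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    (tci,) = struct.unpack_from("!H", frame, 14)
    return tci & 0x0FFF


def unmanaged_port(frame):
    """Assumed model of a VLAN-unaware switch: the frame passes unchanged."""
    return frame


def access_egress(frame, port_vid):
    """Managed access port, toward the host: only its VLAN, tag stripped."""
    if parse_vid(frame) != port_vid:
        return None
    return frame[:12] + frame[16:]


def access_ingress(frame, port_vid):
    """Managed access port, from the host (modelled as untagged-only):
    drop frames that arrive tagged, tag the rest with the port's VLAN."""
    if parse_vid(frame) is not None:
        return None
    tag = struct.pack("!HH", TPID_8021Q, port_vid)
    return frame[:12] + tag + frame[12:]


def seen_by_pc2(managed):
    """What reaches PC 2 when one broadcast per VLAN arrives on the trunk."""
    seen = []
    for name, vid in VLANS.items():
        frame = build_frame(name.encode(), vid)
        out = access_egress(frame, VLANS["trusted"]) if managed else unmanaged_port(frame)
        if out is not None:
            seen.append((name, parse_vid(out)))
    return seen


def vlan_on_trunk(host_frame, managed):
    """Tag the uplink sees for a frame sent into the PC 2 port
    ('untagged' = left to the upstream port's native VLAN)."""
    out = access_ingress(host_frame, VLANS["trusted"]) if managed else unmanaged_port(host_frame)
    if out is None:
        return "dropped"
    return parse_vid(out) or "untagged"


if __name__ == "__main__":
    print("unmanaged:", seen_by_pc2(managed=False))
    print("managed:  ", seen_by_pc2(managed=True))
```

In this model the unmanaged switch hands PC 2 all three VLANs with their tags intact, so separation on floors 3 and 4 rests on each end device rather than on the switch; the managed access port delivers only the trusted VLAN and decides the VLAN of whatever the host sends.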
 

NerdAshes

Here is what I would do..

Using Ubiquiti UniFi gear since there is a TON of help and videos to set it all up.

Dream Router UDR, Built-in WiFi 6 AP, Integrated 4-port switch with (2) PoE ports & 128 GB SSD & microSD card slot for NVR.
I'd install that on the second floor connected to the ISP modem and your server. The other ports would connect to the 1st Camera and the 3rd floor switch (using a POE port).

Flex Mini USW-Flex-Mini A compact, 5-port, Layer 2 switch that can be powered with PoE.
I'd put that on the 3rd floor, connected to your 4th floor switch.

Lite 8 PoE USW-Lite-8-POE, An 8-port, Layer 2 PoE. 4 GbE PoE+ & 4 GbE non-POE ports.
I'd put this on the 4th floor connected to the 4th floor Camera and another AP.

U6 Lite Compact, ceiling-mounted WiFi 6 AP. Powered using PoE from the USW-Lite-8-POE.

I'd put your TVs and PCs on WiFi. I'd sell your other gear to cover as much of this cost as you can. This should be close to your budget. It would get you a good start on software-defined networking and a far better experience than you have now. There will be a learning curve, but nothing too crazy and you'll meet all your goals and more.

Should look like this.
[Image: MiniLAN.jpg]
 

vcth4nh

Haha thanks! I'll definitely look into Ubiquiti gear! Really appreciate the diagram suggestion.