Room acquired. ;) Oh, you know... stuff. Seriously, it's a necessary upgrade. This place is like a compound, and I'm managing everything across multiple buildings, with multiple VLANs, so it's going to let me increase security, network everything at 2.5 g speeds and above, and have full control over maintenance, managing multiple APs etc. I'm also getting it ready to go mobile (a mobile home lab) when I move and travel, so that's going to be fun. 👀 

 4x10G SPF+, that's a spicy 🔥 setup

Using fiber interlinks between buildings? 

 ✊🏻 

 Nice. 

 I recommend a #Protectli Vault Pro VP2420 4x 2.5G with no WiFi module, coreboot pre-installed, running OPNsense (or pfSense; I prefer OPNsense).

It's a great hardware firewall/router for most home and small business networks. You can install an always-on VPN if you like, assign interfaces, silo networks, assign subnets and static IPs, and generally keep your network monitored and secure.

Put your ISP router in bridge mode, then use the Protectli as your firewall/router.

You can run all interfaces off the same LAN network or get more granular with security through isolation...

Example:

  • LAN interface could be for your trusted devices like your computer, etc.
  • Opt1 could be your NAS or storage (siloed from both networks).
  • Opt2 could be your untrusted devices like IoT devices and for friends to connect to when they come over, etc.

You can then use OPNsense to set up rules for how these networks can and cannot interact with each other.

You can also run switches (large and small, managed or unmanaged) and/or WiFi routers (preferably running OpenWRT) in AP mode off of any of the three interfaces.

https://protectli.com/product/vp2420/ 

 I love my protectli vault with opnsense! 

 Why not an arm router with openwrt? Same result can be achieved with less money and resources. 

 Hardware firewalls running OPNsense on dedicated devices like Protectli offer superior security and advanced routing features. They're built for one job and do it well. 

OpenWRT, primarily designed for Wi-Fi routers, provides flexibility but can struggle when tasked with complex firewall and routing functions. 

While OpenWRT can be configured to do it all, it's not optimal for advanced security setups, similar to all-in-one ISP solutions that prioritize convenience over security. 

Best practice involves separating network functions: use a dedicated hardware firewall/router (like OPNsense) for security and routing, and a separate device running OpenWRT or similar firmware for Wi-Fi. 

This approach ensures each component performs its specialized task efficiently, avoiding the compromises inherent in all-in-one solutions. 

 I gotta do some digging.  I just swapped my Unifi Security Gateway for OpnSense and am experiencing random internet drop offs.  I can still connect to it via the webUI but can't ping out on the WAN, rebooting fixes it for a few hours/days but I need to figure it out.  Are realtek ethernet ports as bad as Reddit makes it sound?  According to then it's Intel or nothing... 

 what do you like about OPnsense over pfSense?  I've been using pfSense since 2015. whenever I try to upgrade I always end up going back.  

 UI is so much better IMO, not to mention the questionable decisions/abuses of trust pfSense has made that has driven users to OPNsense. Both are good. I prefer OPNsense. 

 Thank you for this, much appreciated. I look forward to making this a weekend project in the very near future.