Apologies for the late reply. First off, I just want to thank sirozha for taking the time to provide all this great insight. It’s been truly informative. I’ve also read through the discussion between sirozha and thisisnotmyname and have found some great advice. I actually agree with the points both of you made, so although I have a much better understanding of these systems, I’m unsure what would make better sense for my use case. I wholeheartedly agree with sirozha’s philosophy of building a robust network but I’m also contemplating thisisnotmyname’s point about the cost of doing so. If I may ask, I’d like to present my use case and get some feedback from both of your viewpoints on what setup you’d recommend. I really appreciate all this help.
My goal is to setup a very secure and private network that is robust enough to expand into over time. Along with throughput, latency is also important to me. I would like remote access if it’s not a compromise. I’d like the option to convert at least 3 currently wireless devices to wired, ability to create multiple networks like a guest network and possible others, add future network external storage connectivity, future VPN setup, possibly future self-monitored camera security. I’m not one who opts to buy the latest new thing. I’d much rather have a quality setup that will be supportive of upgrades for years to come, which I understand isn’t always possible with technology.
This is for a home environment. It would be multi-user and multi-use with remote work from home access of enterprise and financial systems along with the usual home entertainment stuff. It’s an entirely Apple ecosystem so definitely needs to be Mac friendly. The house itself is about 2500 sq/ft on a property of about 6000 sq/ft. Most of the wireless devices are usually about a 25 feet radius from the center point of the house, but I would like coverage on the whole property. We currently have Cat 5 connections in all rooms and to the ONT, then it’s fiber (FTTP); and a self-installed solid copper coax to the house cable node. I currently have a spool of Belden Cat 6 that I intend to replace in place of the Cat 5. We’re provisioned for Comcast cable and ATT fiber. I have Comcast right now. Had their 150 Mb connection but it wasn’t being fully utilized so I downgraded to the 50 Mb. They recently upgraded the 50 to a 75 Mb. We can also get gigabit with either service but it’s a bit expensive at the moment.
My setup right now is a Zoom modem with an Airport Express 2nd gen router. The wireless maxes out around 60 Mb hence why I downgraded the plan until I could put in a better setup. Every single device is wireless, around 8, but I’d like to wire things like the Mac and Apple TVs. Currently I get a bit of load lag and sporadic connection freezes and timeouts.
Touching on security, I’m a bit weary of Netgear and Linksys because of their recent security flaws. Considered Amplifi but didn’t like their lack of network storage and something else I can’t remember right now. Unifi AP seems like a good bet but not sure about the router, switch, controller, cloud key, etc. I was hoping to mount an AP centrally to the ceiling but I’m open to other options. Another option is to just wait for WiFi 6 integration since it seems not too far off and continue with the Airport for now.
Sorry this is so long! Thanks for reading and any more feedback!
For a 2500 sq ft house, you can mount one UAP-AC-HD centrally, and it should cover the entire house. You should be able to have 500 Mpbs throughout the house or better with just one UAP-AC-HD. I would not recommend any other AP for your use case. I would definitely not recommend 2nd generation UAPs (read my comments above in this tread). I would also not recommend the UAP-nanoHD unless you decide to buy two of them. Personally, I've had so many issues with the UAP-IW-HD (same chipset and same firmware as UAP-nanoHD) that I would stay away from both. There are also numerous threads on the Ubiquiti forums (UI.com) about all the issues that the nanoHDs had. On the other hand, the UAP-AC-HD has been really solid for me.
For the firewall/router I would not recommend anything made by Ubiquiti. None of their mature routers (from the UniFi or from the Edge lines) have powerful enough hardware to handle decent encrypted throughputs. So, if you are interested in VPN tunnels to your house terminated by your router/firewall, don't go with anything made by Ubiquiti. They have a new device that's still in beta called UniFi Dream Machine Pro that has powerful enough hardware to handle encrypted traffic at decent throughputs, but the firmware for this new platform is based on a different code base than their legacy firewalls/routers, and the feature set is so narrow right now that they don't even support any kind of VPN yet.
If you asked me, I would go with pfSense for your firewall. You can run it pretty much on any hardware you wish. A lot of people run it on miniature computers. Personally, I run it on a miniature computer platform made by Compulab (an Israeli company). The Computlab platform that I use it on is called Fitlet. When running pfSense, it can do LAN-to-WAN routing at about 750 Mbps. With IPSec VPN encryption, the LAN-to-WAN throughput is 170 Mbps. I've had this computer running pfSense for over 3 years now with not a single reboot required. It's a rock-solid system. Since I bought mine, Compulab released
Fitlet2, which has a much more powerful CPU in it. The Fitlet 2 can do LAN-to-WAN routing at line speed of 1 Gbps. Encrypted throughout is much better than 170 Mbps on this platform. I haven't tested a Fitlet2 yet, but as soon as Gigabit Internet become available in my area, I will buy a Fitlet2 to replace my Fitlet. There are other hardware platforms that you can buy to run pfSense. Also, they have their own hardware for sale. If you buy a third-party system (like Fitlet2), you can download pfSense for free. The Fitlet2 comes as barebones, so you need to buy the SDD and RAM separately and assemble it yourself. I'm running my pfSense on 4 GB of RAM and 32 GB of SSD, and that's plenty. Additionally, Fitlet2 has add-on cards that they call Facet cards. One of those cards is a POE Facet that allows the system to be powered by POE. It costs $45, and IMHO, it's well worth it so that don't need an extra UPS-protected outlet to plug in your firewall.
As for the Ethernet switch, you can buy an 8-port or 16-port UniFi switch that support POE+ (802.11at). In order to power the UAP-AC-HD, you must have POE+. For UAP-nanoHD, you are okay with POE (802.11af). The UniFi switches have very narrow feature sets, but the feature set is sufficient for what you are trying to do. They support 802.1q VLAN tagging and POE/POE+, and that's all that you will need from a switch. One downside of UniFi switches is that they don't have any Layer 3 switches. Therefore, if you build your network in such a way that there will be a lot of traffic between different VLANs/subnets, the inter-VLAN routing will have to happen at the router/firewall. Ideally, you would want to inter-VLAN route at a Layer 3 switch because doing so at the router/firewall can over-utilize the uplinks between the switch(es) and the router/firewall. Additionally, you would load the router/firewall with inter-VLAN routing traffic, which may affect the throughput from/to the Internet. However, in reality, it would be unlikely to create so much traffic between VLANs/subnets that you would over-utilize the uplinks to the router/firewall or over-utilize the router/firewall's CPU with inter-VLAN traffic. Nevertheless, when designing your network, you should keep in mind that the hosts that would send a lot of traffic to each other should be on the same VLAN/subnet to preclude sending this traffic upstream to the router/firewall unless you MUST firewall the traffic between such hosts.
All in all, UniFi and Edge equipment is fine for a prosumer environment and for small business. Edge is supposedly targeted at Mom-and-Pop's service providers and to third-world countries that cannot afford real enterprise-network equipment. Ubiquiti claims that Edge line is enterprise-class, but it's not the case. It's can only be considered enterprise-class in poor third-world countries. In the US, I would never recommend it even for a medium-size business. It belongs squarely in the small business niche. I know that there are some small rural ISPs in the US that are running almost exclusively on Ubiquiti Edge equipment, but this is its own niche, as they don't do a lot of LAN switching in their environment, and they operate on such narrow margins that they can't afford Cisco or Juniper or Arista. The only Ubiquiti product I wouldn't hesitate to recommend for a medium-size business is their APs and only UAP-AC-HD or more expensive ones.
UniFi routers and switches are even less "enterprise-class" than Edge and is only good for very small business IMHO. However, UniFi is excellent for prosumers and very large residences except for their USG (UniFi Security Gateways, aka firewalls for the reason mentioned above). It's unfortunate that one has to resort to a non-Ubiquiti router/firewall while having the rest of equipment made by Ubiquiti, but that has been going on for years now. Hopefully, the UniFi Dream Machine Pro will become the firewall of choice once Ubiquiti fully develops its firmware. However, I wouldn't be holding my breath on that, as Ubiquiti has promised to fix their USG feature set for years now but has not done much. With the introduction of the new router/firewall platform (UniFi Dream Machine and Dream Machine Pro), it's unlikely that they will be using their development resources on the legacy USG platform, but it's also unclear how many more years it will take them to make the Dream Machine platform into a decent firewall.
You can run the UniFi controller in Windows, macOS, Linux or on the dedicated piece of Ubiquiti hardware called the CloudKey. The regular CloudKey is about $75 and it will do everything that you need for your network. You can also buy a more expensive newer CloudKey Gen2, which can also run UniFi Protect (the new video camera server) and even UniFi Talk (the new VoIP PBX - still in beta), but unless you are going to install Ubiquiti cameras, I would just go with the regular CloudKey to save money. Unless you are interested in gathering statistics from your UniFi equipment to look at trends, you don't even have to run UniFi controller on your network. You can just fire it up on your Mac when you need to change something on the network; it's not required for the network to operate. Moreover, you can even set up your APs and UniFi switches with an iPhone app without the UniFi controller. I haven't used the iPhone app with my equipment, and I heard that not all features are available via the app, but you can try to see if you even need the controller to begin with. One very useful feature of the UniFi controller is the DPI information (Deep Packet Inspection). However, this feature works only if you have a USG on the network, but USG is a very limited firewall (feature-wise) and it has terrible encrypted throughput (to the tune of less than 20 Mbps). Ubiquiti refuses to repurpose the legacy USG as the DPI probe only, so you are either stuck with an inferior firewall and DPI capability in UniFi controller, or if go with a third-party firewall, there will not be any DPI available in UniFi Controller. So, all in all, the controller may not be necessary at all in your environment if you go with a third-party router/firewall like pfSense.
