Three Dumb Router question


jlariviere

Member
Jul 15, 2021
Apologies if these are dumb questions. If this type of question was answered earlier on this forum, searches didn't bring it up so if you have a good post here or elsewhere feel free to forward me to that one :) My current OnHub router (that I should've replaced a long time ago) is getting discontinued by Google and I will be replacing it of course. It is just for my personal use (IOT devices, laptops, computers, etc.), so nothing too complex is needed (and reasonably cheap is of course good).

In 2022, do you think hardware separation with the "three dumb router" idea is still ideal, or do some of the routers (like the Edgerouter X and those with one or more Guest Wifi) actually offer sufficient network separation at a hardware level, to satisfy a somewhat paranoid / cautious individual?

If I go with the three dumb routers, I am currently in a subdivision so there is some wifi congestion. Some available routers that support DD-WRT or OpenWRT only have 2.4 GHz. Would you recommend I be sure to get routers that support 5 GHz?

Thanks!
 
In the past, Steve has recommended pfSense running on a Netgate SG-1100. I would strongly recommend AGAINST using that device. I have one, and have found it so under powered to the point of being unusable. It takes 10s of seconds after entering the login and password into the gui to bring up the status screen, and similar time to save a configuration change or switch between screens. There is no native wifi hardware, and limited support for 3rd party hardware, so you will need a second router anyway.

I am looking around for an alternative, and am strongly leaning towards something that will run OpenWRT.

5GHz does not carry very far, and my experience has been that it is only ever better than 2.4GHz if you are in the same room as the router. So not worth paying extra for.
 
Having wireless devices both on your "secure" network and on your "insecure" IoT network would entail having two wireless routers. This will have you causing your own extra congestion... so ideally it would be better to keep your secure network wired only and put all devices, such as your cell phone on the IoT network. You could potentially achieve this with a personal VPN into your secure network, but boy that all starts to sound really complicated. It makes a lot of sense to put your phone on the IoT network if it's going to be running apps to control the IoT devices anyway.

If you can restrict yourself to just one wireless access point, then you just need simple wired only routers for the other two devices. (No, you don't strictly need to use three routers, but the premise is defense in depth... if one of the routers fails to block an attack, the other two should contain the damage.)
 
for the congestion, would it be better if two different wireless routers were on different channels?
 
thanks, that is helpful to hear about that netgate
 
two different wireless routers were on different channels
Yes, but most modern routers can manage this on their own anyway, I believe. (Certainly the higher end/mesh ones do.) If you wanted to spend some money, and do some messing about/heavy learning, you could buy a single wireless system... something business class like Ubiquiti and then you would have better control over which devices can see what other devices. (But then you might end up with a full time job of figuring things out too.)
 
After going through a series of Cisco/fka Linksys devices that kept going out of support, IMO much too soon, for the price paid, I ended up going the eero route. Between the fiber modem and the rest of the network, I have a 24-port gigabit LAN switch, with 1 or 2 outlets with 1 or 2 LAN sockets each in each main floor room, wired from below from the basement through the walls. The upstairs is half the size of the main floor, and there are convenient hall closets stacked on both floors, so it was easy running a drop up to the 2nd floor to a 5-port gigabit LAN switch that feeds a few wired PCs and printers upstairs. The entertainment system in the living room takes another 5-port gigabit LAN switch to feed the DirecTV, Roku, TV, and BluRay player. So much for all the direct wired devices. Next comes the eero WiFi 6 mesh routers. The main one is in the basement ham shack and has two gigabit ports and forms the firewall/gateway between the fiber modem and the 24-port LAN switch. It meshes with a wireless satellite on the main floor, and another one on the 2nd floor.

They operate on both 2.4 and 5 GHz, and I get flawless wireless coverage throughout the house, where I used to get cold spots with the previous non-mesh systems. WiFi 6 can easily keep up with my 300 mbit/bidirectional fiber-to-the-home AT&T service, which beats my prior Comcast 100 mbit up/6 mbit down service all hollow, and for half the price. On the 2nd floor satellite on my smartphone, running Ookla speedtest, I get 172 mbit/bidir. This is mainly a function of the backhaul speed between satellites, which will vary depending on the signal strength between them. On the basement main node, I routinely get 350 mbit/bidir on the same test, same phone.

Support? eero updates my system at LEAST once a month, if not more often. It all runs on an app on your smartphone, and you can control all aspects from there easily.

You can get an eero 6 3-pk for under $300. It's been the best money I've ever spent on a WiFi system. And no, I don't work for them or get any kickback from them. Just a very happy customer.
 
I haven't read every word of this thread but only skimmed it. I'm not familiar with mesh systems. I haven't searched for routers in a while so I cannot cite model numbers. But, I definitely like the idea of DDWRT or OpenWRT type systems. Turn off ALL external features and special services you don't need and ALL remote admin. I still think the 3 dumb routers is a good idea if you don't do the same thing with virtual LANs, etc. You can also get away with 2 routers ganged in series but it's not as clean. In that case I think you put your IOT LAN on the router closest to the internet.

May your bits be stable and your interfaces be fast. :cool: Ron
 
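The two layouts Ron compares (three routers, with two inner routers plugged into the edge router's LAN, versus two routers in series) can be checked with a small reachability model. This is an added example, not code from the thread; it assumes only that each router is a plain consumer NAT box (connections may start on the LAN side and leave via the WAN side, unsolicited connections arriving on the WAN are dropped, no port forwards or UPnP), and the segment names "edge", "secure" and "iot" are mine. It also models the defense-in-depth point above by letting any one router "fail open" and act like a dumb switch.

```python
# Added example (not from the thread): a reachability model for the router
# layouts discussed above.  Assumption: each consumer router is a plain NAT
# box that lets connections start on its LAN side and leave via its WAN
# side, and drops unsolicited connections arriving on its WAN (no port
# forwards, no UPnP).  Segment names ("edge", "secure", "iot") are mine.

# Each layout maps a router to the segment its WAN port is plugged into.
# A router's LAN side is the segment that carries the router's own name.
THREE_ROUTERS = {      # edge router on the modem, two inner routers on its LAN
    "edge": "internet",
    "secure": "edge",
    "iot": "edge",
}
TWO_IN_SERIES = {      # IoT LAN on the router closest to the internet
    "iot": "internet",
    "secure": "iot",
}


def can_connect(layout, src, dst, failed=()):
    """True if a host on segment `src` can open a connection to a host on
    segment `dst`.  Routers in `failed` have "failed open": they pass
    traffic like a dumb switch, so their LAN is merged into the segment
    their WAN is plugged into."""

    def effective(seg):
        while seg in failed:
            seg = layout[seg]
        return seg

    seg, dst = effective(src), effective(dst)
    while True:
        if seg == dst:          # reached dst purely by LAN->WAN (outbound) hops
            return True
        if seg not in layout:   # "internet": no NAT lets us hop back down
            return False
        seg = effective(layout[seg])


def isolation_matrix(layout, failed=()):
    """Map (src, dst) -> reachable for every pair of segments in the layout."""
    segments = sorted(set(layout) | set(layout.values()))
    return {(s, d): can_connect(layout, s, d, failed)
            for s in segments for d in segments if s != d}


def iot_can_reach_secure(layout, failed=()):
    """The question the thread cares about: can an IoT device reach the
    secure LAN, with the given routers failed open?"""
    return can_connect(layout, "iot", "secure", failed)


if __name__ == "__main__":
    for name, layout in (("three routers", THREE_ROUTERS),
                         ("two in series", TWO_IN_SERIES)):
        print(f"== {name} ==")
        for (s, d), ok in sorted(isolation_matrix(layout).items()):
            print(f"  {s:>8} -> {d:<8} {'allowed' if ok else 'blocked'}")
        for r in layout:
            print(f"  with {r} failed open, iot -> secure:",
                  "reachable" if iot_can_reach_secure(layout, {r}) else "blocked")
```

The model shows why the IoT router goes nearest the internet in the series layout (the inner secure LAN can reach IoT devices, but not the reverse), and that in either layout the secure LAN is only exposed when its own router fails open.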
The “3 dumb routers” is still as acceptable today as it was before. I wouldn’t go out and buy 3 dumb routers, but if you have them, go for it ASSUMING they are still being supported by their respective manufacturers. Otherwise, that could be a security issue. Also, don’t forget to turn off WiFi on the edge device to reduce congestion, and make sure the other 2 are on different channels and/or frequencies. In regards to an Edgerouter X, it will accomplish the same thing assuming you configure it correctly. If you are fairly savvy, pfsense would also be a great option providing you have a spare box and appropriate NICs.
 
Perhaps too late, a few notes on the ER-X. First, yes it's cheap, but also low-powered, like the SG-1100. It will work, but perhaps no better than an SG-1100. In a moderately complicated setup you're probably limited to 300-450Mbps using routing and firewall functions. EdgeOS is similarly less powerful than pfsense. The ER-X is great stuff for $50. You can learn a lot and access most config via webgui, but there's not much room to grow.


I have an ER-Lite and use an ER-X only as an internal router. My ER-Lite is barely enough for my recently-upgraded 800Mbps connection. Arguably the ER-L is slightly better hardware. YMMV. Both Ubiquiti devices are pretty old in terms of support and expansion/growth. If I were buying an EdgeRouter today, I'd get the ER-4.

I keep thinking of buying one of those NUCs Steve has recommended for pfsense....
 
limited to 300-450Mbps
Yeah, I found the ER-X is not as powerful as I had hoped. It would be nice if it was line speed, but it's definitely less. There is a setting you can enable to allow for hardware assist, but it affects availability of other features, so I haven't done that.

Do you know if the ER-4 is capable of line speed throughput?

Bell Canada offers an option for 1.5G fibre, but they say you can only achieve maximum throughput by using their modem/router's WiFi as well as a wired link. (I don't think their router offers 2.5G or higher links.) Nevertheless, a slow firewall is not going to touch anything close to that.

I guess I should try a PC that has an option for a couple of PCIe NICs that could also go faster than 1G and see just how much throughput pfSense could push.
 
I'm not being critical in any way by saying this. My internet is 90 Mbps down / 12 Mbps up and some of my networking gear is probably capable of 1 Gbps and other parts probably 100 Mbps. Many people on DSL have 3 Mbps internet. Do people REALLY need to push 1 Gbps in and out and around the house consistently? Maybe they do. But, it's certainly not me.

May your bits be stable and your interfaces be fast. :cool: Ron
 
By "people" you're implying "joe average" I guess. In my case, if I am going to pay the money for the service, I see no point to let my networking gear be the limiting factor in my connection... whether I actually use it to the maximum or not. On the other hand, time is money, and so if I can download a large file 10x faster then why waste the time?
 
I have two work-at-home adults that stream video conferences all day and two-game-playing adults, plus a 4K TV with streaming services. So far, a 300 mbps un-capped bidirectional service hasn't cramped our style, but the old 100 mbps down/ 6 mbps up 1 Gb/mo capped service certainly did, especially when using BackBlaze to back up all those systems. Without throttling, BackBlaze would saturate the uplink and knock the game-players off their game, so to speak.

And as a bonus, the 300 mbps un-capped bidirectional service is half the price of the old 1/3 speed capped unidirectional service. It pays to shop around, if you have the opportunity in your neighborhood. Not everyone has a choice, unfortunately. No competition breeds high prices, and lousy service, in my opinion.
 
Interesting. Guess I have to get my gaming on. I can see what you're saying about the teleconferencing. My wife does that and I do occasionally but not usually at the same time. Come to think of it, I guess it does bog down a bit on occasion especially if I'm doing a big download or backup. I've got backups scheduled to occur in the middle of the night. Also, I bought a gadget from (I think) Western Digital a decade or more ago called a prioritizer. It looks like a wired router or hub. My router and her router are plugged into it. If I'm contending with her for internet access, her packets get priority. It generally works pretty well.

May your bits be stable and your interfaces be fast. :cool: Ron
 
Hi,

You might look into using an Ubiquiti ER-X Router in conjunction with Ubiquiti's Access Point(s) for your needs.

This $60 router supports multiple VLANs (VLANs provide network segmentation / isolation), and has 5 built-in Ethernet ports.
The Access Point is the Wi-Fi portion. Typically priced less than $150, each AP supports four VLAN-separated (isolated) SSIDs.
So you can have four isolated networks, typically: Home Network, Guest Network, and IOT Network.
You can make more isolated networks, example work from home, if they are Ethernet wired only.

Steve (very favorably) mentioned my setup guide in SN podcasts #641 and #649.
The link to my guide is on his linkfarm page:
https://www.grc.com/linkfarm.htm
Ensure you use the live link and DON'T use Steve's cached link, as his cache is about 25 commits and 100 pages out of date.
Direct Link
https://github.com/mjp66/Ubiquiti

@sggrc It might be time for a new SN mention of this guide, since IOT segmentation is so important lately.

This setup should work very nicely at 300 Mbps; router peak rates can be about 900 Mbps unidirectional.

The only trouble (right now) is finding these routers in stock, since we live in a post-pandemic supply-chain world.
Note1: ui.com's out-of-stock email-notification-system is broken.
Note2: Maybe try this: https://www.reddit.com/r/UbiquitiInStock/


-Mike
 
I have a problem which is less common than most people's. I have a long house built of stone and I want the wifi to reach out into the garden too. Having heard Steve's suggestion a few years ago to 'make a new year's resolution to isolate devices', I set about resolving the whole issue. First, I bought a Synology router which contains a packet inspection facility which inspects every packet against a threat database maintained by Google and IBM I believe. This is brilliant as even if there is a single pixel containing a malicious 'advert', it will block any 'phoning home'. I then connect this router into the router provided free by my ISP. I configured the Synology router to provide a different subnet IP range to the devices that connect to it and to select 'isolate devices' so they can see each other. That's the crucial part. I connect IoTs that need internet access, eg my smart TV, they get connected to the ISP's router. I don't care much about how good the ISP's router is at isolation as the devices I do care about are behind a NAT router and on a different subnet.

If I had a house where the Synology router could reach everywhere that would be the end of the story, but I'm not in that position. I solved my problem by buying a 16 port managed switch capable of running VLANs, and to provide the wifi I bought 2 EAP115 access points sited to access the whole house and the main areas of the garden, but not the greenhouse. I set each of these access points to have the same channel frequencies so we can walk around the house and our devices seamlessly connect to one or the other access point. I set each device connected to the access points to be isolated from each other, and I set up the SSIDs to define different groups: IoTs that work from wifi only, eg Amazon firesticks; a guest SSID so when family members come and then travel the country and this SSID is broadcast, the 'guest' SSID can't be traced to my house as 'guest' is so widely used. For the SSIDs that I use I terminate them with optout and nomap.

Next I set up the VLANs in the managed switch which route the packet headers to provide the isolation. My NAS goes onto the most secure VLAN, IoTs firesticks have no access to this VLAN.

Interestingly, although the supplier was extremely helpful in trying to set up the VLAN, they couldn't answer my questions other than to point to website instructions which were for the most basic of configurations, so I spent many weeks of great fun trying to understand how VLANs work and to get the seamless walk through from one access point to the other and the data swapping from one VLAN to the other transparently.

I got it all working correctly after a few months of trial and error. I regularly check the device isolation by running a LAN scan on the individual SSIDs.

I heard you say, “but what about the greenhouse when working out there?” In those times I plug in a mains extender and connect the Ethernet cable into one of the ports depending upon which VLAN I want access to when using the internet. If I just want the TV on my iPad, YouTube I’ll connect the mains extender into an IoT port, or if I need access to my NAS I’ll connect it into the secure VLAN by using another port.

I’ve got a smart printer, that’s a horror as it needs to be on my secure VLANs so we can print from our phones and iPads. I’ve configured the router to block access of the printer to the internet and I only turn it on when we want to print something, and every so often I plug it into the ISPs router and check for any updates.

I think this is about as secure as any domestic user can get.
 
these access points to have the same channel frequencies
I don't think the channels need to be identical, and that would theoretically cause the two devices to overlap each other, actually reducing your signal strength. On the other hand, it may prevent a device from holding on too long to an AP which is sub-optimally far away and using a weaker signal. It's clearly working for you, so without experimenting it's hard to know if changing channels on one would make things better or worse or make no difference at all.
 
First, I bought a Synology router which contains a packet inspection facility which inspects every packet against a threat database maintained by Google and IBM I believe. This is brilliant as even if there is a single pixel containing a malicious ‘advert’, it will block any ‘phoning home’.
I've been tempted by the Synology routers. They seem like very good gear. Lots of security-minded features and good performance.
I set each of these access points to have the same channel frequencies so we can walk around the house and our devices seamlessly connect to one or the other access point.
Although it may work for you, as @PHolder suggests, this is the opposite of wifi best practice. Ideally your WAPs should xmit on channels that don't conflict with any nearby access points. And only use 1, 6, 11 for 2.4 GHz (because they're the only ones that don't overlap). Perhaps given your "stone" house, the WAPs never see the other APs. However, there is no need to use different channels to "seamlessly connect from one AP to another..." Just using the same SSID/passphrase does that. Cheers.
 
Do you know if the ER-4 is capable of line speed throughput?

Bell Canada offers an option for 1.5G fibre, but they say you can only achieve maximum throughput by using their modem/router's WiFi as well as a wired link. (I don't think their router offers 2.5G or higher links.) Never the less, a slow firewall is not going to touch anything close to that.
Sorry to have let this go so long. Was typing a reply last night and my ERL-3 crashed for the second time in 8 days. Then it crashed 3 more times after ~20 min each. Short version: power supply apparently bad, which seems to be happening to many people over the past year...

The ER-4 answer depends on your configuration. My ERL-3 seems to route at nearly line speed, but add on multiple VLANs, Firewall Rules, still ok. But add QoS and things get bad. With QoS enabled my ERL seems capped at about 180Mbps. But I now have 800Mbps down, mainly so I can get 20Mbps up! (This is the problem in the US and why so many people look like garbage on Zoom... they have 5Mbps up and 8-12 devices online!) Right now with firewall and 5 VLANs, without QoS enabled I can get ~800+ Mbps through the device.

I'm sure the ER-4 will route better than the ERL. In this 3-yr old thread they say ER-4 *should* get 400Mbps with QoS enabled.

I found this new site that does buffer-bloat test, and it mentions ER-4 as good for up to 300 Mbps!? Shows only the Eero mesh router able to handle QoS at gigabit rates. https://www.waveform.com/tools/bufferbloat via https://www.bufferbloat.net/projects/bloat/wiki/Tests_for_Bufferbloat/#best-bufferbloat-tests

@mjp66 I love your well done EdgeRouter reference. Haven't looked at it lately though: it was so good I hardly need to do anything more. :)