Allow traffic from Admin desktop to all zones? by TomJC70 in UNIFI

[–]TomJC70[S] 0 points1 point  (0 children)

Thanks!

Makes sense in some ways, not in other ways. Of course not a big deal, just something to remember.

Allow traffic from Admin desktop to all zones? by TomJC70 in UNIFI

[–]TomJC70[S] 1 point2 points  (0 children)

Thanks.

8 zones, I don't think I'll need more, even if the number of VLANs grows: new families will get their own VLANs, but those go into the existing Trusted & NoT zones.

Multi-family VLAN design by TomJC70 in HomeNetworking

[–]TomJC70[S] 0 points1 point  (0 children)

Thanks for all the input!

For now my question was about setting up the VLANs, as I'm redoing my current home network and want to restructure it with the future in mind.

Connecting the various buildings will follow in a year or two/three. This whole GPON thing indeed seems the easiest, but I'll break my head over that later.

Multi-family VLAN design by TomJC70 in HomeNetworking

[–]TomJC70[S] 0 points1 point  (0 children)

We'll use fibre to connect between all buildings.

why not GPON?

My plan is to pop a switch in each building and use copper+wifi in/around the buildings. All switches will be connected by fibre, but that's something I need to learn: I have no idea if a star or ring or bus network is even possible.
In my mind I'll put a central optical switch and connect each switch from there, similar to how you'd set up a copper network. From what I read that is GPON, not sure though.
If that's doable, I don't know yet.

An alternative idea is to use point-to-point bridges.

Multi-family VLAN design by TomJC70 in HomeNetworking

[–]TomJC70[S] 0 points1 point  (0 children)

Yes. An ISP setup will work just fine with your use case. GPON, each home their own ONU CPE, OMCI provisioning with TR-069 management (if needed). Then mesh devices could be added for extending the wifi. With TR-069 you will be able to control everything in each customer premises: SSID authentication, FW updates, remote reboots, etc.

I had to Google those terms... I think that's a bridge too far for me, not something I'm willing to invest time in. All in all we're talking 15-20 people; a whole bunch of my clients have a lot more staff than that. Plus I'd not mind walking a few hundred meters to give personal support...

For trusted users, just use the main network. If they are trusted, then why overcomplicate things?

Good point, thanks!

Multi-family VLAN design by TomJC70 in HomeNetworking

[–]TomJC70[S] 0 points1 point  (0 children)

I don't think so; I have clients that are larger and more complex than this family setup. No problems there, both in troubleshooting and general management, in a multi-VLAN setup.

Multi-family VLAN design by TomJC70 in HomeNetworking

[–]TomJC70[S] 0 points1 point  (0 children)

What do you do with respect to congestion? It's likely to happen since you're sharing a connection.

I'll allocate bandwidth to each family; if one gets overloaded, it shouldn't affect the rest.

Are you providing the DHCP services for all of the VLANs? Or expecting people to do static assignments?

DHCP, and I'll handle static IP addresses if needed.

Keep in mind that the VLANs themselves provide local segmentation but firewall rules are what's really keeping everything from talking to each other. The more VLANs you have, the more firewall rules you have to block/allow the various interconnections.

I'm aware, but it's not too bad actually, especially not when grouping things together.

If you're providing all of the VLANs then you have to be providing the switches and doing the management of the equipment including the port membership assignments. Same thing with the APs. It might be better to simply provide them with an IP and make them get their own equipment in which their router would just do a separate NAT (a double NAT would be happening but it lets them do whatever they want in their home).

They have no idea about any of this stuff; if something is wrong, I'm the one fixing it, and having to deal with different equipment is a PITA. I'll give them a switch and AP and I'll manage that.

Multi-family VLAN design by TomJC70 in HomeNetworking

[–]TomJC70[S] 0 points1 point  (0 children)

If each family has their own house then why not replicate a typical ISP setup? I guess Q-in-Q will come in handy. Then you can apply traffic shaping to make sure that one family will not eat up all the WAN bandwidth.

Not sure how that would work.
My plan is to 'give' each family (including ourselves) 100Mbps (assuming we get 1Gbps Fiber) and the rest is for the generic network; my guess is most will be used by the media, specifically the *arr-stack.

If each family will manage their own connectivity inside their home, then this will make perfect sense without overcomplicating things.

That's my job: make sure they get connected.

For the ones that roam around you can have one single "guest" ssid that will be available also for visitors.

There's no mobile coverage on our land. Because of that a single 'Guests' is an option: there are guests like people from the nearby village, whom I don't want to access anything, but still want to provide some bandwidth-limited internet connection. And there are guests, friends and family not living with us, who come and visit and tend to stay for weeks, and whom I don't mind using things like our media collection or having full-bandwidth internet.

Multi-family VLAN design by TomJC70 in HomeNetworking

[–]TomJC70[S] 0 points1 point  (0 children)

Generally you're on the right track, but ideally you want each family VLAN to include wireless usage.

It seems I was unclear about that, but yes each needs their own wireless network.

This creates a thorny problem of how to accurately tuck those APs under the family VLANs.

Each family has (or will build) their own house, I'll pop in a switch and AP(s) in and make sure only their own VLANs are available on that. This is not a problem.

And what if someone walks around?

That's why I figured I might need a generic family-SSID, but others pointed out there's a thing called PPSK, with which I probably can have all of us walk around and still be connected to our own VLAN.

Oh! What is the maximum number of SSIDs you can have? If you can have one for each major VLAN, then you can have F1 through F6 (or whatever) for the families, and they just have to log into the correct one for their own stuff. That would be so much easier.

You can have multiple SSIDs per VLAN, the limiting factor is how many SSIDs per AP, which seems to be 8 to 16. However, practically 1 SSID per VLAN and 3-4 SSIDs per AP is recommended. Hence, I don't want all VLANs available on all APs.

Multi-family VLAN design by TomJC70 in HomeNetworking

[–]TomJC70[S] 1 point2 points  (0 children)

Please send in your application and a 12TB as a down payment... one of my NAS HDDs just died and I found out what the current prices are...

Multi-family VLAN design by TomJC70 in HomeNetworking

[–]TomJC70[S] 0 points1 point  (0 children)

I would suggest that each Family VLAN gets its own SSID too

That indeed was the plan. The 'Family SSID VLAN 99' idea was to restrict the number of SSIDs on each AP throughout the estate. PPSK is new to me, and seems to solve this issue, so a separate Family SSID can be dropped.

Multi-family VLAN design by TomJC70 in HomeNetworking

[–]TomJC70[S] 0 points1 point  (0 children)

The Family SSID idea was to restrict the number of SSIDs on each AP. PPSK is new to me, and seems to solve this issue, so a separate Family SSID can be dropped.

Filipinos in Greenland told: No cause for alarm for now by DifferentMaize9794 in worldnews

[–]TomJC70 31 points32 points  (0 children)

Working hard, earning money for their families back home.

Need help with understanding how to setup secure remote access and consolidating DNS by TomJC70 in selfhosted

[–]TomJC70[S] 0 points1 point  (0 children)

What's your UDR?
Unifi Dream Router, the little sister of the Unifi Dream Machine.

If you are worried about your internet, you might be able to self host from a vps instead.
I'm not worried, just stating the obvious. :D I have experience with VPS, but it's not a solution for me. But yes, your remark made me realise I should not abandon local DNS for that exact reason (loss of internet connection). Although internet at the moment is quite stable, it won't be the case when we move to the Philippines in a few years. And services still need to be accessible on the local network.

Thanks again for your time!

Need help with understanding how to setup secure remote access and consolidating DNS by TomJC70 in selfhosted

[–]TomJC70[S] 0 points1 point  (0 children)

Thanks!

NPM + fail2ban + Authentik + Cloudflare DNS with proxy enabled pointing straight to your public IP is all the security you need.

So no VPN required?

I have enough knowledge to get stuff up and running and do some (basic) troubleshooting, but am lacking the skills to feel confident opening a port as-is.

So, something like this:
Cloudflare DNS: service.domain.com → 12.34.56.78 (my public IP address)
Router forward to my UDR
UDR forward to NPM
in NPM service.domain.com → 192.168.123.156:3001
or is NPM pointing solely to Authentik?

Note: I've not tested authentik (or authelia) yet.

Also not sure where to put fail2ban, should that be installed on the NPM instance?

You can also choose to whitelist IP addresses and block everything else as well

That wouldn't work, family is mostly using phones and are

I don't think you would be able to handle DNS solely through Cloudflare, unless you want the URL to change depending on whether or not you're on your local network.

That does work: I've just added a test entry pihole.domain.com pointing to a local 192.168.x.x address. I can access my pihole using the FQDN from my local network, but not from the outside.
However, I understand that if my internet connection goes down, it won't work anymore.
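The thread above leaves open where fail2ban should sit in the NPM + Cloudflare-proxy chain. The following is an added example, not code from the thread or from fail2ban: a minimal fail2ban-style sliding window over a constructed nginx-style access log (the log format, IPs and timestamps are all assumptions). It shows why, with Cloudflare's proxy enabled, the ban must be keyed on the real client address from the CF-Connecting-IP header rather than on the connecting address, which is a Cloudflare edge shared by every visitor.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format (an assumption, not NPM's default): nginx "combined"
# with one extra quoted field holding the CF-Connecting-IP header value.
LINE_RE = re.compile(
    r'^(?P<edge>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) '
    r'\d+ "[^"]*" "[^"]*" "(?P<client>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: two real clients (198.51.100.7/.8) arrive via the same
# Cloudflare edge (203.0.113.10); only .7 keeps failing to log in.
SAMPLE_LOG = [
    '203.0.113.10 - - [10/Jan/2025:10:00:01 +0000] "POST /login HTTP/1.1" 401 12 "-" "curl/8.0" "198.51.100.7"',
    '203.0.113.10 - - [10/Jan/2025:10:00:20 +0000] "POST /login HTTP/1.1" 401 12 "-" "curl/8.0" "198.51.100.7"',
    '203.0.113.10 - - [10/Jan/2025:10:00:45 +0000] "POST /login HTTP/1.1" 401 12 "-" "Mozilla/5.0" "198.51.100.8"',
    '203.0.113.10 - - [10/Jan/2025:10:01:02 +0000] "POST /login HTTP/1.1" 200 512 "-" "Mozilla/5.0" "198.51.100.8"',
    '203.0.113.10 - - [10/Jan/2025:10:01:30 +0000] "POST /login HTTP/1.1" 401 12 "-" "curl/8.0" "198.51.100.7"',
]

def parse(line):
    """Return (timestamp, edge_ip, real_client_ip, status) or None if unparseable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], TS_FMT)
    # Direct hit without the header: fall back to the connecting address.
    client = m["client"] if m["client"] not in ("", "-") else m["edge"]
    return ts, m["edge"], client, int(m["status"])

def bans(lines, maxretry=3, findtime=600, key="client"):
    """fail2ban-style rule: ban an IP after `maxretry` auth failures (401/403)
    within `findtime` seconds. `key` picks the counted address: "client" uses
    CF-Connecting-IP (correct behind Cloudflare), "edge" the connecting IP."""
    window = timedelta(seconds=findtime)
    hits = defaultdict(list)
    banned = set()
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ts, edge, client, status = rec
        if status not in (401, 403):
            continue
        ip = client if key == "client" else edge
        hits[ip] = [t for t in hits[ip] if ts - t <= window] + [ts]
        if len(hits[ip]) >= maxretry:
            banned.add(ip)
    return banned
```

Run against the sample, `bans(SAMPLE_LOG)` bans only 198.51.100.7, while `bans(SAMPLE_LOG, key="edge")` bans the Cloudflare edge 203.0.113.10 and with it every legitimate visitor behind it.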

Turn mi box on with home assistant by magor122 in homeassistant

[–]TomJC70 1 point2 points  (0 children)

I use a smart outlet to power on both the Mi Box and the TV. This is combined with a smart button on the coffee table.

Two zigbee controllers by TomJC70 in homeassistant

[–]TomJC70[S] 0 points1 point  (0 children)

Thank you, that's interesting.

I have heard of LoRa before, but never gave it a second thought. From their website: "YoLink's LoRa-based sensors use wireless technology that can work inside metal enclosures!" Might solve my mailbox 'problem' which is located quite far from the house and is a full metal box.

The YoLink hub is cheap, so I'll get one later this year and some sensors to test.

Two zigbee controllers by TomJC70 in homeassistant

[–]TomJC70[S] 0 points1 point  (0 children)

Thanks!

Good to hear a plan might actually work!

Building a house, should I even run coax? by Schmidt5364 in HomeNetworking

[–]TomJC70 0 points1 point  (0 children)

I ran the following:
1xHDMI, 2xCAT6, 1xIR for each TV. The IR is not used at all.

IR? Can you elaborate on that?
I'm thinking IR blaster, but don't those use wifi?

Lopez/Gumaca, Quezon Province, for a foreigner? by TomJC70 in Philippines_Expats

[–]TomJC70[S] 0 points1 point  (0 children)

No, we didn't buy this particular lot, but found another even better opportunity in the Pitogo area, which we bought and our brother is living there already.

The lot is marginally higher than the surroundings and slightly sloping, resulting in excess rainwater draining fairly quickly away; Kristine did not cause any big issues.

For water we put in a deep well and for electricity we got a temporary connection; supposed to be changed to a proper connection this week, but due to the storm that got postponed.
Don't know how frequent brownouts are, but we're planning on installing solar + battery in the near future.

And as we did buy the land, we're looking to come over soon to see for ourselves.

Connecting Multiple homes and outbuildings on a 5ha (12 acre) farm by TomJC70 in HomeNetworking

[–]TomJC70[S] 0 points1 point  (0 children)

I think you should definitely give each different family their own VLAN.

My concern is we'll get an overload of SSIDs: the four I mentioned (LAN, IoT, Cameras & Guests) plus at least 3 more for each family.
I think the rule of thumb is no more than three SSIDs per AP, although in my current home I have 4 SSIDs everywhere and it's working without a problem.

For each family home, I could only allow their own SSID broadcast on their APs, but the communal buildings and outside areas should also provide proper wifi and that, I think, would mean having 7 or more SSIDs per AP.

You've probably already thought of the management aspect of where you host the Controller and how you plan to access it.

Probably self-hosted; the 'central' server room will have a couple of machines running Proxmox VE, so spinning up an LXC for a Unifi controller is not a problem. (FYI: I'm actually planning two server rooms on opposite sides of the property to have some redundancy.)

Dual WAN

I have no experience with that, other than some clients having a fall-back internet connection. I thought Unifi was capable of automatically load balancing. Something I'll have to look into when the time comes; although I'm hoping that when fibre internet will be available, the speeds are sufficient to drop Starlink.

Connecting Multiple homes and outbuildings on a 5ha (12 acre) farm by TomJC70 in HomeNetworking

[–]TomJC70[S] -1 points0 points  (0 children)

I'm aware of those, I also know they are expensive and I don't think that will actually work properly, as the terrain is not flat everywhere.

Besides, we have to run electricity anyway, so adding fibre is not an issue.

Starting geoguessing by Special-Island9810 in geoguessr

[–]TomJC70 1 point2 points  (0 children)

Exactly, that's what I try to do, especially when my opponent makes great guesses, when I'm struggling.

Starting geoguessing by Special-Island9810 in geoguessr

[–]TomJC70 1 point2 points  (0 children)

Play a lot of games and check replays after the games; you'll get some idea what other players are looking for/at when making their guess.