I use a Mikrotik router, so it probably does. I’ll have to check it out. I assume it can do SNI-based routing just like haproxy, but if not, I’ll have to move haproxy to my LAN and just do a TCP tunnel in my VPS.
But yeah, doing this and internal DNS should make for a more robust system, thanks for the breakdown.
I work with this stuff professionally. I personally enjoy mikrotik. Not sure how to hairpin NAT on it off the top of my head, though I’m sure it can be done.
I usually use a business firewall as my gateway. Nothing wrong with mikrotik at all, it’s all personal preference. I think this is the first time I’ve heard of someone using a tik in the wild who isn’t running an ISP.
Yup, I was looking for an inexpensive, enterprise grade router, and 5 port Mikrotik was just the right size and price. I like playing with networking stuff.
The next project is getting a WiFi network with a VPN configured at the router level, as well as a WiFi network with no access to the rest of the network. I use a Ubiquiti AP, so it should be feasible.
I used to manage the network at my last job, a startup, but I’m not in IT, I’m a software engineer who gets into a lot of adjacent stuff.
That sounds familiar. My official job is more system administration, but networking is my one true love… At least in terms of work and interests.
Ubiquiti makes pretty good wifi gear. If I’m not mistaken you’ll need a controller running 24/7 to ensure that roaming and stuff works, but IMO, that should always be the case. When I’m doubt, there’s always the cloud key.
Ubiquiti wireless supports VLANs, so you should be good there, if it’s just going to be another SSID on your WiFi. I help run an ubiquiti network at home, we have two main LANs. My network is comprised mainly of Cisco stuff, but I’m using a sonicwall for my gateway, the other network here is entirely ubiquiti, UDM Pro, unifi PoE switches, unifi access points (about 4 right now, mostly for speed/density, though that network only has about 30 devices on it at any given time). The UDM acts as the network controller/manager. I don’t love it because the routing is not where I’d like it to be (in terms of features and capability). Prime example is that I’ve been pushing into L3 switching and for that net we got an enterprise 48 PoE, which can do 2.5G with PoE+ on all ports, and has a slew of additional features including L3 switching. On my side I have a Cisco catalyst 4948, which is connected to the enterprise 48 on a 10G link, I wanted to use the 10G link for device to device routing. On the Cisco, everything worked like clockwork. On the ubiquiti side, you can define routes, but they’re only added to the controller, which only adds them to the gateway. So traffic from my net to the ubiquiti net goes from station to switch to switch to station, and return traffic from the ubiquiti side goes from station to switch to the UDM, then to my switch, to the target station.
You can manually add the routes to the enterprise 48 by cli/SSH, but as soon as the unit restarts, the config is replaced with the current config on the controller (which doesn’t include the routing information).
I did it this way because my homelab, which everyone uses in some way or another, is hanging off my 4948 on a VLAN with L3 switching. I want to avoid the overhead of having it go through the extra devices and the bandwidth limits of going straight from my gateway to the ubiquiti gateway, and the enterprise 48 just won’t do it. On the control panel there’s no way to set what routes should be installed on which devices, so you’re kind of up a creek without a paddle.
I like ubiquiti, but for anything more advanced than all VLANs being handled by the gateway directly, I wouldn’t recommend it. Since most home users only need VLANs to go to the gateway at most, it’s my go to recommendation for home users. It’s inexpensive (relatively speaking) and it’s fairly easy to manage, all while being quite good at what most users need.
If I were to do it again, I’d skip the enterprise 48. It was much more expensive than the “pro” line, which would have been adequate (no 2.5G on the pro), or even the basic 48 PoE, which only has layer 2 (VLANs). I specifically bought the enterprise so it could do this and simply put, it doesn’t. I can force it to work, but I have to do the routes every time the unit restarts. It’s a huge pain.
If you’re only going to use ubiquiti for wifi though, have at it. It’s quite good. A bit basic IMO, but I’m used to Cisco aeronet, which is above most people’s heads with the options you can set. Ubiquiti is a good balance.
Yeah, I’m planning on three VLANs, each based on a WiFi SSID, but also with Ethernet plugs as well:
IOT - no access to anything outside the VLAN
VPN - my state has stupid laws, so this will just VPN to the next state over
Everything else - guests, etc
My home lab/NAS (same box for now) would be on 1 & 3, personal devices on 2. Then everything is assigned a VLAN based on SSID or physical network port. I’ve considered a fourth as a guest network (so internet only, no other devices), but that’s not common enough yet to worry about.
And yeah, the Ubiquiti controller software is annoying, and there’s no way I’m signing up for their cloud nonsense. But it works.
Sounds like a solid plan. If you want to discuss any particulars, I’m happy to discuss more, however, since it seems like you have a good grasp on what you’re after, I don’t really have a lot to add here.
I use a Mikrotik router, so it probably does. I’ll have to check it out. I assume it can do SNI-based routing just like haproxy, but if not, I’ll have to move haproxy to my LAN and just do a TCP tunnel in my VPS.
But yeah, doing this and internal DNS should make for a more robust system, thanks for the breakdown.
I work with this stuff professionally. I personally enjoy mikrotik. Not sure how to hairpin NAT on it off the top of my head, though I’m sure it can be done.
I usually use a business firewall as my gateway. Nothing wrong with mikrotik at all, it’s all personal preference. I think this is the first time I’ve heard of someone using a tik in the wild who isn’t running an ISP.
Yup, I was looking for an inexpensive, enterprise grade router, and 5 port Mikrotik was just the right size and price. I like playing with networking stuff.
The next project is getting a WiFi network with a VPN configured at the router level, as well as a WiFi network with no access to the rest of the network. I use a Ubiquiti AP, so it should be feasible.
I used to manage the network at my last job, a startup, but I’m not in IT, I’m a software engineer who gets into a lot of adjacent stuff.
That sounds familiar. My official job is more system administration, but networking is my one true love… At least in terms of work and interests.
Ubiquiti makes pretty good wifi gear. If I’m not mistaken you’ll need a controller running 24/7 to ensure that roaming and stuff works, but IMO, that should always be the case. When I’m doubt, there’s always the cloud key.
Ubiquiti wireless supports VLANs, so you should be good there, if it’s just going to be another SSID on your WiFi. I help run an ubiquiti network at home, we have two main LANs. My network is comprised mainly of Cisco stuff, but I’m using a sonicwall for my gateway, the other network here is entirely ubiquiti, UDM Pro, unifi PoE switches, unifi access points (about 4 right now, mostly for speed/density, though that network only has about 30 devices on it at any given time). The UDM acts as the network controller/manager. I don’t love it because the routing is not where I’d like it to be (in terms of features and capability). Prime example is that I’ve been pushing into L3 switching and for that net we got an enterprise 48 PoE, which can do 2.5G with PoE+ on all ports, and has a slew of additional features including L3 switching. On my side I have a Cisco catalyst 4948, which is connected to the enterprise 48 on a 10G link, I wanted to use the 10G link for device to device routing. On the Cisco, everything worked like clockwork. On the ubiquiti side, you can define routes, but they’re only added to the controller, which only adds them to the gateway. So traffic from my net to the ubiquiti net goes from station to switch to switch to station, and return traffic from the ubiquiti side goes from station to switch to the UDM, then to my switch, to the target station. You can manually add the routes to the enterprise 48 by cli/SSH, but as soon as the unit restarts, the config is replaced with the current config on the controller (which doesn’t include the routing information).
I did it this way because my homelab, which everyone uses in some way or another, is hanging off my 4948 on a VLAN with L3 switching. I want to avoid the overhead of having it go through the extra devices and the bandwidth limits of going straight from my gateway to the ubiquiti gateway, and the enterprise 48 just won’t do it. On the control panel there’s no way to set what routes should be installed on which devices, so you’re kind of up a creek without a paddle.
I like ubiquiti, but for anything more advanced than all VLANs being handled by the gateway directly, I wouldn’t recommend it. Since most home users only need VLANs to go to the gateway at most, it’s my go to recommendation for home users. It’s inexpensive (relatively speaking) and it’s fairly easy to manage, all while being quite good at what most users need.
If I were to do it again, I’d skip the enterprise 48. It was much more expensive than the “pro” line, which would have been adequate (no 2.5G on the pro), or even the basic 48 PoE, which only has layer 2 (VLANs). I specifically bought the enterprise so it could do this and simply put, it doesn’t. I can force it to work, but I have to do the routes every time the unit restarts. It’s a huge pain.
If you’re only going to use ubiquiti for wifi though, have at it. It’s quite good. A bit basic IMO, but I’m used to Cisco aeronet, which is above most people’s heads with the options you can set. Ubiquiti is a good balance.
Yeah, I’m planning on three VLANs, each based on a WiFi SSID, but also with Ethernet plugs as well:
My home lab/NAS (same box for now) would be on 1 & 3, personal devices on 2. Then everything is assigned a VLAN based on SSID or physical network port. I’ve considered a fourth as a guest network (so internet only, no other devices), but that’s not common enough yet to worry about.
And yeah, the Ubiquiti controller software is annoying, and there’s no way I’m signing up for their cloud nonsense. But it works.
Sounds like a solid plan. If you want to discuss any particulars, I’m happy to discuss more, however, since it seems like you have a good grasp on what you’re after, I don’t really have a lot to add here.
So with that, I’ll bid you a good day.
Good luck, and I wish all the best for you.
Just hearing that someone who does this professionally thinks it’s reasonable is good enough. :)
Thanks for the discussion and the wealth of information you shared.