22 Nov 2022 03:07 PM
Your problem is really the Omada controller - if you can't get a TP-Link (Omada supported) router which supports DHCP Opt61 then there's little to no point going full TP-Link as much of the SDN stack simply won't work.
It's much like Unifi was before they finally supported Opt61 - you had to mess around with gateway.json files to get the router working. NB - I wouldn't recommend Unifi/UI these days as their APs are overpriced garbage and switches are bug-ridden piles of junk (everyone who was any good left UI many years ago). Note that I have installed hundreds of commercial Unifi/UI systems in the past but it's impossible to justify using them other than for their AirMax kit now. IMHO they never recovered from being scammed out of millions and their owner buying a US sports team.
Personally I gave up on SDN stacks with Sky and now use a Mikrotik router (you can configure them for literally anything) with a couple of QNAP 10Gbit switches and a TP-Link EAP660HD. I don't get the nice eye-candy/pane of glass interface but it does the job well and isn't a total lottery when updating firmware/software (hi again Unifi!).
YMMV of course.
22 Nov 2022 03:31 PM
This is great advice Mr+Slant,
So I should go for these?
Is it possible to have pfSense installed to run all this, and can I depend on the Mikrotik to do all the work for me even when the PC is turned off?
I hope to be adding more IoT devices and other security features such as IP cams later on.
22 Nov 2022 04:40 PM - last edited: 22 Nov 2022 04:43 PM
I'd suggest you buy a Mikrotik router which is somewhat more "future-proof" than that.
For example I bought a CCR1009-7G-1C-PC which frankly pre-Brexit wouldn't have been my first choice but it's currently quite difficult to source Mikrotik kit from within the UK. I'd have preferred an ARM-based CPU but Tile-based CPUs are capable enough for this application if a bit more power-hungry due to their age. I wasn't prepared to wait 4-6 months for an ARM-based router to come into stock or order it from the EU (customs duty/possible returns issues) is all.
As you can see here - https://mikrotik.com/product/CCR1009-7G-1C-PC#testresults - it ought to be fine for any BB domestic service I'm likely to have available to me in the next few years. NB - every port on the CCR1009 is capable of routing or bridging, unlike most consumer "routers" where you only have one or two "WAN" ports.
https://mikrotik.com/products/group/ethernet-routers is the best place to have a browse through their products - take note of the test results to ensure it's suitable for your needs.
You aren't going to be putting pfSense on Mikrotik kit - RouterOS is FAR more capable and is compiled for the hardware by Mikrotik (there are updates on the stable channel several times a year).
Re your other queries - the EAP660HD is very stable on latest f/w (stays up until you reboot it, hasn't ever crashed); the QSW-M408-4C switches likewise (I have VLANs/port bonding active) and the Mikrotik router is exactly as you'd expect - rock solid 4 9's reliability (if it crashes/reboots it's because you've screwed up rules). No experience of the outdoor TP-Link AP so can't advise on that.
NB - there can be a fairly significant learning curve on some Mikrotik routers depending on your existing networking knowledge. They're not consumer devices although a quick search on the Mikrotik forums/elsewhere will give you basic IPv4/IPv6 configs which are secure.
22 Nov 2022 06:14 PM
Blimey!
I really appreciate the time and effort you put in to make me understand better.
If it's not too much to ask, how have you set up your system?
I will definitely read up on the Mikrotik website and watch countless YT vids and articles related to these products and functionality, especially the test results, and get to know what these hardware devices can actually do for the needs of what I would like them to do.
Now knowing SDN stacks are not really an option, especially for a noob like me, brings me some hope that I may be able to order a few devices to monitor the traffic etc.
What I'm essentially trying to do is have a system that can detect any abnormal traffic, warn me of any potential threat by sending me notifications via smart phone and allow me to manage control instantly and stop people snooping on my network.
Not sure if any firmware can do this with mikrotik or if they have their own GUI that helps with this.
But ya, gonna have to really do my homework ><
23 Nov 2022 09:00 AM
You can use Suricata to achieve some IPS/IDS functionality although for a domestic scenario IPS/IDS is a total waste of time and resources (IMHO) - you'll simply end up with nothing being flagged other than the very occasional false positive. IPS/IDS is only worthwhile when you have a very large network and a lot of BYOD clients. Even then the vast majority of alerts will be false positives.
https://forum.mikrotik.com/viewtopic.php?f=2&t=111727 discusses Suricata "integration" with Mikrotik routers.
In terms of notifying you on your phone you'd need a method to push messages to it. Could be an email to SMS service of which there are many, so you'd need to do your own research as to what services would suit in terms of cost and functionality.
23 Nov 2022 09:36 AM
Thank you so much for your time and effort Mr+Slant
23 Nov 2022 10:41 AM
Oh and in terms of "setup" the answer is that it'll vary depending on the router model and what you want to do.
In very broad terms you pick a port and define it as a WAN (eg Sky_WAN), define some other port/ports as "Local" (ie on your LAN), create a bridge between the Sky_WAN and Local ports and put in place whatever routing/firewall rules you require. There are various guides around to setting up a set of firewall rules for an IPv6 /56 PD (which Sky use) as obviously there's no NAT on a proper IPv6 setup.
Eg I have the "Combo" port defined as the Sky_WAN, another port defined as Local, another port defined as a WAN for a 4G failover and some other ports setup as global IPv4 connections (I have a block of IPv4 addresses from another provider connected via L2TP tunnels over the Sky connection).
Regarding DHCP Opt61 - you'd select the IP/IPv6 DHCP client settings and create Option 61 clientid and clientid_duid entries with the hex string which equates to the abc123@skydsl|abc123 string Sky expects to see. You don't need to convert it to hex, just enter it as 'abc123@skydsl|abc123' and the router will convert it automatically.
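To make the "router converts it automatically" step concrete, here is an added example (not from the post above, and not Mikrotik's or Sky's code) that does the conversion by hand: it turns the client-id string into the hex form that Option 61 guides usually quote, wraps it as a DHCP Option 61 TLV, and parses the option back out of a raw DHCP options field so the value a router actually sent can be checked against what was configured. It assumes the value is sent as the raw ASCII string with no leading hardware-type octet, which is what the post describes; RFC 2132 also allows a leading type octet (0 for non-hardware identifiers), so a capture of the real DHCPDISCOVER settles which form a given router emits. The `abc123@skydsl|abc123` value is the post's placeholder, not a real credential.

```python
"""Build and parse DHCP Option 61 (Client Identifier) values.

Added worked example; the sample bytes and the client-id string
are constructed and mirror the placeholder used in the forum post.
"""
from typing import Optional

OPT_PAD = 0          # RFC 2132 pad option, single byte, no length
OPT_MSG_TYPE = 53    # DHCP message type (used only in the sample blob)
OPT_CLIENT_ID = 61   # Client Identifier
OPT_END = 255        # end-of-options marker, single byte


def client_id_bytes(client_id: str) -> bytes:
    """Raw value bytes of Option 61 for a text client id (assumption:
    no leading hardware-type octet, i.e. the string as-is)."""
    value = client_id.encode("ascii")
    if not 1 <= len(value) <= 255:
        raise ValueError("client id must be 1..255 bytes")
    return value


def client_id_hex(client_id: str) -> str:
    """Hex string of the raw value, the form guides usually quote."""
    return client_id_bytes(client_id).hex()


def encode_option61(client_id: str) -> bytes:
    """Full TLV: code 61, one length byte, then the value."""
    value = client_id_bytes(client_id)
    return bytes([OPT_CLIENT_ID, len(value)]) + value


def find_client_id(options: bytes) -> Optional[str]:
    """Walk a DHCP options field and return the Option 61 value as text,
    or None if the option is absent. Handles pad and end markers and
    rejects truncated options rather than reading past the buffer."""
    i = 0
    while i < len(options):
        code = options[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(options):
            raise ValueError("truncated option header")
        length = options[i + 1]
        value = options[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        if code == OPT_CLIENT_ID:
            return value.decode("ascii", errors="replace")
        i += 2 + length
    return None


# Constructed sample options field: message type DISCOVER (1), two pad
# bytes, the Option 61 TLV from the post's placeholder id, then end.
SAMPLE_OPTIONS = (
    bytes([OPT_MSG_TYPE, 1, 1])
    + bytes([OPT_PAD, OPT_PAD])
    + encode_option61("abc123@skydsl|abc123")
    + bytes([OPT_END])
)

if __name__ == "__main__":
    print("hex value :", client_id_hex("abc123@skydsl|abc123"))
    print("TLV bytes :", encode_option61("abc123@skydsl|abc123").hex())
    print("parsed id :", find_client_id(SAMPLE_OPTIONS))
```

If you are configuring the option by hand on a device that wants the hex form, compare its output with `client_id_hex(...)`; if you want to confirm what the router really sends, feed the options field from a packet capture of its DHCPDISCOVER into `find_client_id` and check the value (and whether an extra type octet precedes it) against the string Sky expects.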
22 Jan 2023 08:38 PM
Hi Mr Slant,
Happy new year!
Sorry for the late reply,
I have sent you a private message regarding setting up a similar network like yours and would be extremely grateful if you could help me out with step by step hardware and software needed or anything regarding TP-Link Omada setup.
The info you gave me for Sky I still have not had a chance to do because I sent back the TP-Link equipment through a fit of depression.
I will buy them all again but if you could help me along the way I would be indebted to you.
Thank you