The secure, upscale network in the single-family house

Ubiquity recently added the UniFi Dream Machine Pro to their product line. It has many useful features at a very good price.

Come by sometime ..... there are some freebies for that

Since you yourself are an IT specialist, first define your requirement (Lastenheft). At this point in time, the selection of devices or the number and communication of the networks among each other is secondary; all of that results from your requirements (Pflichtenheft).

What exactly are your requirements? What do you want to operate in your network? If it's just about some surfing/streaming + printer + NAS, to be honest, I don't see why you should make it so complicated. I am also an IT guy, but at home it's nice when things just work and you don't have to configure much.

Since you are an IT guy yourself, first define your requirement (specifications). At the moment, the choice of devices or the number and communication of the networks among each other is secondary, that all results from your requirements (requirements specification).

Good point. And at the same time the crux. The requirements are not really fixed yet. Hence, I'm interested in what you have implemented and why. Kind of as a source of ideas. The only thing that is clear so far is that I want to segment the network for the usual suspect areas and it has to be compatible with Magenta TV, keyword IGMPv3.

We also have a switch with a 10GB uplink to the utility room on the upper floor. I'm not a fan of Wi-Fi, so we have pretty much run cables everywhere. I distributed almost 20 duplex sockets over two floors. On the ground floor utility room and the upper floor storage room, there is a patch panel with a switch each. In the utility room, there is also a NAS and various other stuff (FritzBox, Homematic central unit, Raspberry Pi, 3D printer, etc.). This way I have everything in one place and my wife doesn’t have the "ugly devices" cluttering the house. The smart home devices will get their own VLAN, you never know how much those things spy around.

Much depends on what you want to achieve, how well you know your way around, and what budget you have in mind. For me, if you are knowledgeable, definitely VLAN separation makes sense. Guests of course have no business on the regular network. Insecure devices (various smart home devices with cloud connect or TVs, TV sticks, etc.) also have no place in the network with my "private data."

If you don't want various services to communicate outside, a firewall is important. This ranges from OpenWrt (more of a "router+") to OPNsense or similar open-source providers to Sophos UTM/XG Home. (With version 18, I would now rather use XG instead of UTM). With a firewall, you can then also map many things depending on your needs. Transparent web proxy (unfortunately increasingly important – with SSL scanning), so that less experienced users do not accidentally download malware. Mail proxy if you want to store your mails directly on a home server. Routing between VLANs (the camera is only allowed to access the CIFS share and get the time from the firewall (or the video server accesses the camera), and the TV stick may only connect externally via http/s, possibly only to the Netflix servers, IPS, etc.). Much is possible if you want. How useful it is remains to be seen. The more you "secure," the more time you need to invest – also in maintenance and troubleshooting.

A dedicated server – with Windows 10 as "server OS," Server 2019 Essentials, Linux systems, NAS systems (Synology or QNAP), or also open-source NAS systems – and all that on whatever hardware, Raspberry or small Intel Atom motherboards up to real server motherboards with Intel Xeon CPUs or HP/Dell/... tower servers. Here the question is also what exactly you want to cover. If you want to run several virtual machines, productive VMs and test/tinkering/play VMs, you immediately need significantly more power than if you just want a small TV server for recording and watching TV (e.g., DVBViewer/TVHeadend) and maybe OpenHab or ioBroker, etc. (possibly as a Docker image). How much storage you want to accommodate would probably also be an important question.

There are also many possibilities for WLAN solutions. Currently, I would say you are generally best off with Unifi access points or Ubiquiti solutions. The price/performance ratio is simply right here. For me personally, no other solutions would be an option at the moment. Whether you then want Unifi AC APs or Amplifi – again a decision depending on what you might want to do with it in the future or what else you have planned for the network.

In the network area itself – many people who are already using Unifi also use switches from them. One interface is easier to manage than many individual interfaces, which also behave differently. However, some switch models also get quite warm – the environment should match the switch here. Because of the VLANs, you need a manageable switch anyway. Whether you then take the Unifi or a cheaper Netgear or, of course, other manufacturers like HP/Cisco etc. is also a question of budget. Possibly "old" switches are thrown out from a company and you get a suitable enterprise model for free or cheaply. You really don't need that at home though... PoE support directly in the switch can be very useful if the devices also support PoE (e.g., the APs). This way you don't need an additional power supply or adapters between the switch and patch panel.

If one knew a bit more about how big the budget should be or exactly what you plan to do, one could possibly address your case more specifically and give an opinion. Possibly a Raspberry with a FritzBox is enough for you at the beginning and it develops gradually from there.

The more you get involved, the more sources of error there are.