I upgraded all of my home networking equipment

I recently upgraded all of my home networking equipment, and I thought the reasoning and setup were interesting enough to justify writing a blog post about it.

Here I will only cover the actual networking stack; if you want to know which devices I have plugged into it, check out the separate "My Home Automation Setup" post which goes into more detail on that.

Why upgrade?

For over a decade, my home network was powered by nothing more than one of those consumer-level ASUS routers you can buy in any electronics store. While they work fine, two things started bothering me over time:

  • Inflexibility: As these routers/switches are designed to be plug-and-play, there is little to no support for more complex network configurations such as VLANs. This can result in an insecure home network, particularly if you’re like me and have lots of untrustworthy IoT devices connected to it like an Alexa or those god awful modern smart TVs that are essentially spyware.
  • Performance: Even though my router had several gigabit Ethernet ports, in practice I would get considerably less than that simply because the router itself was not powerful enough to handle that load efficiently.

The choice

I chose to go all in on Ubiquiti hardware for a simple reason: I wanted something that was designed for power users, but that also didn’t have too much of a learning curve. While I usually fit the criteria of a mega power user for this type of stuff, modern networks are extremely complicated, so I preferred to stop somewhere in the middle of the curve to avoid the stress of being unable to use the internet due to misconfigurations.

The hardware

By the way, before starting, I would like to note that this setup is extremely overkill for the average home network! I went for this simply because I thought it was cool, so if you’re reading this because you’re looking for equipment recommendations, keep in mind that something considerably less powerful would most likely already do the trick for you.

Router: Cloud Gateway Fiber

For the router, I chose the Cloud Gateway Fiber as this router is a complete bargain for what it brings to the table. Not only does it have three 10 Gbps ports (one of them being RJ45), including for WAN, it even has a PoE+ port that can power an AP. Usually something like this would be extremely expensive, but for some reason it just… isn’t, and I guess the market agrees, because finding one of these is a massive challenge. They are constantly sold out almost everywhere as of writing.

AP (WiFi): U7 Pro XG

For the AP, I chose the U7 Pro XG, which is a WiFi 7 router with support for the 6 GHz band. This thing even has a 10 Gbps uplink for some reason which I can’t even use as the PoE+ port on the router is “only” 2.5 Gbps, but it was a very cheap upgrade compared to the regular version, so it seemed like a no-brainer. Luckily I do have WiFi 7 devices around already (the newest iPhones), so I can and am already making use of it.

Switch: Flex 2.5G

Since I had lots of devices connected directly to the router via Ethernet, I chose to also get the Flex 2.5G switch, particularly because it has the same SFP+ port that the router has, allowing me to connect the two via fiber and get a clean 10 Gbps connection between them.

Extra: Pi-Hole

One piece of hardware that was not part of this upgrade but that is worth mentioning here is a simple Raspberry Pi 3B running Pi-Hole and my own recursive DNS server (via Unbound) for ad-blocking and privacy reasons. I only enable it for my phone and computer, however, to prevent guests from having issues with it, as it makes navigating certain websites slightly harder (Google included, because it wraps almost everything in sponsored ad links, which the Pi-Hole will reject).

I currently use Tailscale to access the server remotely, but am looking into migrating this to my router's built-in WireGuard functionality.

The setup

Now comes the part that is the other reason why I wanted to do this upgrade: allowing for more complex network setups.

Today, my network consists of a combination of “regular” devices (like my phone), servers, and random IoT devices. To connect these effectively and securely, I went for the following setup:

  • VLAN1: Management
    • Contains only the Ubiquiti hardware. Has full access to everything.
  • VLAN10: Trusted
    • Phones, computers, and my “trusted” local servers (Pi-Hole and Home Assistant). These have mostly full access to everything, apart from gateway / admin console access, which I have restricted so that only certain devices can reach it.
  • VLAN20: IoT
    • Everything home automation related, like smart switches, my Alexa, my dashboard tablet, and this sort of stuff. This VLAN is completely locked down from everything. It has no internet access, and the devices cannot even contact each other (enforced via Wi-Fi client isolation). They are only allowed very specific IP+port exceptions that I control at the firewall level, such as allowing some of the devices to send information to my Home Assistant for automation purposes.
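A small policy model of the three-VLAN segmentation above, written as an added example (it is not part of the original post and is not a UniFi configuration). The subnets, addresses, the admin-console ports and the Home Assistant port 8123 are assumptions; the model decides new connections only, since return traffic is handled by the stateful firewall.

```python
"""Model of the Management / Trusted / IoT segmentation described above."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample addressing: one /24 per VLAN (assumed, not from the post).
VLANS = {
    "management": ip_network("10.0.1.0/24"),
    "trusted": ip_network("10.0.10.0/24"),
    "iot": ip_network("10.0.20.0/24"),
}
GATEWAY = ip_address("10.0.1.1")             # router / admin console (assumed)
ADMIN_PORTS = {443, 22}                      # console access (assumed)
HOME_ASSISTANT = ip_address("10.0.10.50")    # trusted-side server (assumed)
ADMIN_DEVICES = {ip_address("10.0.10.20")}   # the few devices allowed at the console
# IoT pinholes: (source device, destination, protocol, destination port)
IOT_EXCEPTIONS = {
    (ip_address("10.0.20.31"), HOME_ASSISTANT, "tcp", 8123),
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def vlan_of(addr):
    """Name the VLAN an address belongs to, or 'internet' if none matches."""
    for name, net in VLANS.items():
        if addr in net:
            return name
    return "internet"


def allowed(flow):
    """Return True if a new connection is permitted by the segmentation policy."""
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    sv = vlan_of(src)
    if sv == "management":
        return True                          # full access to everything
    if sv == "trusted":
        # Everything is reachable except the gateway's admin console,
        # which only enumerated devices may open (DNS/DHCP still pass).
        if dst == GATEWAY and flow.dport in ADMIN_PORTS:
            return src in ADMIN_DEVICES
        return True
    if sv == "iot":
        # Default deny: no internet, no lateral traffic, only the pinholes.
        return (src, dst, flow.proto, flow.dport) in IOT_EXCEPTIONS
    return False                             # unsolicited inbound from the internet
```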

For Wi-Fi, I have two SSIDs:

  • An IoT one, which connects to the IoT VLAN. It only supports 2.4 GHz and has somewhat low security protocols for compatibility reasons (which is fine, as anything that connects to it is completely isolated by default).
  • A “regular” one, which connects to the Trusted VLAN. Uses WPA3 and is tweaked for maximum performance and all of the latest WiFi features like MLO.

Some people also set up a third “Guest” VLAN and SSID for visitors which is completely isolated from everything else, similarly to the IoT one, but I chose not to do so because it breaks things like Chromecast and AirPlay (I’m sure you can set up firewall rules for this, but it seemed too complicated so I chose not to bother). It would also add more overhead to the AP, which I would like to avoid.

In short, I’m very satisfied with my hardware and setup choices. As I mentioned above, this is all extremely overkill for what I actually use my home network for, but since it resulted in me learning more about networks and having a safer, more powerful and future-proof network for all of my devices, I’m very fine with that :)