Beyond using Opnsense on whatever box you want for your router, what networking hardware do you use? Unifi? Microtik?
I don’t the idea of Unify because their software gives them so much visibility and access behind my firewall. But maybe I’m overreacting? I heard microtik was good. I need to upgrade my managed switch and thought I’d take the opportunity to check in with you all to see what you like (and what you don’t like).
Beyond using Opnsense on whatever box you want for your router, what networking hardware do you use? Unifi? Microtik?
I use Ubiquity for switch and AP.
I don’t the idea of Unify because their software gives them so much visibility and access behind my firewall. But maybe I’m overreacting?
Yes you are, because you can just deactivate the cloud and all things run locally.
While you set up your Ubiquity setup you get asked if you want to locally continue or login to the cloud.
I understand the convenience of network auto-configuration, that comes with UniFi devices.
But to bring an analogy, the reason why I am favoring Linux over macOS is to have control over my operating system, not letting a third party manage settings and risk getting enclosed in a wallet garden ecosystem. Sure, there is a learning curve - but gaining basic networking knowledge IMO always is a good investment.
Why does UniFi setup even ask for a cloud option with regards to a low-level network switch? Personally this is a red flag on its own, as the promise of running everything locally is not provable due to closed-source, proprietary software, residing in similar league as “we value your privacy” statements. Besides, reliance on some separate, proprietary controller software (with so much power) doesn’t feel right to me neither.
I’d recommend to just use opensource software/FOSS where possible, such as OPNsense for the routing/firewall layer and OpenWrt for access points. Then, from privacy perspective it shouldn’t matter that much, what is used for link-layer/switch devices (MikroTik seems good choice though), since their outgoing connections (if any) are restricted by your FOSS network firewall. IIRC this is different to UniFi, where controller software has extensive permissions to configure link and routing layer.
I’d recommend to just use opensource software/FOSS where possible, such as OPNsense for the routing/firewall layer and OpenWrt for access points.
This is my current setup. Opnsense is just on a simple Protectli box. I need a managed switch though. So I came here to ask around.
I was leaning toward the Microtik CRS328-24P-4S+RM but if other people here have gear that they like, I would love to hear about it.
Edit to add:
Then, from privacy perspective it shouldn’t matter that much, what is used for link-layer/switch devices
True, but I need to create a number of different internal networks for network isolation. So it’s not that I need more ports, but need to isolate the homeassistant stuff from the personal machines from the work machines. I could do all of this in opnsense but it is beyond cumbersome to manage it all. As you said, using closed source software makes me nervous, so I’m here.
No experience with it but SPR[0] has been on my consideration list. Open-source software. Hardware might be also but not sure. Seems to have some cool security features. Each device gets its own subnet.
But it’s also a small project and I’d hate to get stuck with something that gets abandoned.
@debsidian Your reasoning is perfectly fine. I should have added, that I commented on
The usual solution is to use OPNsense or other machine as VLAN router/firewall, then buy some cheap managed switch(es) to connect devices to their intended VLANs, and connect switches to router via trunk port. VLAN requires a bit fumbling initially, but OPNsense config itself is not that hard to do. So maybe give it a try. An alternative would be L3 managed switches, but opensource is rare to find here.
Idea sounds cool. But can’t you just assign separate SSID/VLAN per device e.g. in OpenWrt?
But to bring an analogy, the reason why I am favoring Linux over macOS is to have control over my operating system, not letting a third party manage settings and risk getting enclosed in a wallet garden ecosystem. Sure, there is a learning curve - but gaining basic networking knowledge IMO always is a good investment.
The analogy with apple is not bad imho, but one thing should be mentioned. You still need to set up the switch and AP, it isn’t autoconfigured.
And if you have a bigger setup it might even be more complex than a switch from Aruba for example.
Why does UniFi setup even ask for a cloud option with regards to a low-level network switch? Personally this is a red flag on its own, as the promise of running everything locally is not provable due to closed-source, proprietary software, residing in similar league as “we value your privacy” statements. Besides, reliance on some separate, proprietary controller software (with so much power) doesn’t feel right to me neither.
It does not.
For that I need to explain how Unifi works. You have your unifi devices, the switches, the APs, the firewalls, the routers, the cameras etc. All of them can not be configured standalone. You need a management server called UnifiOS. You can buy an Unifi gateway which has this server pre-installed or self-host it on a VM, barebone or LXC. Docker might also be possible, though you need to create your own docker image.
This management console, will then connect with the devices, save logs and let you manage the devices.
While you set up the management console you can choose between local-only or cloud.
The cloud provides three features that are not working in local-only (daily backups to the cloud, that you can access it from a smartphone app and threat-intelligence¹).
So the switch does not need or want a cloud connection, the management console asks if you want one on the first setup of it.
1: For Threat-intelligence you must have a cloud and this feature is only useful if you have a firewall from Unifi.
I’d recommend to just use opensource software/FOSS where possible, such as OPNsense for the routing/firewall layer and OpenWrt for access points. Then, from privacy perspective it shouldn’t matter that much, what is used for link-layer/switch devices (MikroTik seems good choice though), since their outgoing connections (if any) are restricted by your FOSS network firewall. IIRC this is different to UniFi, where controller software has extensive permissions to configure link and routing layer.
Not really the Unfi devices as well as the UnifiOS are behind my OPNSense, so I can still deny everything. And they have the same possibilities as MikroTik.
Thanks for that explanation @Onscreen5341 , not that well versed with Ubiquiti devices.
I still would have pain in the gut letting a proprietary app manage all my network configuration. The fact, it can be self-hosted does not supersede, that this app is closed-source and not verifiable. Basically a binary blob for network administration.
It probably comes down to the FOSS vs. proprietary software debate and whether you put enough trust in a California-based technology company not trying to sell your data. Controller software also becomes a single point of failure from security perspective.
Sounds like a good compromise, if you have a more complex network setup, want some management convenience and still have a gatekeeper at the end. For simpler cases I just would just omit Ubquiti stuff and use VLAN switches with a FOSS firewall solution.
Coming back to OP question: Apart from VLAN, do you have specific requirements for those switches?
… so you’ve got some bigger network to manage?
I use Gl.iNet routers: 2 Flint v2 and 1 Spitz AX. They act as switch and as extender simultaneously.
But my cable network not so big, so can afford such setup. If something, main internet gateway is Spitz AX over cellular. Than it go two Flint v2.
I still would have pain in the gut letting a proprietary app manage all my network configuration. The fact, it can be self-hosted does not supersede, that this app is closed-source and not verifiable. Basically a binary blob for network administration.
Does this not apply to MikroTik too? Their switches are proprietary too, right?
… so you’ve got some bigger network to manage?
Mostly PoE requirements, high-speed data transfer for video and lots of wired devices. I strongly prefer wired ethernet over WiFi for stability reasons. Family + homelab + work = lots of stuff. Buying (and learning to use) good, reliable networking equipment has always been an investment that has paid dividends.
You are right, Microtik sofware is proprietary too. I don’t see one as good and one as bad. I actually set up the cloud-based version of unifi for my cousin. It was the full setup with router and everything. There was a lot of automation which was good but a lot of abstraction which would have been fine but since things like adblocking are mostly abstracted, it is just a simple yes/no selection, which I found annoying. If you’re used to adguard home, pihole, pfblockerng, etc., then the binary-ness of that is a tough pill to swallow.
I assume that’s just for the router and not switches or ap’s but i wouldn’t know what they’ve abstracted unless i learned about it first somewhere else (like with microtik?).
But sometimes I overthink this stuff lol.
UDM Pro and UniFi switches/APs.
Beyond using Opnsense on whatever box you want for your router, what networking hardware do you use? Unifi? Microtik?
I don’t the idea of Unify because their software gives them so much visibility and access behind my firewall.
Welll, it’s unifi, lol. It does not feel like the most private option, but for my home router I’m most concerned about automatic security updates and avoiding the possibility of incorrectly configuring something. For a wireless AP the basic express 7 is good for both of those aspects. Other services can go offline until I fix them if necessary, but I want this working nonstop since this is my sole routing device as well as the WAN firewall.
Onscreen is right that you have a lot configuration options to customize it and don’t have to have everything cloud enabled. And sace is right about openwrt/opensense being the “best“ option (if you can handle the configuration and maintenance).
You can install NextDNS via the CLI which is nice. So my whole house runs through it.
I use an old HP JG924A with OpenWrt on it.
This is an area of active investigation for me so I can’t say. If OpenWRT can do it that’s useful information.
Yes, true. But as said, with a bare network switch like from MikroTik, proprietary software at least is limited to that device and isolated within networking layer/L2. Let’s assume this thing stolidly wants to blow out telemetry to its company or even do malicious things, then it still would need to travel through your IP router / L3 gateway. I.e. this traffic still can be monitored and blocked.
In contrast UniFi controller controls both L2 and L3 via auto-configuration - you basically put all networks eggs in one basket and let third party manage own network (if not having an additional outer firewall as you did).