
Redoing all my home networking - msh
https://blog.jessfraz.com/post/home-lab-is-the-dopest-lab/
======
CommieBobDole
I've found that the home lab is a great place for cast-off corporate equipment
either bought from ebay or scrounged from data center upgrades. Mine,
assembled at little to no cost, consists of:

42u IBM-branded cabinet

Cisco ASA 5510 firewall

Dell R610 running ESXi

Old Dell 2950 full of 2TB drives running FreeNAS

Cisco 'Small Business' 50 port managed switch

A couple of 4U server cases containing the guts of obsolete gaming systems,
repurposed as assorted servers

If you've got the space and can deal with the noise, I can't say too many good
things about the R610s - available dirt cheap, and though they're about four
generations old at this point, still perform decently since Intel/AMD have,
until recently, pretty much stagnated on CPU performance.

Luckily I have a basement.

~~~
mentos
Someone shared this website with me a while back to find used servers on ebay
[https://www.labgopher.com/](https://www.labgopher.com/)

What do you think of that?

I am trying to put together a render farm where I need a lot of parallel CPUs
to run Unreal Engine Swarm [0] but I just don't have the time or experience to
execute on it. My goal is 16 Xeon chips across maybe 8 'boxes' to get to
around 64/128 cores.

Anyone know where I could look to find someone I could contract to put
something like this together?

[0] -
[https://docs.unrealengine.com/udk/Three/Swarm.html](https://docs.unrealengine.com/udk/Three/Swarm.html)

~~~
AlphaSite
Have you looked into one of these guys [1]? They go for ~800USD for 16/32
cores/threads. You can get a good high-end build for ~1500USD. It behaves like
a modern system with good power profiles and single threaded and multithreaded
performance.

Or dual epyc for a single box 64/128 system?

[https://www.newegg.com/Product/Product.aspx?Item=N82E1681911...](https://www.newegg.com/Product/Product.aspx?Item=N82E16819113447)

~~~
mentos
I had done some very basic research on it and found that the performance for
the 'Lightmass' program used in Unreal Engine called Swarm was not ideal
[https://forums.unrealengine.com/community/off-topic/1388243-...](https://forums.unrealengine.com/community/off-topic/1388243-ue4-dev-rig-threadripper-1950x-or-i7-8700k)

From that thread: "Definitely not the threadripper - there were some
benchmarks scattered around in other topics and it's actually slower at
compiling and lighting builds than my 7820X, while costing more to build a
system with."

But not sure if I should trust those opinions from the dev community as the
benchmarks aren't too sophisticated.

I'll continue doing more research on those thank you! I think dual epyc could
be interesting for the cost.

------
wyc
One of my favorite pieces of equipment in my home lab has to be an APU2
running OpenBSD as a router. It's cheap, feels solid, and pf lets me configure
complex network routing rules with quite a nice interface. Hasn't choked yet.
IPsec built into the OS!

[https://www.pcengines.ch/apu2.htm](https://www.pcengines.ch/apu2.htm)

~~~
chrissnell
Can that APU2 do filtering at full wire speed on those 1Gb NICs? In my
experience, many of the smaller SBPC routers can't keep up. I'm running a
Netgate 4860 at home and it keeps up with my gigabit fiber connection but
several of my previous attempts would not (Soekris, etc.).

~~~
lucaspiller
I also have gigabit, and in my research it seems that the APU2 tops out around
600mbit. Newer hardware like the Celeron 3855U should handle gigabit fine
though.

------
walrus01
One of the best possible things you can do for your home network, if you have
the knowledge to do it properly, is to separate the functions of modem, router
and WAP into three separate devices. The cablemodems provided by Comcast,
Charter and others that have built in NAT and wifi are atrocious and bug-ridden
security nightmares.

Example of a basic separated setup:

DOCSIS 3.0 cablemodem that is a dumb layer 2 bridge:
[https://www.amazon.com/TP-Link-Download-Certified-Spectrum-T...](https://www.amazon.com/TP-Link-Download-Certified-Spectrum-TC-7610/dp/B010Q29YF8/ref=dp_ob_title_ce)

router good for up to a 150-200 Mbps class cablemodem connection, $50:
[https://www.amazon.com/Ubiquiti-Networks-ER-X-Router/dp/B014...](https://www.amazon.com/Ubiquiti-Networks-ER-X-Router/dp/B0144R449W)

if you want to mess around with stuff from the CLI, a ubiquiti edgerouter is
actually a very tiny debian system. their edgerouter OS is a fork of vyatta
and is developed by a team of people they hired away from vyatta when brocade
acquired them.

802.11ac 2x2 MIMO dual band WAP: [https://www.amazon.com/Ubiquiti-Unifi-Ap-AC-Lite-UAPACLITEUS...](https://www.amazon.com/Ubiquiti-Unifi-Ap-AC-Lite-UAPACLITEUS/dp/B015PR20GY)

or go for the more expensive 3x3 MIMO and 802.11ac wave2 WAPs if you really
feel the need for it.

set up the unifi controller in a virtualbox VM that runs on your laptop and
use it to do the initial setup/provisioning. bring up the VM whenever you need
to make changes.

~~~
DeltaWhy
What's the benefit of separating router and WAP vs. running OpenWRT on a
wireless router?

------
cdancette
I really like Mikrotik hardware
([https://mikrotik.com/products](https://mikrotik.com/products)) for home
routers and wireless access points. Their products are not very expensive, the
hardware is great, and the OS is highly configurable.

~~~
mbesto
How is Mikrotik's software? I find UBNT's to be excellent for someone who
doesn't want to do _everything_ via CLI.

~~~
isostatic
Some things are better via the gui (web or a windows exe that's wineable), but
I prefer ssh access.

I like the fact everything is included, ospf, bgp, pim, mpls/vpls, you name it
it's there (aside from decent user management). I used to run bgp at home but
moved to ospf recently

~~~
cdancette
Yeah it's pretty impressive to have all of those protocols included in such
"low cost" routers (less than a hundred dollars).

Why do you need bgp/ospf for your home network? Are you just experimenting?

I used to manage the network of my school campus, we connected about 1000
persons, and ospf was working great! We didn't use mikrotik though, we used
extremenetworks routers

~~~
isostatic
Multiple subnets to keep the wireless domain, wired domain, protected domains
and dmz apart. I used to run the backbone over wireless when I rented
(couldn't run cat5 through the walls), so didn't vlan everything back to a
single router.

OSPF makes it far easier to manage those, but I did use to run BGP as it made
more sense to me when I learned about routing protocols and was more forgiving
of wireless issues (which could have been me using the wrong OSPF mode to be
honest)

In addition to the normal fixed infrastructure, I have a cluster of 5 cheap
mikrotiks that I use for a little experimentation with things like failover
time, but that's mainly for work purposes.

~~~
colanderman
Mikrotik does in fact support VLAN bridging over WiFi (only between Mikrotik
devices), unless you're running in CAPsMAN mode.

When I switched to CAPsMAN, I ended up using VPLS for my wireless backbone,
thus giving me proper layer 2 isolation, without fragmentation (MPLS not being
limited by the L3 MTU).

~~~
isostatic
One goal was to keep layer 2 multicast network off wireless where possible.
Mikrotiks don't do IGMP snooping (until very recently). The wireless backbone
had to support multi-networked traffic of course, but local traffic (between a
couple of devices in one room) could be kept off the link

------
TheAceOfHearts
Looking at the Unifi controller setup, I'm a bit perplexed as to why they
would choose to use MongoDB, although I'll admit I lack experience with
everything related to networking. I'd think that using SQLite would allow for
a simpler setup while providing better performance. Am I missing or
misunderstanding something?

Does anyone have suggestions for beginner friendly guides to home networking?
My home setup is pretty hacky, and I'd love to setup something more secure as
well as improving my understanding. Right now I have an ASUS RT-AC66U router
with asuswrt-merlin, and it runs an OpenVPN server, so I can remotely access
my home network.

How do people setup their home network domain name and device hostnames? I
have the router set to update a public DDNS entry each time it connects to the
internet, and a LAN DHCP Server with manually assigned IP and hostname for
each known MAC address. This works alright for home devices, but it gets
awkward for mobile devices and laptops. How do you restrict sharing
functionality to VPN connections? Should your hostname remain the same
regardless of what network you're connected to, or should it vary?

Do you use IPv6? My ISP supports IPv6, and I had enabled it on my router for a
few months, but eventually ended up turning it off since I felt uncertain that
everything was configured securely. Am I just being paranoid?

Is it ever worth setting up a RADIUS Server for WPA2-Enterprise wireless
security? I kinda like the idea of having a centralized location for handling
authN/authZ, but the relationship between the different technologies
(Kerberos, LDAP, ActiveDirectory, etc) is pretty confusing, and nobody seems
to do a good job at explaining how it all ties together. Right now I just
generate an SSH key per device, and I import it to each device which should
allow connections. But that increases the friction of deploying home services,
which gets a bit demotivating.

What monitoring tools do people setup for their home network? Do you handle
updates manually or do you have that process automated? Every time I consider
setting up a network monitoring tool, I kinda end up going down the rabbit
hole and getting overwhelmed by the huge number of options. Many of these
tools kinda assume that the user is already familiarized with best practices
and that they know exactly what they want, which couldn't be further from the
truth in my case.

~~~
notwedtm
Just letting you know that the reason you are probably not receiving any
responses is because nearly every question you ask is either easily
Google-able, or you are asking for opinions versus facts.

Want to know if IPv6 is secure? Do research to find out. Then you will know
for sure.

~~~
aquaticsloth
This comment gives very little to the discussion. The original poster had
plenty of valid questions that are very hard to find the answers to as it's
mainly enterprise/business systems.

I would say you will have a hard time figuring anything out for yourself when
your infrastructure uses business-class solutions and is cross vendor.

------
chrissnell
Pulling your SSH keys from Github to your authorized_keys file is a terrible
idea, even with 2FA enabled on the GitHub side. You're trusting Github to
manage access to your home network and all of its SSH-able machines!

~~~
StavrosK
True, but it would be pretty nifty if there were a thing that would download
an authorized_keys file, check the PGP signature against a key I had
specified, and copy the file to the SSH dir if the signature was okay.

~~~
craftyguy
Uh, why couldn't you just sign your authorized_keys file and post it somewhere
public? Then you just literally download, verify signature, and 'import' it
(overwrite or append to existing file).

~~~
StavrosK
Yes, that's exactly what I said "would be nifty" above. I meant a client-side
bash script or similar.

~~~
craftyguy
Here's a start:
[https://bpaste.net/show/049673c13cbf](https://bpaste.net/show/049673c13cbf)

You can clear sign an authorized_keys file with "gpg --clearsign
<authorized_keys>", then just pass the resulting *.asc file to this script. It
will verify the signature and 'import' it by copying it to ~/.ssh.
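
A worked version of the workflow described above, added here as an example; it is not the bpaste script (which is not reproduced in this thread). It is a POSIX sh script that takes a clearsigned authorized_keys `.asc`, verifies it with GnuPG, and installs the payload only when the signature's primary-key fingerprint equals one pinned fingerprint, which is the "against a key I had specified" part. The demo generates a throwaway key and a fake `ssh-ed25519` line in a temporary GNUPGHOME; the key material, the user ID `signer@example.invalid`, and the function names `verify_and_install`, `demo` and `run_demo_checks` are all constructed for this example. It assumes GnuPG 2.1 or newer on PATH.

```shell
#!/bin/sh
# Added example, not the bpaste script from the thread: verify a clearsigned
# authorized_keys file against ONE pinned OpenPGP fingerprint, then install it.
# Requires GnuPG 2.1+ on PATH. Every key and key line below is generated or
# constructed at run time for the demo; none is a real credential.
set -u

# verify_and_install SIGNED_ASC TRUSTED_FPR DEST_DIR
# Writes DEST_DIR/authorized_keys only if SIGNED_ASC carries a good signature
# whose primary-key fingerprint equals TRUSTED_FPR; returns non-zero otherwise.
verify_and_install() {
    signed="$1"; trusted_fpr="$2"; dest_dir="$3"
    mkdir -p "$dest_dir" && chmod 700 "$dest_dir" || return 1
    # Temp file inside DEST_DIR so the final mv is an atomic replace.
    plain="$(mktemp "$dest_dir/.authorized_keys.XXXXXX")" || return 1
    # --status-fd 1: machine-readable status on stdout; --output: the signed
    # payload, with the clearsign armour stripped, lands in $plain.
    if ! status="$(gpg --batch --yes --status-fd 1 --output "$plain" \
                       --decrypt "$signed" 2>/dev/null)"; then
        rm -f "$plain"; echo "verify: bad or missing signature on $signed" >&2; return 1
    fi
    # "[GNUPG:] VALIDSIG <sig-key-fpr> ... <primary-key-fpr>": pin on the last
    # field, so a stray key that happens to be in the keyring authorises nothing.
    signer_fpr="$(printf '%s\n' "$status" | awk '$2 == "VALIDSIG" { print $NF; exit }')"
    if [ -z "$signer_fpr" ] || [ "$signer_fpr" != "$trusted_fpr" ]; then
        rm -f "$plain"; echo "verify: signer ${signer_fpr:-none} is not the pinned key" >&2; return 1
    fi
    # Refuse a correctly signed file that is not an authorized_keys file at all.
    if ! grep -Eq '^(ssh-(ed25519|rsa)|ecdsa-sha2-nistp(256|384|521)) ' "$plain"; then
        rm -f "$plain"; echo "verify: payload contains no SSH public keys" >&2; return 1
    fi
    chmod 600 "$plain" && mv "$plain" "$dest_dir/authorized_keys"
}

# Self-contained demo: throwaway key, sign a constructed authorized_keys, then
# exercise the good, tampered and wrong-fingerprint cases. Returns 0 if all pass.
demo() {
    if ! command -v gpg >/dev/null 2>&1; then
        echo "demo: gpg not installed, nothing to check" >&2; return 0
    fi
    work="$(mktemp -d)" || return 1
    GNUPGHOME="$work/gnupg"; export GNUPGHOME
    mkdir -p "$GNUPGHOME" && chmod 700 "$GNUPGHOME"
    rc=1
    if run_demo_checks "$work"; then rc=0; fi
    gpgconf --kill all >/dev/null 2>&1 || true   # stop the agent for the temp home
    rm -rf "$work"
    unset GNUPGHOME
    return $rc
}

run_demo_checks() {
    work="$1"
    # Throwaway signing key (constructed; signer@example.invalid is a placeholder).
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Homelab Signer <signer@example.invalid>' default default never \
        >/dev/null 2>&1 || return 1
    fpr="$(gpg --batch --with-colons --list-keys | awk -F: '$1 == "fpr" { print $10; exit }')"
    [ -n "$fpr" ] || return 1
    # Constructed authorized_keys line: the key blob is fake, only the format is real.
    keyline='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAK laptop'
    printf '%s\n' "$keyline" > "$work/authorized_keys"
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --clearsign --output "$work/authorized_keys.asc" "$work/authorized_keys" || return 1

    # 1. Genuine file, pinned fingerprint matches: installed verbatim.
    verify_and_install "$work/authorized_keys.asc" "$fpr" "$work/ssh" || return 1
    grep -Fxq "$keyline" "$work/ssh/authorized_keys" || return 1
    # 2. Signed text altered after signing (the key comment changed): rejected.
    sed 's/ laptop$/ laptop-rogue/' "$work/authorized_keys.asc" > "$work/tampered.asc"
    if verify_and_install "$work/tampered.asc" "$fpr" "$work/ssh2"; then return 1; fi
    [ ! -e "$work/ssh2/authorized_keys" ] || return 1
    # 3. Valid signature, but not from the pinned key: rejected.
    wrong='0000000000000000000000000000000000000000'
    if verify_and_install "$work/authorized_keys.asc" "$wrong" "$work/ssh3"; then return 1; fi
    [ ! -e "$work/ssh3/authorized_keys" ] || return 1
    return 0
}

demo
```

For real use, only the pinned fingerprint needs to live on each machine; the `.asc` can be fetched from anywhere (a web server, a git repo, a paste) because nothing in the host's keyring trust settings is consulted, only the fingerprint match and the payload sanity check.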

~~~
StavrosK
Looks good, thanks! Good way to update all my machines' SSH keys.

------
jonstewart
Ignorant dev here: why would I want to buy custom hardware when whatever
off-the-shelf 2013ish netgear/linksys router I have can do port forwarding and
max out my connection?

~~~
colemickens
My Netgear WND4000 was updated to a build that makes it trivial to permanently
lock yourself out of your router. In fact, it will nearly guaranteedly happen
if you install their most recent firmware update from a wireless client.

My Mikrotik and Netgear both regularly shut down when I max out my Internet
connection. I've had days where I've had to manually restart them numerous
times trying to push large docker images to AWS.

They both have spotty upnp implementations, which I need to work because there
are game consoles in this apartment and upnp is necessary to get them online
reliably. The Mikrotik's AP is pretty terrible. Doesn't even span a small 1BR
in Seattle.

Netgear's models are notorious for being vulnerable to stupid exploits even
after numerous hacky patchy series.

The most handwavey one: I find consumer routers just sorta need to be replaced
every few years.

I spent less doing the whole Unifi thing recently than I've spent on routers
and such in the last 6 years. I don't think I'll be needing to replace this
gear any time soon, and Unifi isn't really custom hardware at all. Their
non-rack-mount stuff is relatively affordable if you're willing to make a
moderate investment.

~~~
colanderman
> The Mikrotik's AP is pretty terrible. Doesn't even span a small 1BR in
> Seattle.

Which AP do you have? They sell many, which vary greatly in transmit power.
Some (like the RB951G-2HnD) support up to the legal maximum of 30 dBm, but
most (like the cAP lite) run at 20 dBm. The notorious RB951-2n (my first) ran
at only 15 dBm, which _is_ underpowered.

The 20 dBm models are designed to be used in a multiple-AP scenario, e.g. one
AP per room. They definitely _won't_ span multiple rooms, by design. (This is
for several reasons, both to properly segregate client devices onto separate
APs, and to ensure TX power parity between the AP and devices, which often
operate in the 17 dBm range.)

I've run exclusively MT for years and never had one lock up under load. What
model do you have and what sort of bandwidth are you talking about? I
regularly run 200+ Mbps transfers to/from my NAS (across a wAP ac) and never
have trouble. (I did once own a hAP ac that would – after an electrical event
that destroyed some other equipment of mine – reboot occasionally.)

~~~
colemickens
I'm not sure which one I have and I'm not at home sadly. When I was having
problems most was at my first apartment where I had symmetric gigabit.

------
darrmit
Unifi gear is great until you need something that the UI can’t do and figure
out you’ve got to load a custom JSON config file from the controller. Their
support is also atrociously bad.

The Unifi product is getting better, but I sometimes wish I had gone with
their EdgeRouter line instead of Unifi for routing and switching.

I would say it’s certainly good enough for home, but I’d hesitate to use it in
a lab environment where configs might get a little more unique.

~~~
ssijak
Doing stuff from terminal is easy. Finding anything on their forum is easy.
And they answer all the questions. I got all things UNIFI, same as the guy
that made the post, and I am not a network engineer. Setting up the networking
was easy and fun.

~~~
darrmit
With the Unifi line it doesn't matter how easy the terminal is since the
config gets overwritten by the controller on each re-provision. So not only do
you get to figure out what config works via terminal, you also get to insert
it into the config via JSON and find the right way to provision it.

It's certainly not rocket science, but I don't know too many junior sysadmins
who could do it without hours of research and pain. Whereas making a change on
an EdgeRouter is more legacy - find, apply, save. Done.

~~~
ssijak
If I can do it easily with 20mins of research and I am just a software
engineer without networking background then any sysadmin should be able to do
it too. Btw I have unifi ap, switch and router, also rocking backup 4g link on
wan2 and some NAS storage.

------
tgarma1234
The best thing about the home lab is that I can buy whatever I want and I
don't have to sit there arguing with a sysadmin at work about whether this is
going to be a problem on the network.

------
KaiserPro
I have:

o Zotac dual nic with pfsense
o netgear 24 port switch with vlans (no PoE, too expensive)
o i5 NUC
o quadcore atom ZFS storage box
o 2x unifi AC APs
o Many raspberry pis for environmental sensors/control and the like

There are a number of VLANs, some for public things like cheapy chinese CCTV
(don't want that seeing the internal network), media and the spouse(s)

Everything was controlled with puppet, now migrated to ansible. I was tempted
to replace most of it with an old HP z600, but that would blow the power
budget (all the compute, when on, consumes < 45 watts); a z600 with dual CPU
pulls about 100-130.

There is a hosted Atom box that provides website, VPN and backup coordination.

------
jlgaddis
Both Ubiquiti and Mikrotik gear are great for home use, especially for us
techies, and the Ubiquiti stuff especially can often be hacked on a bit. Just
remember to protect your management interfaces and keep everything up-to-date.

------
outworlder
> I always have some random side project I am working on, whether it is making
> the world’s most over engineered desktop OS all running in containers

Identified the author immediately by the opening sentence. The
"overengineered" CoreOS desktop was great, I wish it became an actual project.

------
sandGorgon
I'm actually very puzzled why more people don't use Mikrotik/RouterOS switches?
They seem super powerful at a fraction of the cost of "enterprise switches".
It almost feels that Cisco is aspirational..

~~~
lucaspiller
Over the summer I upgraded to gigabit symmetric fibre and wanted something a
bit more 'enterprise' at home that wouldn't have any issues keeping up
(compared to consumer wifi router running OpenWRT I'd used before). I bought a
Mikrotik RB750Gr3 "hEX" and Unifi UAP-AC-Lite - it was around €180, so the
same as buying a good consumer router.

I admit I haven't had any performance issues with the router (although I'm not
running any complicated routing rules), and out of the box it was setup to run
as a NAT router, so it was just plug and play. However once I started digging
into it I started reaching the limitations. As others have said the
documentation is pretty bad, and the only way to tell if something is
supported by your hardware is usually to try it and see what happens (or read
a 40 page thread in the forums). Here are a few things I had issues with:

- Using a USB LTE dongle as a backup WAN connection. At first the device
wasn't recognised, I then connected it through a powered USB hub and it
worked, but then after rebooting it wasn't recognised again, but if I
physically reconnected it then it worked - but for a 'backup' that kind of
sucked (this was later fixed in a software update).

- VLANs. I wanted some ports to be tagged on a certain vlan, no matter what
the device was sending (I want to have a 'media' VLAN), after a while I found
out the hardware doesn't support that though, so I gave up on that idea. I
setup the AP to have a guest network running on a separate vlan, and wanted
that to have no access to my network, after trying for a few hours (and
usually locking myself out and having to factory reset the router each time) I
gave up. This was only a stop-gap anyway, as I'd planned to get a managed PoE
switch.

- VPNs. I wanted to setup an outgoing OpenVPN client, and route some traffic
through it based on IP (Netflix). I also wanted to setup an incoming OpenVPN
server, so I could access my network from the outside. RouterOS has built in
support for OpenVPN, but the features are somewhat limited, for example as a
client it doesn't support certificate authentication (but as a server it
does).

The Unifi was a breeze in comparison, like the Apple of networking gear, but
in the same way the options are somewhat limited (and having to install an
application to configure networking gear feels weird). To be honest I liked
OpenWRT better than both of these... the documentation, ease of use, and being
a developer I feel right at home editing configuration files. I assume PFSense
would be a good choice too.

~~~
colanderman
> I setup the AP to have a guest network running on a separate vlan, and
> wanted that to have no access to my network, after trying for a few hours
> (and usually locking myself out and having to factory reset the router each
> time) I gave up.

It probably took me _weeks_ to get a working guest network setup on my MT.
That is one thing I wish they'd automate. I don't regret it, as I'm partly
into MT so I can learn more about networking, but it makes it hard to
recommend to others who want a basic home router.

(CAPsMAN helps a little, in that you can direct it to isolate all clients on a
given SSID from each other, even across APs, but that still leaves you with
configuring routing. It also has a packet fragmentation problem in that mode…)

I had my own VLAN fun when I tried to configure VLANs through the switch menu.
Turns out that doing so overrides port master/slave configuration with no
warning. I ended up bridging my WAN and LAN ports for a few days… (Now MT is
thankfully starting to move away from direct configuration of the switch chip
and instead using it to transparently accelerate bridges.)

------
torvald
I often ask people I interview what their home network looks like and what
their visions are. This often open doors to both inner motivation and thoughts
you don't find elsewhere in an ordinary tech interview.

~~~
cthalupa
Asking about home labs/home networking runs the risk of being a very
discriminatory question if you take the negative as a mark against the
question. I highly recommend not asking about it.

Particularly, it is discriminatory in that it penalizes people based on their
home situation, both from a time and financial perspective. People with
children, especially single parents, are often not in positions to actively
maintain a home lab or complex home network, due to time constraints.

Others just might not have the inclination, and it doesn't say anything at all
about their ability to perform the job.

Even if you're not going to take the lack of a home lab as a negative, it can
throw a candidate off - candidates are very conditioned to feel that a hard no
to an interview questions is going to be taken as a mark against them, and
this is going to affect their ability to answer other questions as
effectively.

A much better question is to ask how someone approaches learning new
technologies or keeping up with the changes in technology in general. For some
people that will be work related, for some it will be home labs, and is an
important skill regardless of how much time you have available. People with
home labs will almost universally talk about it, and you can get the same
discussion with them, without risking discriminating against people that have
to keep their skills sharp through other methods. It's also more likely to be
directly relevant to the skills related to the job, rather than random
projects that might be tech related but not relevant to the position being
interviewed for.

~~~
dvdgsng
This statement is so generic, you could replace "home labs/home networking"
with literally anything.

~~~
cthalupa
Not literally anything - but things outside of work. In which case, yes, it
still all applies.

You should focus on the things required for the job. Not what people do in
their free time.

~~~
ericd
The reality is that spending your free time on job-related stuff is likely
correlated with improved job-related skills, though. It's not a correlation of
1 obviously, but it's probably not 0 either, so it is relevant.

~~~
cthalupa
Except that studies show reduced capacity to work after a certain number of
hours. Does doing the equivalent activity to "work" at home count against
those hours? I don't know the answer there.

We do know that diversity increases the effectiveness and problem solving
ability of a team - at worst, getting a bunch of people that have home labs is
actively detrimental to this, and at best does nothing to improve it.

There's limited time available in interviews, and you're probably better
suited asking relevant questions.

(And from a personal perspective, asking about home lab details would benefit
me. I've got ten gig fiber throughout the house and close to a terabyte of RAM
consumed by my VMs... But none of that is realistically making me a better
employee)

~~~
ericd
Interesting, I'm not sure if it counts against one's ability to work, but it
seems like it might, since it's a similar activity. And you're right that
other activities can also yield helpful skills.

I agree that competency testing, especially project based, is better. The only
reason I'd ask about their off time is to get a sense of what they like and
better getting to know what kinds of projects they might gravitate to, given
the choice.

------
xupybd
I love playing with this sort of stuff, but my home network works really well
with one AP and really cheap gear. If I had a few more people using it maybe
then I could justify that sort of investment.

------
Niten
TIL that you can run an SSH agent using an OpenPGP smartcard on a non-rooted
Chromebook now.

EDIT: Tried following the linked instructions but nassh just hung while trying
to connect, with no prompt from Smart Card Connector :( Oh well, at least it's
possible in principle.

[https://chromium.googlesource.com/apps/libapps/+/master/nass...](https://chromium.googlesource.com/apps/libapps/+/master/nassh/doc/hardware-keys.md)

------
andrewguenther
For all the people asking "why?" It's the same reason people pour money into
home theater, cars, or any other hobby. People do this because they enjoy it.

~~~
krolley
I like to have the "perfect" setup. Of course, that definition is relative and
ever-changing. In reality, I end up spending an insane amount of time
adjusting, switching to different software, or trying to get the last 1% of a
feature working. It's not always enjoyable :-)

------
x0x0
Worth it for the link to Carolyn's my little pony k8s cluster, mastered by
Twilight Sparkle. Obvs.

[http://carolynvanslyck.com/blog/2017/10/my-little-cluster/](http://carolynvanslyck.com/blog/2017/10/my-little-cluster/)

~~~
mindslight
It's weird the things that people do when discovering personal computing. No
sense in transcoding one's DVDs (and even buying more machines to do it
faster?!) when they can be torrented quicker and with higher quality even! But
we've all got to start somewhere, I suppose.

The simple approach is to make a list of your physical media collection, stow
it away for backup purposes, and download the collection over time. Then
eventually you can even move towards torrenting the rest of your media and
drop that netflix subscription that's supporting the destruction of net
neutrality!

~~~
philsnow
"we've all got to start somewhere" is pretty condescending.

If the author is in the united states, torrenting the videos would violate
copyright (when you torrent (if you don't have uploading disabled somehow),
you redistribute without authorization). Transcoding DVDs you've already
bought is not distribution.

~~~
dzdt
In the United States, ripping the DVD's to a drive violates the DMCA. You are
illegal either way, just by transcoding you are violating a grossly unjust law
instead of a disproportionate but justifiable one. And no one will catch you
for ripping discs, except possibly if you brag about it on the internet.

~~~
philsnow
.... IANAL but yeah I think you're right. walp

------
nodesocket
I currently have an Apple AirPort Time Capsule (latest 2 TB version with AC
support), but I've been looking at Google Wifi. Honest question, why spend all
the extra cash for Unifi gear? Google Wifi is mesh, and should all just work.

~~~
chaboud
I had a few simple reasons:

1) PoE wired backhaul.

2) _Way_ more management and configuration control.

3) Separability of routing, switching, and wireless.

4) Simple L2TP VPN endpoint support.

I'm very happy with my choice, and I just installed AP's only at my folks'
place over Thanksgiving. Simple remote management may be Overkill, but I'm
willing to wager that the lifecycle in this gear will be much better than the
once-every-18-months dance that they've been doing with extenders, routers,
etc.

------
dreta
I wanted to find out more about the author, because the post looked
interesting. Should not have started with Twitter. Why do people feel the need
to wear their political agenda on their sleeve so much in this industry.

_"I love writing opinionated blog posts that make dudes go all ape shit and
territorial if I didn’t do it the same way as them. Think for yourselves :)
there can be more than one way ya doofuses it’s all about what your personal
tradeoffs are."_

Is this the kind of response you want to have to people sharing their opinions
on a public forum; having a productive discussion that you started.

------
2bluesc
I've been experimenting with pfSense running via KVM on my Linux workstation.
Was considering buying a Ubiquiti ER-4, but I don't think I can go back.

I'm considering buying a CompuLab fitlet 2 to give pfSense a permanent home
but may end up leaving it on my workstation. The increase in power consumption
over leaving my workstation on 24/7 is probably negligible. But the fitlet2
seems simpler.

------
amq
Had great experience with sub-$50 TP-Links + LEDE. I can hardly justify $149
and can't imagine buying one for $549.

------
purplezooey
The home lab is dead. With EC2 spot instances you can get machines for far
cheaper than it costs to power them at home, unless you live in a place with
super cheap power like less than $0.08/kWh.

------
rdl
I don't think I'd spend the money for UAC-AC-SHD ($600?) vs. UAC-AC-PRO
($100). Maybe UAC-AC-HD ($250) if I had a lot of 4-stream devices, but enh.

------
tlrobinson
I have an irrational fetish for rack-mount gear in my home lab. Are there any
good rack-mount NUCs, or similar?

~~~
blinkingled
Some older workstations (e.g. Dell T7500) are rack mountable. If you use
Windows 10 they can suspend and wake up on LAN to save you power and they
should cost you less than the NUC on eBay. It's what I use - Hyper-V on domain
joined W10 Pro which can be remote managed so no monitor necessary - it's
suspended most of the time - WOL and my VMs are ready to go!

------
EGreg
So how much does it cost to set up UniFi for the home and what are the
benefits?

~~~
madlynormal
I'm a huge fan of using UniFi products in the home. I run a UniFi Switch 8 and
UniFi UAP-AC-Pro, covering around 2300sqft. The setup cost around $250.

~~~
craftyguy
How quickly do they patch vulnerabilities, and what guarantees do they
provide to continue doing so for the life of the product? As "sexy" as these
products look, they look to me like yet another walled garden.

~~~
letsgetphysITal
Ubiquiti had patches for the KRACK vulnerability before public disclosure.

[https://help.ubnt.com/hc/en-us/articles/115013737328-Ubiquit...](https://help.ubnt.com/hc/en-us/articles/115013737328-Ubiquiti-Devices-KRACK-Vulnerability)

------
matt_wulfeck
If you’re interested in advanced home networking, a dual-NIC NUC running
pfSense is going to give you a ton more options while at the same time
teaching you real networking.

~~~
SteveNuts
Are there dual NIC Intel NUCs now? Last time I looked I couldn't find one.

~~~
tjoff
You can hook up an extra nic on the miniPCI-e slot. But that is a bit hacky.

You can also use one NIC and VLANs.

~~~
insertnickname
Are there any disadvantages to using a single NIC with VLANs rather than two
NICs for a router?

~~~
azdle
It's also easier for misconfigurations to lead to security issues since your
switch resetting to default means your network is now connected directly to
the internet. I had this happen after the power went out last time, luckily
I'm on a PPPoE connection so it wasn't _really_ connected to the net. Replaced
my NUC + managed switch setup after that.

