
I don't have pictures but I can describe it.

* Broadband 600/60Mb/s with seamless failover to 5G (varying speeds)

* Netgate 6100 router with VPN client, VPN server, site to site VPN configured, traffic shaping to reduce bufferbloat, uplink failover, etc.

* 4 Cisco SG 250-8 switches sprinkled throughout the flat. One acting as my core switch.

* QNap with 2 4TB drives in mirror for backups

* A HDD USB station with a stack of 4TB HDDs for backups. Backups are delivered to qnap at various times and then from time to time I make a complete copy to a drive which is put in a rotation. I keep three full copies of the data at any time and at least one of them is off-site with my family. When I visit my family I take the latest backup and replace the drive that is in their custody.

* a small, passively cooled server with 2TB fast SSD, 128GB ECC RAM, Ryzen 5 CPU, Asrock PRO X570D4U-2L2T. Hosts proxmox where I keep about a dozen VMs for various things, Ubiquiti management panel, NVR, dns filter, development tools, minecraft servers, jump box, etc....

* a 10 year old Thinkpad T440s running always on serving as my emergency server and a development environment.

* 4 Ubiquiti WiFi 6 access points -- before you jump in saying this is overkill, I live in a large flat in a dense urban area with about half a thousand 2.4GHz APs and 50 5GHz ones interfering with my WiFi setup. Most people and even network providers are clueless and set up their devices to max power as if it was going to help them -- it only makes things worse. I have 4 APs with reduced power so that anywhere you are in my flat you are always close to one of the APs and you roam between them seamlessly as you move.

* Multiple VLANS and WiFi networks

* a VLAN + WLAN for my family for their regular devices to access the Internet and some defined services within network but otherwise disallowed to contact anything else

* a VLAN + WLAN for IoT, legacy devices, devices I don't trust or devices that only support old protocols and would deteriorate WLAN performance (printers, a Chinese projector, etc.). This VLAN does not have Internet access (so that devices can't phone home), does not have access to any other device in the network, does not have access to other networks and can only be reached with defined firewall rules.

* a VLAN + WLAN for my work -- this is dedicated for my work laptop, my phone, my electronics lab (oscilloscope, multimeter, programmable PSU/load, etc.)

* a VLAN + WLAN for guests

* a management VLAN -- any network devices, servers, QNAP etc. are only available through this separated VLAN which has very strict access through a jump box. Also does not have direct internet access so the devices can't phone somewhere else (but I have a proxy for software updates, etc.)

* a service VLAN -- where my services are available internally (for example QNAP interface, apps running in VMs, etc.) Some of them have rules to be accessed from other networks

* a DMZ VLAN -- I expose some services to the world, DMZ serves to provide one more hurdle for any attacker
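The segmentation listed above is a default-deny policy with a short explicit allow list. The following is an added example (not the commenter's configuration or any vendor's rule syntax) that models that policy as data and evaluates constructed flows against it, so the intent of each VLAN can be checked mechanically. The subnets, the jump box and update proxy addresses, and the service ports are assumptions; the thread names the VLANs but gives no addresses or ports.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network
from typing import Optional

INTERNET = "internet"

# Constructed VLAN -> subnet mapping (assumed; the thread gives no addresses).
ZONES = {
    "family": ip_network("10.0.10.0/24"),
    "iot": ip_network("10.0.20.0/24"),
    "work": ip_network("10.0.30.0/24"),
    "guest": ip_network("10.0.40.0/24"),
    "management": ip_network("10.0.50.0/24"),
    "service": ip_network("10.0.60.0/24"),
    "dmz": ip_network("10.0.70.0/24"),
}

# Assumed hosts used to pin a rule to a single machine.
JUMP_BOX = ip_address("10.0.60.10")      # jump box placed in the service VLAN
UPDATE_PROXY = ip_address("10.0.60.11")  # proxy the management VLAN may use for updates


def zone_of(ip: IPv4Address) -> str:
    """Map an address to its VLAN; anything outside every VLAN counts as Internet."""
    for name, net in ZONES.items():
        if ip in net:
            return name
    return INTERNET


@dataclass(frozen=True)
class Rule:
    src: str                               # source zone
    dst: str                               # destination zone or INTERNET
    dport: Optional[int]                   # None matches any destination port
    src_host: Optional[IPv4Address] = None  # restrict to one source address
    dst_host: Optional[IPv4Address] = None  # restrict to one destination address

    def matches(self, src_ip: IPv4Address, dst_ip: IPv4Address, dport: int) -> bool:
        return (
            self.src == zone_of(src_ip)
            and self.dst == zone_of(dst_ip)
            and (self.dport is None or self.dport == dport)
            and (self.src_host is None or self.src_host == src_ip)
            and (self.dst_host is None or self.dst_host == dst_ip)
        )


# Explicit allow list. Anything not matched is dropped (default deny), which is
# what keeps the IoT VLAN from phoning home and the management VLAN off the Internet.
ALLOW = [
    Rule("family", INTERNET, None),
    Rule("family", "service", 443),                              # defined services only
    Rule("work", INTERNET, None),
    Rule("guest", INTERNET, None),
    Rule("dmz", INTERNET, None),
    Rule("service", "iot", 554),                                 # e.g. NVR pulling camera streams (assumed port)
    Rule("service", "management", 22, src_host=JUMP_BOX),        # management only via the jump box
    Rule("management", "service", 3128, dst_host=UPDATE_PROXY),  # updates only through the proxy
]


def is_allowed(src: str, dst: str, dport: int) -> bool:
    """First-match allow over the rule list; no match means deny."""
    s, d = ip_address(src), ip_address(dst)
    return any(r.matches(s, d, dport) for r in ALLOW)


def audit(flows):
    """Evaluate (src, dst, dport, expected) tuples; return the ones whose verdict differs."""
    return [(s, d, p) for s, d, p, expected in flows if is_allowed(s, d, p) != expected]


# Constructed flows expressing the intent stated for each VLAN.
EXPECTED_FLOWS = [
    ("10.0.20.5", "8.8.8.8", 443, False),        # IoT must not phone home
    ("10.0.20.5", "10.0.10.7", 80, False),       # IoT must not reach family devices
    ("10.0.60.10", "10.0.50.2", 22, True),       # jump box reaches a switch
    ("10.0.60.20", "10.0.50.2", 22, False),      # other service hosts do not
    ("10.0.10.7", "10.0.60.30", 443, True),      # family reaches a defined service
    ("10.0.10.7", "10.0.60.30", 22, False),      # but not SSH on it
    ("10.0.50.2", "8.8.8.8", 443, False),        # management has no direct Internet
    ("10.0.50.2", "10.0.60.11", 3128, True),     # management reaches the update proxy
    ("10.0.40.3", "10.0.10.7", 445, False),      # guests stay off the LAN
    ("10.0.60.5", "10.0.20.5", 554, True),       # NVR pulls from a camera
]

if __name__ == "__main__":
    print("policy violations:", audit(EXPECTED_FLOWS))
```

The model is stateless on purpose: a real firewall also admits return traffic for established connections, which is why the listed rules only need to name the initiating direction. Keeping the allow list short enough to read in one screen is the practical test of whether a VLAN layout like this is still enforcing the intent the author describes.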



As a homelabber myself (enterprise networking + servers) there are quite a few things to consider before jumping ahead with such a setup. It can be rewarding but you'll need to commit to it and be prepared to troubleshoot - you're basically a small business IT shop at this point. Having some network/IT background is obviously helpful.

Keep in mind that the power consumption of all the equipment is quite substantial and must be taken into account before starting. Also as your setup becomes more complex backups, redundancy, and security must all be considered - it's easy to run your network dead in the water if you aren't prepared for it, and unlike a single home router you can't just simply reboot and reset if everything relies on the network. For instance assume that all your machines rely on your NFS server to access files - if that server goes down, how quickly can you replace it? If the RADIUS server goes down and your devices can't authenticate across your switches and APs, do you have a fallback method of access?

Finally unless your family knows how to maintain the system as well, you'll be the sole IT contact and will have to do quite a bit of support especially at the start. You'll need a plan of how to remotely manage everything if you're say on vacation since things like to crop up then.


> As a homelabber myself (enterprise networking + servers) there are quite a few things to consider before jumping ahead with such a setup

Well. I have over a quarter of a century of experience in IT, as a sysadmin, developer, electronics engineer and tech lead. It helps. I would never suggest that anybody do this just to have nice WiFi at home...

> Finally unless your family knows how to maintain the system as well, you'll be the sole IT contact and will have to do quite a bit of support especially at the start. You'll need a plan of how to remotely manage everything if you're say on vacation since things like to crop up then.

Yep. I have VPN I can use to manage the network. All devices can be rebooted remotely.

I also have some backups -- the 5G router can be disconnected from the setup and used standalone and I have instructed my wife how to do this. Most of the files are synchronised to a cloud service where she can connect in need.

The passwords to everything are stored in tamper-evident envelopes (and a paper book with a log in my own handwriting).

As to power consumption, this probably is the weakest point of all of this. Yes, a lot of devices equals a lot of power, but my devices are extra power hungry. Although I tried to avoid unnecessary electricity waste (if only to keep it fanless) I never compromised quality for it. For example, I went out of my way to not buy an actual server even though there are plenty of used servers that I would be perfectly happy with. Instead I built my own based on a one-of-a-kind motherboard that supports a consumer CPU and ECC RAM and uses relatively little power.


Hah from reading your original post I already knew you were good. My comment was really meant for those interested in these setups (I get asked about this quite often) without realizing the time and effort needed to maintain it. This can be a real rabbit hole as I started with an Edgerouter and Unifi AP and eventually worked my way up.

I really like your idea of having a separate router that can be used standalone if the main system fails, and might actually consider adopting that for my family as it would be very useful if I'm not available. Currently I'm looking into a virtual HA Opnsense setup on two servers to maintain routing if one fails and cannot restart for whatever reason.


We take this router with us on trips. It is nice to have your own fast, mobile Internet with you (no transfer or bandwidth limits). And when it does not serve as backup Internet it has site-to-site VPN to our home network.


I recommend a separate VLAN to anyone for their work-at-home environment. The company might spy, but far more importantly, the risk of viral infections and hacks is so dramatically higher in a company than for you alone at home with your family.


Yep, that's what I have.

One large bank I worked for was very surprised and practically enraged when they figured out I work on a VM and they don't actually control the device I am sitting on. It all started because they decided I am obliged to "provide for basic security" and install an antivirus. I told them there is absolutely no need for me to install an antivirus on this machine. This machine has only ever been used to connect to their network and I have neither installed anything nor even visited any website from it. Moreover, it is snapshotted and restored from a snapshot every single day. It is fun to sometimes battle those mindless corporate drones.


I like this setup. Mine is much simpler, but I dig your vibe with the VLANs. I don't have any Internet failover or VPN, and have settled on:

- Regular VLAN: Access to LAN and Internet (I insist on having root on the device for it to go here)

- Guest VLAN: Access to Internet only

- Quarantine/IoT VLAN: Access to LAN only

I don't feel I need any more granularity than that. Of course the primary LAN backbone is 1Gig ethernet, but I have APs every 50 feet or so for phones.


I thought about 10Gig but then I decided almost no device I own can actually make use of it and even if it could, there are better ways to do it. I don't need to have 10Gig just to be able to edit videos/photos if I can easily solve the problem and copy them locally for the duration. Also almost everything uses WiFi and there are only two computers (my macbook pro and gaming PC) that are connected to ethernet.

As to APs, having multiple APs (well configured) and a good router (well configured) has much bigger impact on the quality of user experience than the actual throughput of the broadband itself.


Thanks for sharing this!

I'm a networking amateur, and one thing I've struggled to figure out is VLANs for wireless devices. It seems like VLANs are managed at switch level, so does that mean that all devices on a particular AP have to share the same VLAN? Or is there a way to segregate devices across multiple VLANs within a single AP?


Enterprise APs support VLAN tagging themselves, so you assign multiple VLANs to the AP uplink in the switch and then tell the AP which SSID belongs to which VLAN.


Yes. I set up VLANs on my Cisco switches. The APs are told what VLANs and WLANs are configured through the Ubiquiti management panel. The APs are all connected to their assigned ports on the switches and the ports are configured to see all necessary VLANs tagged and one (management) VLAN untagged. The untagged VLAN is how the management application talks to APs.

Each of the 4 APs serves all 4 WLANs and each WLAN + VLAN is a completely separated network.

The traffic from various WLANS goes directly to their assigned VLANS and never mixes together -- the only way is either through the router or some other service like my proxy.
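The two answers above describe the mechanism: the AP inserts an 802.1Q tag chosen by the client's SSID, and the switch port behind it carries those VLANs tagged plus one native (untagged) VLAN for management. The following is an added example, not code from the thread or from any AP or switch vendor, that builds and parses 802.1Q-tagged Ethernet frames to show exactly what the switch sees on the AP uplink and how untagged, priority-tagged (VID 0) and disallowed tags are handled. The SSID-to-VLAN numbers and the native VLAN ID are assumptions.

```python
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

TPID_8021Q = 0x8100
NATIVE_VLAN = 50  # assumed: the untagged (management) VLAN on the AP's switch port

# Assumed SSID -> VLAN mapping (constructed; the thread names the networks, not the IDs).
SSID_VLAN = {"family": 10, "iot": 20, "work": 30, "guest": 40}
VLAN_SSID = {vid: ssid for ssid, vid in SSID_VLAN.items()}


@dataclass
class Frame:
    dst: bytes
    src: bytes
    vlan_id: Optional[int]   # None = frame arrived without an 802.1Q tag
    pcp: int                 # 802.1p priority bits from the tag (0 if untagged)
    ethertype: int
    payload: bytes


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                vlan_id: Optional[int] = None, pcp: int = 0) -> bytes:
    """Build an Ethernet II frame, inserting an 802.1Q tag when vlan_id is given."""
    if len(dst) != 6 or len(src) != 6:
        raise ValueError("MAC addresses must be 6 bytes")
    hdr = dst + src
    if vlan_id is not None:
        if not 0 <= vlan_id <= 4094:          # 4095 is reserved
            raise ValueError("VLAN ID out of range")
        tci = (pcp << 13) | vlan_id           # DEI bit left clear
        hdr += struct.pack("!HH", TPID_8021Q, tci)
    return hdr + struct.pack("!H", ethertype) + payload


def parse_frame(raw: bytes) -> Frame:
    """Parse an Ethernet II frame, pulling out the 802.1Q tag if one is present."""
    if len(raw) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src = raw[:6], raw[6:12]
    (ethertype,) = struct.unpack("!H", raw[12:14])
    vlan_id, pcp, off = None, 0, 14
    if ethertype == TPID_8021Q:
        if len(raw) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", raw[14:18])
        vlan_id, pcp, off = tci & 0x0FFF, tci >> 13, 18
    return Frame(dst, src, vlan_id, pcp, ethertype, raw[off:])


def tag_for_ssid(ssid: str, raw: bytes) -> bytes:
    """AP side: a client frame from an SSID leaves the uplink tagged with that SSID's VLAN."""
    f = parse_frame(raw)
    if f.vlan_id is not None:
        raise ValueError("client frames must not carry their own tag")
    return build_frame(f.dst, f.src, f.ethertype, f.payload, vlan_id=SSID_VLAN[ssid])


def classify_uplink(raw: bytes) -> Tuple[int, str]:
    """Switch side: decide which VLAN a frame from the AP port belongs to.

    Untagged and priority-tagged (VID 0) frames land in the native VLAN; a tag is
    honoured only if that VLAN is configured on the port, otherwise the frame is dropped.
    """
    f = parse_frame(raw)
    if f.vlan_id is None or f.vlan_id == 0:
        return NATIVE_VLAN, "management"
    if f.vlan_id not in VLAN_SSID:
        raise PermissionError(f"VLAN {f.vlan_id} not allowed on AP uplink; frame dropped")
    return f.vlan_id, VLAN_SSID[f.vlan_id]


if __name__ == "__main__":
    # Constructed sample: a broadcast ARP from a client on the IoT SSID.
    client_frame = build_frame(b"\xff" * 6, b"\x02\x00\x00\x00\x00\x01", 0x0806, b"arp")
    print(classify_uplink(tag_for_ssid("iot", client_frame)))   # VLAN 20, iot
    print(classify_uplink(client_frame))                         # native VLAN, management
```

The drop on an unknown VID is the part worth noticing: a trunk port should carry only the VLANs the AP is meant to serve, so a stray or spoofed tag for the management or service VLAN never gets switched, and the management VLAN remains reachable only as the port's untagged traffic from the AP itself.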


Gotcha, thanks for the extra details!


Is Aruba Instant On considered an enterprise AP? It is the cheapest and easiest way to do home networking with VLAN that I have found.


If you read my post, that is what I've done: separated VLANs (3) with a single AP and a cable from the router.


>I don't have pictures but I can describe it.

That's very interesting, but how much power does the whole thing consume?

In my case all this setup is 45-50W, I think that is a good goal.


I don't know how much all of this consumes. The networking itself is pretty power hungry, just the APs probably consume more.

On the other hand there are no fans in my setup except, incredibly, the laptop. But this fan is kicking in extremely rarely and only when I am actually using it, so no problem.

The backup NAS makes a bit of noise but this is happening during night when nobody cares.


What cooling is on the passive ryzen 5?


It is a Ryzen 5 Pro 5750G. It is a unique CPU that supports ECC, has 8 cores at 3.8GHz up to 4.6GHz (boost) but only 65W TDP. There are lots of options available but in the end I decided to make my own.



