Hello all,
I am looking to purchase a hAP ac3 for my home office. My needs are that big, I have in total 10 LAN connections (via a cheap TP-Link switch) and 6 WiFi clients. My networking knowledge is minimal, I simply understand what is going on.
Currently, my home network is this:
CPE/WiFi AP → Switch → AP → WiFi clients
                  |→ LAN clients
The CPE and the 2nd AP cover the whole apartment not very well, but it's sufficient. The main reason I want the hAP ac3 is to gain better access to the underlying services (firewall/DHCP) so that I can manage them via the API.
With the introduction of the hAP, I plan to use the CPE in bridge mode, disable WiFi on it and move the firewalling/DHCP/WiFi functionality to the hAP.
However, one other important need is to segregate the guest network traffic from my home traffic.
I want to have 2 guest networks, on 5G and 2.4G. Is the hAP capable of doing this? The way I understand it, guest networks are implemented either via a separate chain (whatever that means) or via a new bridged network in RouterOS. Correct? If so, which one is supported by the hAP ac3?
How did you find out about the hAPac3? Was it recommended by a friend that can help you?
Most likely the hAPac3 can do what you want, but there isn't a simple setup wizard to walk you through it. Just be aware that once you leave what the quickset "consumer router like setup" will configure with very little knowledge, starting to change anything will be much harder, at least if you don't have a technical background and don't want to learn by reading a lot of documentation. That's not saying that you can't do it, just that it is not going to be something you will be able to do in one hour. Expect to spend a lot more time than that, especially if what you said about your networking knowledge was true, and not you just being modest.
Maybe you should look here NEW USER PATHWAY TO CONFIG SUCCESS and read some of the documentation that is meant for new users. Because if that is hard to follow, then at least you will know what you are getting into.
There is also the RouterOS Documentation that you should look at, since many people on the forum will expect you to be able to follow examples from that documentation.
MikroTik RouterOS can do a lot for what it costs, but it isn't what I would consider to be meant for "consumer" consumption. It pre-supposes you know at least networking fundamentals; the kinds of things covered by this youtube series:
Quick question is the TPLINK an unmanaged switch??
Draw a network diagram showing what you want connected to all ports…
eth1 - WAN
eth2 - Wired office connection?
eth3 - Access point, but what model (is it VLAN capable / a smart device)?
eth4 - TP-Link switch (unmanaged or smart)?
eth5 - ??
I am a Linux engineer/ architect, so technically, I know a couple of things. But I am not a network engineer.
Now that the post is up, I will add a diagram explaining what I want and what are my plans for the future.
The plan is to introduce 10G network at the near future (possibly using a Mikrotik switch)
The Zyxel CPE is already the weak link. Browsing is slower in my VDSL than an average 4G connection.
On top of that, I have no control over the machine. As I said, I need to retrieve information from DHCP, I want a much better firewall, updates, management through Ansible, API, you name it. For the time being I don't see the need to use VLANs (unless someone explains to me why it would be a good idea).
I know that RouterOS has a steep learning curve, not an issue, I will figure it out along with some help from the forums etc.
So, back to my original question: How does the specific router implement the guest networks?
Your stated needs are reasonably basic. That's one reason I asked why you were considering the hAP ac3.
If you want to use the router as an "appliance" like most home users, I probably wouldn't recommend a MikroTik, just like I wouldn't recommend a fully manual SLR as a camera to someone that just wants a simple point and shoot camera that would be better served by their mobile phone that they carry with them all the time.
MikroTik is based on the Linux kernel, but doesn't give you direct access to the Linux shell. It's more like embedded Linux with indirect access to networking features.
Which linux distro do you use? Arch, Ubuntu, Debian, Mint? That may provide more info about whether RouterOS is a good fit.
I hadn't seen your latest post when I responded.
Is your guest network limited to wireless? And will a single access point on the router be sufficient? Often an all-in-one router with wifi built in doesn't get placed where the access point should be. The reason I ask is that you should probably at least consider that you may want to use vlans in the future, so any switches you purchase should at least have the capability to use them. That means a vlan-aware switch (at a minimum the "smart" switches). Vlans allow you to have multiple independent lans sharing the same hardware/wires.
As long as you don't mind learning, I think you will be able to pick up RouterOS; there are other network OSes that may be easier to learn and feel more natural since you have a Linux background.
For what's involved with setting up a guest network, there are many places that have already covered this, so I suggest a google search for mikrotik guest network for some pointers.
I suggest you consider the MikroTik RB5009 as your router. I do not recommend Tik wireless because they generally underperform … for your wireless and based on your network diagram the TP-Link EAP660HD will provide excellent wireless performance to all your wireless devices. RoS supports vlans and all the gear I suggest is vlan capable. Vlans will give you very effective separation … so you can have as many as you may need to have, guest, office, playroom, etc. The RoS firewall when configured can provide you with excellent protection from incoming traffic regardless of wired and/or wireless.
I do not know if your switch is vlan capable … the AP connected to the RB5009 will provide you with the ability to generate vlans for your wireless clients …. If you needed to have separation for your wired clients as well then you must get a smart switch.
For the 10G, it appears this will be dedicated and isolated for "storage". So as drawn it really should have very little interaction with the rest of the network, other than keeping storage traffic off the other network interface on the PC, but that traffic would already be mostly isolated by the closest switch, as long as the storage and the PC are on the same subnet (so the traffic does not need to be routed).
Are you using iSCSI with your storage ? If so using jumbo frames on that isolated segment would probably help.
Wow! Impressive responses. Many many thanks for your feedback!
All the answers:
RHEL/Fedora/openSUSE is the distros I use
The 10G network will replace the existing 1G network, so, it will not be for storage but general purpose.
I cannot use one WiFi AP, due to coverage. So, I have to use at least 2 APs. One right next to the CPE in my office and the other one on the opposite side of the apartment. Both of the existing APs support VLANs and guest networks. However, I have to change the Zyxel because its performance (wired & wifi) is awful.
For the time being I don't see the need to create VLANs for the LAN network. Even the standard WiFi can be on the same VLAN.
The RB5009 is an amazing device, but it costs as much as the hAP and the CRS305-1G-4S+IN together!
And 2 questions from my side as well. The way I understand it, in order to improve the WiFi performance I need a MIMO/dual chain device. Is that correct?
hAP ac3 does not have dual chain, correct?
In principle, you could set up a Linux box in place of the hAP ac³: a 1U server with a 4-port network card and a USB wireless dongle would run circles around it. The thing is, it'd pull something on the order of 100W of continuous power to do that, meaning the hAP will literally pay for itself inside a year in power costs alone.
A second factor is management: if you have the skills to issue firewalld commands and set up dnsmasq and everything else available on a RHEL box to replace the hAP features point-by-point, you get a much more powerful general-purpose device that can do anything. The hAP is a much more limited device in terms of CPU power, available RAM, software features, and so on.
Yet, if the hAP does everything you want while pulling less power and taking less space, there is no rational choice between Linux and RouterOS. Only if you need something outside the wide scope of RouterOS does it make sense to speak on the topic. One that came up recently was a mail server: RouterOS doesn't do that, so if mail service absolutely positively has to happen on the same box, RouterOS isn't for you.
I say all this because if you choose the relative simplicity of RouterOS over the general purpose do-anything Linux option, your Linux skills largely go out the window. It's not that there aren't points of commonality, but that they're far enough apart that it's effectively a whole new world. Both OSes use the same kernel, but you're not going to get a naked Bash shell on the RouterOS box. This has many consequences. Just off the top of my head:
There's a CLI on the RouterOS box, but no "vi" and no piles of /etc files to edit.
Though both OSes' firewalls are based on netfilter and thus have certain necessary points of commonality, RouterOS firewall commands don't match Red Hat style firewalld commands.
RouterOS provides a DHCP server, and a DNS server, and a bunch more, but they aren't dnsmasq and BIND, so you're likely to run into expectation mismatches from time to time.
There's an SSH server on RouterOS, but it isn't OpenSSHD, and there isn't a POSIX shell behind it, so a bunch of the trickier things you can do with SSH can't be done directly on RouterOS, like tar piped thru the SSH tunnel to back up a config subdirectory.
The 10G network will replace the existing 1G network, so, it will not be for storage but general purpose.
I'd recommend against messing with jumbo packets and such, then. Get the thing running and stable before playing nonstandard optimization games. Chances are, your devices have more latency in their software, OS, and I/O than can yield any consistent benefit under anything less than an artificial benchmark anyway. It doesn't matter if you can peg the SFP+ limits with iperf3 if what you're actually doing is running a piggy modern web browser to download files off the Internet.
I cannot use one WiFi AP, due to coverage.
Then I'd put in a third-party mesh system and stop trying to play mix-and-match games with dual (dueling!) APs.
Yes, a good mesh system costs more than a cheap hAP router. There's a reason for that.
I have to change the Zyxel because its performance (wired & wifi) is awful.
Putting it into bridge mode as you plan should fix that. It should then be able to shuttle data at wire speed, being a mere media converter between vDSL and Ethernet. If it's still underperforming in bridge mode, either:
it's broken, possibly by design;
it's mismatched to the line's capabilities, though that's unlikely if it's ISP-provided CPE;
the vDSL line or the ISP beyond it is the true bottleneck, and no amount of futzing about with CPE will fix that
I don't see the need to create VLANs for the LAN network
Nor do I. For home use, I find that an isolated guest WiFi network gives me all the security I want with respect to IoT threats and such.
But to get it, you either need a cooperating wireless mesh or a VLAN backbone, else you're trying to push insecure traffic over the secure network, with all the risks that attach thereto.
Even the standard WiFi can be on the same VLAN.
You trust the TV's spyware on your LAN?
Me, I want it to go out to the Internet and nothing else. If I were more paranoid, I'd even control specifically which services each individual IoT device could use on the Internet.
Always remember: the "S" in IoT stands for "security."
The RB5009 is an amazing device, but it costs as much as the hAP and the CRS305-1G-4S+IN together!
I'm not sure where that recommendation is coming from, when you speak of vDSL. It's been an awful long time since I've done anything with DSL, but I'm seeing "up to 52 Mbit/sec". A hAP ac³ can manage that, even with full routing, queues, firewalling, and small packets in play.
Now, if you were planning on replacing that Internet link with something more robust, then yes, we can definitely talk you into a gruntier router with perfect justification.
in order to improve the WiFi performance I need a MIMO/dual chain device. Is that correct?
Radio is an incredibly complex topic. There's an awful lot more that goes into a "good" WiFi system than just that one bullet point. This is one of many reasons I'm recommending that you get your WiFi from a specialist provider, not try to bundle it. MikroTik's fallen behind, and it's my opinion that this isn't out of some personal failing on the part of the EEs over in Latvia but because the state of the art has progressed far past the COTS stage.
Once upon a time, everyone bought WiFi chips and radios and antennas off the shelf and integrated them, leading to weak-tea appliances like your Zyxel. In the past 5 or so years, though, there have been a few vendors that have gone after this area hard in an attempt to work around the many problems of running gigabits over a shared medium. If you know what you're talking about, it becomes clear that we shouldn't be speculating about what's gone wrong at MikroTik but what kind of Satanic rite the top-tier providers went through to get their stuff to work as well as it does.
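As an added illustration (this is not configuration posted by anyone in this thread), here is the "new bridged network" variant of the guest setup asked about earlier, built the way the isolation described above wants it: guest clients get their own virtual APs, bridge, subnet and DHCP server on the router, and the firewall lets them reach only the Internet. It assumes a hAP ac3 still carrying MikroTik's default "defconf" firewall rules and its LAN/WAN interface lists, the legacy wireless package (not wifiwave2/wifi), wlan1 as the 2.4 GHz radio and wlan2 as the 5 GHz radio; the subnet 10.10.10.0/24, the GUEST list, the rfc1918 and iot-restricted address lists and the passphrase are names and values chosen here, and the TV address is constructed. It also goes one step beyond the posts by restricting a single IoT device to HTTPS and DNS.

```routeros
# Added example: isolated guest WLAN on a hAP ac3 (legacy "wireless" package, default "defconf" firewall).
# Every name, subnet and address below is an assumption chosen for this illustration.

# 1. A separate security profile and one virtual AP per radio for the guest SSID.
#    default-forwarding=no stops guest clients on the same radio from talking to each other.
/interface wireless security-profiles
add name=guest mode=dynamic-keys authentication-types=wpa2-psk \
    wpa2-pre-shared-key=CHANGE-ME-GUEST-PASSPHRASE
/interface wireless
add name=wlan-guest-2g master-interface=wlan1 ssid=Guest \
    security-profile=guest default-forwarding=no disabled=no
add name=wlan-guest-5g master-interface=wlan2 ssid=Guest \
    security-profile=guest default-forwarding=no disabled=no

# 2. Guest traffic lands in its own bridge, subnet and DHCP server, so it never shares a
#    broadcast domain with the bridge that holds the LAN ports. Both ports get the same
#    bridge horizon, so the 2.4G and 5G guest clients cannot reach each other through the bridge.
/interface bridge
add name=bridge-guest
/interface bridge port
add bridge=bridge-guest interface=wlan-guest-2g horizon=1
add bridge=bridge-guest interface=wlan-guest-5g horizon=1
/ip address
add address=10.10.10.1/24 interface=bridge-guest
/ip pool
add name=pool-guest ranges=10.10.10.100-10.10.10.200
/ip dhcp-server
add name=dhcp-guest interface=bridge-guest address-pool=pool-guest disabled=no
/ip dhcp-server network
add address=10.10.10.0/24 gateway=10.10.10.1 dns-server=10.10.10.1

# 3. An interface list for the guest side. defconf's masquerade rule (out-interface-list=WAN)
#    already NATs it; the LAN list is deliberately left untouched so guests inherit none of its rights.
/interface list
add name=GUEST
/interface list member
add list=GUEST interface=bridge-guest

# 4. Input chain: guests may only use the router's DHCP and DNS. The accepts are placed in front
#    of defconf's final "drop all not coming from LAN" rule, which would otherwise drop them.
/ip firewall filter
add chain=input action=accept in-interface-list=GUEST protocol=udp dst-port=67,53 \
    comment="guest: DHCP and DNS to the router" \
    place-before=[find comment="defconf: drop all not coming from LAN"]
add chain=input action=accept in-interface-list=GUEST protocol=tcp dst-port=53 \
    comment="guest: DNS over TCP to the router" \
    place-before=[find comment="defconf: drop all not coming from LAN"]

# 5. Forward chain: block guests from every private range (the LAN, and any future 10G or VLAN
#    segment), then allow the Internet. defconf has no catch-all accept in forward, and its
#    established/related accept sits earlier, so appending these rules is sufficient.
/ip firewall address-list
add list=rfc1918 address=10.0.0.0/8
add list=rfc1918 address=172.16.0.0/12
add list=rfc1918 address=192.168.0.0/16
/ip firewall filter
add chain=forward action=drop in-interface-list=GUEST dst-address-list=rfc1918 \
    comment="guest: no access to any internal network"
add chain=forward action=accept in-interface-list=GUEST out-interface-list=WAN \
    comment="guest: Internet only"
add chain=forward action=drop in-interface-list=GUEST \
    comment="guest: drop anything else"

# 6. One step further than the posts: a single IoT device (the TV) on the guest network is limited
#    to HTTPS; its DNS already goes to the router via the input chain. 10.10.10.50 is a constructed
#    address; give the TV a static DHCP lease so it keeps it.
/ip firewall address-list
add list=iot-restricted address=10.10.10.50 comment="TV (constructed address)"
/ip firewall filter
add chain=forward action=accept src-address-list=iot-restricted protocol=tcp dst-port=443 \
    comment="iot: HTTPS only" place-before=[find comment="guest: Internet only"]
add chain=forward action=drop src-address-list=iot-restricted \
    comment="iot: everything else" place-before=[find comment="guest: Internet only"]
```

Two checks worth running afterwards: from a guest client, `ping` the LAN gateway and a LAN host (both should fail) and browse the Internet (should work); on the router, `/ip firewall filter print stats` shows the "guest: no access to any internal network" counter climbing when a guest tries. Note that this only isolates guests on the hAP's own radios; to carry the same guest SSID to the second AP on the other side of the apartment, the guest bridge would have to become a VLAN trunked through a VLAN-capable switch, which is the backbone requirement described above.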
Since you are on a budget and a learning curve.
a. keep the hapac3 it will do well enough for local WIFI service in the same area
b. do follow Mozerd's advice for the other AP
c. much easier, to keep everything apples and apples so put main lan on vlan as well (assuming this is your trusted subnet - all smart devices will get an IP on this VLAN).
d. you make no mention if the switches shown (since no model) are managed or not, assuming managed but I don't like to assume.
KISS, too many cooks will spoil the broth. Nothing wrong with the hapac3 for now, in terms of wired performance, up to 1gig fiber.
It also should provide good enough wifi for your needs.
Note: If later you like the "new AP" so much you can always turn the hapac3 wifi off and add another AP next to the router.
The 5009 is too hard to find and extra to your requirements in terms of routing. It's very very nice to play with if you can afford it … but overkill.
hAP as a stop-gap solution. This solution seems to solve 2 of my problems: an API that I can use to query the DHCP (so I can rapidly build VMs without worrying about IPs and names), to create firewall rules on the fly and other things that currently I cannot think of since my equipment is relatively dumb. I hear a lot of praise from other colleagues about Mikrotik and how wonderful they are, so I am leaning towards this solution. And your responses and discussions make me think that this is probably the best solution since I can rely on more experienced users for support!
Small PC to run pfsense or similar as router/firewall. Obvious negative is the power consumption. A lot of positives here: much more RAM can provide me with options like creating permanent VPN connections to my customers/associates, better stats, access to the "internals". However, there is no official API and this probably makes the decision more difficult. For some reason, I think I need it, although it could be just my idea.
WiFi mesh to solve WiFi issues and solve the lagging Internet at a later stage. This option has the additional issue of the device's shape! I need to have them wall mounted due to limited space and so far I see devices that look like a vase. I don't want to have them visible or take valuable space in the living room or even worse in my office. On top of that, a mesh system means that I need at least 2 more switches to connect the wired devices to them. So, for now it looks like the dual APs with different channels is the best I can do for the WiFi, until I find a mesh solution that has a (at least!) 3 port switch in one of them. So, in the immediate future, my idea is to utilize a second smaller hAP again on a different channel to replace the Tenda (although the Tenda is quite OK for the WiFi needs in the living room (aka kids+wife)).
The internal security is compromised as you pointed out since the TV access the internal LAN for media consumption, so, I need to find a solution. This is wired network, so in theory simpler to solve.
To see throughput improvement, both AP and client have to support multiple chains. My experience so far is that most phones and tablets, even though they support ac/ax, only have a single chain (so the support for ac/ax only means higher VHT/MCS classes).
If you purchase more switches, make sure they are vlan capable, whether you think you will need them or not. Once you discover how useful vlans are, it is hard to live without them.
Vlan capable switches do cost more, but when you want to start to keep things separate without running extra wires, you will be glad for the capability. You can use any existing switches to expand the number of access ports there are for a specific vlan.
And I agree with @tangent, if the new switch isn't dedicated to storage, don't mess with jumbo frames. They can cause more problems than they solve when not everyone is using them on the lan.
There is no way 1 AP to reach the other side of the apartment and the balcony with all those brick walls in between. The solution would be either mesh (which seems not feasible) or a second AP like now