Which is the best/most secure router / firewall for my future setup?
Hello Madams and Sirs!
I have a ethernet-wired home, with outlets in almost all rooms, total area of 280m2, 3 floors.
The ethernets are patched in a cable-box in the basement.
I plan to go complete Omada-setup.
3 or 4 EAP653, wired PoE from a SG2210MP switch, also connected to the OC200.
I am considering the ER7206 as router connecting to the fiber-internett.
Also, i have kids, and parental controls are important, so will probably set up a Raspberry-Pi with either Pi-Hole, or KeexyBox, although i will use whichever settings in the Omada to maybe create a "Kids" VLAN.
Security is important for me. Is the ER7206 up for it? or do you suggest something else?
Im a noob but im a nerd and eager to learn :D
Best regards.
- Copy Link
- Subscribe
- Bookmark
- Report Inappropriate Content
You can specify DNS servers per LAN subnet with Omada routers (that makes the Wifi really easy)...LAN connected devices require a little more work with VLAN, port profiles, and possibly some MAC/IP fixing.
One of the nice (I think anyways) features of PiHole is you can spec whichever upstream DNS servers you want to use. You might even want a PiHole instance per user-class subnet and use a safe DNS service on one, and a less safe one on another.
- Copy Link
- Report Inappropriate Content
Most FTTH (fibre to the home) services are done via PON (passive optical network) which shares the fibre capacity among multiple users (essentially with another hidden layer of VLANs). The termination of these services is via a device called an ONT (optical network terminator) which is the device that understands the encryption and higher level VLANs used by your provider. You need to be sure that this function can be retained, I know because this is what I have done with one site with a provider we'll call Hell. They have a number of home modem options, the most recent have the ONT integrated into them directly on the mainboard. However, a few generation back they had a gigabit capable home modem that had a removable ONT in SFP form factor...after much negotiation they finally came and installed this version and I immediately removed the ONT SFP and installed it in an SFP-GbE media converter which I used to feed my Omada solution. After that, the Omada 'IPTV' feature takes care of having multiple WAN-side VLANs, but this is only relevant if you have on ONT solution that works with the Omada setup.
- Copy Link
- Report Inappropriate Content
Hi, I think ER7206 is OK.
I have seen a post related to Parental Control before, don't know if it can help you.
- Copy Link
- Report Inappropriate Content
Thanks for great tips!
Is there a solution making it possible for the kids to use one set of primary & secondary DNS, and for the adults to use a different set of primary & secondary DNS?
Would the creation of 2 VLANs make this work?
- Copy Link
- Report Inappropriate Content
- Copy Link
- Report Inappropriate Content
The ER7206 is the ONLY TPlink router I would buy at this time for feature set, stability and support. The ER605v1 seems to be struggling to catch up...and the newer 8411, 7212 (3in1) and even upcoming 707 (7206v2) seem to lag behind the 7206 in firmware features. The 2210MP is overkill for what you are trying to do as the 2210P still has 50W of available POE power across all 8 ports (I have EAP615-wall units that consume 3.5W only). I too run offboard piholes for DNS filtering (one in a Docker container, the other on a Libre (Raspberry clone) board). There is rumour that onboard DNS has been accepted as a feature, but it won't have anything like the capabilities of a PiHole, and I'm sure will be pretty limited in the features you are looking for.
You can definitely create two LAN subnets and isolate them from each other by VLAN and even give them different DNS server IPs. You can even attach different WiFi SSIDs to those LAN subnets by assigning the same VLAN ID to the WiFi network name.
- Copy Link
- Report Inappropriate Content
I've been using a Firewalla Purple as a "prosumer" pfsense and pihole equivalent router\gateway\firewall solution with my Omada switches\APs\controller and it's worked pretty well. It can do that separate DNS per defined groupings\vlan or physical network segments (in the case of Gold model).
I've looked at the Omada routers and feel the ER7206 is probably the one worth getting for the more complete firmware features (as @d0ugmac1 says) but I'd prefer the ER605v2 if it gets feature updated to match since it's much cheaper and I don't need the extra VPN capabilities of the 7206. 605v2 probably will get those features based on the beta firmware currently released but the slow release of expected foundational features (like mDNS reflectors) is a concern. I would need to setup pihole or NextDNS (or combo) but that's not hard to do (either docker or rpi device). I was looking at this option when I ran into a problem with my Firewalla last month (was resolved, not a product fault) and was debating going all in on Omada so looked into your same question at the time.
- Copy Link
- Report Inappropriate Content
- Copy Link
- Report Inappropriate Content
You can specify DNS servers per LAN subnet with Omada routers (that makes the Wifi really easy)...LAN connected devices require a little more work with VLAN, port profiles, and possibly some MAC/IP fixing.
One of the nice (I think anyways) features of PiHole is you can spec whichever upstream DNS servers you want to use. You might even want a PiHole instance per user-class subnet and use a safe DNS service on one, and a less safe one on another.
- Copy Link
- Report Inappropriate Content
My ISP supplies me with fiber with a trunk consisting of 3 virtual nettworks: Admin, IPTV, and Internet.
I plan to replace the modem supplied by the ISP, with the TL-ER7206. I will plug the Fiber(with TV-included) directly into the 7206,
Is it possible to configure a VLAN to bypass the firewall in the 7206? It would be a waste of firewall-resources to have firewall also cover all IPTV traffic..
- Copy Link
- Report Inappropriate Content
Most FTTH (fibre to the home) services are done via PON (passive optical network) which shares the fibre capacity among multiple users (essentially with another hidden layer of VLANs). The termination of these services is via a device called an ONT (optical network terminator) which is the device that understands the encryption and higher level VLANs used by your provider. You need to be sure that this function can be retained, I know because this is what I have done with one site with a provider we'll call Hell. They have a number of home modem options, the most recent have the ONT integrated into them directly on the mainboard. However, a few generation back they had a gigabit capable home modem that had a removable ONT in SFP form factor...after much negotiation they finally came and installed this version and I immediately removed the ONT SFP and installed it in an SFP-GbE media converter which I used to feed my Omada solution. After that, the Omada 'IPTV' feature takes care of having multiple WAN-side VLANs, but this is only relevant if you have on ONT solution that works with the Omada setup.
- Copy Link
- Report Inappropriate Content
Information
Helpful: 0
Views: 2629
Replies: 9
Voters 0
No one has voted for it yet.