I have five Deco X20s for my wifi at home. I have been using them in “router mode”, so they are my DHCP server too. I have had two frustrations with this setup; a) I have to use my phone to manage my address reservations, and b) I’m reserving more addresses than they are comfortable managing for me.
I fiddled a bit with trying to get my pihole to be a DHCP server. That didn’t go well for me, so I’ve decided that I want to use my five Deco X20s in “access point mode” under a “proper” router.
@zeeclor’s mention of his Vigor 2927 got me asking ChatGPT what was possible with one of them. It turns out that I can script DHCP reservations using an API. With those mesh wireless access points I probably don’t currently need the router to have wifi. On the other hand, it might be nice to have wifi to fall back to if those Deco access points let me down one day.
It seems that Draytek are an Australian manufacturer and they make commercial grade gear instead of the consumer grade stuff that I’ve been using until now. Is that a fair assessment? Any other suggestions for me to consider before I start buying stuff?
You can probably get sufficient performance out of some sort of Mini PC; something like this guy from Ali would be sufficient for firewalling, routing, and running all of the fun services that you want in a box like this (incl. wireguard!).
It might be an option worth considering if you want to go the DIY route.
I replaced 3x Deco M5s at home several years ago after also getting frustrated with the need for the mobile app. They were only ever used as APs which meant 99% of their functionality wasn’t being used either, but they were perfectly serviceable as access points. I had them set up with ethernet backhaul between them and devices roamed around the house just fine. I suspect your Decos will be fine in access point mode for what you want out of them. Assuming they’re the same as mine, you’ve also got a single extra SSID/VLAN up your sleeve in an indirect way if you want to segregate some wireless clients (e.g., have any IoT stuff or “untrusted” devices on a different network). The Guest network feature of the Decos is actually a separate SSID and a VLAN tag (591) behind the scenes. For what it’s worth, I think it’s a great idea to keep the X20s and flick them over to AP mode.
(Edit: Probably should have opened with this - what flavour of NBN are you using? If it’s FTTN and you need a VDSL modem in the mix, that might change the below answer.)
Onto the router side of things, I haven’t directly worked with any Draytek gear since the very early days of xDSL in Australia so I don’t know what they’re like now. They had a good reputation, and others can probably comment more specifically on their current range.
Given your homelab setup and skillset, I honestly think you’re still going to end up frustrated with anything other than a MikroTik or building your own OPNsense / OpenWRT router. Perhaps Ubiquiti ticks the boxes too, but I haven’t played with any of their gear for 5+ years, so I can’t comment specifically on their current range.
In the “$100-ish” bracket, my suggestions would be:
[Haha, Kangie beat me to the punch and posted as I was typing my reply, so that saves me a link!]. A mini PC from AliExpress running OPNsense or OpenWRT will be infinitely flexible and you’ll learn a lot too. My other suggestion from a cost perspective would be to pick up an ex-lease/ex-government PC from the usual places around Brisbane and throw more NICs in it. Lots of <8th gen Intel stuff flooding the market at the moment for good prices (i.e., won’t run Windows 11 - example). Throw in an extra dual port gigabit NIC for a few bucks, or even a 10GbE NIC for <$100, and you’ve got a very capable router. It might even be worth waiting a month or two and seeing if more stuff hits the market after the looming October 14th Windows 10 EoS deadline passes.
On the MikroTik side, something in the hEX range (example) will give you that same flexibility and options to build and break and learn, and will serve you for a very long time. I recall that @mcrilly mentioned at one of the meets that he uses MikroTik gear as well, so he may have some more specific recommendations of his own.
I think it’ll come down to whether you want an “appliance” or not, but both of those approaches will be very capable for around that ~$100-150 mark.
You’ve also got the option to combine both approaches. Buy a MikroTik and get that really important mission critical, zero downtime stuff such as the rest of the family’s devices and the Decos moved over, then set up a separate subnet and build/spin up a VM running OPNsense for the homelab.
There are large parts of my home network that I can afford to stuff around with, and there are other parts that are “mission critical”. Plex seems to top the list, but work’s right up there too.
So, I reckon I’ll get a hEX S, and play with a DIY alternative down the road a little.
Draytek (website) is Taiwanese. They have good support in Australia and England.
So one of those Intel N100s would be sufficient to run OPNsense and hook into my NBN box?
Ahh, they state as much. “Fanless Min PC Intel N100 J1900 N2840 N5105 J4125 4x 2.5G Ethernet Support Windows Linux Pfsense OPNsense OpenWrt Virt …”
I looked at the Draytek but it does not enable the redirection of DNS queries to the pi-hole and I found blocking outgoing DNS to other sites killed my self hosted email and servarr suite. It’s possibly a docker setup issue but I have permitted outgoing for the time being as those services had to work.
It looks like a comprehensive set of functionality. I wouldn’t be surprised if there was some redirect possible using the Firewall → Filter Setup or possibly somewhere in the NAT sections. Unfortunately the demo is static and doesn’t let me go much deeper than the initial landing page for each function so I’m not 100% sure there. You mentioned Layer 2 in another thread, and VLAN tagging is in the demo (under LAN)… just having a click through the demo, it seems like the Vigor 2927 is very full featured.
You may not need to go down the OpenWRT, etc. route until you’re ready to replace the router anyway, as the router you already have may do enough for your use case. There’s also the option of spinning up something in a VM or on separate hardware as discussed above, and playing with things in your own homelab subnet rather than potentially changing something on your production router and annoying the rest of the household.
I am going to follow @Belfry’s advice and run these in a VM to start with. I have run pfSense and OPNsense in VMs a few years ago but it was double NAT and that is trouble.
I was also trying to get IPv6 running through that setup. I did have a couple of IPv6 sites but I really did not trust my firewall setup and subsequently took those connections down.
Anyone running IPv6 services behind their firewall?
Nah, I’m still hoping that IP6 is a fad that the industry will move on from eventually.
Maybe I shouldn’t be so scared of it.
The reason I’m so “head in the sand” is that I like being able to ping or ssh to 192.168.???.??? if I have any doubts about name resolution on a host. The third octet is known, so there’s just one integer for each host.
I’ve been assuming that IP6 meant that your home network would be hard to deal with without name resolution working reliably.
Is there a similar “private subnet” convention like 192.168.0.0 for IP6?
I also don’t know how my DHCP reservation approach would translate.
Has anybody else been trying to ignore IP6 like me?
No way! IPv6 rocks. I’ve been running IPv6 at home since 2009, initially via tunnel brokers, then natively shortly thereafter when Internode launched their IPv6 trial. There have been various challenges along the way (mainly due to really poor router implementations of IPv6 in the early days), but I’ve had IPv6 successfully ticking along at home that whole time.
Pretty much, yes. Of course, in reality everything IPv6 is going to be dual stack so you’ve got the IPv4 address at your disposal. Nothing changes there.
Yes, but I’d suggest moving away from that paradigm of RFC1918 addresses being “the” address for your local devices. Your devices probably also have one or more addresses in the fe80 prefix which are analogous to the old 169.254.x.x addresses in IPv4 land. It’s quite possible that a lot of the background magic has already happened and your devices may even have a global IPv6 address right now.
I’ve never bothered with DHCPv6 on the LAN side. RAs and SLAAC do all the hard work if you’ve got the router configured correctly (essentially, does the router connect to the ISP via v6 successfully? then the rest is probably just “magic”, barring a few configuration options for prefix size) and one can set fixed IPv6 addresses for servers and add AAAA DNS records, etc. You can make these memorable to a certain extent. The classic is Facebook.com resolving to something with :face:b00c: in its IPs. I have a tendency to use things such as :b33f:b33f:b33f or :c0ff:eec0:ffee a lot, just because I can remember them and can have a quiet chuckle to myself.
Yes, on occasion. Months ago at the Chermside meetup where I had Open WebUI running, that was hosted on IPv6 behind the scenes (on something ending in b33f:b33f:b33f, for what it’s worth). Using that and Cloudflare is a good way to expose your homelab services to the world too. Cloudflare will proxy your AAAA record and present an IPv4 A record to the world, so anyone can access that A record and Cloudflare will forward it to your IPv6 only address.
There’s some pretty good training material for free available at Hurricane Electric IPv6 Certification for anyone interested in learning about IPv6. I’m also happy to answer questions where I can, if anyone in the group wants to know anything specific or debug their own IPv6 setup in their homelab.
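An added worked example (my own, not code from the thread or any of the posters) that makes the replies above concrete: which IPv6 ranges play the role of 169.254.x.x and 192.168.x.x, how SLAAC derives a link-local address from a MAC (the “background magic”), and how a memorable fixed suffix such as :b33f:b33f:b33f combines with whatever /64 the ISP delegates. The MAC and the 2001:db8::/32 documentation prefix used as inputs are constructed for the example.

```python
"""
Added example, not from the thread: ipaddress-module helpers for the IPv6
points discussed above. Inputs (MAC, 2001:db8::/32 prefix) are constructed.
"""
from ipaddress import IPv6Address, IPv6Network

LINK_LOCAL = IPv6Network("fe80::/10")  # counterpart of 169.254.0.0/16
ULA = IPv6Network("fc00::/7")          # counterpart of RFC1918; fd00::/8 in practice
GLOBAL = IPv6Network("2000::/3")       # routable on the public internet


def classify(addr: str) -> str:
    """Name the role an IPv6 address plays, by prefix alone."""
    a = IPv6Address(addr)
    if a in LINK_LOCAL:
        return "link-local"
    if a in ULA:
        return "ula"
    if a in GLOBAL:
        return "global"
    return "other"


def eui64_iid(mac: str) -> int:
    """Modified EUI-64 interface identifier from a 48-bit MAC (RFC 4291, App. A)."""
    b = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(b) != 6:
        raise ValueError("expected a 48-bit MAC")
    e = bytearray(b[:3] + b"\xff\xfe" + b[3:])  # insert ff:fe in the middle
    e[0] ^= 0x02                                 # flip the universal/local bit
    return int.from_bytes(e, "big")


def link_local_from_mac(mac: str) -> str:
    """The fe80:: address SLAAC gives an interface before any router has spoken."""
    return str(IPv6Address(int(LINK_LOCAL.network_address) | eui64_iid(mac)))


def fixed_address(prefix: str, suffix: str) -> str:
    """Combine a delegated /64 with a hand-picked, memorable interface ID.

    The suffix survives a prefix change, but the full address does not, so an
    AAAA record pointing at it must be updated if the ISP hands out a new prefix.
    """
    net = IPv6Network(prefix)
    iid = int(IPv6Address("::" + suffix))
    if iid >= 1 << (128 - net.prefixlen):
        raise ValueError("suffix does not fit in the host part of the prefix")
    return str(IPv6Address(int(net.network_address) | iid))


if __name__ == "__main__":
    print(classify("fe80::1"), classify("fd12:3456:789a::1"), classify("2001:db8::1"))
    print(link_local_from_mac("00:11:22:33:44:55"))
    for p in ("2001:db8:1234:5678::/64", "2001:db8:abcd:1::/64"):
        print(fixed_address(p, "b33f:b33f:b33f"))
```

Two caveats worth knowing: most current operating systems no longer derive their SLAAC addresses from the MAC as `eui64_iid` does (they use stable-privacy or temporary random identifiers instead), so the EUI-64 form is mainly what you will see on older gear and embedded devices; and because the global address changes with the delegated prefix, the “fixed” part you control is only the suffix, which is exactly why a DNS record (or a ULA for purely internal names) is needed to keep the address memorable.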
My affection came from learning about it and then setting it up when I was on Internode, who gave every sub a block of static IPs the size of grains of sand at the beach!
And I could run them up instantly and put a million separate webservers on the IPV6 internet if I wanted and had the resources.
No NAT, no Conntrack, no local only network, etc, only a firewall is needed.
Every IPv6 IP is unique, including those behind your gateway, and only the gateway controls which of your IPs is internal, external or both.
You actually have it backwards, the one that won’t last is IPv4, because of its limitations of difficult maintenance, troubleshooting and implementation.
I haven’t had working IPv6 since I moved up here… I suspect that my bridged modem is a pile of garbage as I had full dual stack working on fttc down south.
Never did host anything open to the world, I always just VPN in if I need to!
Noting the intricacies of running OpenWRT and OPNsense, I came across IPFire. It was a fork of IPCop which I remember from twenty years ago. It advertises itself as a simple yet comprehensive firewall.
However it does not support IPv6 out of the box so I am back to thinking OPNsense might be my best option.
IMO OPNsense is the best option for running on x86 (and now arm64) hardware. The firewalling is pretty easy to configure. If you recall a few weeks ago when I couldn’t join the Jitsi, all I had to do was add an alias called ‘JITSI_PORTS’ that points to all the ports that Jitsi needs, add it to my “allowed to access the internet” rule and suddenly traffic was going out - it’s all driven by the GUI (for better or worse!) but there are plenty of guides out there, and it’s easy to start small and build up from there - adding a second connection for other VLANs if you have the spare interface before working up to trunking. Also you can backup and restore your config quite easily!
Thanks for prompting me to come back to this issue during tonight’s meeting, @zeeclor.
The DrayTek can do it, but the terminology is different in the UI. Rather than using NAT rules, you can set up a wildcard * redirect of all DNS queries to an internal server (which is almost certainly building NAT rules in the background to make the redirect work).
This article on the DrayTek KB covers the config, and although the 2927 isn’t explicitly listed in the article, the option looks to be in the 2927’s UI according to the demo under Applications > LAN DNS / DNS Forwarding.
I strongly doubt it will block any encrypted DNS (DoH/DoT, etc.) traffic, but setting it up per the KB article should capture standard DNS lookups from devices on your network that are set to alternate DNS servers and aren’t honouring your DHCP assigned one(s).
Given that there’s nothing in the KB article about it, I assume the DrayTek is clever enough not to redirect requests from the Pi-Hole back to the Pi-Hole. If not, then that’s a perfect opportunity to set up DoH outbound from your Pi-Hole too.
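An added example (mine, not the DrayTek KB article’s configuration or anyone’s code from this thread) of the transparent DNS redirect the last few posts describe, for anyone doing it on an OPNsense, OpenWRT or plain Linux router instead of the Vigor. It has two parts: a small decision function that states the policy (redirect plain port-53 traffic from LAN clients to the Pi-hole, exempt the Pi-hole’s own upstream lookups, drop DNS-over-TLS so clients fall back to the redirected path), and the equivalent nftables ruleset. The interface name `lan0`, the LAN 192.168.10.0/24 and the Pi-hole address 192.168.10.53 are assumptions for the example.

```python
"""
Added example, not from the thread: a transparent DNS redirect policy as a
checkable model plus the nftables rules that implement it.
Assumed values (not from the thread): lan0, 192.168.10.0/24, Pi-hole .53.
"""
from ipaddress import ip_address, ip_network

LAN_IF = "lan0"
LAN_NET = ip_network("192.168.10.0/24")
PIHOLE = ip_address("192.168.10.53")


def decide(src: str, dst: str, proto: str, dport: int) -> str:
    """What the router does with one packet arriving from the LAN side."""
    s, d = ip_address(src), ip_address(dst)
    if s not in LAN_NET:
        return "pass"                       # policy only applies to LAN clients
    if s == PIHOLE:
        return "pass"                       # Pi-hole's upstream queries must leave
    if proto == "tcp" and dport == 853:
        return "drop"                       # DoT can't be redirected; force fallback
    if proto in ("tcp", "udp") and dport == 53 and d != PIHOLE:
        return f"dnat->{PIHOLE}"            # hijack plain DNS aimed anywhere else
    return "pass"                           # DoH on 443 is NOT caught by this policy


def render_nft() -> str:
    """The same policy as an nftables ruleset (load with `nft -f`)."""
    return f"""table ip dns_redirect {{
    chain prerouting {{
        type nat hook prerouting priority dstnat; policy accept;
        iifname "{LAN_IF}" ip saddr {PIHOLE} return
        iifname "{LAN_IF}" ip daddr != {PIHOLE} udp dport 53 dnat to {PIHOLE}
        iifname "{LAN_IF}" ip daddr != {PIHOLE} tcp dport 53 dnat to {PIHOLE}
    }}
    chain postrouting {{
        type nat hook postrouting priority srcnat; policy accept;
        # hairpin: the Pi-hole sits on the same LAN as the clients, so without
        # this its reply would go straight back and bypass the un-DNAT
        oifname "{LAN_IF}" ip daddr {PIHOLE} ct status dnat masquerade
    }}
    chain forward {{
        type filter hook forward priority filter; policy accept;
        iifname "{LAN_IF}" ip saddr {PIHOLE} accept
        iifname "{LAN_IF}" tcp dport 853 drop
    }}
}}
"""


if __name__ == "__main__":
    for pkt in (("192.168.10.20", "8.8.8.8", "udp", 53),
                ("192.168.10.53", "1.1.1.1", "udp", 53),
                ("192.168.10.20", "1.1.1.1", "tcp", 853),
                ("192.168.10.20", "1.1.1.1", "tcp", 443)):
        print(pkt, "->", decide(*pkt))
    print(render_nft())
```

Two practical notes. The hairpin masquerade is only needed when the Pi-hole shares a subnet with the clients; if it lives on its own VLAN the reply already routes back through the firewall and that rule can go. It also costs you something: redirected queries show up in the Pi-hole log with the router’s address as the client, so this is a backstop for devices that ignore DHCP, not a replacement for handing out the Pi-hole as the resolver. And as the post above says, DoH over 443 passes straight through this policy; catching that needs a blocklist of known DoH resolver names or addresses, which is outside what these rules do.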