I note a lot of confusion around networking terminology, at least as applied to home and SOHO networking. I am sure that hard-core network professionals speak a more complex language and communicate just fine when it comes to industrial-strength networking. There is a growing community of amateur network geeks who like to build elaborate "home labs" where they tweak their networks as a hobby, so there is a lot of knowledge (and opinions), especially on YouTube.
What are the exact definitions of a gateway, an ONT, a modem, SDN, a switch, a router, AP, a VPN, QoS, IoT, DMZ, hotspot, and so on? The average internet-connected home user probably couldn't care less and just wants things to work.
The term "gateway" usually refers to an all-in-one appliance. It does cable modem functions, DHCP services, NAT, firewall, and usually a multiport switch with Ethernet jacks. HOWEVER, at least one vendor - Ubiquiti - uses the term "Cloud Gateway" for a family of devices that perform routing functions but do not have built-in modems. Switches are Ethernet connection devices that can be either unmanaged or managed. Unmanaged switches simply connect all the Ethernet ports so they become part of the same LAN. Managed switches can do more sophisticated things like VLANs, traffic shaping, etc. The term "router" is more confusing. Routers provide a firewall, NAT, DHCP services, and usually have multiple Ethernet ports. However, routers for home or SOHO use also usually have WiFi built in, so the term is ambiguous. If you Google "router" you will mostly see devices with WiFi built in. These devices are aimed at the consumer market and have limited flexibility compared to "professional" equipment. This is where SDN - Software Defined Network - comes into play. If you want to separate the WiFi function and have greater control of your network, you need to look for routers without WiFi. These can then be connected to an Access Point, or AP, which provides the WiFi channels, often with the option of multiple SSIDs, which can help split and isolate traffic.
So, given all that, I have been reimagining my home network setup for a while now. Like many (most?) I rely on my ISP for a rented gateway to do all the heavy lifting and to keep things simple. My network is pretty much all WiFi-based, and the gateway with its built-in router and Wifi is adequate to cover most of my house. I do have one repeater in the garage to support my generator monitor project, since the monitor uses a Pi Zero W with a weak Wifi radio, but that is the extent of "complications" to my network. I have just one device connected directly via Ethernet to the router, a repurposed TV appliance box running a Lyrion music server for my music players (which are on WiFi).
Here's the "modern" problem: like many homes these days, we have a bunch of IoT Wifi devices:
smart switches
dimmers
Amazon Echos
smart TV
dumb TVs with Firesticks
printers
thermostats
security system
all connected to the same Wifi SSID. Some of these could present a potential threat to my network - there are known examples of hacking exploits that can turn IoT devices into hijackers and therefore infect the stuff that matters, our computers, which have all our personal info, email, passwords, etc. Plus, my Chinese smart TV likes to "phone home" occasionally, and I wonder what it is saying to its parents, Haha. Am I being overly paranoid? Probably - but if I can put those fears to rest, so much the better.
One simple mitigation is to put all untrusted devices on a "guest" Wifi network. BUT - if you have an Xfinity gateway like me, you'll find that it does not have that feature! Incredibly, Xfinity instead chose to only allow you to enable a Wifi "hotspot". Guests (or anybody nearby) can use this hotspot to get internet connectivity as long as they are Xfinity customers. I guess they were thinking this would drive more people to become customers, but why would I enable this on my gateway to share my WiFi, especially since it is useless for isolating IoT devices? Besides, anyone outside my home would be out of range of my gateway anyway.
It is possible to put an Xfinity gateway into "bridge" mode. This essentially turns it into a dumb modem with no features such as a firewall, DHCP, NAT, or other router functionality (of course, they don't reduce the rental fee). A simple solution would be to connect a Wifi router to it, which DOES have those features, plus guest network functionality. These routers are commonly available for less than $100, depending on Wifi speed. Wifi 7 is now available, but very few client devices support it (so far). This would allow you to put all untrusted devices on the guest network, effectively isolating them. One potential downside of this approach is that Xfinity has been known to break bridge mode occasionally by doing equipment updates and resetting the gateway to a default configuration. This would be unacceptable to me since I am often away and rely on the internet to always be available for me to check on my home devices (those that don't connect via a cloud service). Should I be willing to take this risk?
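Whichever box ends up doing the isolating (the gateway's guest network, a separate WiFi router, or a dedicated router plus AP), the thing worth checking afterwards is that a device on the untrusted network really cannot reach the trusted LAN while it can still reach the internet. The script below is an added example, not part of the original post or any vendor's software: run it from a laptop joined to the guest or IoT SSID. All addresses and ports in it are constructed placeholders that you would replace with your own trusted-LAN hosts.

```python
"""Verify that a guest/IoT network is really isolated from the trusted LAN.

Each probe is a plain TCP connect. On a correctly segmented network the
trusted-LAN probes must be filtered (time out) and the internet probe must
succeed. A "closed" result (connection refused) means packets reached the
host, so it is treated as reachable and flagged.

All addresses below are constructed placeholders, not values from the post.
"""
import socket
from dataclasses import dataclass


@dataclass(frozen=True)
class Probe:
    label: str
    host: str
    port: int
    expect_reachable: bool  # what a correctly segmented network should show


# Constructed sample probes (assumed addresses; substitute your own hosts).
# Do not use the router itself as a trusted-LAN target: it is the gateway for
# the IoT network too, so its address is reachable by design.
PROBES = [
    Probe("music server (trusted LAN)", "192.168.1.20", 9000, False),
    Probe("file share (trusted LAN)", "192.168.1.30", 445, False),
    Probe("desktop PC (trusted LAN)", "192.168.1.40", 22, False),
    Probe("internet (public DNS over TCP)", "1.1.1.1", 53, True),
]


def tcp_probe(host: str, port: int, timeout: float = 2.0) -> str:
    """Return 'open', 'closed' (refused) or 'filtered' (timeout/unreachable)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except OSError:
        return "filtered"


def check_isolation(probes, probe=tcp_probe):
    """Run every probe and return (all_ok, findings).

    findings is a list of (label, state, ok) tuples; ok is True when the
    observed reachability matches expect_reachable. `probe` is injectable so
    the logic can be exercised without a real network.
    """
    findings = []
    for p in probes:
        state = probe(p.host, p.port)
        reachable = state != "filtered"  # refused still means the host answered
        findings.append((p.label, state, reachable == p.expect_reachable))
    return all(ok for _, _, ok in findings), findings


if __name__ == "__main__":
    all_ok, findings = check_isolation(PROBES)
    for label, state, ok in findings:
        print(f"{'PASS' if ok else 'FAIL'}  {label:34s} {state}")
    if all_ok:
        print("segmentation OK")
    else:
        print("segmentation LEAK: revisit the guest/VLAN isolation rules")
```

One caveat when reading the output: a firewall configured to reject rather than drop also answers with a refusal, so a "closed" result on a trusted-LAN target is a prompt to look at the rules, not proof of a leak. Run the same script from the trusted SSID as well; there the LAN probes should be open or closed, never filtered, which confirms the targets themselves are up.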
A possible next step would be to buy a modem. Owning your modem (which must be compatible with your ISP) frees you from a rental agreement, although the break-even point will likely take a year. Most of the opinions out there on the web are that it is better to separate modem and router functionality. One justification is that modem technology changes slowly over time, and buying a DOCSIS 3.1 cable modem would allow for 1 Gb+ connectivity and be reasonably future-proof. Wifi and router technology, on the other hand, change rapidly, so replacing these functions may happen more often. Things get trickier if you are on fiber (requiring an Optical Network Terminator, or ONT), but I am currently still on cable. I "cut the cord" some time ago, so I only rely on streaming services for TV watching.
So, if you decide to separate the modem and WiFi functions from the rest of the network, you need to look at dedicated, non-WiFi routers:
One choice is to build a DIY software/hardware appliance that can handle all the typical router functions: firewall, DHCP, NAT, and added features such as intrusion detection and VPN. There are a couple of free open-source software options here: pfSense and OPNsense. OPNsense is a fork of pfSense and seems to be preferred by many. It runs on almost any computer platform with at least 2 Ethernet ports (in and out) and is typically used on microPCs like this one, which sells for $135. Since this example only has two ports, you also need to add a switch for hardwired Ethernet. OPNsense seems to be very popular among network hackers.
MikroTik makes what appears to be some of the lowest-cost small routers with full features: hEX S (2025) for $69. For full management, it requires a separate program that runs on a PC - called WinBox. Some users complain about the complexity of controlling MikroTik devices, but this stems from the large number of options supported. Presumably, the router runs the same OS as MikroTik's larger and more expensive commercial routers.
Ubiquiti also makes a small, mid-cost router, the Ubiquiti Cloud Gateway Ultra, for $129. It seems to be feature-rich, but it does not have a user manual. It looks like it can be controlled from a Ubiquiti cloud interface or the built-in management interface, which is purported to be pretty self-explanatory. Ubiquiti gear is favored among many network geeks.
TP-Link is another option. Their Omada series of SOHO devices is reasonably priced. The ER605 is described as a VPN router and is only $51 on Amazon. VPN routers have all the basic stuff, but add the ability to communicate between sites securely. A big brother to this is the ER7206 for $140, which is described as a "professional" version. Omada devices can be centrally managed via an Omada "controller" node in the network, and there is also an app available. You can also buy a dedicated Omada controller appliance box for $80, but the software can even run on a Raspberry Pi if you want to do a DIY thing.
There is also a TP-Link "Festa" FR205 5-port model for only $47 on Amazon. It claims to be easy to set up (as in zero configuration) and is aimed at small businesses. However, it requires a connection to a TP-Link cloud for management and is not compatible with Omada. This is currently free, but they reserve the right to charge in the future. Sounds a little like "bait and switch" and possibly not very secure.
People are nervous about TP-Link in general, since there may be a government ban imposed on them for security reasons. This is very controversial, and TP-Link denies being either a China-controlled company or making products that can be exploited by attackers (at least no more so than the others).
There are other examples like ASUS and Netgear routers.
Regarding hacks and vulnerabilities, apparently, ASUS SOHO routers have been targeted recently (2025): see this article. Apparently, "state actors" have been planting backdoors in ASUS routers using a security vulnerability for some time in preparation for a massive global attack, and thousands of routers are affected. ASUS says they patched the routers to prevent further attacks, but the backdoor is reported to survive firmware updates and reboots. Sheesh!
An AP (Access Point) would be a good approach for Wifi in addition to a dedicated router and would allow you to implement multi-SSID Wifi LANs. This is a typical application in business networks, and multiple APs are often deployed in commercial settings. One example of an inexpensive AP is the TP-Link TL-WA3001. These are available used for as little as $30 on eBay. This offers great flexibility since you can have multiple independent WiFi SSIDs, allowing good isolation. Other options are available - see my decisions below.
Another WiFi option is to implement a mesh network. I have some experience with eero at another property, but don't like the fact that full management features require a pricey subscription. Other mesh systems are available from the major network vendors. Mesh setups tend to be somewhat pricey, but have the advantage of complete, seamless WiFi coverage.
Putting all this together is a pain, so is it worth the effort? Yes and no. Everything is a tradeoff. On the plus side, it frees me from Xfinity and provides a lot of added security and peace of mind. On the negative side, there is some work to get this all working seamlessly and ongoing management (updates, monitoring, etc.) requires effort. Plus, if something happens to me (the network admin), who could take over and understand or fix problems down the road?
So, throwing caution to the wind, I decided to try some of the TP-Link Omada gear. I got the ER605 VPN 5-port router and an Access Point. Specifically, TP-Link AC 1350, which allows up to 8 SSIDs on both the 2.4 and 5 GHz frequencies (this one does not do WiFi 7, but I don't have any compatible devices). Total out-of-pocket costs were only $105.
I decided that a lot of the concerns and a possible ban on TP-Link are probably red herrings. The company has been US-based for several years now (yes - it was originally China-based), and the gear I got was manufactured in Vietnam.
I kept the Xfinity gateway running and put it into bridge mode. One note of caution - after placing the gateway into bridge mode and connecting the router, I had no access to the internet! After a moment of panic, I power cycled the gateway, and after it rebooted - about 5 minutes - all was good. The router got IP addresses from Xfinity, and I was back online.
At some point, I may buy a modem and ditch the Xfinity box, but I did not want to make too many changes at once.
For small networks like mine, Omada recommends using the built-in web UIs for configuration needs (rather than the Omada Controller or the Cloud). I found the UI for both the router and the AP to be pretty easy to understand, and the manuals are really good. Very detailed and clearly written. Also, the built-in UIs are much more extensive than you find in typical consumer devices.
In order to get my head around all this, I started a dialog with Grok. I described my concerns about security, isolation, and organization. Grok came up with a pretty good plan. I asked Grok to put all this into a handy chart, and it (he, she?) produced the following in markup format. I converted it into a Google Doc for easier formatting. Grok even suggested passwords for each SSID.
Grok seems to have the ability to look up and read manuals on specific devices and can make detailed recommendations about configurations and settings. I decided to stop taking additional advice and learn about the Omada devices on my own and make further decisions based on what I learned.
Of course, I am changing all the names for security reasons and will probably have different VLAN IDs, but this served as a starting point for me.
As soon as I got the router up, I updated the firmware. There was a very recent (May 2025) update with some vague mention of vulnerability fixes. The default firewall settings seem adequate, but can be tweaked.
One thing that is pretty important and makes life easier is to add an SSID for the legacy network, using the old password. This allows some devices to stay connected for easier transitioning to the new SSIDs, since you can still log into them and make changes.
I gradually moved devices over to the new SSIDs in order not to break things or make my network unstable.
Some of my legacy devices were a bit of a pain to change over. The Raspberry Pi-based devices required me to remember how to log into them via SSH (and this required some guessing since I had neglected to record the login info). Eventually, I was able to log in by trial and error (my memory was tested) and use the raspi-config tool on them to change the SSIDs from the legacy setup. I encountered errors with the tools until I did a "sudo apt upgrade" on all the devices, after which the changes worked except for one Pi. I had to run "nmtui" to edit the "preconfigured" connection that had the old SSID. Apparently, the old wpa_supplicant.conf configuration method has been deprecated and newer versions of Raspbian use Network Manager. Linux can be strange.
So, lesson learned - I documented all login info!
Also, while the legacy SSID was still active, I had a few other devices that kept reverting to it, so I had to tell them to forget that SSID. I then deleted the SSID and checked the networks over a few days to make sure things were stable.
I had a couple of devices still connected to the legacy SSID and couldn't think of what they were until I looked up the MAC addresses - they were both Amazon devices. One was my wife's Echo Dot, which I had completely forgotten. I had to change the network to the IoT SSID via the Alexa app. I noticed the Alexa app has all kinds of devices listed, including remote sensors for my Ecobee thermostats (which are Alexa-enabled)! Wonder how much of a security hole that is!!!
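The last two steps of the migration (watching for devices that drift back to the legacy SSID, then working out what an unlabelled MAC address is) are easy to script so the check can be repeated each day before the old SSID is finally deleted. The script below is an added example, not code from the original post or from TP-Link: it reads a client list exported from the AP and reports who is still on the legacy SSID, with a vendor guess from the MAC's OUI. The export format used here (mac,ssid,hostname) is a constructed simplification, so parse_clients() must be adapted to your AP's real columns; the OUI table is a constructed excerpt with made-up prefixes, and for real use you would load the IEEE oui.csv with load_ieee_oui().

```python
"""Find which Wi-Fi clients are still on the legacy SSID and who makes them.

The client export, the MAC addresses, the hostnames and the OUI table below
are all constructed for this example; substitute your AP's real export and
the IEEE OUI list (https://standards-oui.ieee.org/oui/oui.csv).
"""
import csv
import io
from collections import Counter

LEGACY_SSID = "OldHomeWifi"  # assumed name of the legacy SSID

# Constructed sample export (mac,ssid,hostname); MACs are made up and appear
# in the mixed separator styles that different UIs use.
SAMPLE_EXPORT = """\
mac,ssid,hostname
AA-BB-CC-11-22-33,OldHomeWifi,
aa:bb:cc:44:55:66,OldHomeWifi,
dd:ee:ff:01:02:03,IoT,living-room-tv
12:34:56:78:9a:bc,Trusted,laptop
aabbcc778899,Trusted,
"""

# Constructed OUI excerpt: these prefixes are placeholders, not real assignments.
SAMPLE_OUI = {
    "AABBCC": "Example Voice Assistant Co (constructed)",
    "DDEEFF": "Example TV Maker (constructed)",
}


def normalize_mac(mac: str) -> str:
    """Accept aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF or aabbccddeeff; return AA:BB:CC:DD:EE:FF."""
    digits = "".join(ch for ch in mac if ch.isalnum()).upper()
    if len(digits) != 12 or any(c not in "0123456789ABCDEF" for c in digits):
        raise ValueError(f"bad MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def oui_of(mac: str) -> str:
    """First three octets of the MAC, as the six-hex-digit key used in oui.csv."""
    return normalize_mac(mac).replace(":", "")[:6]


def load_ieee_oui(text: str) -> dict:
    """Parse the IEEE oui.csv columns (Registry,Assignment,Organization Name,...)."""
    return {row["Assignment"].upper(): row["Organization Name"]
            for row in csv.DictReader(io.StringIO(text))}


def parse_clients(text: str) -> list:
    """Parse the (constructed) AP export into dicts with normalized MACs."""
    return [{"mac": normalize_mac(r["mac"]), "ssid": r["ssid"], "hostname": r["hostname"]}
            for r in csv.DictReader(io.StringIO(text))]


def stragglers(clients, legacy_ssid, oui_table) -> list:
    """Clients still on the legacy SSID, each with a vendor guess from its OUI."""
    out = []
    for c in clients:
        if c["ssid"] == legacy_ssid:
            vendor = oui_table.get(oui_of(c["mac"]), "unknown vendor")
            out.append((c["mac"], c["hostname"] or "(no hostname)", vendor))
    return out


def ssid_counts(clients) -> Counter:
    """How many clients are on each SSID; useful to watch the legacy count fall."""
    return Counter(c["ssid"] for c in clients)


if __name__ == "__main__":
    clients = parse_clients(SAMPLE_EXPORT)
    print("clients per SSID:", dict(ssid_counts(clients)))
    left = stragglers(clients, LEGACY_SSID, SAMPLE_OUI)
    for mac, host, vendor in left:
        print(f"still on {LEGACY_SSID}: {mac}  {host:16s} {vendor}")
    print("safe to delete the legacy SSID" if not left else
          f"{len(left)} device(s) still on the legacy SSID; not safe to delete yet")
```

A vendor guess from the OUI only narrows things down (randomized MACs on phones and laptops will show as unknown), but it is usually enough to tell an Echo from a thermostat. Running this against a fresh export each day until the straggler list is empty is the check that makes deleting the legacy SSID a safe step rather than a guess.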