c4forums | The Control4 Community

Evaluating new install: Can I bring a PFSense box and Ubiquiti APs to the party?



We purchased a new house and rather than go the DIY route I've decided to go with a C4 dealer to set us up. I'm ok trading $ for time & a professional setup; however, I'm evaluating the proposal the dealer made and was wondering about places where I might save a few bucks here and there.

He's pushing an Araknis 310 switch and, although it seems a bit pricey, it sounds like a solid unit from what I've read here and it's what they are used to configuring so I'm prepared to go with that. I'm less convinced I need the router he's proposing... I'd rather keep my PFSense firewall and open a door for him to get through to the 310. Also the Araknis APs seem a bit pricey for what they offer. I've seen some folks waving people off of the Ubiquiti APs due to some specific network config requirements. I would expect a quality installer to know enough networking to deal with that properly. Thoughts?

 

Link to post
Share on other sites

As you will have seen from this forum, the Araknis switches/routers are "fine" but the primary reason dealers sell them is that SnapAV supports them (and I don't know but assume for dealers the markup is good).  Dealer wants to be able to call Snap and get live support, and get hardware replaced/ordered quickly and easily - Snap does that. 

It's not a given that your dealer will be a networking whiz - some are (especially here on this forum), some aren't.  A number of the dealers I have dealt with on the ground came over from the AV world, and networking intricacies are not their specialty - they need the live support for tricky stuff.

Also - learning something unique for your house is going to sound like a hassle to them.  New interface, not OVRC, etc. etc.

That said, Araknis APs are overpriced, and you will get better performance at lower price with Unifi APs.  Speaking from experience, they work fine with Araknis gear - they are indifferent to the networking gear behind them. I'm guessing you will have to administer them yourself - but given your post, it sounds like you are capable of doing that.

Link to post
Share on other sites

First, and this is just my opinion, but the place to save money is not on one of the most critical aspects of your new home infrastructure. In this day and age, even if you weren't installing a Control4 system, home networks are being heavily taxed with home school, work from home, more and more streaming, more and more wireless IoT devices, etc. This means they need to be rock solid or your experience is not going to be pleasurable.

PFsense makes great stuff, but if your dealer knows zero about how they work or how to configure them properly then your experience and system performance may not be very pleasurable. 

Araknis gear is... ok... I'd consider it budget gear compared to the majority of equipment available on the market. It's a bit more expensive than Ubiquiti gear with a bit less reliability and features. Ubiquiti makes good gear at a decent price but the margins are absolutely horrible, like $10 or less, on any given piece of equipment. This is why a lot of dealers hate them. Personally we educate our clients on all of this and don't sell them on individual equipment costs but package costs that include our expertise, which allows us to make up some of that margin. We still lose some of the margin but our clients are getting quality networking gear, at a reasonable price, installed, configured, and eventually monitored by a single source. All of this leads to a better overall experience.

Shopping individual components of an install really is the worst thing you can do as a consumer, it might save you a few bucks on the front but what you lose is much bigger.

In the end if they aren't comfortable with anything other than Araknis and you're not then you may need to look for a dealer who carries Unifi or other equipment. Just remember the grass isn't always greener and quality rock solid networking equipment that's well thought out comes at a price.

Link to post
Share on other sites
10 hours ago, HeBeCb said:

I've seen some folks waving people off of the Ubiquiti AP's due to some specific network config requirements. I would expect a quality installer to know enough networking to deal with that properly.

As per above, no I wouldn't count on the majority of perfectly fine dealers to know enough networking to 'deal' with a ubiquiti setup. Araknis and Pakedge gear is more or less 'pre-loaded' to work for home automation/smart home/IoT.

21 minutes ago, cdepaola said:

It's a bit more expensive than Ubiquiti gear with a bit less reliability and features.

Ehh. Current lineup is on par in reliability maybe even in slight favour of Araknis at this point, still too many updates on ubiquiti at this point for my liking. And features can cause issues when in the wrong hands.

 

PFSense, again, is something that is a good piece, but not geared towards a smart home install.

 

Don't be surprised if your dealer just doesn't want to accept using 'your' gear - in the end, the dealer gets the call in 99% of the time when 'the internet' is down - you may be the 1%, but a C4 installer that isn't particularly versed in networking may just not want to deal with it (the VAST majority of issues reported are networking - while this leads to the comment that 'too often dealers point to the network vs other items', that doesn't change the stats - but to the majority of the client it's ALL "Control4").

Understand that I don't subscribe to that philosophy of not accepting customer preferences in networking, but I do understand the reasoning behind it. Heck I'm on my way to a client now that likely has an ISP router or modem issue who is essentially 'blaming' Control4 - when in reality the issue is with internet only, with some possible indirect consequences to his C4 system.

Link to post
Share on other sites
11 hours ago, HeBeCb said:

I'd rather keep my PFSense firewall and open a door for him to get through to the 310

If you're comfortable with pfSense and are savvy enough to open specific ports, you should be fine. 

 

11 hours ago, HeBeCb said:

I've seen some folks waving people off of the Ubiquiti AP's due to some specific network config requirements

I've run into no issues in this regard. Still, general rule of thumb is to hard-wire EVERYTHING as much as possible.

That said, @Cyknight's points are correct on where "blame" gets laid; if you're running pfSense and can speak to that and why you're sticking with it, you're already more advanced than about 95% of C4 customers. As long as you can troubleshoot a bit and determine where the issue is, you should be fine. Just note that firewall rules and getting inter-VLAN traffic to play nice can very quickly mess up a wonderful and working C4 install. 

If your local dealer is making you feel uneasy about your own networking gear or you feel you're getting pushed, perhaps go with a remote dealer and find a local low-voltage electrician if you need more networking or speaker cable run for various aspects. Most are all familiar with C4 or installing this type of equipment (but not necessarily configuring it).

I'd highly recommend @chopedogg88 as a remote dealer. 

Link to post
Share on other sites
14 minutes ago, Cyknight said:

Ehh. Current lineup is on par in reliability maybe even in slight favour of Araknis at this point, still too many updates on ubiquiti at this point for my liking. And features can cause issues when in the wrong hands.

Don't be surprised if your dealer just doesn't want to accept using 'your' gear - in the end, the dealer gets the call in 99% of the time when 'the internet' is down - you may be the 1%, but a C4 installer that isn't particularly versed in networking may just not want to deal with it (the VAST majority of issues reported are networking - while this leads to the comment that 'too often dealers point to the network vs other items', that doesn't change the stats - but to the majority of the client it's ALL "Control4").

Understand that I don't subscribe to that philosophy of not accepting customer preferences in networking, but I do understand the reasoning behind it. Heck I'm on my way to a client now that likely has an ISP router or modem issue who is essentially 'blaming' Control4 - when in reality the issue is with internet only, with some possible indirect consequences to his C4 system.

Yeah, completely opposite of my experience with Araknis, so much so we've moved to not using it at all. We will do Ubiquiti, Access Networks, or Ruckus Unleashed.

I do however understand everyone's mileage may vary.

Link to post
Share on other sites
28 minutes ago, cdepaola said:

Yeah, completely opposite of my experience with Araknis, so much so we've moved to not using it at all. We will do Ubiquiti, Access Networks, or Ruckus Unleashed.

I do however understand everyone's mileage may vary.

We've seen issues in the x00 line before, especially routers, but in the last year/year and a half gave the x10 lines a try and they've been VERY solid - basically no complaints in reliability at all. Our 'budget' option over more advanced setups.

Link to post
Share on other sites
45 minutes ago, Cyknight said:

PFSense, again, is something that is a good piece, but not geared towards a smart home install.

With all due respect, you're comparing an apple and a pig. pfSense is open source firewall/router and cares not about what you have on the LAN. 

Personally it's a smart thing to protect your network. some people might want more than NAT and pfSense is a great FW choice.

On the negative side, some implementations of pfSense are not for the novice.

Link to post
Share on other sites
1 minute ago, ekohn00 said:

With all due respect, you're comparing an apple and a pig. pfSense is open source firewall/router and cares not about what you have on the LAN. 

Personally it's a smart thing to protect your network. some people might want more than NAT and pfSense is a great FW choice.

On the negative side, some implementations of pfSense are not for the novice.

Not really - I'm simply pointing out that a PFSense router isn't geared to IoT because it by default is likely to be blocking things that IoT and/or smart home requires.

It may not care what's happening on the LAN (though even that is inaccurate, it's still your router/gateway for the local LAN, handling IP assignment as well as monitoring multi-cast and concurrent connections to name a few things) - but it WILL care about what is passing between the LAN and WAN (considering that is what it's meant to do) which can have huge impact on certain aspects - think licensed drivers, authentication connection for apps to servers, remote access from servers to apps or local devices.

I'm NOT saying not to use it, just pointing out that many dealers will not want to have to deal with it and to be aware that is not going to be plug and play.

Link to post
Share on other sites
50 minutes ago, Cyknight said:

Not really - I'm simply pointing out that a PFSense router isn't geared to IoT because it by default is likely to be blocking things that IoT and/or smart home requires.

It may not care what's happening on the LAN (though even that is inaccurate, it's still your router/gateway for the local LAN, handling IP assignment as well as monitoring multi-cast and concurrent connections to name a few things) - but it WILL care about what is passing between the LAN and WAN (considering that is what it's meant to do) which can have huge impact on certain aspects - think licensed drivers, authentication connection for apps to servers, remote access from servers to apps or local devices.

I'm NOT saying not to use it, just pointing out that many dealers will not want to have to deal with it and to be aware that is not going to be plug and play.

Many dealers are going to have a rude awakening as network requirements get more complex, which they are and will continue to do so.  They'll need to get educated, bring on network engineers, or rely on companies like Access Networks to get the set-up and maintained. 

Link to post
Share on other sites
1 hour ago, Cyknight said:

Not really - I'm simply pointing out that a PFSense router isn't geared to IoT because it by default is likely to be blocking things that IoT and/or smart home requires.

It may not care what's happening on the LAN (though even that is inaccurate, it's still your router/gateway for the local LAN, handling IP assignment as well as monitoring multi-cast and concurrent connections to name a few things) - but it WILL care about what is passing between the LAN and WAN (considering that is what it's meant to do) which can have huge impact on certain aspects - think licensed drivers, authentication connection for apps to servers, remote access from servers to apps or local devices.

I'm NOT saying not to use it, just pointing out that many dealers will not want to have to deal with it and to be aware that is not going to be plug and play.

Actually pfSense would be an excellent Firewall for IoT because it knows to block, it has the capability to allow specific traffic, it can help find DDOS attacks, etc, etc.

And to clarify my response, pfSense or any firewall doesn't care what you're doing on your LAN. Obviously it is well aware of protocols, addresses, etc. But for the most part it doesn't care if you're running a smart home or just web browsing. And yes, there are exceptions with NGFWs.

 

 

Link to post
Share on other sites

I think the setting up of inter-VLAN firewalls will be their sticking point but maybe I'll get a chance to talk to one of their networking guys when I go to their showroom on Thursday.

I can do the networking myself if need be but I'm throwing $ at this to save myself time and get a quality initial setup. @cdepaola Your point about where to skimp or not is reasonable and while I'm not convinced the 310 is the best value for the money, I'm prepared to invest there to make the integrator's job easier but I'm resistant to just tossing out the perfectly good pfSense box I purchased. Anyway... as I said you make a fair point about keeping my eye on the end product... the dealers seem to have a good local rep and they were brought in by the GC I'm using for my renovation project who I've obviously also decided to trust (but verify... as I've gotten competitive bids from another installer)

If you care, I'll report back on my experience after meeting with the installer again (I'll not give names or my location on the open forum but if you're genuinely interested you can DM me)

Link to post
Share on other sites
1 hour ago, ekohn00 said:

Actually pfSense would be an excellent Firewall for IoT because it knows to block, it has the capability to allow specific traffic, it can help find DDOS attacks, etc, etc.

And to clarify my response, pfSense or any firewall doesn't care what you're doing on your LAN. Obviously it is well aware of protocols, addresses, etc. But for the most part it doesn't care if you're running a smart home or just web browsing. And yes, there are exceptions with NGFWs.

 

 

I never said it couldn't do a good job - just that it isn't going to do that out of the box/after standard setup.

 

But again - you're arguing a completely different point than what I am trying to make. I'm not debating the PFSense as such - I'm just arguing that reality is that the vast majority of dealers (that can still set up a perfectly fine system in every other respect!!!) won't want to deal with it, nor with most user setup networking. And they have something of a point:

-90% of installers don't want to deal with it (in general, not PFSense specific), because it's out of their comfort zone and they want something that they know/can make work well.

-95% of end-users have no desire to deal with their networking at all - they just want it to work.

So usually, it isn't an issue - and it's not as if the general cost difference, compared to an overall system, are so huge that it's REALLY a problem financially either.

 

Y'all on here always seem to lose track of the fact that those of us on here, by and large, are NOT particularly representative of the 'norm' of C4 users OR dealers.

 

Once more - I'm NOT saying to OP to not use the PFSense.

But there's a lot of C4 (and Elan, and.......) dealers/installers out there that want exactly what the end-user wants. A nice, stable network that keeps everything in the house up and running smoothly - that is easy to install, easy to monitor and easy to maintain.

And I can't say that is a bad thing as such.

Now arguing on HOW to achieve that goal - should all C4 dealers have full IT pro's (which will make them more expensive, so is that really going to save the end-user money if devices are cheaper, but the cost of getting it set up is higher?), should they use a geared to them solution that may cost more, should they use an external solution provider such as Access Networks or CIS (also not cheap), should they......{come up with a solution here} - that is another matter. But I'm not looking to discuss that in this thread.

Link to post
Share on other sites

I would argue that the worst outcome is when C4 dealers accept unknown (such as user setup) network solutions, or try and use cheaper gear that either doesn't work well, or they can't 'handle' properly.

In the end, most end-users with issues end up blaming Control4 - inaccurately - for issues that are actually caused by network issues.

Don't know about all of you - but I would much rather hear that people (in general) think Control4 systems 'require an expensive network to work' than that they think 'it doesn't work'.

🤷‍♂️

 

 

Link to post
Share on other sites
22 minutes ago, HeBeCb said:

maybe this is what I should do when I finally decide to retire 🙂

Fill your retirement first getting numerous other company types up to speed first.

In the past 3 months alone I've:

-told a 'home spa/sauna' brand to take a hike as they wanted me to ensure the router in use wasn't blocking random IP requests at the WAN port

-told a thermostat designer trying to do a beta on a kickstarter to go back to the drawing board as they expected it to be required to have a full DMZ to their control hub (not just in beta!)

-yelled at a fitness company because they started to rip out an enterprise network (at an actual enterprise!!!) and replace it with some OEM junk to make their equipment work AS PER manufacturer instructions

-hung up on the engineer from a lock manufacturer that kept telling me that to use the hyper-expensive biometric lock they made I had to turn off inbound logging (it exposed their encryption key)....

 

Link to post
Share on other sites
40 minutes ago, Cyknight said:

Fill your retirement first getting numerous other company types up to speed first.

In the past 3 months alone I've:

-told a 'home spa/sauna' brand to take a hike as they wanted me to ensure the router in use wasn't blocking random IP requests at the WAN port

-told a thermostat designer trying to do a beta on a kickstarter to go back to the drawing board as they expected it to be required to have a full DMZ to their control hub (not just in beta!)

-yelled at a fitness company because they started to rip out an enterprise network (at an actual enterprise!!!) and replace it with some OEM junk to make their equipment work AS PER manufacturer instructions

-hung up on the engineer from a lock manufacturer that kept telling me that to use the hyper-expensive biometric lock they made I had to turn off inbound logging (it exposed their encryption key)....

 

lmao sounds like my current job (software architecture) 🙂

Maybe I need a different plan 😉

 

Link to post
Share on other sites
2 hours ago, Cyknight said:

-hung up on the engineer from a lock manufacturer that kept telling me that to use the hyper-expensive biometric lock they made I had to turn off inbound logging (it exposed their encryption key).

This takes the cake for me 🤣

 

I work for a software company with a cloud solution. Just had a VERY large customer working with Oracle support to open up some ports and allow SHA1 and MD5 auth for "secure" connection for reporting to our database. Let's just say both were very upset when I sent them security documents (both internal and published) stating that we'd refuse to do so on the grounds that neither are secure.

Link to post
Share on other sites

I run pfsense with ubiquiti APs. Here is the bottom line. Assuming you are going to have a separate vlan for IoT devices, then just make sure they are all on that vlan (including C4). If you do that, it works well. Now if you want to do some more complex stuff like allow casting, airplay, or Sonos across VLANs, then there are more issues. But that has nothing to do with C4, and you can google out solutions to each. 
 

As long as you keep C4 and all the devices it controls on same VLAN, it will work fine. And pretty much out of the box.

Link to post
Share on other sites
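
The same-VLAN rule from the post above, as an added example that is not part of the original thread: a small audit that maps each device to its VLAN by subnet and lists controlled devices sitting on a different VLAN than their controller, which are the ones that would need inter-VLAN firewall rules. The VLAN names, subnets and device inventory are constructed placeholders.

```python
import ipaddress

# Constructed VLAN plan (hypothetical names and subnets, not from the thread).
VLANS = {
    "LAN": "192.168.1.0/24",
    "IOT": "192.168.20.0/24",
    "GUEST": "192.168.30.0/24",
}

# Constructed inventory: (device name, IP address, controller name or None).
DEVICES = [
    ("c4-controller", "192.168.20.10", None),
    ("thermostat", "192.168.20.31", "c4-controller"),
    ("door-lock", "192.168.20.32", "c4-controller"),
    ("av-receiver", "192.168.1.50", "c4-controller"),  # left on the main LAN
    ("ip-camera", "10.0.0.7", "c4-controller"),        # outside every VLAN
    ("laptop", "192.168.1.23", None),
]


def vlan_of(ip, vlans):
    """Return the name of the VLAN whose subnet contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    matches = []
    for name, cidr in vlans.items():
        net = ipaddress.ip_network(cidr)
        if addr in net:
            matches.append((net.prefixlen, name))
    if not matches:
        return None
    # If the plan has overlapping ranges, the most specific subnet wins.
    return max(matches)[1]


def audit(devices, vlans):
    """Return (device, device_vlan, controller_vlan) for every controlled
    device that is not on the same VLAN as its controller."""
    placement = {name: vlan_of(ip, vlans) for name, ip, _ in devices}
    findings = []
    for name, _ip, controller in devices:
        if controller is None:
            continue  # not controlled by anything, nothing to compare
        dev_vlan = placement[name]
        ctl_vlan = placement.get(controller)  # None if controller is unknown
        if dev_vlan is None or ctl_vlan is None or dev_vlan != ctl_vlan:
            findings.append((name, dev_vlan, ctl_vlan))
    return findings


if __name__ == "__main__":
    for device, dev_vlan, ctl_vlan in audit(DEVICES, VLANS):
        print(f"{device}: on {dev_vlan or 'no known VLAN'}, "
              f"controller on {ctl_vlan or 'no known VLAN'}")
```
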
