mcribgaming

joined 1 year ago
[–] [email protected] 1 points 11 months ago

With your setup, if two devices want to communicate, and their ports and the ports on the switches they connect to all support 10G, then they'll communicate at 10G.

If any of the ports is 1G, even if every other port is 10G, it'll drop down to 1G for that particular communication pathway. That drop down does not "spread" to other pathways.

Having a 1G device plugged into a 10G switch does NOT affect anything else on that switch. Each connection has the "right" to connect at 10G as long as everything along the communication pathway supports it, and is not affected by other concurrent connections that are happening alongside it. Switches can compartmentalize each connection as its own.

[–] [email protected] 1 points 11 months ago

Get a Protectli box with a very good CPU, 4 Ethernet ports, install OPNSense, and have at it.

I'm surprised the UDM Pro cannot route 2x 1 Gbps on two WANs. I thought it was rated higher than that.

Your test might be running into the 1 Gbps limit backplane problem on the built-in switch for UDM Pros.

[–] [email protected] 1 points 11 months ago

Maybe he's just testing something temporarily. Like something he bought is having trouble connecting, probably because he's using the same SSID for 2.4 and 5 GHz, but the shitty IoT device can't handle that. So he's messing around, trying to get it to connect.

Unless he's a good friend, I'd just ignore it. You make a comment to the typical person about his WiFi, and he'll become super paranoid about why you even noticed.

Then we'll get a post on this sub from him on how his "creepy neighbor" is hacking his hidden SSID and 60 key password. And now his IoT lightbulbs are now dimming on their own.

And so goes the flow of this sub.

[–] [email protected] 2 points 11 months ago

The bitrate of 4K from streaming services like Disney and Netflix is much, much lower than your UHD Blu-ray rips. They recommend having a 16-25 Mbps connection to stream 4K, but the average bitrate is even lower. It's closer to 6-8 Mbits. They just recommend a higher Internet connection because of how streaming works (small bursts of higher rates with a lot of idle time in between).

You can calculate it accurately by just downloading the movie (if the streamer lets you, like premium subscriptions do) to see the file size, and then dividing that size by the length of the movie in seconds. That will give you the average bits per second by definition. You'll be surprised how low it is, because streamers use compression, while "pure" UHD Blu-ray avoids compression to satisfy purists.

As to how much data a streamer uses, it's immense. It's a huge chunk of the data on the Internet at any given time, with estimates in the 40-60% range for all the streamers in aggregate. Look into "Content Delivery Networks" (CDNs) to see how it's delivered on a global scale. It's actually very impressive.

[–] [email protected] 1 points 11 months ago

There is no set answer, because everyone's environment is different. You'll just need to test it for yourself and see.

First, do speed tests with and without the secondary mesh node. Run a dozen in each configuration to get a usable sample size. Use different speed test sites too.

Then do a continuous ping test to your Default Gateway (your router's LAN address, for example 192.168.1.1 is common, but just check) with and without the secondary mesh node. Run that test for an hour each or more during busy network times, like in the evenings. Compare the results.

Then see which you prefer.

The placement of your mesh nodes, test computer, how busy your WiFi is in general, and layout of your home will determine test results. So there is no set answer.

I will say that, with wireless backhaul, you should just use the least number of nodes you need for full coverage. Four seems excessive. Most homes need only two mesh units to cover everything, three for bigger or unusually shaped houses.
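An added example, not part of the comment above: one way to compare the two continuous ping captures it describes. It assumes the captures are saved text in Linux iputils `ping` reply format; the sample data is constructed, and the names `summarize` and `compare` are illustrative.

```python
import re
import statistics

# Constructed sample captures in Linux iputils `ping` reply format (not real data).
WITHOUT_NODE = """\
64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=2.10 ms
64 bytes from 192.168.1.1: icmp_seq=2 ttl=64 time=2.40 ms
64 bytes from 192.168.1.1: icmp_seq=3 ttl=64 time=1.90 ms
64 bytes from 192.168.1.1: icmp_seq=4 ttl=64 time=2.00 ms
64 bytes from 192.168.1.1: icmp_seq=5 ttl=64 time=2.70 ms
"""
WITH_NODE = """\
64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=4.80 ms
64 bytes from 192.168.1.1: icmp_seq=2 ttl=64 time=31.00 ms
64 bytes from 192.168.1.1: icmp_seq=4 ttl=64 time=5.20 ms
64 bytes from 192.168.1.1: icmp_seq=5 ttl=64 time=6.00 ms
"""
REPLY = re.compile(r"icmp_seq=(\d+) .*time=([\d.]+) ms")


def summarize(capture: str) -> dict:
    """Loss, median/worst RTT and jitter for one capture of ping reply lines."""
    rtt_by_seq = {}
    for line in capture.splitlines():
        match = REPLY.search(line)
        if match:
            rtt_by_seq[int(match.group(1))] = float(match.group(2))
    if not rtt_by_seq:
        raise ValueError("no ping replies found in capture")
    seqs = sorted(rtt_by_seq)
    # A gap in icmp_seq is a probe that never got a reply. Probes lost after the
    # last reply are not visible here; ping's own summary line covers those.
    sent = seqs[-1] - seqs[0] + 1
    rtts = [rtt_by_seq[s] for s in seqs]
    # Jitter: mean absolute change between consecutive replies.
    deltas = [abs(b - a) for a, b in zip(rtts, rtts[1:])]
    return {
        "sent": sent,
        "loss_pct": round(100 * (sent - len(rtts)) / sent, 1),
        "median_ms": round(statistics.median(rtts), 2),
        "worst_ms": max(rtts),
        "jitter_ms": round(statistics.mean(deltas), 2) if deltas else 0.0,
    }


def compare(baseline: str, candidate: str) -> dict:
    """Per-metric change (candidate minus baseline); positive means worse."""
    a, b = summarize(baseline), summarize(candidate)
    return {k: round(b[k] - a[k], 2) for k in a if k != "sent"}
```

For hour-long runs, read each saved capture from its file and pass the text to `summarize`; median and worst-case latency together show whether the extra node adds occasional spikes or a steady penalty.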

[–] [email protected] 2 points 11 months ago

Fooling someone into installing malware is far, far more effective than someone trying to penetrate your firewall with a frontal attack, or brute forcing passwords, or faking certificates, man in the middle, or anything "hacking".

Ransomware, one of the proven successful cyber attacks, is pretty much just trying to get a secretary to click on an email attachment that is malevolent. Or faking an ID badge or uniform and just walking into a company and installing ransomware off of a USB drive. Or promising you a new iPhone if you just install this little file to verify you've won. Or pretending to be the IT department and asking someone for their passwords.

Social Engineering has always been magnitudes easier to do than any kind of "using computers to break into other computers" that we normally think of when "hacking" is mentioned.

Installing pirated games is a known and common tactic for getting malware behind your firewall, no direct hacking needed. Just set the bait, and the fish hook themselves.

Just having a basic firewall, which all routers provide, has proven to be enough for home users. Whether it's because no one cares to even hack a home user unless the door is wide open (because he's worthless), or a basic firewall has proven very difficult to bypass through "frontal attack" means, regardless of the reason, home users just aren't being hacked to any significant, measurable degree. If they were, it'd be the central focus of every government and law enforcement agency because of all the money, and political motivation of the outraged people, to make it stop.

Instead, we have almost literally everyone on the planet using the Internet to move / trade large amounts of money every second of every day. There aren't even rumors about anyone we know getting hacked and robbed that way, because Social Media would explode with those kinds of legitimate stories. Unless you are a big or key technology corporation or a government, you simply aren't worth any real skilled hacker's time at all, and that's the truth of it.

[–] [email protected] 1 points 11 months ago

If you're getting a fiber plan, you don't need a cable modem at all. Save that money. You just need a router of some sort.

1500 sq ft can usually be covered with just one router, depending on the layout of your home. If your townhouse is tall and thin, then where your ISP connection is located will determine if you can just use one router, or if you need more coverage.

Before committing to any system, I'd look at what kind of wiring is already included in the house. Often, coaxial cable (using MoCA Adapters) or old telephone wiring can be converted to Ethernet. If this is possible, it not only reduces the need for WiFi (perhaps you can cover everything with one router and 2.4GHz WiFi in the extreme corners because everything important and demanding is now wired in, so that's good enough), but also opens your choices up tremendously on what system to buy into, not just Orbi.

If you or your partner already have a router from your past home, consider using it for the first month until you evaluate your wiring situation correctly, and then make a hardware choice.

You should look at the postings on this sub. Many (especially ones with pictures) are all about converting coaxial cable into Ethernet, or rewiring old phone lines into Ethernet. Read some of those and you'll start to see a lot of possibilities for your home network.

[–] [email protected] 1 points 1 year ago

It's a sophistry to geoblock China on security grounds and recommend and upvote that advice, but then recommend Chinese hardware like TP Link Omada for the bedrock hardware for your home network. Yet I see TP Link Deco and Omada recommended on here every day, and upvoted into positive numbers too.

How could you possibly trust that geoblocking on Chinese hardware even works on their hardware? They get firmware updates from servers hosted in the USA, which in turn get firmware images from China. Obviously TP Link servers in the U.S. don't block China. So how effective is geoblocking if you went ahead and bought your hardware from a Chinese controlled company to save $100?

Same goes for Chinese security cameras. Everyone talks about using VLANs to isolate them, so their being compromised will not "spread" to the rest of your network. But if a compromised Chinese camera has the ability to crack the "root" account on Linux, Android, and iOS, and the "Administrator" account on Windows if left on the same VLAN, then why would it have any difficulty at all cracking the "admin" account on your router, rendering VLAN separation useless? What makes the router OS so much more resistant to takeover from that compromised IoT device versus other OSes?

It's the logic gymnastics that "security experts" on here must do to justify geoblocking China, but then recommending (or upvoting) TP Link Deco and Omada to save $100 that's hard to take seriously. Are they a threat or not? If so, how can you allow the recommendation of China owned company hardware to users with a straight face? Where is the precaution now?

What about smartphones? Smartphones all have GPS tracking, a camera, a microphone, and an Internet connection that's pretty much always on. They are the ultimate spying device that everyone carries voluntarily, even after experiencing events like talking about a certain product on the phone to your mother, and getting ads for that exact product as embedded ads hours later.

We might trust Alphabet and Apple not to sell our information to China and Russia directly, as they actually want to comply with Western laws. But isn't it also logical to believe that Alphabet and Apple sell personalized ad information to "reputable" buyers, who in turn sell it to a company that is one degree less reputable, who in turn sells it to another company that's two degrees less reputable, and so on, until it gets to a seller that doesn't discriminate against any buyers, or is a front for the Chinese and Russian government itself?

They might not even need to buy this information through layers of middle men. TikTok has over 100 Million users in the US, mostly as an App on smartphones. TikTok is a Chinese owned company, and is very much a target for a complete banning by the U.S. government, but not quite there yet for everyone else (maybe due to foreign lobbying efforts?). Even with all these warning signs, 100 Million US users do not care or take it seriously, and film you and your family on their App behind your geoblocking firewall.

What about hostile governments using services that are completely legal in the U.S. directly? The same Intelligence agencies that recommend you geoblock Chinese inbound and outbound traffic have also warned that China and Russia use platforms like Facebook, X / Twitter, Instagram, and even Reddit as giant Propaganda and misinformation machines to influence politics and thinking in the West. Even now, these foreign influences still propagate unchecked, with only token "moderation" attempts to combat it (and how do we know we can trust these moderators?). The EU is currently threatening to de-platform X because of lax moderation efforts, right now, in real time.

So go ahead and geoblock China and the rest of the evil countries if it makes you feel better. But it's as effective as trying to keep your kid from looking at porn by blocking his MAC Address on your home network. There are so many other ways for access that you do not control that your single act of defiance is essentially meaningless in the bigger picture. Your personal information has already been packaged and sold to every available buyer, because we were all asleep at the wheel at the dawn of Social Media and smartphones, and did not control that information at all. Anyone and Everyone with an App or cookies were tracking and packaging you. Only recently have smartphone OSes begun to lock down your personal information, but it's far too little a decade too late.

The toothpaste is out of the tube.

[–] [email protected] 1 points 1 year ago

Ethernet cables do not "sort out" and treat data communications differently by any kind of categorization. They will transmit any kind of valid data, without discrimination of the source. Internet traffic is not special and does not need to be treated any differently. It just happens to come from farther away.

So you can use your one cable to have the observatory communicate to any amount of devices, from your home or from the Internet, as long as your network topology and settings are configured to do so. Most likely, yours already is. You can test this by "pinging" your observatory equipment's IP Address from the PC controller inside your home.

[–] [email protected] 1 points 1 year ago

Your diagram is fine, and a pretty standard "Advanced Home Network" we see around here.

Anything can be made to talk to anything across different VLANs by choosing to allow it on pfSense. If everything on one VLAN needs to talk to a server in another, you should evaluate if that server is in the right VLAN, or does it really belong with the others.

The big problem with VLANs in home environments is that you need to make so many exceptions just to get everything to work like you want. If you're trying to use VLANs as an extra step in security, how much security are you really getting with so many exceptions on pfSense?

Your layout and questions are not at all unusual. I guess I'm just always wondering if VLANs are being pushed too hard onto typical home users who will waste more time trying to tune them than any benefits they actually receive.

You're into tech, so it won't be a problem. I do suspect that you'll become lazy over time and just stick things in the main VLAN with broken promises to "fix it one day" as your personal time diminishes.

[–] [email protected] 1 points 1 year ago (1 children)

Post a link to this thread in the previous one. All those people in your original thread deserve to see this, but might not for whatever reason. Just reply to one of the many people begging for follow-up on the previous thread with a link to this one.

Got to give props to Spectrum on this one. They came out immediately and did right by you. It's surprising, and satisfying.

Also major props to the cabling experts in this sub for giving you all the words and ideas you needed to tell Spectrum to get such a good result. I honestly believe the cabling guys on here are changing so many families' lives for the better with their advice. It's one of the best free services on Reddit, yet still a secret.

[–] [email protected] 2 points 1 year ago (2 children)

Are your WiFi devices actually dropping every 5 seconds, or are you just worried about WiFiman readings?

If it's just WiFiman, you seem to be extremely close to the router at -30 dBm, like touching it. Try backing off a little.

If devices are dropping, try plugging the ASUS into a different power outlet, or better yet, a UPS outlet if you have one. Try not using a power strip if you are plugging into one.

If somehow available, try a different power cord for the ASUS.

As a longer shot, reflash the latest firmware again, or try Merlin Firmware if your ASUS model supports it.
