Hello,

in the near future I want to add some more cameras to my network and I am running out of network ports.
I want to use this opurtunity to change my network from Unifi products erx and switches to Mikrotik.

I started to do some network layout and choose the Mikrotik RB5009UPr+S+IN as my main router that should take care of Firewall and the intervlan routing.
In the layout there are two indefined Mikrotik switches that I am not sure about the model to choose. All in all I am not sure If I even choose the right router.

I would appreciate some product and network recommendations. Thank you.

Any reason you're choosing to put your APs and Proxmox behind a switch but plug the cameras into the Router? I would suggest getting a basic unmanaged PoE switch for the cameras instead. You probably would be fine with basic 100BASE-TX ports for the typical cameras, unless you're streaming raw mosaics, in which case the question is “why”? At that point evaluate however many cameras you're planning to add and size the switch accordingly.

Just floating in to say the 5009 needs to be powered via DC or 2 pin connector if you would like to make use of the PoE functionality

3 proxmox servers ... 3 SSIDs ... 7 VLANs at home?

I find it a bit overwhelming for a home setup lol but if that's what you need and/or want, go for it.

Here are my thoughts:
- No NVR for cameras? If you're considering one, might want to move over cameras to their own POE switch and plug in the NVR there (-1 port on rb)
- Splitting devices via 2 switches is more of location within the house? You might want to use just one switch and lay cables from there if possible. This switch can potentially be the same as that of the camera. (-1 port on rb)
- Directly connect APs to rb (-3 on rb)
- Where is your controller? Docker in rb or in proxmox? (no port consumption)
- Internet (-1 port on rb)

This leaves you with 2 spare ports in rb and multiple ones from the camera and data switch should you wish to consolidate or split. Personally, I'd consolidate as it will give me less devices to manage since I got VLANs anyway.

Mikrotik RB5009UPr+S+IN as my main router

I don't see why you want that model given that you have an Internet router already — the FritzBox — and you want to add a PoE switch.

If it were me designing it, I'd move the PoE role to a separate switch, then either choose the non-PoE model of the 5009 and put it in place of the FritzBox, or leave the FritzBox as the main router and skip the 5009. Dual routers implies dual NAT, which is almost always bad. I don't see how you justify having both.

Dual PoE isn't as bad, but it does lead to the situation which others have called out, where your design becomes incoherent because you've split the PoE responsibilities, putting PoE devices both at the border routing layer and ahead of it.

Firewall and the intervlan routing.

While it is nice to put those two responsibilities into a single box, it's something you do when the network is much smaller so that having a single choke point makes sense. In this network, I think you're much better off splitting the roles.

I think you should look at the CRS328-24P for the core switch, and let it hoist the major VLAN processing load, since it will do VLAN filtering in hardware, on the switch ASIC. Only packets destined for the Internet go from there up to the router. If you decide to replace the FritzBox with the RB5009, you can do it over a 10G fiber link.

(VLAN filtering isn't quite "inter-VLAN routing," but it's a big component of it, and likely enough for everything you need from VLANs. If you need true inter-VLAN routing, that can bounce up to the main router and back down into the core switch.)

Yes, the CRS328 is overkill for your purposes, but alas, there isn't anything smaller that doesn't lose important features, IMHO. I've been wanting an 8+4 port PoE/SFP+ switch from MikroTik for years now, but the closest they've come so far is the CSS610, which only runs the "lite" version of the already lite-beer SwOS. If they'd give us a what we might call a CRS610 or a PoE version of the CRS310, that's what I'd be recommending instead for this network.

My suggestion to move the PoE stuff off the RB5009 leaves its wired ports unused except for the single uplink. You might benefit from switching to a smaller router. Your model of the FritzBox is designed for 300 Mbit/sec DSL uplinks. Although it seems you're not using that function, and are using it for GigE routing to the fiber modem, that still makes the 5009 massively overkill. A hEX S is plenty of router for this situation unless you have short-term plans to upgrade the Internet link beyond 1G.

(I'd actually recommend a hAP ax² instead of a hEX S these days if you can talk yourself out of a fiber link between the core switch and the Internet router. That's because there are two major features that rely on ARM hardware, containers and ZeroTier, and I'd hate to leave them out, since there are things best done at the border gateway. The CPU in the hAP ax² is also faster, giving it more overhead for a 1G link, which is borderline on the hEX S. You can turn off the radios in the ax² if you like and use it as an upgraded hEX.)

Alternately, maybe you want to move all of the "public" services you presumably have running under Proxmox to one server connected to the RB5009, then configure it as a "DMZ," with partial Internet access for those services provided by the 5009. That would be a much better use of these ports than IP cameras, which IMHO should be shielded deeply inside the private network, not out on the border like that. If you want a way to watch the cameras from outside the LAN, there are better ways to do it than by putting them right on the border.

What would help is if we knew how much of the wiring was fixed-in-place and which could be moved or replaced. I'd also like to know if that gray box is a single room, as it seems to be. "Mixed VLAN zone" doesn't give me the physical layout, which is important in planning a network redesign.

I ask because without that, I go off into green-field dreaming and come up with this design:

• The light gray box looks like a home office/lab, in a single room. I'd put the CRS328 here as the LAN's core switch, using its four SFP+ ports for the main PC, the NAS, the bigger of the two Proxmox servers, and an uplink to the main router. I realize that you say your office and gaming PCs are both 1G, but I'd upgrade one to 10G as part of this, if only for faster access to the NAS.
• I'd run the "Office" and "Living Room" links (blue and green boxes) to the core switch, not to the main router. The core switch is doing the primary VLAN processing in this design, so it is best if those links go through it, not hairpin through the border router. This keeps VLAN load off the main router, allowing it to focus on its one job: routing packets to and from the Internet once the core switch decides who goes through and who stops right there.
• The rest of the equipment scattered around the house can go back to the CRS328 for PoE or out to one of the few ports on the main router. If you still want to put an auxiliary switch in here, that's fine, but I'd move as much to the core switch as possible.

3 proxmox servers ... 3 SSIDs ... 7 VLANs at home?

I run MPLS/VPLS at home across more than 10 mikrotik devices. Why not?

3 proxmox servers ... 3 SSIDs ... 7 VLANs at home?

Yes this the bare minimum for a properly managed "home"...

If the proxmox servers are in a combined cluster then minimum 3 nodes (or 2 nodes + 1 quorum device) is standard practice/requirement

. That would be a much better use of these ports than IP cameras, which IMHO should be shielded deeply inside the private network, not out on the border like that.

what do you mean there ? Fritzbox -> rb5009 -> switch ? Where camera would be on the switcb in their vlan?

Fritzbox -> rb5009 -> switch ?

I already argued against back-to-back routers above.

To address your broader question, the cameras can go anywhere else on the LAN; that's one of the things VLANs give you. Presumably each camera is nearer one of the PoE switches than another, so that would set your best wire-pulling path.

If there is only the RB5009 providing PoE, then you're stuck, but I tried arguing for a PoE core switch above, too.

To address your broader question, the cameras can go anywhere else on the LAN; that's one of the things VLANs give you. Presumably each camera is nearer one of the PoE switches than another, so that would set your best wire-pulling path.

That makes sense yes. The way you turned it was letting me thinking it was more complicated