homelab-optimized/docs/infrastructure/tplink-archer-be800-setup.md
Gitea Mirror Bot f273b940ad
Sanitized mirror from private repository - 2026-03-21 06:37:51 UTC

# 🌐 TP-Link Archer BE800 v1.6 Router Setup Guide
**🟡 Intermediate Guide**
This guide provides specific instructions for configuring the TP-Link Archer BE800 v1.6 router for your homelab, including static IP assignments, port forwarding, and disaster recovery procedures.
## 📋 Router Specifications
### **TP-Link Archer BE800 v1.6**
- **WiFi Standard**: WiFi 7 (802.11be)
- **Speed**: Up to 19 Gbps (11520 Mbps on 6 GHz + 5760 Mbps on 5 GHz + 1376 Mbps on 2.4 GHz)
- **Ports**: 1x 10 Gbps WAN/LAN, 4x 2.5 Gbps LAN, 1x USB 3.0
- **CPU**: Quad-core 2.2 GHz processor
- **RAM**: 2 GB
- **Antennas**: 8 high-gain antennas
- **Default IP**: 192.168.0.1 (can be changed to 192.168.1.1)
---
## 🚀 Initial Setup
### **Step 1: Physical Connection**
```bash
# 1. Connect modem to WAN port (10 Gbps port - usually blue/different color)
# 2. Connect computer to any LAN port via Ethernet
# 3. Power on router and wait 2-3 minutes for full boot
```
### **Step 2: Access Router Interface**
```bash
# Default access methods:
# Web Interface: http://192.168.0.1 or http://tplinkwifi.net
# Default Login: admin / admin (or blank password)
# If you can't reach the interface, find the router's IP:
ip route | grep default
# Look for: default via 192.168.0.1 dev eth0
```
### **Step 3: Quick Setup Wizard**
```bash
# The BE800 launches the setup wizard on first access:
# 1. Set Time Zone
Time Zone: America/Los_Angeles (or your timezone)
# 2. Internet Connection Type
# Choose based on your ISP:
- Dynamic IP (DHCP) - Most common
- Static IP - If ISP provided specific settings
- PPPoE - DSL connections
# 3. Wireless Settings
2.4 GHz SSID: YourNetwork_2.4G
5 GHz SSID: YourNetwork_5G
6 GHz SSID: YourNetwork_6G
Password: "REDACTED_PASSWORD"  # save to password manager
# 4. Admin Password
Username: admin
Password: "REDACTED_PASSWORD"  # admin password - save to password manager
```
---
## 🏗️ Network Configuration for Homelab
### **Step 1: Change Router IP to 192.168.1.1**
```bash
# Navigate to: Advanced → Network → LAN
# Current Settings:
IP Address: 192.168.0.1
Subnet Mask: 255.255.255.0
# Change to:
IP Address: 192.168.1.1
Subnet Mask: 255.255.255.0
```
**⚠️ Important**: After changing the IP, you'll need to reconnect at `http://192.168.1.1`
### **Step 2: DHCP Configuration**
```bash
# Navigate to: Advanced → Network → DHCP Server
# DHCP Settings:
Enable DHCP Server: ✅ Enabled
IP Address Pool: 192.168.1.100 - 192.168.1.200
Default Gateway: 192.168.1.1
Primary DNS: 1.1.1.1
Secondary DNS: 8.8.8.8
Lease Time: 1440 minutes (24 hours)
```
### **Step 3: DNS Configuration**
```bash
# Navigate to: Advanced → Network → Internet
# DNS Settings:
Primary DNS: 1.1.1.1 (Cloudflare)
Secondary DNS: 8.8.8.8 (Google)
# Or use your Pi-hole if running:
Primary DNS: 192.168.1.100 (Atlantis Pi-hole)
Secondary DNS: 1.1.1.1 (Fallback)
```
---
## 🖥️ Static IP Reservations (DHCP Reservations)
### **Navigate to: Advanced → Network → DHCP Server → Address Reservation**
#### **Add Reservations for All Homelab Hosts:**
```bash
# Primary Infrastructure
Device Name: atlantis
MAC Address: [Find with: ip link show on Atlantis]
Reserved IP: 192.168.1.100
Status: Enabled
Device Name: calypso
MAC Address: [Find with: ip link show on Calypso]
Reserved IP: 192.168.1.101
Status: Enabled
Device Name: concord-nuc
MAC Address: [Find with: ip link show on Concord]
Reserved IP: 192.168.1.102
Status: Enabled
# Virtual Machines
Device Name: homelab-vm
MAC Address: [Find in VM settings or with ip link show]
Reserved IP: 192.168.1.103
Status: Enabled
Device Name: chicago-vm
MAC Address: [Find in VM settings]
Reserved IP: 192.168.1.104
Status: Enabled
Device Name: bulgaria-vm
MAC Address: [Find in VM settings]
Reserved IP: 192.168.1.105
Status: Enabled
# Specialized Hosts
Device Name: anubis
MAC Address: [Find with: ip link show on Anubis]
Reserved IP: 192.168.1.106
Status: Enabled
Device Name: guava
MAC Address: [Find with: ip link show on Guava]
Reserved IP: 192.168.1.107
Status: Enabled
Device Name: setillo
MAC Address: [Find with: ip link show on Setillo]
Reserved IP: 192.168.1.108
Status: Enabled
# Raspberry Pi Cluster
Device Name: rpi-vish
MAC Address: [Find with: cat /sys/class/net/eth0/address]
Reserved IP: 192.168.1.109
Status: Enabled
Device Name: rpi-kevin
MAC Address: [Find with: cat /sys/class/net/eth0/address]
Reserved IP: 192.168.1.110
Status: Enabled
# Edge Devices
Device Name: nvidia-shield
MAC Address: [Find in Shield network settings]
Reserved IP: 192.168.1.111
Status: Enabled
```
### **Finding MAC Addresses:**
```bash
# On Linux hosts:
ip link show | grep -E "(ether|link)"
# or
cat /sys/class/net/eth0/address
# On Synology NAS:
# Control Panel → Network → Network Interface → View details
# On Windows:
ipconfig /all
# On macOS:
ifconfig en0 | grep ether
# From router's DHCP client list:
# Advanced → Network → DHCP Server → DHCP Client List
```
---
## 🔌 Port Forwarding Configuration
### **Navigate to: Advanced → NAT Forwarding → Virtual Servers**
#### **Essential Port Forwards (Configure First):**
```bash
# VPN Access (Highest Priority)
Service Name: WireGuard-Atlantis
External Port: 51820
Internal IP: 192.168.1.100
Internal Port: 51820
Protocol: UDP
Status: Enabled
Service Name: WireGuard-Concord
External Port: 51821
Internal IP: 192.168.1.102
Internal Port: 51820
Protocol: UDP
Status: Enabled
# Web Services (If needed for direct access)
Service Name: HTTP-Proxy
External Port: 80
Internal IP: 192.168.1.100
Internal Port: 8341
Protocol: TCP
Status: Enabled
Service Name: HTTPS-Proxy
External Port: 443
Internal IP: 192.168.1.100
Internal Port: 8766
Protocol: TCP
Status: Enabled
```
#### **Gaming Services (Optional):**
```bash
# Satisfactory Server
Service Name: Satisfactory-TCP
External Port: 7777
Internal IP: 192.168.1.103
Internal Port: 7777
Protocol: TCP
Status: Enabled
Service Name: Satisfactory-UDP
External Port: 7777
Internal IP: 192.168.1.103
Internal Port: 7777
Protocol: UDP
Status: Enabled
# Left 4 Dead 2 Server
Service Name: L4D2-Game
External Port: 27015
Internal IP: 192.168.1.103
Internal Port: 27015
Protocol: Both (TCP & UDP)
Status: Enabled
Service Name: L4D2-SourceTV
External Port: 27020
Internal IP: 192.168.1.103
Internal Port: 27020
Protocol: UDP
Status: Enabled
Service Name: L4D2-Client
External Port: 27005
Internal IP: 192.168.1.103
Internal Port: 27005
Protocol: UDP
Status: Enabled
```
---
## 🌐 Dynamic DNS Configuration
### **Navigate to: Advanced → Network → Dynamic DNS**
#### **For Common DDNS Providers:**
```bash
# Synology DDNS (if using vishinator.synology.me)
Service Provider: Synology
Domain Name: vishinator.synology.me
Username: [Your Synology account]
Password: "REDACTED_PASSWORD"  # Synology password
Status: Enabled
# No-IP
Service Provider: No-IP
Domain Name: yourdomain.ddns.net
Username: [Your No-IP username]
Password: "REDACTED_PASSWORD"  # No-IP password
Status: Enabled
# DynDNS
Service Provider: DynDNS
Domain Name: yourdomain.dyndns.org
Username: [Your DynDNS username]
Password: "REDACTED_PASSWORD"  # DynDNS password
Status: Enabled
# Custom DDNS (if using other provider)
Service Provider: Custom
DDNS Server: your-ddns-provider.com
Domain Name: yourdomain.example.com
Username: [Your username]
Password: "REDACTED_PASSWORD"
Status: Enabled
```
### **Test DDNS Configuration:**
```bash
# Wait 5-10 minutes after configuration, then test:
nslookup vishinator.synology.me
dig vishinator.synology.me
# Should return your external IP address
# Compare with:
curl ifconfig.me
```
---
## 📶 WiFi Configuration
### **Navigate to: Wireless → Wireless Settings**
#### **2.4 GHz Band:**
```bash
Network Name (SSID): YourNetwork_2.4G
Security: WPA3-Personal (or WPA2/WPA3-Personal if you have older devices)
Password: "REDACTED_PASSWORD"  # save to password manager
Channel: Auto (or manually select 1, 6, or 11)
Channel Width: 40 MHz
Transmit Power: High
```
#### **5 GHz Band:**
```bash
Network Name (SSID): YourNetwork_5G
Security: WPA3-Personal
Password: "REDACTED_PASSWORD"  # same as 2.4G or different - your choice
Channel: Auto (or manually select DFS channels for less congestion)
Channel Width: 160 MHz (for maximum speed)
Transmit Power: High
```
#### **6 GHz Band (WiFi 7):**
```bash
Network Name (SSID): YourNetwork_6G
Security: WPA3-Personal (required for 6 GHz)
Password: "REDACTED_PASSWORD"  # same as others or different
Channel: Auto
Channel Width: 320 MHz (WiFi 7 feature)
Transmit Power: High
```
### **Guest Network (Optional):**
```bash
# Navigate to: Wireless → Guest Network
2.4 GHz Guest:
Enable: ✅
Network Name: YourNetwork_Guest
Security: WPA3-Personal
Password: "REDACTED_PASSWORD"
Access: Internet Only (no local network access)
Bandwidth Control: 50 Mbps (limit guest usage)
```
---
## 🔒 Security Configuration
### **Firewall Settings**
```bash
# Navigate to: Advanced → Security → Firewall
SPI Firewall: ✅ Enabled
DoS Attack Protection: ✅ Enabled
VPN Passthrough: ✅ Enabled (for WireGuard/Tailscale)
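UPnP: ✅ Enabled (for automatic port mapping)
# UPnP lets any device on the LAN open inbound port mappings on its own;
# review the router's UPnP mappings for entries you did not expect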
```
### **Access Control**
```bash
# Navigate to: Advanced → Security → Access Control
# Block malicious websites
Online Security: ✅ Enabled
# Time-based access control (optional)
Parental Controls: Configure as needed
# MAC Address Filtering (high security environments)
Wireless MAC Filtering: Configure if needed
```
### **Admin Security**
```bash
# Navigate to: Advanced → System → Administration
# Remote Management (disable for security)
Web Management: Local Only
SSH: Disabled (unless needed)
Telnet: Disabled
# Session Timeout
Timeout: 10 minutes
# HTTPS Management (enable for security)
HTTPS: ✅ Enabled
HTTP Redirect to HTTPS: ✅ Enabled
```
---
## ⚡ Performance Optimization
### **QoS Configuration**
```bash
# Navigate to: Advanced → QoS
# Enable QoS for better performance
QoS: ✅ Enabled
# Set bandwidth limits (adjust for your internet speed)
Upload Bandwidth: [Your upload speed - 10%]
Download Bandwidth: [Your download speed - 10%]
# Device Priority (set homelab hosts to high priority)
High Priority Devices:
- atlantis (192.168.1.100)
- calypso (192.168.1.101)
- concord-nuc (192.168.1.102)
# Gaming Mode (if hosting game servers)
Gaming Mode: ✅ Enabled
Gaming Device: homelab-vm (192.168.1.103)
```
### **Advanced Wireless Settings**
```bash
# Navigate to: Wireless → Advanced
# Optimize for performance
Beamforming: ✅ Enabled
Airtime Fairness: ✅ Enabled
Band Steering: ✅ Enabled (automatically move devices to best band)
Load Balancing: ✅ Enabled
Fast Roaming: ✅ Enabled
# WiFi 7 Features (BE800 specific)
Multi-Link Operation (MLO): ✅ Enabled
320 MHz Channel Width: ✅ Enabled (6 GHz)
4K-QAM: ✅ Enabled
```
---
## 🔧 Homelab-Specific Features
### **Port Aggregation (Link Aggregation)**
```bash
# If you have multiple connections to NAS devices
# Navigate to: Advanced → Network → Link Aggregation
# Configure LACP for Synology NAS (if supported)
Group Name: NAS-Bond
Member Ports: LAN1, LAN2
Mode: 802.3ad (LACP)
```
### **VLAN Configuration (Advanced)**
```bash
# Navigate to: Advanced → Network → VLAN
# Separate IoT devices (optional)
VLAN ID: 10
VLAN Name: IoT
IP Range: 192.168.10.1/24
DHCP: Enabled
# Separate guest network
VLAN ID: 20
VLAN Name: Guest
IP Range: 192.168.20.1/24
DHCP: Enabled
```
### **VPN Server (Built-in)**
```bash
# Navigate to: Advanced → VPN Server
# OpenVPN Server (alternative to WireGuard)
OpenVPN: ✅ Enabled
Service Type: UDP
Service Port: 1194
Client Access: Internet and Home Network
Max Clients: 10
# Generate certificates and download client config
```
---
## 📊 Monitoring and Maintenance
### **System Monitoring**
```bash
# Navigate to: Advanced → System → System Log
# Enable logging
System Log: ✅ Enabled
Log Level: Notice
Remote Log: Configure if using centralized logging
# Monitor these logs:
- DHCP assignments
- Port forwarding activity
- Security events
- System errors
```
### **Traffic Analysis**
```bash
# Navigate to: Advanced → Network → Traffic Analyzer
# Monitor bandwidth usage
Traffic Analyzer: ✅ Enabled
Real-time Monitor: ✅ Enabled
# Set up alerts for unusual traffic
Bandwidth Monitor: ✅ Enabled
Alert Threshold: 80% of total bandwidth
```
### **Firmware Updates**
```bash
# Navigate to: Advanced → System → Firmware Update
# Check for updates monthly
Auto Update: ✅ Enabled (or manual for stability)
Update Check: Weekly
Backup Settings: ✅ Before each update
# Current firmware info:
Hardware Version: Archer BE800 v1.6
Firmware Version: [Check TP-Link website for latest]
```
---
## 🚨 Disaster Recovery Procedures
### **Backup Router Configuration**
```bash
# Navigate to: Advanced → System → Backup & Restore
# Export current configuration
Backup: Click "Backup"
Save file as: archer-be800-config-$(date +%Y%m%d).bin
Store in: ~/homelab-recovery/router-backups/
# Schedule regular backups (monthly)
```
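The exported `.bin` holds the router's configuration, so it is worth filing with owner-only permissions and a checksum that can be verified before a restore. This is an added example, not part of the original guide: the function names and the `SHA256SUMS` manifest are assumptions, and `BACKUP_DIR` defaults to the path above.

```bash
# Added example (not from the original guide): file the exported backup with
# owner-only permissions and a SHA-256 manifest to check before a restore.
# BACKUP_DIR is the path used in this guide; the function names are made up here.
BACKUP_DIR="${BACKUP_DIR:-$HOME/homelab-recovery/router-backups}"

# sha256_of FILE: print the hex digest (sha256sum on Linux, shasum on macOS).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# archive_router_backup FILE: copy FILE into BACKUP_DIR under the dated name,
# record its digest in SHA256SUMS, and print the stored path.
# The body runs in a subshell so umask 077 does not leak into the caller.
archive_router_backup() (
  umask 077
  src="$1"
  name="archer-be800-config-$(date +%Y%m%d).bin"
  manifest="$BACKUP_DIR/SHA256SUMS"
  [ -s "$src" ] || { echo "missing or empty export: $src" >&2; exit 1; }
  mkdir -p "$BACKUP_DIR" && chmod 700 "$BACKUP_DIR" || exit 1
  cp "$src" "$BACKUP_DIR/$name" && chmod 600 "$BACKUP_DIR/$name" || exit 1
  # Drop an older entry for the same name, then append the new digest.
  { [ -f "$manifest" ] && grep -v "  $name\$" "$manifest"; } > "$manifest.tmp" || true
  printf '%s  %s\n' "$(sha256_of "$BACKUP_DIR/$name")" "$name" >> "$manifest.tmp"
  mv "$manifest.tmp" "$manifest"
  printf '%s\n' "$BACKUP_DIR/$name"
)

# verify_router_backup FILE: succeed only if FILE matches its manifest entry.
verify_router_backup() (
  want=$(grep "  $(basename "$1")\$" "$BACKUP_DIR/SHA256SUMS" 2>/dev/null | cut -d' ' -f1)
  [ -n "$want" ] && [ "$(sha256_of "$1")" = "$want" ]
)
```

Run `archive_router_backup ~/Downloads/<exported file>` after each export, and `verify_router_backup` on the stored file before uploading it to the router.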
### **Factory Reset Procedure**
```bash
# If router becomes unresponsive:
# Method 1: Web Interface
# Navigate to: Advanced → System → Backup & Restore
# Click "Factory Restore"
# Method 2: Hardware Reset
# 1. Power on router
# 2. Hold Reset button for 10 seconds while powered on
# 3. Release button and wait for reboot (2-3 minutes)
# 4. Router will return to default settings (192.168.0.1)
```
### **Quick Recovery Checklist**
```bash
# After factory reset or new router installation:
☐ Connect to http://192.168.0.1 (default IP)
☐ Run initial setup wizard
☐ Change router IP to 192.168.1.1
☐ Reconnect to http://192.168.1.1
☐ Configure DHCP pool (192.168.1.100-200)
☐ Add all static IP reservations
☐ Configure port forwarding rules
☐ Set up Dynamic DNS
☐ Configure WiFi networks
☐ Enable security features
☐ Restore from backup if available
☐ Test all services and external access
☐ Update documentation with any changes
```
---
## 🔍 Troubleshooting
### **Common Issues and Solutions**
#### **Can't Access Router Interface**
```bash
# Check connection
ping 192.168.1.1 # or 192.168.0.1 for default
# Clear browser cache
Ctrl+F5 (Windows) or Cmd+Shift+R (Mac)
# Try different browser or incognito mode
# Try direct IP: http://192.168.1.1
# Try hostname: http://tplinkwifi.net
# Reset network adapter
sudo dhclient -r && sudo dhclient # Linux
ipconfig /release && ipconfig /renew # Windows
```
#### **Slow WiFi Performance**
```bash
# Check channel congestion
# Use WiFi analyzer app to find best channels
# Optimize settings:
# - Use 160 MHz on 5 GHz
# - Use 320 MHz on 6 GHz (WiFi 7)
# - Enable all performance features
# - Update device drivers
# - Position router centrally and elevated
```
#### **Port Forwarding Not Working**
```bash
# Verify settings:
# 1. Correct internal IP address
# 2. Service is running on internal host
# 3. Firewall allows traffic on internal host
# 4. External port is not blocked by ISP
# Test internal connectivity first:
telnet 192.168.1.100 8341 # Test from inside network
# Test external connectivity:
# Use online port checker or different network
```
#### **DDNS Not Updating**
```bash
# Check DDNS status in router logs
# Verify credentials are correct
# Test manual update:
curl -u "username:password" \
"https://your-ddns-provider.com/update?hostname=yourdomain&myip=$(curl -s ifconfig.me)"
# Check if external IP changed:
curl ifconfig.me
nslookup yourdomain.ddns.net
```
---
## 📱 Mobile App Management
### **TP-Link Tether App**
```bash
# Download from app store: "TP-Link Tether"
# Features available:
- Remote router management
- Guest network control
- Device management
- Parental controls
- Speed test
- Network map
- Firmware updates
# Setup:
# 1. Connect phone to router WiFi
# 2. Open Tether app
# 3. Create TP-Link ID account
# 4. Add router to account
# 5. Enable remote management
```
### **Remote Management Setup**
```bash
# Navigate to: Advanced → System → TP-Link Cloud
# Enable cloud management
TP-Link Cloud: ✅ Enabled
Account: [Your TP-Link ID]
Device Name: Homelab-Router-BE800
# Security considerations:
# - Use strong TP-Link ID password
# - Enable 2FA on TP-Link account
# - Regularly review connected devices
# - Disable if not needed for security
```
---
## 🔗 Integration with Homelab Services
### **Pi-hole Integration**
```bash
# If running Pi-hole on Atlantis (192.168.1.100):
# Method 1: Router DNS Settings
Primary DNS: 192.168.1.100
Secondary DNS: 1.1.1.1
# Method 2: DHCP DNS Override
# Advanced → Network → DHCP Server
Primary DNS: 192.168.1.100
Secondary DNS: 1.1.1.1
# This will make all devices use Pi-hole for DNS
```
### **Tailscale Subnet Routing**
```bash
# Configure router to work with Tailscale subnet routing
# 1. Ensure UPnP is enabled (for automatic port mapping)
# 2. Add static route if needed:
# Advanced → Network → Routing
# Destination: 100.64.0.0/10 (Tailscale network)
# Gateway: 192.168.1.100 (Atlantis - Tailscale exit node)
# Interface: LAN
```
### **Monitoring Integration**
```bash
# Enable SNMP for monitoring (if needed)
# Advanced → Network → SNMP
SNMP: ✅ Enabled
Community: public (change for security)
Contact: admin@yourdomain.com
Location: Home Lab
# Add router to Prometheus monitoring:
# - SNMP exporter configuration
# - Router metrics in Grafana
# - Bandwidth monitoring
# - Device count tracking
```
---
## 📋 Configuration Summary
### **Quick Reference Settings**
```bash
# Network Configuration
Router IP: 192.168.1.1
Subnet: 192.168.1.0/24
DHCP Range: 192.168.1.100-200
DNS: 1.1.1.1, 8.8.8.8 (or Pi-hole)
# WiFi Networks
2.4 GHz: YourNetwork_2.4G (WPA3, 40 MHz)
5 GHz: YourNetwork_5G (WPA3, 160 MHz)
6 GHz: YourNetwork_6G (WPA3, 320 MHz)
# Essential Port Forwards
51820/UDP → 192.168.1.100:51820 (WireGuard Atlantis)
51821/UDP → 192.168.1.102:51820 (WireGuard Concord)
80/TCP → 192.168.1.100:8341 (HTTP Proxy)
443/TCP → 192.168.1.100:8766 (HTTPS Proxy)
# Static IP Assignments
Atlantis: 192.168.1.100
Calypso: 192.168.1.101
Concord-NUC: 192.168.1.102
Homelab-VM: 192.168.1.103
[... all other hosts as documented]
```
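A port forward stays pointed at the intended host only if that host's IP is pinned by a reservation, and two rules cannot share the same external port and protocol. The script below is an added example, not part of the original guide, that audits rules written in the Quick Reference notation; `audit_forwards` is a hypothetical name and the last two rules are constructed mistakes.

```bash
# Added example (not from the original guide): audit port-forward rules
# against DHCP reservations, using this guide's Quick Reference notation.

# Reservations, "Name: IP" (values from this guide).
RESERVATIONS='Atlantis: 192.168.1.100
Calypso: 192.168.1.101
Concord-NUC: 192.168.1.102
Homelab-VM: 192.168.1.103'

# Forwards, "ext/PROTO → ip:port (label)". The first four are from this guide;
# the last two are constructed mistakes to show what the audit reports.
FORWARDS='51820/UDP → 192.168.1.100:51820 (WireGuard Atlantis)
51821/UDP → 192.168.1.102:51820 (WireGuard Concord)
80/TCP → 192.168.1.100:8341 (HTTP Proxy)
443/TCP → 192.168.1.100:8766 (HTTPS Proxy)
8080/TCP → 192.168.1.150:8080 (Constructed: no reservation)
51820/UDP → 192.168.1.103:51820 (Constructed: duplicate external port)'

# audit_forwards RESERVATIONS FORWARDS
# Prints one finding per line; returns 1 if there is any finding, else 0.
audit_forwards() {
  printf '%s\n---\n%s\n' "$1" "$2" | awk '
    /^---$/ { in_fwd = 1; next }                 # separator between the lists
    !in_fwd && NF >= 2 { reserved[$NF] = 1; next }
    in_fwd && NF >= 3 {
      ext = $1                                   # e.g. 51820/UDP
      split($3, target, ":")                     # ip:port
      ip = target[1]
      if (!(ip in reserved)) {
        print "UNRESERVED " ext " -> " ip; bad = 1
      }
      if (ext in seen) {
        print "DUPLICATE " ext " -> " ip " (also " seen[ext] ")"; bad = 1
      } else {
        seen[ext] = ip
      }
    }
    END { exit bad + 0 }'
}

audit_forwards "$RESERVATIONS" "$FORWARDS" \
  || echo "Fix the findings above before applying the rules."
```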
---
## 🔗 Related Documentation
- [Disaster Recovery Guide](../troubleshooting/disaster-recovery.md) - Complete router failure recovery
- [Port Forwarding Guide](port-forwarding-guide.md) - Detailed port configuration theory
- [Tailscale Setup Guide](tailscale-setup-guide.md) - Alternative to port forwarding
- [Network Architecture](networking.md) - Overall network design
- [Security Model](security.md) - Security considerations
---
**💡 Pro Tip**: The TP-Link Archer BE800 is a powerful WiFi 7 router with advanced features. Take advantage of the 320 MHz channels on 6 GHz for maximum performance with compatible devices, and use the multiple 2.5 Gbps ports for high-speed connections to your NAS devices!