Network Design
Diagram
flowchart TB
%% Node Definitions
Internet((BT Internet))
subgraph WAN [Office]
direction TB
TPLink[fa:fa-broadcast-tower TP-Link VR400<br/>DSL Router]
end
subgraph Core [WAN: 192.168.50.102]
direction TB
USG[fa:fa-shield-halved USG-3P<br/>Gateway/Router]
USW[fa:fa-server USW-Pro 48 Port Switch]
USG -- Gateway: 172.16.0.1 --- USW
end
%% Physical Connections
Internet --- TPLink
TPLink -- DMZ --- USG
%% VLAN 1: Management
subgraph VLAN1 [VLAN 1: 172.16.0.0/24]
direction TB
APs@{ shape: procs, label: "fa:fa-wifi UniFi Access Points"}
NUC[fa:fa-microchip Intel NUC<br/>UniFi Controller]
AdminSSID[fa:fa-signal SSID: ttcadmin]
MgmtiMac[fa:fa-desktop Office iMac]
%% Enforce stacking
NUC ~~~ APs ~~~ AdminSSID ~~~ MgmtiMac
end
%% VLAN 10: Public
subgraph VLAN10 [VLAN 10: 172.16.10.0/24]
direction TB
PublicSSID[fa:fa-signal SSID: teddingtontheatreclub<br/>Public WiFi]
end
%% VLAN 30: General
subgraph VLAN30 [VLAN 30: 172.16.30.0/24]
direction TB
GeneralWired["fa:fa-network-wired General (wired)"]
end
%% VLAN 40: Admin
subgraph VLAN40 [VLAN 40: 172.16.40.0/24]
direction TB
BarTills[fa:fa-cash-register Bar Tills]
CCTV[fa:fa-video Reolink CCTV]
Alarm[fa:fa-bell CSL/Dualcom Alarm]
OfficePC[fa:fa-computer Office PC<br/>Box Office PC]
%% Enforce stacking
BarTills ~~~ CCTV ~~~ Alarm ~~~ OfficePC
end
%% VLAN 50: Pixalite
subgraph VLAN50 [VLAN 50: 172.16.50.0/24]
direction TB
PixCtrl[fa:fa-network-wired Pixalite controller]
PixSndPrep[fa:fa-network-wired Sound Prep]
PixCoward[fa:fa-network-wired 2 Coward sockets]
%% Enforce stacking
PixCtrl ~~~ PixSndPrep ~~~ PixCoward
end
%% Logical VLAN Trunks
USW ==> VLAN1
USW ==> VLAN10
USW ==> VLAN30
USW ==> VLAN40
USW ==> VLAN50
%% Styling
style Internet fill:#f9f,stroke:#333,stroke-width:2px
style USG fill:#fff,stroke:#0055ff,stroke-width:3px
style USW fill:#fff,stroke:#0055ff,stroke-width:3px
Overview
flowchart TB
Internet@{ shape: bolt, label: "BT"}
Internet -->|BT Internet| TPLink["TP-Link VR400
DSL Router"]
TPLink -->|DMZ| USG["USG-3P
Gateway/Router"]
USG --> USW["USW-Pro 48 Port Switch"]
%% VLAN fan-out
USW --> VLAN1
USW --> VLAN10
USW --> VLAN30
USW --> VLAN40
%% Management VLAN
subgraph VLAN1["VLAN 1 – Management / Native"]
direction TB
NUC["NUC
UniFi Controller"]
MgmtiMac["Office iMac"]
%%APs["UniFi Access Points"]
APs@{ shape: procs, label: "UniFi Access Points"}
MgmtSSID["SSID: ttcadmin
(Management Wi-Fi)"]
APs --> MgmtSSID
MgmtiMac -.-> NUC
end
%% Public Wi-Fi VLAN
subgraph VLAN10["VLAN 10 – Public Wi-Fi"]
PublicSSID["SSID: teddingtontheatreclub"]
end
%% General wired VLAN
subgraph VLAN30["VLAN 30 – General (wired)"]
GeneralWired["Non-admin devices"]
end
%% Admin VLAN
subgraph VLAN40["VLAN 40 – Admin (wired)"]
BarTills["Bar tills"]
CCTV["Reolink CCTV"]
Alarm["CSL/Dualcom Alarm"]
OfficePC["Office PC
Box-Office PC"]
end
%% Styling
%%style VLAN1 fill:#e3f2fd,stroke:#1565c0,stroke-width:2px

Network Controller
- Platform: UniFi Network Application
- Hosting: Self-hosted in Docker on Intel NUC
- Role:
  - Configuration and management of all UniFi devices
  - VLAN, SSID, and firewall policy definition
The controller is treated as critical infrastructure.
Gateway / Routing
- Primary gateway: UniFi Security Gateway (USG-3P)
- Fallback gateway: TP-Link VR400 (DSL termination)
TP-Link operating mode
- Normally left in router mode
- DMZ configured pointing at the UniFi gateway WAN IP (192.168.50.102)
- Reduces the impact of double NAT: unsolicited inbound traffic from the DSL side is forwarded to the USG instead of being dropped at the TP-Link
- Preserves rapid failover capability
- Because the DMZ forwards everything, the USG's WAN firewall is the only inbound filter on that path, and the USG WAN address should be a static address or reservation on the TP-Link so the DMZ target cannot drift
The TP-Link provides immediate local internet access during UniFi gateway failures.
Switching
- Core switch: UniFi USW-Pro-48
- Provides:
  - VLAN segmentation
  - PoE for selected APs
  - Central L2 connectivity
The USW is considered part of the management plane.
Wireless Access Points
- Total APs: 6 (UniFi)
Power
- 2 APs: powered via PoE from the USW
- 4 APs: powered via existing PoE injectors
  - Originally required because these APs were assumed to need 24V passive PoE
  - Incidentally improves emergency resilience
Result: some APs can remain operational even if the USW PoE subsystem is unavailable.
VLAN & Network Segmentation
VLAN 1 – Management (Native)
Purpose
- UniFi infrastructure and management access
Contains
- USG
- USW
- UniFi APs
- NUC (UniFi Controller)
- Office iMac (management jump host)
Characteristics
- Flat L2 network
- No dependency on inter-VLAN routing to reach controller
- Trusted / restricted access
VLAN 40 – Admin LAN (Bar Systems)
Purpose
- Bar tills and payment systems, plus the other staff-only wired devices that must stay off the general LAN
Contains
- Bar till terminals
- Reolink CCTV
- CSL/Dualcom alarm
- Office PC and Box Office PC
- Office printer
Characteristics
- Routed via gateway
- Restricted access to management VLAN (may not initiate connections into VLAN 1)
- Treated as sensitive / PCI-adjacent network
VLAN 30 – General Wired LAN
Purpose
- Non-admin wired devices
Contains
- General wired endpoints
Characteristics
- Routed via gateway
- No access to Management VLAN
VLAN 10 – Public Wi-Fi
Purpose
- Public internet access
Characteristics
- Internet-only access
- Fully isolated from all internal VLANs
Wired Clients
Office iMac (Management Jump Host)
- Connected to: VLAN 1 (wired)
- Role:
  - Primary administrative access point
  - Retains UniFi UI access during gateway outages, since it shares the controller's L2 segment
Firewall behaviour
- Explicit allow rule:
  - Office iMac → Office printer (VLAN 40); the printer's replies rely on the gateway's established/related state handling, not on any VLAN 40 → VLAN 1 allow rule
- All other VLAN 40 → VLAN 1 traffic denied: no VLAN 40 host may initiate a connection into the management VLAN
This provides controlled cross-VLAN functionality without exposing management infrastructure.
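The segmentation rules above and the iMac-to-printer exception can be sanity-checked as an ordered first-match policy before they are entered on the gateway. The following is an added example written for this page, not UniFi or USG configuration: it models the VLAN ranges from the diagram as a stateful first-match ruleset and evaluates a handful of flows against it. The host addresses (iMac 172.16.0.50, controller 172.16.0.10, printer 172.16.40.20, a till at 172.16.40.30, a guest at 172.16.10.77) and the TP-Link LAN address 192.168.50.1 are assumptions chosen to make the flows concrete, as are the port numbers other than the UniFi UI's default 8443.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional

# Address plan taken from the diagram.
MGMT    = ip_network("172.16.0.0/24")    # VLAN 1  management / native
PUBLIC  = ip_network("172.16.10.0/24")   # VLAN 10 public Wi-Fi
GENERAL = ip_network("172.16.30.0/24")   # VLAN 30 general wired
ADMIN   = ip_network("172.16.40.0/24")   # VLAN 40 admin / PCI-adjacent
ANY     = ip_network("0.0.0.0/0")
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Host addresses are assumptions, chosen only to make the flows concrete.
IMAC    = ip_address("172.16.0.50")   # management jump host, VLAN 1
NUC     = ip_address("172.16.0.10")   # UniFi controller, VLAN 1
PRINTER = ip_address("172.16.40.20")  # office printer, VLAN 40
TILL    = ip_address("172.16.40.30")  # bar till, VLAN 40
GUEST   = ip_address("172.16.10.77")  # public Wi-Fi client, VLAN 10
TPLINK  = ip_address("192.168.50.1")  # TP-Link LAN side; the USG WAN is 192.168.50.102


def host(addr: IPv4Address) -> IPv4Network:
    return ip_network(f"{addr}/32")


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                  # "accept" or "drop"
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, src: IPv4Address, dst: IPv4Address, dport: int) -> bool:
        return src in self.src and dst in self.dst and self.dport in (None, dport)


# First-match ruleset for traffic entering the gateway from any VLAN.
# Each rule restates one line of the design; order is significant.
RULES = [
    Rule("imac-to-printer", "accept", host(IMAC), host(PRINTER), 9100),
    # VLAN 10 is internet-only. Dropping every RFC1918 range rather than just
    # the 172.16.x VLANs also keeps guests off the TP-Link LAN on the WAN side.
    *[Rule(f"public-drop-{net}", "drop", PUBLIC, net) for net in RFC1918],
    Rule("general-drop-mgmt", "drop", GENERAL, MGMT),
    Rule("admin-drop-mgmt", "drop", ADMIN, MGMT),
    Rule("default-accept", "accept", ANY, ANY),
]


class Gateway:
    """Stateful first-match evaluator. With stateful=True, a packet that is the
    reply to an already accepted flow is allowed on connection state before the
    ruleset is consulted, which is what an established/related rule does."""

    def __init__(self, rules, stateful: bool = True):
        self.rules = rules
        self.stateful = stateful
        self.flows = set()  # (src, sport, dst, dport) of accepted connections

    def packet(self, src, sport, dst, dport) -> str:
        if self.stateful and (dst, dport, src, sport) in self.flows:
            return "accept:established"
        for rule in self.rules:
            if rule.matches(src, dst, dport):
                if rule.action == "accept":
                    self.flows.add((src, sport, dst, dport))
                return f"{rule.action}:{rule.name}"
        return "drop:implicit"


def print_job_outcome(stateful: bool = True) -> tuple:
    """The iMac opens a raw-print session to the VLAN 40 printer. Returns the
    verdict on the request and on the printer's reply."""
    gw = Gateway(RULES, stateful)
    request = gw.packet(IMAC, 51234, PRINTER, 9100)
    reply = gw.packet(PRINTER, 9100, IMAC, 51234)
    return request, reply


def guest_outcomes() -> dict:
    """What a public Wi-Fi client can and cannot reach."""
    gw = Gateway(RULES)
    return {
        "internet": gw.packet(GUEST, 40000, ip_address("1.1.1.1"), 443),
        "controller": gw.packet(GUEST, 40001, NUC, 8443),
        "tplink": gw.packet(GUEST, 40002, TPLINK, 80),
        "till": gw.packet(GUEST, 40003, TILL, 443),
    }


def till_to_controller() -> str:
    """A VLAN 40 host trying to initiate a connection into the management VLAN."""
    return Gateway(RULES).packet(TILL, 40004, NUC, 8443)


if __name__ == "__main__":
    print("print job, stateful:  ", print_job_outcome())
    print("print job, stateless: ", print_job_outcome(stateful=False))
    print("guest:                ", guest_outcomes())
    print("till -> controller:   ", till_to_controller())
```

Two things the model makes visible. The printer's reply to the iMac only passes because of connection state; with the stateful check off it is caught by the VLAN 40 → VLAN 1 drop, so on the real gateway that drop must sit behind an established/related rule or print jobs silently fail. And "internet-only" for VLAN 10 has to drop all of RFC1918, not just the 172.16.x ranges, because the TP-Link's LAN sits on the USG's WAN side and would otherwise be reachable from the public SSID.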
Wireless Networks (SSIDs)
ttcadmin SSID
Purpose
- Trusted staff support and emergency access
Network
- Native / Management VLAN (VLAN 1)
Behaviour
- Normal operation:
  - Known only to trusted staff
- During outage:
  - Password may be temporarily shared
  - Rotated immediately post-incident
Rationale
- Continues to function when the APs obtain addresses from the TP-Link during a gateway outage, because the SSID is untagged on the native VLAN and needs no inter-VLAN routing
- Provides wireless access to the UniFi UI
- Doubles as emergency Wi-Fi without extra SSIDs
teddingtontheatreclub SSID
Purpose
- Public Wi-Fi for visitors and members
Network
- VLAN 10 (Public Wi-Fi)
Behaviour
- Internet access only
- No access to internal VLANs