Network

flowchart TB
    %% Node Definitions
    Internet((BT Internet))
    
    subgraph WAN [LAN 192.168.50.1]
        direction TB
        TPLink[fa:fa-broadcast-tower TP-Link VR400<br/>DSL Router]
    end

    subgraph Core [WAN: 192.168.50.2]
        direction TB
        USG[fa:fa-shield-halved USG-3P<br/>Gateway/Router]
        USW[fa:fa-server USW-Pro 48 Port Switch]
        USG -- Gateway: 172.16.0.1 --- USW
    end

    %% Physical Connections
    Internet -- PPPoE --- TPLink
    TPLink -- DMZ --- USG

    %% VLAN 1: Management
    subgraph VLAN1 [VLAN 1: 172.16.0.0/24]
        direction TB
        APs@{ shape: procs, label: "fa:fa-wifi Unifi Access Points"}
        NUC["fa:fa-microchip Intel NUC [.94]<br/>UniFi Controller"]
        MgmtiMac["fa:fa-desktop Office iMac [.108]"]
        AdminSSID[fa:fa-signal SSID: ttcadmin]
        %% Enforce stacking
        NUC ~~~ APs ~~~ MgmtiMac ~~~ AdminSSID
    end

    %% VLAN 10: Public
    subgraph VLAN10 [VLAN 10: 172.16.10.0/24]
        direction TB
        PublicSSID[fa:fa-signal SSID: hamptonhilltheatre<br/>Public WiFi]
    end

    %% VLAN 30: General
    subgraph VLAN30 [VLAN 30: 172.16.30.0/24]
        direction TB
        GeneralWired["fa:fa-network-wired General (wired)"]
        DectPhone["fa:fa-phone DECT Phone [.3]"]
        %% Enforce stacking
        GeneralWired ~~~ DectPhone
    end

    %% VLAN 40: Admin
    subgraph VLAN40 [VLAN 40: 172.16.40.0/24]
        direction TB
        BarTills["fa:fa-cash-register Bar Tills [.13, .14]"]
        CCTV["fa:fa-video Reolink CCTV [.12]"]
        Alarm["fa:fa-bell CSL/Dualcom Alarm [.20]"]
        PCs["fa:fa-computer Office PC [.8]<br/>Box Office PC [.21]"]
        Printer["fa:fa-print Sharp Printer [.109]"]
        
        %% Enforce stacking
        BarTills ~~~ CCTV ~~~ Alarm ~~~ PCs ~~~ Printer
    end

    %% VLAN 50: Pixalite
    subgraph VLAN50 [VLAN 50: 172.16.50.0/24]
        direction TB
        PixCtrl[fa:fa-network-wired Pixalite controller]
        PixSockets["fa:fa-network-wired Coward Sockets<br/>Sound Prep"]
        PixaliteSSID[fa:fa-signal SSID: pixalite]
        %% Enforce stacking
        PixCtrl ~~~ PixSockets ~~~ PixaliteSSID
    end

    %% Logical VLAN Trunks
    USW ==> VLAN1
    USW ==> VLAN10
    USW ==> VLAN30
    USW ==> VLAN40
    USW ==> VLAN50

    %% Styling
    style Internet fill:#f9f,stroke:#333,stroke-width:2px
    style USG fill:#fff,stroke:#0055ff,stroke-width:3px
    style USW fill:#fff,stroke:#0055ff,stroke-width:3px

Network Controller

  • Platform: UniFi Network Application 10.0.162
  • Hosting: Self-hosted Intel NUC 172.16.0.94
  • Role:
    • Configuration and management of all UniFi devices
    • VLAN, SSID, and firewall policy definition

Gateway / Routing

  • Primary gateway: UniFi Security Gateway (USG-3P)
  • Fallback gateway: TP-Link VR400 (DSL termination)
  • Normally left in router mode
  • DMZ configured pointing at UniFi gateway WAN IP
    • Reduces double-NAT impact
    • Preserves rapid failover capability

The TP-Link provides immediate local internet access during UniFi gateway failure.
Switching

  • Core switch: UniFi USW-Pro-48
  • Provides:
    • VLAN segmentation
    • PoE for selected devices
    • Central L2 connectivity

Wireless Access Points

  • 2 Pro APs: Powered directly by PoE from USW
  • 4 LR APs: Powered via 48V->24V converters by PoE from USW

VLAN & Network Segmentation

VLAN 1 – Management (Native)

Purpose

  • UniFi infrastructure and management access

Contains

  • USG
  • USW
  • UniFi APs
  • NUC (UniFi Controller)
  • Office iMac (guaranteed UniFi Network Management access)

Characteristics

  • Flat L2 network
  • No dependency on inter-VLAN routing to reach controller
  • Trusted / restricted access

SSID ttcadmin

Rationale

  • Doubles as emergency Wi-Fi without extra SSIDs
  • Continues to function during USG failure, as APs can DHCP from TP-Link
  • Provides wireless access to UniFi Network Management UI (NUC)

Behaviour

  • Normal operation:
    • Password known only to trusted staff
  • During outage:
    • Password may be temporarily shared
    • Rotated immediately post-incident

Printer access

  • Explicit firewall allow rule:
    • Management LAN 1 → Office printer (VLAN 40)
    • Allows Wi-Fi access to the printer from ttcadmin

VLAN 10 – Public Wi-Fi

SSID hamptonhilltheatre

Purpose

  • Public Wi-Fi for visitors and members

Characteristics

  • Internet-only access
  • Isolated from other internal VLANs

VLAN 30 – General Wired

Purpose

  • Non-admin wired devices

Contains

  • General wired endpoints

Characteristics

  • Isolated from other internal VLANs

VLAN 40 – Admin Wired

Purpose

  • Wired admin devices

Contains

  • Bar tills
  • CCTV
  • CSL/Dualcom alarm
  • Office PCs & printer

Characteristics

  • Treated as sensitive
  • Isolated from other internal VLANs

VLAN 50 – Pixalite lighting controller

SSID pixalite

Purpose

  • Controls LED lighting in Coward studio

Characteristics

  • No internet access
  • Isolated from other internal VLANs
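The isolation rules in the VLAN sections above, modelled as an added example (not part of this document or of the UniFi configuration) so the intended policy can be checked against sample flows; the rule ordering, the internet-access assumption and the sample addresses are this example's own assumptions.

```python
"""Added example (not part of the original document): a model of the
inter-VLAN policy described above, so the intended isolation can be checked
against sample flows when USG firewall rules change. The rule set, names and
sample data are this example's assumptions, not the live configuration."""
import ipaddress

INTERNET = "internet"

# Subnets from the VLAN section above (VLAN 1 is the native/management VLAN).
VLANS = {
    1: ipaddress.ip_network("172.16.0.0/24"),    # Management, SSID ttcadmin
    10: ipaddress.ip_network("172.16.10.0/24"),  # Public Wi-Fi, internet-only
    30: ipaddress.ip_network("172.16.30.0/24"),  # General wired
    40: ipaddress.ip_network("172.16.40.0/24"),  # Admin wired (tills, CCTV, alarm, PCs, printer)
    50: ipaddress.ip_network("172.16.50.0/24"),  # Pixalite lighting, no internet
}
NO_INTERNET = {50}
PRINTER = ipaddress.ip_address("172.16.40.109")  # Sharp printer [.109] from the diagram


def vlan_of(addr):
    """VLAN id that owns addr, or None for an address outside the site VLANs."""
    ip = ipaddress.ip_address(addr)
    return next((vid for vid, net in VLANS.items() if ip in net), None)


def is_allowed(src, dst):
    """First-match evaluation of the intended policy; default deny between VLANs.

    Assumed here: VLANs not documented as 'No internet access' may reach the
    internet, and the only inter-VLAN allow is Management -> office printer.
    """
    s = vlan_of(src)
    if s is None:
        raise ValueError(f"{src} is not on a site VLAN")
    if dst == INTERNET or vlan_of(dst) is None:
        return s not in NO_INTERNET   # off-site destination: internet policy
    d = vlan_of(dst)
    if s == d:
        return True   # same VLAN: plain L2, never reaches the gateway filter
    if s == 1 and ipaddress.ip_address(dst) == PRINTER:
        return True   # explicit allow: Management LAN -> VLAN 40 printer
    return False      # every other inter-VLAN flow is denied


def audit(flows):
    """Flows whose observed verdict disagrees with the intended policy.
    flows: iterable of (src, dst, observed_allowed), e.g. from a per-VLAN connectivity test."""
    return [(src, dst) for src, dst, seen in flows if seen != is_allowed(src, dst)]
```

Feed `audit()` the results of a connectivity test run from each VLAN (constructed tuples such as `("172.16.10.25", "172.16.40.12", True)`); anything it returns is a flow whose real behaviour disagrees with this document, for example public Wi-Fi reaching the CCTV.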

Port Map Reference

See separate Port Map Document for individual 48-port switch assignments.