Extending & Future Upgrades
Purpose
This runbook captures the correct architecture, terminology, decision points, and upgrade paths for extending RockLAN networking to outbuildings (shop, sheds, barns) using wireless bridges, VLAN isolation, and roaming Wi‑Fi, without trenching or legacy technical debt.
1. Core Principles (Non‑Negotiable)
- No buried copper between buildings
- Wireless bridge replaces underground conduit
- Isolation is enforced centrally (OPNsense + VLANs)
- Backhaul ≠ Wi‑Fi mesh
- AP roaming ≠ mesh backhaul
- 10/100 gear is scaffolding only, never infrastructure
If any design violates these principles, stop and reassess.
2. Correct Terminology (Canonical Definitions)
Wireless Bridge (PtP / PtMP)
- A Layer‑2 Ethernet replacement over RF
- Transparent to VLANs and protocols
- Example: Ubiquiti airMAX NanoStation / LiteBeam
Backhaul
- The link between buildings
- In RockLAN: wireless bridge = wired backhaul equivalent
Wi‑Fi Roaming (What users usually mean by “mesh”)
- Multiple APs
- Same SSID / security
- Client devices roam automatically
- Preferred with wired (or bridged) backhaul
Mesh Backhaul (Not Recommended Here)
- APs relay traffic wirelessly between themselves
- Each hop reduces throughput
- Higher latency and instability
VLAN Trunk
- Multiple tagged networks carried over one physical/bridge link
- Required for central isolation
3. Architecture Overview
3.1 Current State (Baseline / Transitional)
Goal: Extend connectivity quickly with zero trenching and minimal spend while avoiding technical debt.
- Core routing, DHCP, DNS handled by OPNsense at the house
- Temporary or legacy switches/APs allowed only at the edge
- 10/100 gear permitted only for non‑critical devices
- No permanent reliance on consumer mesh backhaul
```
House/Core ──(existing LAN)── Temporary switch/AP ── Devices
```
This state is acceptable only as a stopgap.
3.2 Future State (Target / Locked‑In Design)
Goal: Treat every outbuilding as if it were connected by a short Ethernet cable, with full VLAN support and centralized security.
Core / House
- OPNsense router
- VLANs + firewall rules
- Central DHCP + DNS (Pi‑hole VIP)
Inter‑Building Backhaul
- Ubiquiti airMAX NanoStation M5 (or AC equivalent)
- Configured as transparent Layer‑2 bridge (WDS)
- One Point‑to‑Point (PtP) link per building (preferred)
Outbuilding Edge
- 1 GbE switch (managed preferred)
- AP(s) in AP / bridge mode
- No routing, no NAT, no DHCP
```
House/Core ── NanoStation ))))) NanoStation ── GbE Switch ── AP / Cameras / PCs
```
4. VLAN & Isolation Model (Authoritative)
VLANs Live Here
- OPNsense ONLY
VLAN Table (Example / Reference)
| VLAN ID | Name | Purpose | DHCP | Internet | LAN Access |
|---|---|---|---|---|---|
| 10 | LAN | Trusted clients, admins, servers | Yes | Yes | Yes |
| 20 | IoT | Cameras, hubs, appliances | Yes | Yes | No |
| 30 | Guest | Guests, contractors | Yes | Yes | No |
| 40 | Shop | Work PCs, tools, shop equipment | Yes | Yes | Limited |
Firewall Rule Matrix (Simplified)
| Source VLAN | Destination | Action | Notes |
|---|---|---|---|
| LAN (10) | IoT (20) | Allow | Management access |
| IoT (20) | LAN (10) | Deny | Isolation |
| Guest (30) | LAN (10) | Deny | Isolation |
| Any | DNS (Pi‑hole VIP) | Allow | Central DNS |
| Any | Internet | Allow | As policy dictates |
Bridge Behavior
- NanoStations pass tagged VLAN frames transparently
- Treat every PtP link as an Ethernet cable
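The rule matrix above only holds if the rules are ordered and scoped correctly on OPNsense: the "Any → DNS (Pi‑hole VIP)" allow must sit before the isolation denies (otherwise IoT and Guest lose DNS) and must be limited to port 53 (otherwise every VLAN reaches the VIP host on all ports). The following added example, which is not part of this runbook, models that first‑match evaluation in Python and audits the invariants. The subnets, the VIP address 10.0.10.7 and the rule order are constructed assumptions; Shop's "Limited" LAN access is represented only by the implicit default deny.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Union

# Constructed addressing for the example: one /24 per VLAN ID. The runbook gives
# VLAN IDs and names only, so these subnets and the VIP address are assumptions.
VLANS = {
    10: ip_network("10.0.10.0/24"),  # LAN
    20: ip_network("10.0.20.0/24"),  # IoT
    30: ip_network("10.0.30.0/24"),  # Guest
    40: ip_network("10.0.40.0/24"),  # Shop
}
PIHOLE_VIP = ip_network("10.0.10.7/32")  # assumed: the ".7" VIP sits in the LAN VLAN
INTERNET = "internet"                    # marker for "any non-private destination"
PUBLIC_DST = ip_address("1.1.1.1")       # any public address, used by the audit


@dataclass
class Rule:
    src_vlan: Optional[int]       # None = any VLAN
    dst: Union[object, str]       # ip_network or INTERNET
    port: Optional[int]           # None = any port
    action: str                   # "allow" or "deny"
    note: str = ""


def vlan_of(ip):
    return next((vid for vid, net in VLANS.items() if ip in net), None)


def dst_matches(rule_dst, dst_ip):
    if isinstance(rule_dst, str):
        return not dst_ip.is_private
    return dst_ip in rule_dst


def evaluate(rules, src_ip, dst_ip, port):
    """First-match evaluation, like an OPNsense interface rule set; no match = deny."""
    src_vlan = vlan_of(src_ip)
    for r in rules:
        if r.src_vlan not in (None, src_vlan):
            continue
        if not dst_matches(r.dst, dst_ip):
            continue
        if r.port not in (None, port):
            continue
        return r.action, r.note
    return "deny", "implicit default deny"


# The runbook's matrix, ordered so the port-scoped DNS allow precedes the isolation denies.
GOOD_RULES = [
    Rule(None, PIHOLE_VIP, 53, "allow", "Central DNS"),
    Rule(10, VLANS[20], None, "allow", "Management access"),
    Rule(20, VLANS[10], None, "deny", "Isolation"),
    Rule(30, VLANS[10], None, "deny", "Isolation"),
    Rule(None, INTERNET, None, "allow", "As policy dictates"),
]
# Two ways the same matrix goes wrong in practice (constructed for illustration):
DNS_AFTER_DENY = GOOD_RULES[1:4] + [GOOD_RULES[0], GOOD_RULES[4]]   # deny shadows the DNS allow
UNSCOPED_DNS = [Rule(None, PIHOLE_VIP, None, "allow", "Central DNS")] + GOOD_RULES[1:]  # all ports


def audit(rules):
    """Return the isolation invariants a rule set violates (empty list = matrix holds)."""
    lan_host = VLANS[10][50]
    findings = []
    for vid in (20, 30, 40):              # every non-LAN VLAN, Shop included
        src = VLANS[vid][10]
        if evaluate(rules, src, PIHOLE_VIP[0], 53)[0] != "allow":
            findings.append(f"VLAN {vid} cannot reach central DNS")
        if evaluate(rules, src, PUBLIC_DST, 443)[0] != "allow":
            findings.append(f"VLAN {vid} has no internet access")
        for port in (22, 445):
            if evaluate(rules, src, lan_host, port)[0] == "allow":
                findings.append(f"VLAN {vid} reaches a LAN host on tcp/{port}")
            if evaluate(rules, src, PIHOLE_VIP[0], port)[0] == "allow":
                findings.append(f"VLAN {vid} reaches the DNS VIP on tcp/{port}")
    return findings


if __name__ == "__main__":
    for name, rules in (("good", GOOD_RULES), ("dns-after-deny", DNS_AFTER_DENY),
                        ("unscoped-dns", UNSCOPED_DNS)):
        print(name, audit(rules) or "ok")
```

Running the block prints `ok` for the correctly ordered set and lists the broken invariant for the other two; the same checks are worth re‑running after every rule change, because OPNsense evaluates interface rules top‑down and a reorder silently changes the outcome.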
5. Wi‑Fi Design (Roaming, Not Mesh)
Configuration Rules
- Same SSID across APs (per VLAN if needed)
- Same security + passphrase
- Different channels (avoid overlap)
Optional Enhancements
- Enable 802.11k / 802.11v
- Use 802.11r only if clients tolerate it
Result
- Seamless roaming across house + shop + sheds
- No throughput halving
- No wireless relay hops
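The configuration rules above (one SSID and passphrase, a distinct channel per AP, 802.11k/v on, 802.11r opt‑in) map directly onto hostapd options on a Linux‑based AP. The following added example is not part of this runbook and assumes hostapd‑driven APs, which the runbook does not name; it generates one hostapd.conf per AP and checks that the set obeys the roaming rules. The channel list, the mobility domain value `a1b2`, and the interface name `wlan0` are constructed assumptions; per‑VLAN SSIDs are out of scope here.

```python
# Non-overlapping 5 GHz 20 MHz channels (UNII-1 and UNII-3); regulatory availability
# varies by country, so this list is an assumption for the example.
NON_OVERLAPPING_5GHZ = [36, 40, 44, 48, 149, 153, 157, 161]


def plan_channels(ap_names):
    """Give each AP its own channel, round-robin, so adjacent cells do not contend for airtime."""
    return {name: NON_OVERLAPPING_5GHZ[i % len(NON_OVERLAPPING_5GHZ)]
            for i, name in enumerate(ap_names)}


def render_hostapd(ap_name, channel, ssid, passphrase, enable_ft=False, mobility_domain="a1b2"):
    """hostapd.conf text for one AP: shared SSID/credentials, own channel, 802.11k/v on, 802.11r optional."""
    lines = [
        "interface=wlan0",           # assumed radio interface name
        f"ssid={ssid}",
        "hw_mode=a",                 # 5 GHz
        "ieee80211n=1",
        f"channel={channel}",
        "wpa=2",
        "rsn_pairwise=CCMP",
        f"wpa_passphrase={passphrase}",
        # 802.11k: neighbour and beacon reports let clients pick the next AP early
        "rrm_neighbor_report=1",
        "rrm_beacon_report=1",
        # 802.11v: BSS transition management lets the AP steer a sticky client
        "bss_transition=1",
    ]
    if enable_ft:
        # 802.11r fast transition; some clients misbehave, so it stays opt-in as the runbook says
        lines += [
            "wpa_key_mgmt=WPA-PSK FT-PSK",
            f"mobility_domain={mobility_domain}",  # must be identical on every AP in the roaming set
            f"nas_identifier={ap_name}",
            "ft_psk_generate_local=1",             # derive FT keys locally, no r0kh/r1kh list to maintain
            "ft_over_ds=0",
        ]
    else:
        lines.append("wpa_key_mgmt=WPA-PSK")
    return "\n".join(lines) + "\n"


def roaming_profile(ap_names, ssid, passphrase, enable_ft=False):
    """One config per AP; every AP shares SSID and passphrase, none shares a channel."""
    channels = plan_channels(ap_names)
    return {name: render_hostapd(name, ch, ssid, passphrase, enable_ft)
            for name, ch in channels.items()}


def check_roaming_set(configs):
    """Verify the roaming rules over rendered configs: one SSID, one passphrase, distinct channels."""
    def field(text, key):
        return next(l.split("=", 1)[1] for l in text.splitlines() if l.startswith(key + "="))
    ssids = {field(c, "ssid") for c in configs.values()}
    keys = {field(c, "wpa_passphrase") for c in configs.values()}
    channels = [field(c, "channel") for c in configs.values()]
    return len(ssids) == 1 and len(keys) == 1 and len(channels) == len(set(channels))


if __name__ == "__main__":
    profile = roaming_profile(["house", "shop", "shed"], "RockLAN", "example-passphrase")
    print("roaming set valid:", check_roaming_set(profile))
    print(profile["shop"])
```

`check_roaming_set` is the part worth keeping around: run it over the configs actually deployed (however they are produced) and it will flag the two classic roaming mistakes, a passphrase that drifted on one AP and two APs left on the same channel.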
6. Hardware Recommendations (By Tier)
Backhaul (Primary Recommendation)
- Ubiquiti airMAX NanoStation M5
- Ubiquiti LiteBeam 5AC / NanoBeam AC (more headroom)
Avoid
- No‑name Amazon bridge kits (inflated specs)
- Consumer mesh systems for inter‑building links
Extreme Upgrade (Only if Needed)
- 60 GHz bridges (airMAX / UniFi Building Bridge)
- Use only if sustained >500 Mbps is required
7. Wired vs Wireless: When to Use Each
Wireless Bridge (Default)
Use when:
- Buildings have line of sight
- Separate power systems exist
- Lightning risk is a concern
- You want zero trenching
Trench Fiber (Rare)
Only when:
- You are already trenching for utilities
- You require multi‑gig sustained throughput
- You want 20‑year infrastructure
Never trench copper Ethernet. Ever.
8. Legacy 10/100 Gear Policy
Allowed Uses
- Temporary bootstrap
- Cameras
- Controllers
- Non‑critical IoT
Forbidden Uses
- Backhaul
- NAS access
- Proxmox nodes
- Permanent installs
Rule
If it matters later, start at gig now.
9. Bill of Materials (BOM) – Per Outbuilding
Required (Per Building)
| Item | Qty | Notes |
|---|---|---|
| Ubiquiti airMAX NanoStation M5 | 2 | One at house, one at outbuilding |
| PoE Injectors (included) | 2 | Indoor power |
| Outdoor‑rated Cat6 patch cables | 2 | Short runs only |
| Gigabit Ethernet switch | 1 | Managed preferred |
| Wi‑Fi Access Point | 1–2 | AP/bridge mode |
| Mounting hardware | 1 set | Eave / pole / fascia |
Optional / Nice‑to‑Have
- Managed switch (VLAN breakout)
- UPS (small) for bridge + switch
- Surge protection (indoor side)
Estimated cost per outbuilding: ~$200–250
10. Validation Checklist
- Bridge latency < 3 ms
- Stable RSSI (~‑50 to ‑60 dBm)
- Shop speed ≈ house speed
- VLAN isolation confirmed
- No double NAT
- No buried copper
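Four of the six checks above can be scripted from ordinary tool output: bridge latency from `ping`, RSSI from the radio's signal readings, speed parity from two throughput measurements, and double NAT from `traceroute` (two RFC 1918 hops before the first public hop means a second NAT, typically the ISP modem still routing, in front of OPNsense). The following added example is not part of this runbook; the ping and traceroute outputs embedded in it are constructed samples, and the RSSI spread limit of 5 dB and the 80 % speed‑parity ratio are assumed thresholds. VLAN isolation and "no buried copper" stay manual checks.

```python
import re
from ipaddress import ip_address, ip_network

# RFC 1918 ranges. Carrier-grade NAT space (100.64.0.0/10) is left out on purpose:
# it lives on the ISP side and is not something the house-side design can fix.
RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]

# Constructed sample outputs for the checks below; none were captured from a real link.
PING_OK = """\
PING 10.0.10.1 (10.0.10.1) 56(84) bytes of data.
64 bytes from 10.0.10.1: icmp_seq=1 ttl=64 time=1.42 ms
64 bytes from 10.0.10.1: icmp_seq=2 ttl=64 time=1.37 ms
64 bytes from 10.0.10.1: icmp_seq=3 ttl=64 time=2.10 ms
64 bytes from 10.0.10.1: icmp_seq=4 ttl=64 time=1.55 ms

--- 10.0.10.1 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3004ms
"""
PING_SLOW = PING_OK.replace("time=2.10 ms", "time=4.80 ms")
PING_LOSSY = PING_OK.replace("4 received, 0% packet loss", "3 received, 25% packet loss")

TRACE_SINGLE_NAT = """\
traceroute to 1.1.1.1 (1.1.1.1), 30 hops max, 60 byte packets
 1  10.0.40.1 (10.0.40.1)  1.203 ms  1.150 ms  1.101 ms
 2  198.51.100.1 (198.51.100.1)  9.842 ms  9.700 ms  9.655 ms
 3  1.1.1.1 (1.1.1.1)  12.311 ms  12.280 ms  12.204 ms
"""
TRACE_DOUBLE_NAT = """\
traceroute to 1.1.1.1 (1.1.1.1), 30 hops max, 60 byte packets
 1  10.0.40.1 (10.0.40.1)  1.203 ms  1.150 ms  1.101 ms
 2  192.168.1.1 (192.168.1.1)  2.011 ms  1.980 ms  1.944 ms
 3  198.51.100.1 (198.51.100.1)  9.842 ms  9.700 ms  9.655 ms
"""


def parse_ping(text):
    """Return (per-packet RTTs in ms, loss percent) from Linux `ping` output."""
    rtts = [float(m) for m in re.findall(r"time=([\d.]+) ms", text)]
    loss = re.search(r"(\d+)% packet loss", text)
    return rtts, (int(loss.group(1)) if loss else 100)


def check_latency(text, max_ms=3.0):
    """Checklist item: bridge latency < 3 ms, judged on the worst packet, with zero loss."""
    rtts, loss = parse_ping(text)
    return bool(rtts) and loss == 0 and max(rtts) < max_ms


def check_rssi(samples_dbm, low=-60, high=-50, max_spread=5):
    """Checklist item: every sample inside the target window and the link not flapping."""
    return all(low <= s <= high for s in samples_dbm) and max(samples_dbm) - min(samples_dbm) <= max_spread


def leading_private_hops(traceroute_text):
    """Count RFC 1918 hops before the first public hop; timed-out hops ('* * *') are skipped."""
    count = 0
    for line in traceroute_text.splitlines():
        m = re.match(r"\s*\d+\s+\S+\s+\(([\d.]+)\)", line)
        if not m:
            continue
        hop = ip_address(m.group(1))
        if any(hop in net for net in RFC1918):
            count += 1
        else:
            break
    return count


def check_no_double_nat(traceroute_text):
    """One private hop (the OPNsense gateway) is expected; a second one is another NAT in front."""
    return leading_private_hops(traceroute_text) <= 1


def check_speed_parity(shop_mbps, house_mbps, min_ratio=0.8):
    """Checklist item: shop throughput within an assumed 80 % of the house measurement."""
    return house_mbps > 0 and shop_mbps / house_mbps >= min_ratio


def run_checklist(ping_text, rssi_samples, traceroute_text, shop_mbps, house_mbps):
    """The automatable part of the checklist; VLAN isolation and buried copper remain manual."""
    return {
        "bridge latency < 3 ms": check_latency(ping_text),
        "stable RSSI -50..-60 dBm": check_rssi(rssi_samples),
        "shop speed ~ house speed": check_speed_parity(shop_mbps, house_mbps),
        "no double NAT": check_no_double_nat(traceroute_text),
    }


if __name__ == "__main__":
    for item, ok in run_checklist(PING_OK, [-54, -55, -53, -56], TRACE_SINGLE_NAT, 420, 470).items():
        print(f"[{'PASS' if ok else 'FAIL'}] {item}")
```

Feed the functions real output (`ping -c 20 <far-side NanoStation>`, `traceroute` from a shop PC to a public address, RSSI readings from the airMAX status page) and keep the thresholds as they are in the checklist; if the traceroute check fails, the fix is to put the ISP modem in bridge mode rather than to add a route.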
11. Rollback & Upgrade Paths
Speed Upgrade
- Replace NanoStation with NanoBeam AC / LiteBeam 5AC
Bandwidth Upgrade
- Replace 5 GHz PtP with 60 GHz bridge (short range, clear LOS)
Ultimate Upgrade
- Trench fiber only (leave bridges in place until fiber is proven)
12. Site‑Specific Topology Diagram (House → Shop → Sheds)
Topology goal: Treat every outbuilding as if it were connected by a short Ethernet cable, while keeping routing, security, and policy centralized at the house (OPNsense).
```
              ┌─────────────────────────┐
              │        INTERNET         │
              └─────────────┬───────────┘
                            │
                     ISP Modem / ONT
                            │
              ┌─────────────▼───────────┐
              │        OPNsense         │
              │ VLANs + Firewall + DNS  │
              │    (Pi-hole VIP .7)     │
              └─────────────┬───────────┘
                            │
                    Core LAN / Trunk
                            │
                ┌───────────┴─────────────────────────┐
                │                                     │
        NanoStation (PtP)                     NanoStation (PtP)
           House Side                            House Side
        )))))))))))))))))                     )))))))))))))))))
        )))))))))))))))))                     )))))))))))))))))
        NanoStation (PtP)                     NanoStation (PtP)
            Shop Side                             Shed Side
                │                                     │
        ┌───────▼────────┐                    ┌───────▼────────┐
        │   GbE Switch   │                    │   GbE Switch   │
        │ (Managed pref) │                    │ (Managed pref) │
        └───────┬────────┘                    └───────┬────────┘
                │                                     │
          ┌─────┴─────┐                         ┌─────┴─────┐
          │           │                         │           │
   AP (SSID/VLANs) Cameras               AP (SSID/VLANs) Cameras
          │                                     │
  PCs / Tools / IoT                   IoT / Sensors / Tools
```
Key Notes
- Each PtP link is independent (preferred): failure or congestion in one outbuilding does not affect others.
- NanoStations act as Layer-2 bridges: VLAN tags pass transparently.
- Routing, DHCP, DNS, and isolation live ONLY at OPNsense.
- Outbuildings never route or NAT by default.
13. Topology Variants (When Needed)
Hub-and-Spoke (Acceptable)
Use only if buildings are close and radio count must be minimized.
```
House (Hub)
├── PtP → Shop
├── PtP → Shed A
└── PtP → Shed B
```
Tradeoff: shared airtime at the hub.
Daisy-Chain / Relay (Avoid)
```
House → Shop → Shed
```
- Increases latency
- Reduces throughput
- Harder to troubleshoot
Only use if line-of-sight makes direct links impossible.
14. Final Guidance (Lock-In)
Wireless bridges are infrastructure, not a compromise.
Roaming is solved with APs, not mesh backhaul.
Isolation belongs at OPNsense, not at the edge.
This design eliminates technical debt, trenching, lightning risk, and legacy hardware — while remaining fully upgradeable.
Document intended for Obsidian vault and WordPress publishing. Headings are stable anchors.