Extending & Future Upgrades

Purpose
This runbook captures the correct architecture, terminology, decision points, and upgrade paths for extending RockLAN networking to outbuildings (shop, sheds, barns) using wireless bridges, VLAN isolation, and roaming Wi‑Fi, without trenching or legacy technical debt.

---

1. Core Principles (Non‑Negotiable)

• No buried copper between buildings
• Wireless bridge replaces underground conduit
• Isolation is enforced centrally (OPNsense + VLANs)
• Backhaul ≠ Wi‑Fi mesh
• AP roaming ≠ mesh backhaul
• 10/100 gear is scaffolding only, never infrastructure

If any design violates these principles, stop and reassess.

---

2. Correct Terminology (Canonical Definitions)

Wireless Bridge (PtP / PtMP)

• A Layer‑2 Ethernet replacement over RF
• Transparent to VLANs and protocols
• Example: Ubiquiti airMAX NanoStation / LiteBeam

Backhaul

• The link between buildings
• In RockLAN: wireless bridge = wired backhaul equivalent

Wi‑Fi Roaming (What users usually mean by “mesh”)

• Multiple APs
• Same SSID / security
• Client devices roam automatically
• Preferred with wired (or bridged) backhaul

Mesh Backhaul (Not Recommended Here)

• APs relay traffic wirelessly between themselves
• Each hop reduces throughput
• Higher latency and instability

VLAN Trunk

• Multiple tagged networks carried over one physical/bridge link
• Required for central isolation

---

3. Architecture Overview

3.1 Current State (Baseline / Transitional)

Goal: Extend connectivity quickly with zero trenching and minimal spend while avoiding technical debt.

• Core routing, DHCP, DNS handled by OPNsense at the house
• Temporary or legacy switches/APs allowed only at the edge
• 10/100 gear permitted only for non‑critical devices
• No permanent reliance on consumer mesh backhaul

House/Core ──(existing LAN)── Temporary switch/AP ── Devices

This state is acceptable only as a stopgap.

---

3.2 Future State (Target / Locked‑In Design)

Goal: Treat every outbuilding as if it were connected by a short Ethernet cable, with full VLAN support and centralized security.

Core / House

• OPNsense router
• VLANs + firewall rules
• Central DHCP + DNS (Pi‑hole VIP)

Inter‑Building Backhaul

• Ubiquiti airMAX NanoStation M5 (or AC equivalent)
• Configured as transparent Layer‑2 bridge (WDS)
• One Point‑to‑Point (PtP) link per building (preferred)

Outbuilding Edge

• 1 GbE switch (managed preferred)
• AP(s) in AP / bridge mode
• No routing, no NAT, no DHCP

House/Core ── NanoStation ))))) NanoStation ── GbE Switch ── AP / Cameras / PCs

---

4. VLAN & Isolation Model (Authoritative)

VLANs Live Here

• OPNsense ONLY

VLAN Table (Example / Reference)

VLAN ID	Name	Purpose	DHCP	Internet	LAN Access
10	LAN	Trusted clients, admins, servers	Yes	Yes	Yes
20	IoT	Cameras, hubs, appliances	Yes	Yes	No
30	Guest	Guests, contractors	Yes	Yes	No
40	Shop	Work PCs, tools, shop equipment	Yes	Yes	Limited

Firewall Rule Matrix (Simplified)

Source VLAN	Destination	Action	Notes
LAN (10)	IoT (20)	Allow	Management access
IoT (20)	LAN (10)	Deny	Isolation
Guest (30)	LAN (10)	Deny	Isolation
Any	DNS (Pi‑hole VIP)	Allow	Central DNS
Any	Internet	Allow	As policy dictates

Bridge Behavior

• NanoStations pass tagged VLAN frames transparently
• Treat every PtP link as an Ethernet cable

---

5. Wi‑Fi Design (Roaming, Not Mesh)

Configuration Rules

• Same SSID across APs (per VLAN if needed)
• Same security + passphrase
• Different channels (avoid overlap)

Optional Enhancements

• Enable 802.11k / 802.11v
• Use 802.11r only if clients tolerate it

Result

• Seamless roaming across house + shop + sheds
• No throughput halving
• No wireless relay hops

---

6. Hardware Recommendations (By Tier)

Backhaul (Primary Recommendation)

• Ubiquiti airMAX NanoStation M5
• Ubiquiti LiteBeam 5AC / NanoBeam AC (more headroom)

Avoid

• No‑name Amazon bridge kits (inflated specs)
• Consumer mesh systems for inter‑building links

Extreme Upgrade (Only if Needed)

• 60 GHz bridges (airMAX / UniFi Building Bridge)
• Use only if sustained >500 Mbps is required

---

7. Wired vs Wireless: When to Use Each

Wireless Bridge (Default)

Use when:

• Buildings have line of sight
• Separate power systems exist
• Lightning risk is a concern
• You want zero trenching

Trench Fiber (Rare)

Only when:

• You are already trenching for utilities
• You require multi‑gig sustained throughput
• You want 20‑year infrastructure

Never trench copper Ethernet. Ever.

---

8. Legacy 10/100 Gear Policy

Allowed Uses

• Temporary bootstrap
• Cameras
• Controllers
• Non‑critical IoT

Forbidden Uses

• Backhaul
• NAS access
• Proxmox nodes
• Permanent installs

Rule

If it matters later, start at gig now.

---

9. Bill of Materials (BOM) – Per Outbuilding

Required (Per Building)

Item	Qty	Notes
Ubiquiti airMAX NanoStation M5	2	One at house, one at outbuilding
PoE Injectors (included)	2	Indoor power
Outdoor‑rated Cat6 patch cables	2	Short runs only
Gigabit Ethernet switch	1	Managed preferred
Wi‑Fi Access Point	1–2	AP/bridge mode
Mounting hardware	1 set	Eave / pole / fascia

Optional / Nice‑to‑Have

• Managed switch (VLAN breakout)
• UPS (small) for bridge + switch
• Surge protection (indoor side)

Estimated cost per outbuilding: ~$200–250

---

10. Validation Checklist

• Bridge latency < 3 ms
• Stable RSSI (~‑50 to ‑60 dBm)
• Shop speed ≈ house speed
• VLAN isolation confirmed
• No double NAT
• No buried copper

---

11. Rollback & Upgrade Paths

Speed Upgrade

• Replace NanoStation with NanoBeam AC / LiteBeam 5AC

Bandwidth Upgrade

• Replace 5 GHz PtP with 60 GHz bridge (short range, clear LOS)

Ultimate Upgrade

• Trench fiber only (leave bridges in place until fiber is proven)

---

12. Site‑Specific Topology Diagram (House → Shop → Sheds)

Speed Upgrade

• Replace NanoStation with NanoBeam / LiteBeam

Bandwidth Upgrade

• Replace 5 GHz with 60 GHz bridge

Ultimate Upgrade

• Trench fiber only (leave bridges intact until proven)

---

11. Site-Specific Topology Diagram (House → Shop → Sheds)

Topology goal: Treat every outbuilding as if it were connected by a short Ethernet cable, while keeping routing, security, and policy centralized at the house (OPNsense).

                              ┌─────────────────────────┐
                              │        INTERNET         │
                              └─────────────┬───────────┘
                                            │
                                   ISP Modem / ONT
                                            │
                              ┌─────────────▼───────────┐
                              │        OPNsense          │
                              │  VLANs + Firewall + DNS │
                              │  (Pi-hole VIP .7)       │
                              └─────────────┬───────────┘
                                            │
                                   Core LAN / Trunk
                                            │
                         ┌──────────────────┴──────────────────┐
                         │                                     │
                NanoStation (PtP)                       NanoStation (PtP)
                  House Side                              House Side
                         ))))))))))))))))))))))))))))))))))))))))))
                         ))))))))))))))))))))))))))))))))))))))))))
                NanoStation (PtP)                       NanoStation (PtP)
                 Shop Side                               Shed Side
                         │                                     │
                 ┌───────▼────────┐                   ┌───────▼────────┐
                 │  GbE Switch     │                   │  GbE Switch     │
                 │ (Managed pref) │                   │ (Managed pref) │
                 └───────┬────────┘                   └───────┬────────┘
                         │                                     │
               ┌─────────┴─────────┐               ┌─────────┴─────────┐
               │                   │               │                   │
            AP (SSID/VLANs)     Cameras          AP (SSID/VLANs)     Cameras
               │                                   │
         PCs / Tools / IoT                  IoT / Sensors / Tools

Key Notes

• Each PtP link is independent (preferred): failure or congestion in one outbuilding does not affect others.
• NanoStations act as Layer-2 bridges: VLAN tags pass transparently.
• Routing, DHCP, DNS, and isolation live ONLY at OPNsense.
• Outbuildings never route or NAT by default.

---

12. Topology Variants (When Needed)

Hub-and-Spoke (Acceptable)

Use only if buildings are close and radio count must be minimized.

House (Hub)
   ├── PtP → Shop
   ├── PtP → Shed A
   └── PtP → Shed B

Tradeoff: shared airtime at the hub.

Daisy-Chain / Relay (Avoid)

House → Shop → Shed

• Increases latency
• Reduces throughput
• Harder to troubleshoot

Only use if line-of-sight makes direct links impossible.

---

13. Final Guidance (Lock-In)

(Lock‑In)

Wireless bridges are infrastructure, not a compromise.
Roaming is solved with APs, not mesh backhaul.
Isolation belongs at OPNsense, not at the edge.

This design eliminates technical debt, trenching, lightning risk, and legacy hardware — while remaining fully upgradeable.

---

Document intended for Obsidian vault and WordPress publishing. Headings are stable anchors.