Deployment Guide

Complete step-by-step deployment guide for the three-network Ubiquiti configuration.


Pre-Deployment Checklist

  • Backup current router configuration
  • Document current network setup
  • Schedule maintenance window
  • Notify users of potential downtime
  • Prepare rollback plan
  • Test in lab environment (if possible)
  • Review all configuration files
  • Change default passwords in WiFi config

Deployment Timeline

Estimated Time: 2-4 hours (depending on complexity)

| Phase          | Duration | Description                       |
|----------------|----------|-----------------------------------|
| Preparation    | 30 min   | Backup, documentation, review     |
| Physical Setup | 30 min   | Cable connections, switch config  |
| Router Config  | 45 min   | VLAN, DHCP, firewall setup        |
| WiFi Setup     | 30 min   | SSID creation and testing         |
| Testing        | 45 min   | Validation and troubleshooting    |
| Documentation  | 30 min   | Update records                    |

Phase 1: Preparation

1.1 Backup Current Configuration

UniFi Network

  1. Open UniFi Controller
  2. Navigate to Settings → System → Backup
  3. Click Download Backup
  4. Save file with timestamp: unifi-backup-20260109.unf

EdgeRouter

# SSH to router
ssh admin@192.168.1.1

# Create backup as a list of 'set' commands (restored by pasting them into configure mode)
show configuration commands > /tmp/backup-$(date +%Y%m%d-%H%M).txt

# Also keep a copy of config.boot; this is the format the 'load' command restores
cp /config/config.boot /tmp/config-$(date +%Y%m%d-%H%M).boot

# Download both backups (/tmp does not survive a reboot)
exit
scp admin@192.168.1.1:/tmp/backup-*.txt admin@192.168.1.1:/tmp/config-*.boot ./

1.2 Document Current Setup

Record the following:

Current Network Ranges:
- Main: ___________________
- Guest: __________________
- IoT: ____________________

Current Gateway: ___________________
DNS Servers: ___________________
DHCP Ranges: ___________________

Connected Devices (Critical):
1. ___________________
2. ___________________
3. ___________________

1.3 Update Configuration Files

CRITICAL: Edit config/wifi/wireless-networks.json and change the password for all three networks (JSON does not allow comments, so keep the reminder out of the file):

{
  "password": "YOUR_STRONG_PASSWORD_HERE"
}

Recommended password requirements:

  • Minimum 12 characters
  • Mix of uppercase, lowercase, numbers, symbols
  • Different for each network
  • Not dictionary words

Phase 2: Physical Setup

2.1 Network Topology Planning

Internet → Modem → Router → Managed Switch → Access Points
                       ↓
                    Direct Clients

2.2 Cable Connections

  1. Router to Switch

    • Use high-quality Cat6 cable
    • Connect to router LAN port (eth1)
    • Connect to switch trunk port
  2. Switch to Access Points

    • One cable per AP
    • Use PoE if available
    • Label cables clearly
  3. Switch Port Configuration

    Port 1: Trunk (All VLANs) → Router
    Port 2-4: Trunk (All VLANs) → Access Points
    Port 5-24: Access (Assign VLAN as needed) → Wired clients
    

2.3 Managed Switch Setup

UniFi Switch

  1. Adopt switch in UniFi Controller
  2. Configure port profiles:

Trunk Profile (for APs):

Name: AP-Trunk
Native VLAN: 1
Tagged VLANs: 10, 20, 30

Access Profiles:

Private-Access: VLAN 10
Guest-Access: VLAN 20
IoT-Access: VLAN 30
  3. Apply profiles to ports

Non-UniFi Managed Switch

Configure via switch CLI or web interface:

# Example for generic managed switch
vlan 10 name Private
vlan 20 name Guest
vlan 30 name IoT

interface gigabitethernet 1/0/1
  switchport mode trunk
  switchport trunk allowed vlan 10,20,30

interface gigabitethernet 1/0/2-4
  switchport mode trunk
  switchport trunk allowed vlan 10,20,30

Phase 3: Router Configuration

Option A: UniFi Network Application

3.1 Create Networks

  1. Navigate to Settings → Networks
  2. Click Create New Network

Private Network:

Name: Private
Router: USG/UDM/UDM Pro
VLAN ID: 10
Gateway/Subnet: 192.168.10.1/24
DHCP Mode: DHCP Server
DHCP Range: 192.168.10.10 - 192.168.10.250
DHCP DNS: Auto
Domain Name: private.local
IGMP Snooping: Enable

Guest Network:

Name: Guest
Router: USG/UDM/UDM Pro
VLAN ID: 20
Gateway/Subnet: 192.168.20.1/24
DHCP Mode: DHCP Server
DHCP Range: 192.168.20.10 - 192.168.20.250
DHCP DNS: 1.1.1.1, 8.8.8.8
Domain Name: guest.local
Guest Policy: Enable
    Client Device Isolation: Enable
    Bandwidth Limit Download: 50000 kbps
    Bandwidth Limit Upload: 10000 kbps

IoT Network:

Name: IoT
Router: USG/UDM/UDM Pro
VLAN ID: 30
Gateway/Subnet: 192.168.30.1/24
DHCP Mode: DHCP Server
DHCP Range: 192.168.30.10 - 192.168.30.250
DHCP DNS: Auto
Domain Name: iot.local
IGMP Snooping: Enable
  3. Click Add Network for each

3.2 Configure Firewall Rules

Navigate to Settings → Firewall & Security → Create Entry

Rule 1: Block IoT to Private

Type: LAN In
Description: Block IoT to Private
Rule Applied: Before Predefined Rules
Action: Drop
IPv4 Protocol: All

Source:
  Source Type: Network
  Network: IoT
  Network Type: IPv4

Destination:
  Destination Type: Network
  Network: Private
  Network Type: IPv4

Advanced:
  Logging: Enable
  States: New

Rule 2: Block IoT to Guest

Type: LAN In
Description: Block IoT to Guest
Action: Drop
Source: IoT (192.168.30.0/24)
Destination: Guest (192.168.20.0/24)

Rule 3: Block Guest to Private

Type: LAN In
Description: Block Guest to Private
Action: Drop
Source: Guest (192.168.20.0/24)
Destination: Private (192.168.10.0/24)
Logging: Enable

Rule 4: Block Guest to IoT

Type: LAN In
Description: Block Guest to IoT
Action: Drop
Source: Guest (192.168.20.0/24)
Destination: IoT (192.168.30.0/24)

Rule 5: Allow Established/Related

Type: LAN In
Description: Allow Established/Related
Action: Accept
States: Established, Related

3.3 Verify Configuration

  1. Check Settings → Networks - All three networks listed
  2. Check Settings → Firewall & Security - All rules present and enabled
  3. Review rule order (block rules before allow rules)

Option B: EdgeRouter

3.1 Transfer and Run Setup Script

# Copy script to router
scp config/edgerouter/setup.sh admin@192.168.1.1:/tmp/

# SSH to router
ssh admin@192.168.1.1

# Make executable
chmod +x /tmp/setup.sh

# Review script first
cat /tmp/setup.sh

# Run setup (will enter configure mode)
sudo /tmp/setup.sh

3.2 Manual Configuration (Alternative)

If you prefer manual configuration:

ssh admin@192.168.1.1
configure

# Follow commands in config/edgerouter/setup.sh
# Copy/paste section by section

# When done:
commit
save
exit

3.3 Verify Configuration

# Check interfaces
show interfaces

# Check DHCP
show dhcp server

# Check firewall
show firewall

# Check NAT
show nat rules

Phase 4: WiFi Configuration

4.1 Create Wireless Networks (UniFi)

Navigate to Settings → WiFi → Create New WiFi Network

Private WiFi:

Name/SSID: MyHome (or your preferred name)
Enabled: Yes
Password: [Your strong password]
Network: Private (VLAN 10)
WiFi Band: 2.4 GHz & 5 GHz
Security Protocol: WPA3 Only (or WPA2/WPA3)
Advanced:
  Fast Roaming: Enable
  Multicast Enhancement: Enable
  BSS Transition: Enable

Guest WiFi:

Name/SSID: MyHome-Guest
Enabled: Yes
Password: [Your strong password]
Network: Guest (VLAN 20)
WiFi Band: 2.4 GHz & 5 GHz
Security Protocol: WPA2/WPA3
Advanced:
  Fast Roaming: Disable
  Multicast Enhancement: Disable
  Guest Policy: Inherit from network

IoT WiFi:

Name/SSID: MyHome-IoT
Enabled: Yes
Password: [Your strong password]
Network: IoT (VLAN 30)
WiFi Band: 2.4 GHz & 5 GHz
Security Protocol: WPA2
Hide SSID: Yes (optional)
Advanced:
  Fast Roaming: Disable
  Multicast Enhancement: Enable (for smart home)
  BSS Transition: Disable

4.2 Apply to Access Points

  1. Navigate to UniFi Devices → [Access Point]
  2. Click Settings → WiFi
  3. Ensure all three SSIDs are enabled
  4. Set appropriate transmit power

4.3 Configure Radio Settings (Optional)

2.4 GHz:

Channel Width: 20 MHz (HT20)
Channel: Auto (or 1, 6, 11 to avoid overlap)
Transmit Power: Auto

5 GHz:

Channel Width: 40 MHz or 80 MHz
Channel: Auto (or DFS channels if supported)
Transmit Power: Auto

Phase 5: Testing & Validation

5.1 Basic Connectivity Tests

Test Device Assignment

Connect a test device to each network and verify:

Private Network:

# Expected IP: 192.168.10.x
ip addr show
# or on Windows: ipconfig

# Test gateway
ping 192.168.10.1

# Test internet
ping 8.8.8.8
ping google.com

Guest Network:

# Expected IP: 192.168.20.x
ip addr show

# Test gateway
ping 192.168.20.1

# Test internet
ping 8.8.8.8

IoT Network:

# Expected IP: 192.168.30.x
ip addr show

# Test gateway
ping 192.168.30.1

# Test internet
ping 8.8.8.8

5.2 Network Isolation Tests

From Guest Device (192.168.20.x)

# Should FAIL - blocked by firewall
ping 192.168.10.1      # Private gateway
ping 192.168.10.100    # Private device
ping 192.168.30.1      # IoT gateway
ping 192.168.30.100    # IoT device

# Guest client isolation - should FAIL
ping 192.168.20.100    # Another guest device

# Should SUCCEED
ping 8.8.8.8          # Internet
curl https://google.com

From IoT Device (192.168.30.x)

# Should FAIL - blocked by firewall
ping 192.168.10.1      # Private gateway
ping 192.168.10.100    # Private device
ping 192.168.20.1      # Guest gateway

# Should SUCCEED
ping 8.8.8.8          # Internet
ping 192.168.30.1      # Own gateway

From Private Device (192.168.10.x)

# Should ALL SUCCEED - Private has full access
ping 192.168.10.1      # Own gateway
ping 192.168.20.1      # Guest gateway
ping 192.168.30.1      # IoT gateway
ping 192.168.30.100    # IoT device (management)
ping 8.8.8.8          # Internet
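The three isolation checklists above, turned into one script so the expected-FAIL and expected-SUCCEED results can be checked mechanically from each VLAN. This is an added example, not part of the original guide or the repository's scripts/validate-config.sh; it assumes the guide's addressing plan, that the sample .100 hosts are powered on, and uses an assumed PING_CMD variable so the ping command can be swapped out in a lab.

```shell
#!/bin/sh
# Added example, not from the original guide: the Section 5.2 isolation matrix as a
# script. Run it from a client on each VLAN, passing that VLAN's name (guest, iot or
# private). Assumes the guide's addressing and live .100 hosts; PING_CMD is an assumed hook.
PING_CMD=${PING_CMD:-"ping -c 2 -W 2"}
# Expected results from Section 5.2: "<source> <allow|block> <target> <label>".
MATRIX='guest allow 8.8.8.8 internet
guest block 192.168.10.1 private-gateway
guest block 192.168.10.100 private-device
guest block 192.168.30.1 iot-gateway
guest block 192.168.30.100 iot-device
guest block 192.168.20.100 other-guest-client
iot allow 8.8.8.8 internet
iot allow 192.168.30.1 own-gateway
iot block 192.168.10.1 private-gateway
iot block 192.168.10.100 private-device
iot block 192.168.20.1 guest-gateway
private allow 8.8.8.8 internet
private allow 192.168.10.1 own-gateway
private allow 192.168.20.1 guest-gateway
private allow 192.168.30.1 iot-gateway
private allow 192.168.30.100 iot-device'
# Return 0 when a ping exit status ($2, 0 = reply received) matches the policy ($1).
verdict() {
  case "$1:$2" in
    allow:0|block:[1-9]*) return 0 ;;
    *) return 1 ;;
  esac
}

# Print the checks that apply to one source network.
checks_for() {
  printf '%s\n' "$MATRIX" | awk -v n="$1" '$1 == n { print $2, $3, $4 }'
}

# Run every check for a source network; the return value is the number of mismatches.
# A "block" PASS only proves something when the target is known to be up, so confirm
# the .100 hosts answer from the private network before trusting it.
run_isolation_tests() {
  failures=0
  while read -r expect target label; do
    $PING_CMD "$target" >/dev/null 2>&1 </dev/null; rc=$?
    if verdict "$expect" "$rc"; then status=PASS; else status=FAIL; failures=$((failures + 1)); fi
    printf '%s %-5s %-16s %s\n' "$status" "$expect" "$target" "$label"
  done <<EOF
$(checks_for "$1")
EOF
  return "$failures"
}
[ $# -eq 0 ] || run_isolation_tests "$1"
```

Run it as `sh isolation-test.sh guest` from a guest client, then again with `iot` and `private` from the other two networks; a non-zero exit status means at least one check did not match the intended policy.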

5.3 Run Automated Validation

cd /path/to/nick-demo
chmod +x scripts/validate-config.sh
./scripts/validate-config.sh

Review output and fix any failures.

5.4 Performance Testing

Test bandwidth on each network:

# Guest network should be limited to 50Mbps down / 10Mbps up
# Use speedtest.net or:
speedtest-cli

Phase 6: Device Migration

6.1 Create Migration Plan

List all devices and their target networks:

Devices for Private Network (VLAN 10):
- [ ] Personal computers
- [ ] Phones
- [ ] Tablets
- [ ] Work laptops
- [ ] _________________

Devices for IoT Network (VLAN 30):
- [ ] Smart home hub
- [ ] Smart lights
- [ ] Thermostats
- [ ] Security cameras
- [ ] Smart TVs
- [ ] _________________

Guest Network (VLAN 20):
- Visitors only (no pre-migration needed)

6.2 Migrate Devices

WiFi Devices:

  1. Forget old network on device
  2. Connect to new SSID
  3. Enter password
  4. Verify connectivity

Wired Devices:

  1. Assign switch port to appropriate VLAN
  2. Device should receive new IP via DHCP
  3. Reboot device if necessary

6.3 IoT Device Special Considerations

Some IoT devices may require:

  • Factory reset to change networks
  • Mobile app reconfiguration
  • Static IP assignment

For devices requiring static IPs:

UniFi: Settings → Networks → IoT → DHCP → Static
Add MAC address and desired IP

Phase 7: Documentation & Cleanup

7.1 Update Network Documentation

Document the following:

Network Configuration:
Date Deployed: _________________
Deployed By: _________________

Networks:
- Private: 192.168.10.0/24 (VLAN 10)
- Guest: 192.168.20.0/24 (VLAN 20)
- IoT: 192.168.30.0/24 (VLAN 30)

WiFi SSIDs:
- MyHome → VLAN 10
- MyHome-Guest → VLAN 20
- MyHome-IoT → VLAN 30

Switch Ports:
Port 1: Trunk to Router
Port 2-4: Trunk to APs
Port 5-10: Private (VLAN 10)
Port 11-15: IoT (VLAN 30)
Port 16-20: Available

Static IP Assignments:
192.168.30.50: Security Camera 1
192.168.30.51: Security Camera 2
[etc...]

7.2 Create Quick Reference Guide

Print or save for quick access:

===================================
Network Quick Reference
===================================

WiFi Networks:
MyHome: [password stored securely]
MyHome-Guest: [password for guests]
MyHome-IoT: [password stored securely]

Admin Access:
Router: https://192.168.10.1
Username: admin
Password: [stored securely]

Support Contact: _________________
Emergency Rollback: Restore backup from [date]
===================================

7.3 Secure Password Storage

Store passwords securely:

  • Use a password manager (1Password, Bitwarden, etc.)
  • Share with authorized users only
  • Do not write them on paper or store them in plain-text files

7.4 Schedule Follow-up

Set reminders for:

  • 1 week: Check for any issues
  • 1 month: Review security logs
  • 3 months: Update firmware
  • 6 months: Change WiFi passwords

Rollback Procedure

If issues arise, you can roll back:

UniFi Rollback

  1. Navigate to Settings → System → Backup
  2. Click Restore Backup
  3. Select backup file from Phase 1
  4. Click Restore
  5. Wait for reboot

EdgeRouter Rollback

# Upload the Phase 1 backup first if the router has rebooted (/tmp is cleared)
scp ./config-[date].boot admin@192.168.1.1:/tmp/

ssh admin@192.168.1.1
configure

# Load backup: 'load' expects a saved copy of /config/config.boot. A
# 'show configuration commands' dump is a list of 'set' commands and is
# restored by pasting those commands into configure mode instead.
load /tmp/config-[date].boot

# Review the differences against the running configuration
compare

# Apply
commit
save

Post-Deployment Monitoring

Week 1 Checklist

  • Monitor DHCP pool usage
  • Review firewall logs daily
  • Test from all networks
  • Verify no unexpected blocks
  • Check device connectivity
  • Monitor bandwidth usage

Month 1 Checklist

  • Review security logs
  • Update firmware if available
  • Audit connected devices
  • Test disaster recovery
  • Update documentation

Common Deployment Issues

Issue: Devices can't connect to WiFi

Solution:

  • Verify SSID is broadcasting
  • Check password is correct
  • Ensure AP has adopted configuration
  • Verify network is not at DHCP limit

Issue: No internet access

Solution:

  • Check WAN connection
  • Verify NAT rules
  • Test DNS resolution
  • Check default route

Issue: Firewall blocking too much

Solution:

  • Review firewall logs
  • Check rule order
  • Verify source/destination addresses
  • Add exception rules if needed

Success Criteria

Deployment is successful when:

  • [✓] All three networks operational
  • [✓] DHCP working on all networks
  • [✓] Internet access from all networks
  • [✓] Network isolation verified
  • [✓] Guest client isolation working
  • [✓] All devices migrated successfully
  • [✓] No unexpected connectivity issues
  • [✓] Documentation complete
  • [✓] Backup created and verified

Congratulations! Your three-network configuration is deployed and operational.