
Overview
Over the past 10 years, I’ve designed, built, and continuously refined the network infrastructure for our restaurant, Big Fish, spanning two physical locations: the main restaurant and a seasonal beachside ice cream/coffee shop in Skjærhalden. The network has evolved from a basic flat setup into a fully segmented, secure, and resilient system supporting all core operations — POS, surveillance, office work, guest Wi-Fi, and IoT.
Network Architecture
- Two locations connected via a Ubiquiti NanoBeam point-to-point wireless bridge (~300 m line of sight)
- Fiber internet with static IP at the main site
- UniFi Dream Machine Pro (UDM Pro) as central router, firewall, controller, and NVR
- Logical segmentation: VLANs with ACLs and strict inter-VLAN firewall rules, plus port/client isolation inside the untrusted VLANs
- Physical segmentation: dedicated switch ports and separate cabling for key systems
- VPN for secure remote access to internal resources
Hardware
- Switches
- 1× USW-24 PoE
- 2× USW-8
- 1× USW-Flex Utility (cabinet-mounted, outdoor-rated)
- 2× USW-Flex Mini
- Wireless
- 8× UniFi APs in meshed configuration for full coverage across both sites
- Wireless Bridge
- Ubiquiti NanoBeam for inter-site connectivity
POS System (Restolution)
- 1× main server (Ubuntu-based proprietary OS)
- 4× mini PCs (same OS)
- iPads used to remotely control the mini PCs
- Everything is located on a dedicated POS VLAN
Network Segmentation
- Default VLAN – Infrastructure devices (APs, switches, controller)
- Internal VLAN – Office systems and admin PCs
- POS VLAN – POS terminals, mini PCs, iPads
- Surveillance VLAN – IP cameras
- Guest VLAN – Isolated, internet-only access (non-obvious SSID, bandwidth-limited, shared only when needed; the firewall isolation, not the SSID name, is the actual security boundary)
- IoT VLAN – Smart devices with strict client isolation (no traffic between clients on the VLAN, no lateral movement into other VLANs)
Segmentation is enforced via both logical controls (VLANs, ACLs, firewall rules) and physical mapping (dedicated ports, separate cabling).
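To make the segmentation policy concrete, here is an added example that is not the author's actual UDM Pro rule set: the inter-VLAN policy described above modelled as an ordered rule list with a default deny, a checker that evaluates sample flows, and an audit of the invariants a practitioner would re-run after every rule change. The VLAN names follow the page; the ports, the rule order, the sample flows and the audit invariants are assumptions for illustration.

```python
# Added example (not the author's actual UDM Pro configuration): the inter-VLAN policy
# described on the page modelled as an ordered rule list with default deny, plus a
# flow checker and a policy audit. VLAN names follow the page; the ports, rule order
# and sample flows are assumptions.
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

INTERNET = "Internet"          # pseudo-destination for WAN-bound traffic


@dataclass(frozen=True)
class Rule:
    src: str                         # source VLAN
    dst: str                         # destination VLAN, or INTERNET
    ports: Optional[FrozenSet[int]]  # None = any port
    action: str                      # "allow" or "deny"
    note: str = ""


# First match wins; a flow that matches nothing is denied. Return traffic for an
# allowed flow is assumed to be handled by the stateful firewall, so only the
# initiating direction is listed. Ports are illustrative, not the real ones.
POLICY: List[Rule] = [
    # Admin PCs manage infrastructure, the POS server and the cameras
    Rule("Internal", "Default", frozenset({22, 443}), "allow", "manage switches/APs/controller"),
    Rule("Internal", "POS", frozenset({22, 443}), "allow", "support the POS server"),
    Rule("Internal", "Surveillance", frozenset({443}), "allow", "view cameras"),
    Rule("Internal", INTERNET, None, "allow", "office internet"),
    # Cameras only need the Protect NVR, which lives on the UDM Pro in the Default VLAN
    Rule("Surveillance", "Default", None, "allow", "camera -> NVR (narrow to the NVR IP in practice)"),
    # POS terminals, mini PCs and iPads talk among themselves and to their vendor over HTTPS
    Rule("POS", "POS", None, "allow", "terminals <-> POS server"),
    Rule("POS", INTERNET, frozenset({443}), "allow", "POS vendor cloud (assumed)"),
    # Guest and IoT: internet only; intra-VLAN traffic is blocked by client isolation on APs/switches
    Rule("Guest", "Guest", None, "deny", "client isolation"),
    Rule("Guest", INTERNET, None, "allow", "guest internet"),
    Rule("IoT", "IoT", None, "deny", "client isolation"),
    Rule("IoT", INTERNET, None, "allow", "IoT cloud services"),
]


def evaluate(src: str, dst: str, port: int, policy: List[Rule] = POLICY) -> Tuple[str, str]:
    """Return (action, reason) from the first rule matching the flow, or the default deny."""
    for rule in policy:
        if rule.src == src and rule.dst == dst and (rule.ports is None or port in rule.ports):
            return rule.action, rule.note
    return "deny", "default deny"


UNTRUSTED = {"Guest", "IoT"}


def audit_policy(policy: List[Rule] = POLICY) -> List[str]:
    """Invariants to re-check after every rule change: untrusted VLANs reach only the
    internet, only Internal and POS itself reach the POS VLAN, and only Internal and
    the cameras' NVR path reach the infrastructure (Default) VLAN."""
    problems = []
    for r in policy:
        if r.action != "allow":
            continue
        if r.src in UNTRUSTED and r.dst != INTERNET:
            problems.append(f"{r.src} -> {r.dst}: untrusted VLAN must be internet-only")
        if r.dst == "POS" and r.src not in {"POS", "Internal"}:
            problems.append(f"{r.src} -> POS: only POS and Internal may reach POS")
        if r.dst == "Default" and r.src not in {"Internal", "Surveillance"}:
            problems.append(f"{r.src} -> Default: infrastructure reachable from an unexpected VLAN")
    return problems


# Constructed sample flows: (src VLAN, dst, port, what it represents)
SAMPLE_FLOWS = [
    ("Guest", "POS", 443, "guest laptop poking the POS server"),
    ("IoT", "IoT", 80, "coffee machine scanning its neighbours"),
    ("Surveillance", "Internal", 445, "compromised camera reaching for an office PC"),
    ("Internal", "Default", 443, "admin opening the controller"),
    ("POS", "POS", 8080, "iPad driving a mini PC"),
]


def check_flows(flows=SAMPLE_FLOWS, policy: List[Rule] = POLICY) -> List[Tuple[str, str]]:
    """Evaluate each sample flow; returns (description, action) pairs."""
    return [(desc, evaluate(src, dst, port, policy)[0]) for src, dst, port, desc in flows]


if __name__ == "__main__":
    for desc, action in check_flows():
        print(f"{action:5}  {desc}")
    print("audit:", audit_policy() or "no violations")
```

The audit is the part worth keeping around: a "temporary" allow from Guest to POS (the kind of request the Real-World Lessons section describes) is flagged twice, once for breaking internet-only and once for touching the POS VLAN, before it ever reaches the firewall.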
Surveillance & UniFi Protect
- UniFi Protect system with bullet, dome, and turret cameras
- NVR hosted on the UDM Pro
- Remote access via UniFi Protect app, secured with two-factor authentication (2FA)
- Surveillance VLAN is fully isolated from internal and guest networks
Security & Evolution
The infrastructure originally ran as a flat network. After a malware incident on a staff device impacted internal systems, I redesigned the entire architecture with a focus on isolation, least-privilege access, and layered security. Key protections include:
- Strict VLAN and firewall rules
- Port-based physical isolation for key systems (POS, cameras, infrastructure)
- IoT client isolation
- Secure remote access via VPN and 2FA
Network Administration
- Centralized configuration and monitoring via UniFi Controller
- Accessed locally or remotely via the UniFi Cloud Portal
- All administrative access protected by 2FA
- Active alerting used to monitor device availability and outages (e.g. sudden offline events from cable damage or device failure)
- Outages are often detected via notifications before staff or systems notice — such as a recent fiber cut that was flagged to me before it impacted POS operations.
- Updates are performed manually on a fixed schedule, with reminders set in Todoist — auto-updates are disabled after a past issue caused a full crash during service hours
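The availability alerting above is what turns an outage into a notification. As an added example, not the page's own tooling or the UniFi controller's logic, here is the kind of offline-alert processing a practitioner would run over controller events: short flaps (a device rebooting for an update) are suppressed with a grace period, and the loss of every device behind one uplink at the same moment (for instance the whole beach site behind the NanoBeam bridge) is reported as one uplink-level alert rather than a pile of unrelated device alerts. Device names, sites, timings, thresholds and the event stream are constructed assumptions.

```python
# Added example (not the page's own tooling): offline-alert logic over a constructed
# controller event stream. Suppresses flaps shorter than a grace period and separates
# a site-wide loss (every device behind one uplink gone at once) from a single device
# or cable failure. Device names, sites, timings and thresholds are assumptions.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Event:
    ts: datetime
    device: str
    site: str
    state: str  # "offline" or "online"


@dataclass(frozen=True)
class Outage:
    device: str
    site: str
    start: datetime
    end: Optional[datetime]  # None = still offline


@dataclass(frozen=True)
class Alert:
    site: str
    kind: str          # "uplink" or "device"
    devices: tuple


GRACE = timedelta(seconds=90)    # a planned reboot is shorter than this (assumed)
WINDOW = timedelta(seconds=30)   # devices lost within this window count as one event

# Constructed inventory: which adopted devices sit behind each site's uplink
INVENTORY: Dict[str, List[str]] = {
    "Main": ["USW-24-PoE", "AP-Kitchen", "AP-Bar"],
    "Skjærhalden": ["USW-Flex-Mini-Beach", "AP-Beach"],
}

T0 = datetime(2024, 6, 1, 10, 0, 0)
NOW = T0 + timedelta(minutes=15)
# Constructed events: the whole beach site drops at once, the bar AP flaps briefly,
# and the kitchen AP goes away and stays away.
EVENTS: List[Event] = [
    Event(T0, "USW-Flex-Mini-Beach", "Skjærhalden", "offline"),
    Event(T0 + timedelta(seconds=4), "AP-Beach", "Skjærhalden", "offline"),
    Event(T0 + timedelta(minutes=5), "AP-Bar", "Main", "offline"),
    Event(T0 + timedelta(minutes=5, seconds=40), "AP-Bar", "Main", "online"),
    Event(T0 + timedelta(minutes=10), "AP-Kitchen", "Main", "offline"),
]


def find_outages(events: List[Event], now: datetime, grace: timedelta = GRACE) -> List[Outage]:
    """Pair offline/online events per device; keep only outages longer than `grace`."""
    open_since: Dict[str, Event] = {}
    outages: List[Outage] = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.state == "offline":
            open_since.setdefault(ev.device, ev)        # keep the earliest offline
        elif ev.state == "online" and ev.device in open_since:
            first = open_since.pop(ev.device)
            if ev.ts - first.ts >= grace:
                outages.append(Outage(ev.device, ev.site, first.ts, ev.ts))
            # else: a flap shorter than the grace period, not worth a notification
    for ev in open_since.values():                       # still offline right now
        if now - ev.ts >= grace:
            outages.append(Outage(ev.device, ev.site, ev.ts, None))
    return outages


def correlate(outages: List[Outage], inventory: Dict[str, List[str]],
              window: timedelta = WINDOW) -> List[Alert]:
    """One 'uplink' alert when every device at a site was lost within `window`,
    otherwise one 'device' alert per outage (cable damage, PoE loss, hardware failure)."""
    by_site: Dict[str, List[Outage]] = {}
    for o in outages:
        by_site.setdefault(o.site, []).append(o)
    alerts: List[Alert] = []
    for site, devices in inventory.items():
        site_outages = by_site.get(site, [])
        lost = {o.device for o in site_outages}
        starts = [o.start for o in site_outages]
        if site_outages and lost >= set(devices) and max(starts) - min(starts) <= window:
            alerts.append(Alert(site, "uplink", tuple(sorted(lost))))
            continue
        for o in site_outages:
            alerts.append(Alert(site, "device", (o.device,)))
    return alerts


def run(events: List[Event] = EVENTS, now: datetime = NOW) -> List[Alert]:
    """Full pipeline over the constructed events: returns the alerts that would be sent."""
    return correlate(find_outages(events, now), INVENTORY)


if __name__ == "__main__":
    for a in run():
        print(f"[{a.kind}] {a.site}: {', '.join(a.devices)}")
```

Two alerts come out of the constructed stream: an uplink alert for Skjærhalden (both beach devices lost four seconds apart, which points at the bridge or its power rather than two coincidental failures) and a device alert for AP-Kitchen; the 40-second AP-Bar flap is dropped. A cut on the main site's fiber is a WAN-down event rather than a device-offline event, so it is not what this correlation handles.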
Reliability & Failover
- During a recent fiber outage, an Android phone with USB-to-Ethernet adapter was used as a temporary WAN failover, keeping POS and admin services online with minimal disruption.
- Planning to implement a dedicated 5G router as a permanent WAN failover solution to ensure seamless continuity during future outages.
Real-World Lessons
As the network has matured, so has my understanding of the risks and responsibilities that come with maintaining it. One of the consistent challenges has been managing expectations from others who want to plug in new devices without understanding the implications.
“Why can’t we just let him use the network?”
“How do I connect this device to the network?”
“Do we need all these networks?”
“Does the coffee machine really need its own VLAN?”
Yes. Yes, it does. 😆
My insistence on proper segmentation and access control has earned me a reputation for being “a bit much” 😅 when it comes to the network. But I’d rather be irritating than insecure.
What I Would Do Differently
Looking back, there are a couple of things I would definitely change:
- Install more structured cabling during construction: Not running additional network cables through the walls early on has led to time-consuming workarounds. Having those in place would have saved significant effort later.
- Add a UPS: Power outages are rare but disruptive. A reliable uninterruptible power supply (UPS) for the core networking equipment would improve uptime and prevent hardware shutdowns during brief interruptions.
These may seem minor, but they would have contributed greatly to resilience and maintainability.
Skills & Technologies Demonstrated
- Secure network design (logical and physical segmentation)
- Wireless mesh and long-range point-to-point bridging
- VLAN architecture and firewall configuration
- Surveillance deployment with 2FA-secured access
- Improvised WAN failover during a live internet outage
- Manual firmware management and operational planning
- End-to-end management using the Ubiquiti UniFi ecosystem: UDM Pro, USW PoE switches, APs, NanoBeam, Protect