Deployment

The core network is self-contained in an outdoor IP-rated cabinet — it does not depend on a tent being erected first. Once the cabinet is up and powered, locations can be brought online independently as the site builds around it.

Phase 1 — Outdoor cabinet

Network connectivity

Port assignments marked TBC should be updated in data/connections.yaml once confirmed.

graph LR subgraph wan[WAN Uplinks] starlink(["Starlink"]) cte_handoff(["CTE handoff"]) cellular_dongle(["Cellular dongle"]) end subgraph cabinet[Outdoor IP Cabinet] fw_01["fw-01\nNetgate pfSense"] core_sw_01["core-sw-01\nCore / Distribution Switch"] end starlink -->|"TBC"| fw_01 cte_handoff -->|"TBC"| fw_01 cellular_dongle -->|"USB"| fw_01 fw_01 -->|"TBC → TBC"| core_sw_01 classDef wan fill:#d65d0e,stroke:#fe8019,color:#ebdbb2 classDef cabinet fill:#458588,stroke:#83a598,color:#ebdbb2 class starlink wan class cte_handoff wan class cellular_dongle wan class fw_01,core_sw_01 cabinet

Power connectivity

graph TD subgraph pwr[UPS / Battery backup] ups([UPS]) end subgraph cabinet[Outdoor IP Cabinet] fw_01(["fw-01"]) core_sw_01(["core-sw-01"]) end subgraph wan[WAN Equipment] starlink(["Starlink"]) end ups -->|"TBC"| fw_01 ups -->|"TBC"| core_sw_01 ups -->|"TBC"| starlink classDef ups fill:#504945,stroke:#665c54,color:#ebdbb2 classDef cabinet fill:#458588,stroke:#83a598,color:#ebdbb2 classDef wan fill:#d65d0e,stroke:#fe8019,color:#ebdbb2 class ups ups class fw_01 cabinet class core_sw_01 cabinet class starlink wan

Physical setup

  • Position outdoor cabinet — confirm it is level, secure, and weatherproof
  • Run and connect WAN uplinks into cabinet:
    • Starlink feed
    • CTE handoff
    • 4G/5G dongle (USB into firewall)
  • Connect UPS/battery backup — confirm it is charged before powering network equipment
  • Power on fw-01 and core-sw-01 from UPS
  • Connect firewall LAN port to core switch uplink port (see diagram above)
  • Mount and aim ePMP sector AP (epmp-ap-01) — confirm line of sight to location positions
  • Connect ePMP sector AP to core switch

Firewall (fw-01)

  • Boot pfSense — confirm console access (see Firewalls)
  • Assign WAN interfaces (see WAN interfaces):
    • Starlink: DHCP
    • CTE: as provided by handoff sheet
    • 4G/5G dongle: DHCP
  • Configure LAN/VLAN interfaces and DHCP pools (see VLANs & DHCP)
  • Configure multi-WAN failover / policy routing (see Multi-WAN failover)
  • Confirm internet access from firewall management interface

Core switch (core-sw-01)

  • Configure management IP and management VLAN (see Switches)
  • Configure all site VLANs
  • Configure trunk to firewall
  • Configure downlink ports to locations as trunks (one port per location)
  • Confirm reachability to firewall management IP

Cabinet validation

  • Inter-VLAN routing working (ping between VLANs from firewall)
  • DHCP pools handing out addresses on each VLAN
  • All three WAN uplinks showing in pfSense dashboard
  • Failover test: unplug Starlink — confirm failover to CTE

Phase 2 — Locations

All locations are independent once the core switch is up. Deploy them in parallel or sequentially as the site builds. See Locations for per-location device details.

Repeat the following for each location:

  • If using physical uplink: confirm cable run to core switch is live
  • If using ePMP backhaul: mount and aim subscriber module, connect to location switch uplink port, confirm link to sector AP before proceeding
  • Power on location switch
  • Configure management IP and management VLAN
  • Configure all site VLANs on trunk uplink
  • Configure access ports
  • Power on AP — it is PoE from the location switch, no separate PSU
  • AP joins controller / broadcasts SSIDs (see Wi-Fi)
  • Confirm wireless client can get DHCP and reach internet from inside the location

Phase 3 — End-user services

Once locations are up:

  • Connect and configure printers (see Printers)
  • Power on video matrix unit (see Video Matrix)
  • Connect source inputs and display outputs to matrix
  • Configure routing presets and test all screen/source combinations
  • Confirm briefing screens are reachable on the briefing VLAN

Phase 4 — Full validation

Run the health check against all devices:

uv run riat health-check

Or via Ansible:

ansible-playbook ansible/playbooks/health-check.yml

Check off:

  • All switches reachable over SSH
  • All APs reachable
  • Firewall reachable
  • Internet reachable from each VLAN
  • No unexpected devices on management VLAN