
Black Pearl Head Office
10 GbE UniFi Network

QUICK SURF NETWORK

Unleashing Digital Excellence

CASE STUDY · 2026
SITE: BLACK PEARL HEAD OFFICE · SMB
STACK: UNIFI 10 GbE · UDM SE
BACKBONE: 10 GbE FIBRE · END-TO-END
WI-FI: WI-FI 7 · 320 MHz @ 6 GHz
STATUS: • LIVE · 100% WAN UPTIME
Black Pearl Head Office · SMB Deployment
Enterprise-Grade
10 GbE Office Topology

A fully managed UniFi deployment serving as QSN’s own working head office — 10 GbE end-to-end fibre backbone, UDM SE gateway, 4-floor switching aggregation, Wi-Fi 7 access points across 4 zones, 8 segmented VLANs, zone-based firewall with 129 enforced policies, CyberSecure IDS/IPS with 72,102 active signatures, geo-blocking, region-routed VPN egress, encrypted DNS, and 24/7 honeypot deception across every subnet. Designed, deployed, and operated end-to-end by QSN as both reference architecture and daily-driver business network.

10 GbE Aggregation · 10 GbE Wi-Fi 7 APs · 10 GbE NAS · 72k IDS Signatures · 129 Firewall Policies
Gateway: 1 (UDM SE · UniFi OS 5.0.16)
Switches: 5 (1 × AGG · 4 × ACCESS)
Wi-Fi 7 / 6 APs: 4 (10 GbE / 2.5 GbE UPLINK)
VLANs: 8 · 6 SSIDs (ZONE-SEGMENTED)
Active Clients: 36 (9 WIRED · 27 WIRELESS)
Firewall Policies: 129 (7-ZONE MATRIX)
Layer 0 — WAN Edge · Gateway Core · Cloud Operations

Internet · Single WAN

WAN 1 · Fibre
Primary ISP · GbE handoff
•••.•••.•••.•••
Uptime: 100% (Continuous since deployment)
Peak Util.: 49% · 4% (24h Down · Up envelope)
BLACK PEARL HEAD OFFICE
UDM SE · UNIFI OS 5.0.16
10 GbE Edge · 7-Zone Firewall · IDS/IPS Active

Cloud Operations

UniFi Cloud Access: LIVE (Connected · UTC+04:00)
UniFi OS Release: UP TO DATE (5.0.16 · Official channel)
Apps Managed: 6 APPS (Network, Protect, Access, Connect…)
Layer 1 — Zone-Based Firewall · 7 Zones · 129 Policies

7 Security Zones

Source × Destination Policy Matrix
Internal: 7 networks
External: WAN + VPN egress
Gateway: UDM SE itself
VPN: Teleport WG
Hotspot: Guest VLAN 30
DMZ: Reserved
All Policies: 129 active

Source → Destination | Internal | External | Gateway | VPN | Hotspot | DMZ
Internal | Allow All (12) | Allow All (11) | Allow All (7) | Allow All (9) | Allow All (10) | Allow All (2)
External | Allow Return (5) | Allow Return (3) | Allow Return (7) | Allow Return (3) | Allow Return (3) | Allow Return (3)
Gateway | Allow All | Allow All | Allow All | Allow All | Allow All
VPN | Allow All | Allow All (2) | Allow All | Allow All | Allow All | Allow All
Hotspot | Allow Return (4) | Allow All (7) | Allow Return (12) | Allow Return (4) | Block All (3) | Block All (2)
DMZ | Allow Return | Allow All (2) | Allow Return | Allow Return | Block All | Block All
Layer 2 — 8 VLAN Segmentation · Per-Subnet Isolation

8 VLAN Segments

Subnet · DHCP · Inter-VLAN ACL Enforced
Default (VLAN 1 · INFRA): /27 · Management · Infra mgmt · 8 leases
Corporate LAN (VLAN 10): /25 · 124 IPs · Primary staff · 22 leases
IoT (VLAN 20): /24 · 249 IPs · Smart devices · 28 leases
Guest (VLAN 30 · HOTSPOT): /27 · 29 IPs · Visitor isolated
VPN Egress (VLAN 40 · ROUTED): /28 · 12 IPs · PBR → outbound VPN
Alt-VPN (VLAN 50 · ROUTED): /29 · 4 IPs · Secondary VPN egress
PBX / Voice (VLAN 60 · QoS): /27 · 28 IPs · Grandstream · 4 phones
Protect (VLAN 70 · CCTV): /28 · 12 IPs · UniFi Protect cameras
Layer 3 — Wi-Fi Architecture · 6 SSIDs · Tri-Band · Wi-Fi 7
BP-CORP: 5 + 6 GHz · Tri-band · Corporate · VLAN 10 · 8 active clients · WPA2/WPA3
BP-IOT: 2.4 GHz · Isolated · IoT · VLAN 20 · 17 active clients · WPA2
BP-VPN-X: 2.4 GHz · Egress-Routed · VPN Egress · VLAN 40 · On-demand · PBR enforced · WPA2
BP-PBX: 2.4 GHz · QoS prioritized · PBX · VLAN 60 · 2 wireless phones · WPA2
BP-GUEST: 2.4 + 5 + 6 GHz · Hotspot · VLAN 30 · Captive portal · bandwidth-capped · WPA2/WPA3
BP-UID: 5 GHz · 802.1X · UniFi Identity · Native · Per-user certificate auth · WPA2/WPA3 ENT
Layer 4 — 10 GbE Backbone · Aggregation Core · Access Distribution

USW Aggregation · 8-Port 10 GbE Fibre Core

SFP+ aggregation switch · STP Root (priority 0)
10 GbE fibre core fanning out to USW 1 Pro XG (SFP+ uplink), USW Lite 8 PoE, and downstream access switches. Spanning Tree root anchor, IGMP querier, and inter-VLAN L3 routing handoff to UDM SE.
STP Root · 8 × SFP+ 10G · IGMP Querier · RSTP
UDM SE Gateway
10 GbE
UniFi Dream Machine Special Edition · UniFi OS 5.0.16
All-in-one routing, firewall, IDS/IPS, threat intelligence, VPN termination (Teleport/WireGuard, OpenVPN client), and 7-zone policy engine. SFP+ to aggregation core.
Edge · Routing · Security
USW Aggregation
10 GbE
8-port 10G SFP+ aggregation switch
L3 fibre core handing off to USW 1 Pro XG and direct-attached 10G hosts. STP root anchor for the entire LAN. IGMP querier for multicast services.
Core Aggregation
USW 1 Pro XG
10 GbE
10-port managed multigig L2/L3 switch
Primary access switch — aggregates two Wi-Fi 7 APs, IT cabinet camera, NAS (10G), aggregation uplink, plus distribution to room-level switches. Multigig 2.5/10G ports.
Distribution + Access
USW Flex 2.5G 8 PoE
10 GbE
8-port 2.5G PoE access switch · 10G uplink
Workstation and smart-device PoE distribution. 2.5G to desktops, PoE+ for cameras and IoT bridges, 10G fibre uplink to USW 1 Pro XG.
Workstation Access
USW Flex XG
10 GbE
5-port 10G all-fibre access switch
High-throughput room/workstation switch serving the development zone. All 10G ports support full-line-rate sustained transfer to local NAS and across zones.
High-Throughput Zone
USW Lite 8 PoE
GbE
8-port managed PoE access switch
Auxiliary PoE distribution for media room: smart TV, PlayStation, room AP. GbE uplink to USW 1 Pro XG, PoE+ budget for additional APs/cameras.
Media Zone Access
AP Zone A
10 GbE
UniFi U7 Pro XG · Wi-Fi 7 tri-band
Flagship Wi-Fi 7 AP — 2.4 / 5 / 6 GHz radios, 320 MHz 6 GHz channel width, multi-link operation (MLO) capable, 10 GbE uplink for true Wi-Fi 7 line rate.
Primary Coverage
AP Zone B
10 GbE
UniFi U7 Pro XG · Wi-Fi 7 tri-band
Second flagship Wi-Fi 7 AP covering meeting/work area with overlapping seamless-roaming cell to AP Zone A. 10 GbE uplink, MLO-capable.
Secondary Coverage
AP Zone C
2.5 GbE
UniFi U7 Long-Range · Wi-Fi 7 dual-band
Long-range Wi-Fi 7 AP serving the far end of the office footprint. 2.5 GbE multigig uplink, optimized for distance coverage rather than peak throughput.
Extended Coverage
AP Zone D
10 GbE
USW Flex XG attached AP · Wi-Fi 6
Dedicated AP block serving the dev zone. Mounted on USW Flex XG for full 10G-class capacity to LAN. Roaming-paired with Zone A/B for client handoff.
Development Zone
IT Cabinet Camera
FE
UniFi G5 Flex PTZ
Physical security camera attached to the rack itself — rack-cabinet surveillance, motion-triggered recording on UniFi Protect (VLAN 70), included as part of zero-trust physical posture.
Physical Security
DS-Class NAS
10 GbE
5-bay Synology NAS · 10G NIC
Centralized storage and Plex media server for the office. Connected at full 10 GbE to USW 1 Pro XG. Port-forwarded for remote-only Plex access (no SMB exposure to WAN).
Storage · Media
Layer 5 — Layered VPN Architecture · Inbound & Outbound

Multi-Tier VPN Strategy

Inbound Remote Access · Outbound Region Routing · Alt Egress

Primary Outbound VPN

↑ Egress · OpenVPN
Selected source devices on VLAN 40 are policy-routed outbound through a commercial OpenVPN endpoint in the US region. Used for region-locked services and privacy isolation while the rest of LAN egresses normally over WAN1.
Tunnel /32 · PBR: 6 source rules · Port 1195

Inbound Remote Access

↓ Ingress · WireGuard (Teleport)
UniFi Teleport / WireGuard hosted on the UDM SE for secure remote staff access. Invite-only via short-lived URL tokens with full invitation audit history. No always-open inbound ports.
VPN Server: WG-BlackPearl · Invite-based

Alt Egress Channel

↑ Egress · Reserved VPN
Secondary outbound VPN egress on VLAN 50 as policy-based-routing fallback or for clients needing a distinct egress identity from the primary VPN. All-traffic policy when in use.
PBR rule: NORD VPN · VLAN 50 routed
Layer 6 — Defense in Depth · IDS/IPS · Geo-Block · Honeypot Deception

CyberSecure Enhanced · Proofpoint + Cloudflare Threat Intelligence

Active · 23,807 events / 24h
Active IDS Signatures: 72,102 (All 7 categories enabled)
Blocked Events / 24h: 23,807 (96% LOW · 3.9% SUSPICIOUS)
Firewall Policies: 129 (ZONE MATRIX ENFORCED)
Honeypot Subnets: 8 / 8 (DECEPTION ON EVERY VLAN)
Threat Intelligence · IDS/IPS · Category Coverage
Botnets and Threat Intelligence: 5 / 5
Viruses, Malware and Spyware: 4 / 4
Hacking and Exploits: 5 / 5
Peer to Peer and Dark Web: 3 / 3
Attacks and Reconnaissance: 7 / 7
Protocol Vulnerabilities: 12 / 12
CINS Army Reputation List: CURATED
DShield Block List: CURATED
Network & Geographic Hardening
Region Block · High-Risk Geography: BLOCKED BOTH
Encrypted DNS · Cloudflare + Google: AUTO
Honeypot Deception (per-VLAN): 8 SUBNETS
UniFi SSL Identity Certificate: DISTRIBUTED
Memory-Optimized Detection: ENABLED
Detection Mode: NOTIFY + BLOCK
L3 Network Lists · Inter-VLAN ACL Object Groups
RFC1918 Private Ranges (3 CIDRs) · IPv4
IoT-to-Gateway Block (2 entries) · IPv4
Corp-to-Gateway Block (2 entries) · IPv4
Guest-to-Gateway Block (2 entries) · IPv4
Management Ports (HTTP/HTTPS/SSH) · PORT
Printer Object & Service Pins · IPv4
Layer 7 — Application Visibility · Flow Telemetry · Region Insights

Application & Region Insights · 24h Window

Flow telemetry · Top affected entities

Top Triggered Policies

Inter-VLAN Block (Primary): 11,255
Inter-VLAN Block (Secondary): 11,186
CINS Army Reputation List: 725
DShield Block List: 220
Simple-App Block (Epic Games): 193

Top Affected Regions

🇺🇸 United States: 193
🇦🇪 United Arab Emirates (local): 29
🇮🇷 High-Risk Region (blocked)
Total Flow Records / 24h: 10,000+
Flow Summary: 96% LOW

Operational Excellence · SMB Reference Deployment

WAN Uptime: 100% (FAILOVER MODE · SINGLE WAN)
Backbone Speed: 10 GbE (END-TO-END FIBRE)
Concurrent Clients: 36 (9 WIRED · 27 WIRELESS)
Threats Blocked / 24h: 23.8k (96% LOW · 0 BREACH)

The Black Pearl Head Office is one of QSN’s SMB managed deployments — designed as the reference architecture that QSN brings to every commercial client engagement. The full UniFi stack runs on a 10 GbE end-to-end fibre backbone with Wi-Fi 7 wireless edge, eight segmented VLANs governed by a 7-zone firewall enforcing 129 active policies, IDS/IPS with 72,102 signatures across all 7 threat categories, region blocking, encrypted DNS, layered VPN (inbound Teleport + outbound region-routed egress), and honeypot deception on every subnet. Over the last 24 hours alone the network blocked 23,807 threat events with zero successful breaches and zero unplanned downtime — the same operational posture QSN delivers to every managed SMB and commercial site.

Network as Mythology · The Black Pearl

AI · Generated Visualization
The Black Pearl, reimagined as a steampunk data-coffer — AI-generated visualization of the head office network stack
Edge Gateway · Steampunk Visualization

The Black Pearl, Reimagined as Legend.

An AI-generated artistic interpretation of the Black Pearl Head Office network stack — the 10 GbE backbone, UDM SE gateway, 7-zone firewall and segmented VLANs reimagined as a steampunk data-coffer aboard a pirate vessel. Each element of the visualization maps to a real component of the live infrastructure: the brass gear assembly stands in for the UDM SE core, the rope-tied patch cabling traces the 10 GbE backbone, the jellyfish-lit glass tubes represent illuminated VLAN segmentation, and the locked treasure chest at the centre is the encrypted-DNS · honeypot-defended subnet vault.

This visualization is not a literal rack diagram — it’s a brand-aligned reimagining that captures the spirit of the deployment: layered defense, structured aggregation, and the kind of operational reliability that makes a network worth naming after a flagship.

Brass Gear Assembly → UDM SE Core
Rope-Tied Patching → 10 GbE Backbone
Lit Glass Tubes → VLAN Segments
Locked Treasure Vault → Honeypot + DNS
AI-Generated Artistic Interpretation · Not a Literal Diagram · The Real Topology is Documented in Layers 0–7 Above
Designed · Deployed · Operated by QSN
quicksurfnetwork.com · +971 4 288 2335 · Port Saeed, Deira, Dubai · info@quicksurfnetwork.com