Case Study: Full Wi-Fi Coverage and Network Segregation for a Multi-Tenant Community Centre

The Client

A busy community centre in Hampshire, operating across a converted Victorian building and a modern extension comprising approximately 2,800 square metres of floor space. The centre is home to a managing charity that administers the building, along with four tenant organisations — including a health and wellbeing organisation, a youth service, a small accountancy practice, and a community café open to the public.

The building hosts events, classes, and public visitors throughout the week, with average daily footfall of over 150 people during term time.

The Challenges

When Complianta were approached, the existing setup had grown organically over several years and was causing significant problems:

Single shared Wi-Fi network: All users — staff from every tenant organisation, public visitors in the café, and event attendees — were connecting to a single wireless network with one shared password.

No network isolation: The accountancy practice's computers and the health organisation's client data systems shared the same broadcast domain as café visitors. A guest device could, in principle, see and probe other devices on the network.

Dead zones and unreliable coverage: The Victorian building section had thick stone walls and was largely without usable wireless signal. The main hall — frequently used for events — had no coverage at the far end.

Unmanaged consumer equipment: Three consumer-grade routers had been placed around the building at various points, each creating its own separate network. Devices didn't roam between them, causing constant disconnections as people moved around.

No content filtering: Public visitors had unrestricted internet access with no protection against malicious sites or inappropriate content.

No bandwidth management: A single user could saturate the shared connection, affecting everyone else in the building.

The Objectives

Following our initial site survey and a series of conversations with the centre manager and representatives from each tenant organisation, we established clear objectives:

Full building coverage — every room, corridor, hall, and outdoor area to have reliable wireless signal.

Complete network segregation — each tenant organisation on their own isolated network, with no visibility between them.

Secure guest/public access — a separate guest network for café visitors and event attendees, with DNS content filtering and bandwidth limits.

Seamless roaming — devices should maintain connectivity without interruption as users move around the building.

Centralised management — all access points managed from a single dashboard, with alerting and remote access.

Minimal disruption to the building's aesthetic — cable runs to be as discreet as possible in a listed building context.

The Solution

Survey and Design

We began with a detailed RF (radio frequency) survey of the building using professional wireless planning software. This allowed us to model signal propagation through the thick stone walls, identify dead zones, and determine the optimal placement for each access point before any hardware was purchased or installed.

The survey identified nine access point locations that would provide full coverage — including the main hall, the café, both floors of the Victorian wing, the modern extension, and the entrance foyer.

Hardware

We specified Ubiquiti UniFi access points throughout, managed by a UniFi Network Server running on a local appliance — a UniFi Cloud Gateway Ultra — in the building's comms room. UniFi was chosen for its robust multi-SSID and VLAN support, proven roaming performance, and cost-effective total price of ownership.

All nine access points were connected back to a 24-port managed PoE switch via Cat6 cable, eliminating the need for separate power supplies and creating a clean, reliable star topology.

VLAN Architecture

We created six VLANs, each mapped to a dedicated SSID and firewall zone:

Guest Network and Captive Portal

The café and event guest network (VLAN 50) was configured with a custom captive portal presenting the community centre's branding. Visitors connecting to the 'CentreGuest' SSID are directed to a splash page where they accept terms of use before accessing the internet.

Client isolation was enabled on the guest SSID — meaning guest devices cannot see or communicate with each other, not just other VLANs. All guest DNS queries route through Cloudflare Gateway with content filtering active, blocking malicious sites, phishing domains, and adult content categories.

Bandwidth management was applied at the SSID level, capping individual devices at 20 Mbps download and 10 Mbps upload — sufficient for comfortable browsing and video calls without any single user impacting others.

Roaming Configuration

All nine UniFi access points were configured with band steering and the 802.11r (fast BSS transition), 802.11k (neighbour reporting), and 802.11v (BSS transition management) protocols enabled. These work together to ensure devices automatically connect to the optimal access point and transition cleanly as users move around the building.

During post-installation testing, we verified seamless handover by walking the building with a connected device on a continuous ping — achieving zero dropped packets across every access point transition.

Monitoring and Alerting

The UniFi controller was configured to send email alerts to Complianta's monitoring platform in the event of any access point going offline. Every access point is visible in the management dashboard with uptime, connected client count, channel utilisation, and any error conditions. The centre manager was provided with a read-only dashboard view.

The Outcome

The installation was completed over three days — two days of structured cabling and access point mounting, and one day for configuration, testing, and handover. The centre remained operational throughout, with disruption limited to brief periods in individual rooms during the cable installation.

Feedback from the tenant organisations following the installation

The health and wellbeing organisation confirmed they were now comfortable that their systems were isolated from other tenants and would be proceeding with their Cyber Essentials Plus certification.

The accountancy practice noted that connectivity had improved significantly in their office — previously one of the worst dead zones in the building.

The café reported that guests complimented the new portal and that the connectivity during events was noticeably more reliable than before.

The managing charity noted that they could now see all connected devices and had visibility of network usage for the first time.

The new wireless infrastructure replaced a collection of consumer-grade equipment with a single, unified, managed platform — with comprehensive security controls, full building coverage, and complete network segregation between all users.

Key Technical Summary

9 x Ubiquiti UniFi access points (indoor and outdoor models)

UniFi Cloud Gateway Ultra controller appliance

24-port managed PoE switch (Cat6 star topology)

6 VLANs with discrete firewall policies

Captive portal with terms of use and bandwidth management on guest SSID

Cloudflare Gateway DNS filtering across all SSIDs

802.11r/k/v roaming across all bands

Remote monitoring and alerting via Complianta managed services

---