Internet Connectivity Options

Executive Summary

Requirements Loaded

Source: Compound requirements document knowledge/integration/security-infrastructure.md (last-updated: 2026-04-01) — POPULATED.

Key constraints extracted:

Phase 1 Budget: ~$3,000 (cable run + installation + plan)

Status of budget envelope: The hardware for the cable run (200m OS2 fibre, SFP, media converter, LC-SC adapters) is already purchased and therefore already sunk. The Lightwire plan at $139/month is contracted. The primary remaining cost items within the $3,000 envelope are:

• Labour for the Easter 2026 cable run (conduit, penetrations, termination)
• Alkathene conduit (not yet purchased)
• Any backup connectivity hardware (if Phase 1)
• Lightwire installation/activation fee (if any — see Open Questions)

The $3,000 envelope is therefore largely consumed by the cable run labour + conduit + ongoing Lightwire plan costs. Backup connectivity should be treated as a Phase 1 stretch or Phase 2 item depending on the option chosen.

Cable Run to Shed

Already decided and partially executed. Materials on hand:

OS2 single-mode is the correct choice for this run. OS1/OS2 single-mode has no distance or attenuation concerns at 200m. Multimode would have been adequate at this distance but OS2 future-proofs the run.

Cable run installation considerations (Easter 2026):

The fibre is pre-terminated LC-LC. The MC210CS at the house end requires SC, which the Dynamix LC-SC patch lead handles. No field splicing is required — this is a plug-and-play run once conduit is in.

Conduit requirement:

• Route from house/main building to shed: ~200m estimated
• Underground burial recommended for the majority of the run (protects fibre from UV degradation, physical damage, and stock)
• Fibre is fragile relative to copper — do not pull it through conduit with sharp bends; minimum bend radius for OS2 is typically 30mm (check drum label)
• Alkathene conduit (polyethylene water pipe, 20mm or 25mm ID) is the standard NZ rural approach for underground cable protection and is available at rural merchants

Alkathene conduit NZ pricing (as at early 2026):

Alkathene is sold in rolls at Farmlands, RD1, and Placemakers. Approximate pricing for 25mm OD alkathene (suitable for single fibre cable):

Recommendation: Purchase one 100m roll of 25mm blue alkathene and one 100m roll of 20mm sub-duct, or two 100m rolls of 25mm — total ~$250–$320 NZD. If the trench is being dug anyway, pull a spare draw-wire through a second conduit for future cabling.

Penetration points:

• Use a 25mm gland or conduit entry fitting at both the house wall penetration and the shed wall penetration
• Seal penetrations with expanding foam (fire-rated if passing through a fire-rated wall) and/or silicone
• Label both ends of the fibre at installation time

Trench depth: Minimum 300mm cover under paddock/lawn. 450mm under any vehicle track.

Estimated labour cost: A half-day digger hire (mini-excavator) plus two people for a 200m trench run and reinstatement: approximately $600–$1,200 depending on ground conditions and whether Ed/Connor can assist. Fibre termination is plug-and-play (pre-terminated cable) — no specialist splicing labour required.

Total cable run cost estimate (conduit + labour, hardware already purchased):

Lightwire Plan Validation Against Requirements

Plan: Lightwire Fixed Wireless Unlimited, $139/month, 24-month contract.

Claimed speeds: 20–70 Mbps download typical; 10 Mbps guaranteed peak download; ~5 Mbps upload typical.

Requirement: 5 Mbps sustained upload, 10 Mbps download minimum.

Assessment:

Key risk: Upload speed is listed as "typical" (~5 Mbps), not guaranteed. During peak evening hours (3pm–10pm), rural fixed wireless towers can experience congestion. The compound requirements mandate a real-load upload speed test at peak hours before confirming the plan meets the H.265 streaming requirement. This is flagged as Open Question 1 in the compound requirements and remains unresolved.

Conclusion: The Lightwire plan is locked in and cannot be changed. It meets requirements under typical conditions. The upload margin is thin — 3.5 Mbps worst-case demand against ~5 Mbps typical upload. Confirm with a speed test; if peak-hour upload drops to 3 Mbps or below the camera sub-stream will be degraded. The mitigation is to ensure H.265 is configured on the NVR (not H.264) and remote live-view is limited to one sub-stream at a time.

Connectivity Plan Options

Primary Plan (locked in — not subject to selection)

Lightwire Fixed Wireless Unlimited

• Provider: Lightwire Business/Rural
• Speed: 20–70 Mbps download / ~5 Mbps upload typical
• Monthly cost: $139/month (24-month contract)
• Hardware: Lightwire CPE unit at house (already installed/contracted)
• Fibre backhaul to shed: via OS2 single-mode cable run (hardware purchased)

This plan is not optional. The following options address backup/failover connectivity only.

Option A: Starlink Residential Standard (backup — not yet committed)

What it provides:

Satellite broadband. Connects to the ER706W second WAN port. Used only when Lightwire is down. Cold standby: Starlink dish powers up and remains connected; ER706W fails over automatically.

Current NZ pricing (early 2026):

Note: Starlink hardware pricing in NZ has fluctuated. Check starlink.com/nz for current pricing before purchase. The $599 hardware cost is approximate as at early 2026.

Upload performance:

Starlink Residential Standard delivers 5–25 Mbps upload typical in NZ. This is sufficient for H.265 remote live-view (0.5–1 Mbps) and alarm/access management traffic during a Lightwire outage. Latency is 20–60ms — adequate for remote management; not ideal for real-time video but acceptable for backup use.

Self-install complexity:

Low. Starlink Standard kit is designed for self-install: position dish with clear sky view, run cable to router, connect to ER706W WAN2 port via ethernet. The ER706W supports load balancing and failover on WAN2 — configure as failover-only (not load balancing) to avoid routing camera traffic over both links simultaneously.

ER706W WAN failover compatibility:

The TP-Link ER706W Omada router has two WAN ports and supports automatic failover. Starlink connects to WAN2 via ethernet (Starlink router in bridge/bypass mode, or using the ER706W directly — note: Starlink's standard dish uses its own router; bridge mode is available on Gen 3 hardware but may require disabling Starlink's NAT). Confirm Starlink generation before configuring.

What falls back to Starlink during a Lightwire outage:

• Remote camera live-view (Hik-Connect P2P) — available again via Starlink within ~30–60 seconds of failover
• Alarm communicator IP path (DSC TL280E) — maintained; cellular fallback on alarm panel is not triggered if Starlink WAN2 is up
• Remote management of access control and router

What does NOT use Starlink (alarm panel independent path):

The DSC TL280E alarm communicator has its own cellular SIM for alarm signalling. Alarm notifications to a monitoring station or DSC Connect app will route via cellular regardless of whether Starlink is in use. Starlink backup does not affect alarm cellular independence — the cellular path is always available whether Starlink is on or off.

Pros:

• High and consistent upload speeds — better backup quality than rural 4G
• No tower congestion at this location (satellite)
• Self-install; no site visit required by technician
• Provides genuine redundancy against Lightwire tower failure, power failure to tower, or fibre backhaul cuts
• ER706W failover is automatic and transparent to all connected systems

Cons:

• $159/month ongoing for a backup link that may be needed rarely (Lightwire reliability is 99.9%+ claimed)
• $599 upfront hardware cost
• Requires unobstructed sky view from shed or adjacent mounting point — obstruction check required (trees, shed roof geometry)
• Starlink residential terms prohibit commercial use at some tiers — verify business vs residential plan terms; for a security monitoring application this is a grey area. Starlink Business plan (~$229/month) provides SLA and commercial use rights if this is a concern.
• Adds ~$1,908/year in ongoing cost for a link that is rarely used

Option B: 4G/5G Mobile Backup Router

What it provides:

A cellular modem/router (USB stick in ER706W WAN2 USB port, or a standalone 4G router on WAN2 ethernet) providing mobile broadband backup when Lightwire is down.

Coverage at Hamurana, Rotorua:

Hamurana is a rural locality on the northwest shore of Lake Rotorua, approximately 15km northwest of Rotorua city centre. 4G coverage in this area:

• Spark: Provides 4G coverage to most of the Rotorua lakeside areas including Hamurana according to Spark's published rural coverage maps. Signal at Te Waerenga Road specifically requires on-site confirmation — the area is at the edge of rural coverage.
• Vodafone (One NZ): Similar coverage footprint to Spark in the Rotorua rural zone. Hamurana is likely marginal.
• 2degrees: More limited rural coverage in this region; likely less reliable at Hamurana than Spark or One NZ.

Coverage verification is essential before committing to this option. The compound requirements flag this as Open Question 2 — a coverage map check and ideally an on-site mobile signal test are required. Without confirmed 4G signal at the shed, this option cannot be guaranteed to work.

Suitable hardware options:

Recommended hardware: TP-Link MR6400 or MR6500v — matches existing TP-Link/Omada ecosystem, straightforward setup, readily available in NZ (PB Tech, Noel Leeming, Spark Business).

SIM and plan options:

The backup link carries very low data: alarm heartbeats (~0.1 Mbps when active), brief remote management sessions, and alert notifications. This is a low-data backup application.

A Spark Business IoT SIM or One NZ equivalent is the most appropriate product for a device that sits connected 24/7 but uses little data. These avoid the "inactive SIM" risk that prepay SIMs can have (prepay SIMs may deactivate after 90 days without top-up if no data is used).

Upload speed on rural 4G:

Rural 4G at the edge of coverage typically delivers 5–20 Mbps download, 2–10 Mbps upload. Upload will be sufficient for alarm heartbeats and brief remote management. H.265 live-view remote access (0.5–1 Mbps sub-stream) will work if signal is at least 2 bars. Coverage must be verified on-site.

What falls back to 4G:

Same as Starlink Option A: Hik-Connect remote view, alarm IP path (reducing cellular alarm traffic), remote management.

What does NOT use 4G (independent cellular alarm path):

The DSC TL280E has its own dedicated cellular SIM. The 4G backup router SIM and the alarm panel SIM are separate and independent. The alarm panel cellular path is unaffected by whether the 4G backup router is functioning.

Pros:

• Very low monthly cost ($15–$25/month vs $159/month for Starlink)
• No upfront hardware cost beyond the router ($180–$250)
• No sky-view obstruction concerns
• TP-Link hardware matches existing ecosystem
• Sufficient for the actual backup traffic load (alarm heartbeats, brief remote access)
• No commercial use concerns — a plain data SIM has no use restrictions

Cons:

• Coverage at Hamurana is unconfirmed — this option fails entirely if 4G signal is inadequate at the shed
• Upload speeds variable and lower than Starlink — remote live-view quality during an outage will be lower
• Rural 4G can itself be congested during peak hours
• Requires coverage confirmation before commitment (site test or coverage map check)

Option C: No Backup — Phase 1 Risk Acceptance

What this means:

Accept that Lightwire is the sole internet path in Phase 1. If Lightwire is down, remote visibility is lost until it recovers. No backup hardware is purchased or configured.

Lightwire reliability context:

Lightwire claims 99.9%–99.99% uptime. For a rural fixed wireless tower serving a small area, 99.9% uptime equates to approximately 8.7 hours of unplanned outage per year. Lightwire's towers have backup power generation, reducing the risk of extended outages from local power cuts. Most outages are planned maintenance windows or weather-related path degradation — typically minutes to low hours.

Operational impact during a Lightwire outage:

Risk assessment for Phase 1:

The security-critical functions (alarm signalling, gate access, NVR recording) all continue independently during an internet outage. The only operational loss is remote visibility — Ed and Tom cannot view cameras or change access codes while the internet is down. For a low-traffic facility in Phase 1 with a small number of known customers, this is a manageable risk.

Pros:

• Zero additional cost
• Simplest possible network configuration
• All security-critical functions remain operational during outages
• Appropriate for Phase 1 where customer volume is low and customers are known contacts

Cons:

• Remote visibility lost during outages (no camera view, no remote pin management)
• If Lightwire goes down during an incident or security event, Ed/Tom cannot review footage remotely until it recovers
• NVR local footage is available but requires physical access to review during an outage
• Phase 2 upgrade to add backup will require re-visiting router configuration at that time (minor)

Recommended Setup

Phase 1 Recommendation: Option C (no backup) with Option B procurement research

Primary recommendation for Phase 1: Accept no backup connectivity at launch.

Rationale:

1. The $3,000 Phase 1 internet budget is largely consumed by the cable run (conduit + labour ~$1,000) and will be further committed to Lightwire's 24-month contract (effectively a sunk monthly cost). There is no strong justification for adding $159/month (Starlink) or $180–250 hardware + $20/month (4G) to a backup link that protects only remote visibility — not any safety-critical function.

1. All three safety-critical systems (alarm, gate access, NVR recording) are already designed to operate independently of internet connectivity. The compound requirements explicitly state that remote visibility loss during an outage is acceptable.

1. Lightwire's claimed 99.9% uptime means less than 9 hours of unplanned outage per year at a facility with a small Phase 1 customer base. This is an acceptable risk.

1. The ER706W has a second WAN port and USB port ready for backup connectivity to be added at any time in Phase 2 without hardware replacement.

Phase 2 recommendation: Option B (4G mobile backup)

Before Phase 2, carry out the following (see Open Questions):

• Confirm 4G signal at the shed with a mobile phone (Spark and One NZ)
• If signal is adequate (3+ bars in the shed or with an external antenna), deploy TP-Link MR6400 or similar on WAN2 with a Spark Business IoT SIM or One NZ equivalent
• Total ongoing cost: Lightwire $139/month + 4G SIM $20/month = $159/month combined

This gives full redundancy for remote visibility at a fraction of Starlink's monthly cost, and is the right balance for a rural self-storage facility of this scale.

Starlink (Option A) is not recommended unless 4G coverage at the site proves inadequate. Starlink's $159/month ongoing cost is equal to the entire Lightwire primary plan cost, and is difficult to justify for a backup link that protects only remote visibility on a low-traffic Phase 1 site. Re-evaluate if the facility scales to Phase 3 with higher customer density and 24/7 remote management requirements.

Total monthly cost summary:

Network Configuration Recommendations

ER706W VLAN and Firewall Configuration

The compound requirements specify the following VLAN topology and this is appropriate for the hardware on hand:

VLAN 10 — Camera network

• Members: NVR + all IP cameras (connected to TL-SG116P PoE+ ports assigned to VLAN 10)
• Allowed outbound: Hik-Connect relay servers (TCP 80, 443, and Hik-Connect-specific ports — typically 8000, 8200, 554 for RTSP). Hikvision publishes their Hik-Connect server IP ranges; configure as destination address group.
• Deny inbound from VLAN 20 (management)
• Deny lateral movement: cameras should not be able to initiate connections to each other or to the NVR management interface from the camera VLAN (NVR has two NICs if applicable, or NVR management access is via VLAN 20 only)
• No port forwarding to any camera or NVR — Hik-Connect P2P relay eliminates this requirement

VLAN 20 — Management network

• Members: DSC TL280E alarm communicator, access control system, operator devices (Ed/Connor laptops when on-site)
• Allowed outbound: DSC Connect cloud servers, access control cloud service (if applicable), general internet for management
• Deny inbound from VLAN 10

Router hardening checklist:

• Change default admin password on ER706W before deployment
• Change default passwords on TL-SG116P switch
• Change default passwords on all cameras and NVR
• Disable UPnP on ER706W (Omada controller setting or web UI)
• Disable remote management on ER706W unless VPN is configured
• Enable logging on ER706W firewall rules (assists with incident investigation)

WAN failover configuration (when Phase 2 backup is added):

• WAN1: Lightwire (via OS2 fibre → MC210CS → ER706W WAN1 SFP or ethernet port — confirm ER706W WAN port type)
• WAN2: 4G router (ethernet from 4G router LAN port to ER706W WAN2)
• Failover mode: NOT load balancing — configure as WAN1 primary, WAN2 failover only
• Health check: configure ER706W to ping 8.8.8.8 and 1.1.1.1 on both WAN links; failover triggers when WAN1 health check fails

Easter 2026 Fibre Cable Run — Practical Notes

• The OS2 fibre is pre-terminated LC-LC. Do not cut or strip the cable — it is plug-and-play.
• Pull the fibre through conduit using a draw-wire with a fish-tape or rope attachment. Use a cable sock or pulling grip on the drum end, not taped to the connector. Do not exceed the rated pulling tension (typically 100–200N for single-mode fibre cable).
• Minimum bend radius: OS2 single-mode typically 30mm installed, 15mm short-term during installation. Do not allow sharp bends at conduit entry points — use swept elbows or conduit bends, not sharp 90-degree elbow fittings.
• Terminate at the house end: MC210CS media converter → SC port (via Dynamix LC-SC patch lead) → plugs into Lightwire router LAN port via ethernet (confirm which port on the Lightwire CPE — see Open Question 3).
• Terminate at the shed end: OS2 LC directly into StarTech SFPGLCLHSMST SFP module seated in ER706W WAN or LAN SFP port.
• Label both ends of the fibre at installation with permanent marker or cable labels: "OS2 FIBRE — HOUSE ↔ SHED — DO NOT BEND SHARPLY".
• After installation, test with a simple ping from the shed router to the Lightwire CPE before burying/closing conduit penetrations.

Open Questions

The following items are unresolved and require action before or shortly after the Easter 2026 cable run:

1. Lightwire peak-hour upload speed — Run a speed test (speedtest.net or fast.com) from the Lightwire connection at the house during peak hours (3pm–10pm on a weekday) to confirm upload is consistently at or above 3.5 Mbps under load. If upload drops below 3 Mbps at peak hours, discuss with Lightwire whether a plan upgrade or tower priority adjustment is available. This is the single most important pre-launch technical check.

1. 4G/5G coverage at the shed — Spark and One NZ — Walk to the shed location with a Spark SIM and a One NZ SIM (or use coverage map tools at spark.co.nz/coveragemap and one.nz/coveragemap) and confirm signal strength. If 3+ bars of 4G are available inside or adjacent to the shed, Option B (4G backup) is viable for Phase 2 at low cost. Record the result and update this document.

1. Lightwire CPE router model and LAN port — Confirm the model of the Lightwire CPE (customer premises equipment) router installed at the house. The MC210CS media converter connects to a LAN port on the Lightwire CPE via ethernet to extend the connection to the shed via fibre. Confirm which port should be used and whether the CPE supports gigabit ethernet on its LAN ports (the MC210CS is gigabit capable).

1. Starlink commercial use terms — If Option A (Starlink) is revisited in Phase 2 or 3, verify whether the Residential Standard plan permits use at a commercial storage facility. If not, the Starlink Business plan (~$229/month NZD) would be required, further increasing the cost differential vs 4G backup.

1. ER706W SFP port type for shed fibre termination — Confirm the ER706W has an SFP slot (it does — the ER706W includes 1x SFP WAN port) and that the StarTech SFPGLCLHSMST module is seated in that port, not in a copper LAN port. The OS2 LC fibre from the drum should connect directly to this SFP at the shed end.

1. Lightwire fair use / peak-hour throttling policy — At plan activation, ask Lightwire to confirm in writing whether the Unlimited plan has any fair use policy, congestion management, or peak-hour speed shaping. This protects against unexpected upload throttling during evening hours when camera remote-view demand is highest.

1. Alkathene conduit procurement — Purchase before Easter 2026. Farmlands Rotorua (Te Ngae Road) or RD1 Rotorua are the closest rural merchants. Phone ahead to confirm stock of 25mm x 100m rolls (two rolls needed for 200m run with a spare draw conduit).