Harden UniFi restricted-lane gateway access
Some checks failed
secret-guardrails / artifact-secret-scan (push) Has been cancelled
secret-guardrails / gitleaks (push) Has been cancelled

This commit is contained in:
Fizzlepoof
2026-05-23 02:48:49 +00:00
parent 462b39e572
commit 080ba83989
6 changed files with 442 additions and 19 deletions

View File

@@ -0,0 +1,47 @@
# UniFi Restricted-Lane DNS Cutover Result — 2026-05-23
Purpose: record the live DHCP DNS change for the restricted lanes and the immediate post-write verification.
## Live change applied
Updated the UniFi network definitions for:
- `IoT`
- `Camera`
- `Old IoT`
New DHCP DNS target on all three lanes:
- `10.5.30.53`
NTP was intentionally left unchanged:
- `dhcpd_ntp_enabled=false`
## Verified live after apply
### IoT
- subnet: `10.5.10.1/24`
- `dhcpd_dns_enabled=true`
- `dhcpd_dns_1=10.5.30.53`
### Camera
- subnet: `10.5.20.1/24`
- `dhcpd_dns_enabled=true`
- `dhcpd_dns_1=10.5.30.53`
### Old IoT
- subnet: `192.168.1.1/24`
- `dhcpd_dns_enabled=true`
- `dhcpd_dns_1=10.5.30.53`
## Why this matters
This removes the prior default-DNS dependency on each restricted lane's gateway address and puts those devices behind John's DNS blacklist policy.
That makes the next firewall phase materially safer because a broader `Untrusted -> Gateway` shield no longer has to preserve gateway DNS behavior for these three lanes.
## Still not done yet
This change alone does not prove the broader gateway shield is safe to apply immediately.
Before the next firewall wave, still verify:
- whether any restricted devices need gateway NTP behavior
- whether any restricted devices still need other specific gateway services besides DHCP/mDNS
- Google/cast behavior separately from a laptop session
## Recommended next live step
Stage the broader `Untrusted -> Gateway` shield carefully with only exact remaining exceptions preserved, instead of leaving the current broad gateway dependency in place.