Harden UniFi restricted-lane gateway access
This commit is contained in:
@@ -0,0 +1,47 @@
|
||||
# UniFi Restricted-Lane DNS Cutover Result — 2026-05-23
|
||||
|
||||
Purpose: record the live DHCP DNS change for the restricted lanes and the immediate post-write verification.
|
||||
|
||||
## Live change applied
|
||||
Updated the UniFi network definitions for:
|
||||
- `IoT`
|
||||
- `Camera`
|
||||
- `Old IoT`
|
||||
|
||||
New DHCP DNS target on all three lanes:
|
||||
- `10.5.30.53`
|
||||
|
||||
NTP was intentionally left unchanged:
|
||||
- `dhcpd_ntp_enabled=false`
|
||||
|
||||
## Verified live after apply
|
||||
### IoT
|
||||
- subnet: `10.5.10.1/24`
|
||||
- `dhcpd_dns_enabled=true`
|
||||
- `dhcpd_dns_1=10.5.30.53`
|
||||
|
||||
### Camera
|
||||
- subnet: `10.5.20.1/24`
|
||||
- `dhcpd_dns_enabled=true`
|
||||
- `dhcpd_dns_1=10.5.30.53`
|
||||
|
||||
### Old IoT
|
||||
- subnet: `192.168.1.1/24`
|
||||
- `dhcpd_dns_enabled=true`
|
||||
- `dhcpd_dns_1=10.5.30.53`
|
||||
|
||||
## Why this matters
|
||||
This removes the prior default-DNS dependency on each restricted lane's gateway address and puts those devices behind John's DNS blacklist policy.
|
||||
|
||||
That makes the next firewall phase materially safer because a broader `Untrusted -> Gateway` shield no longer has to preserve gateway DNS behavior for these three lanes.
|
||||
|
||||
## Still not done yet
|
||||
This change alone does not prove the broader gateway shield is safe to apply immediately.
|
||||
|
||||
Before the next firewall wave, still verify:
|
||||
- whether any restricted devices need gateway NTP behavior
|
||||
- whether any restricted devices still need other specific gateway services besides DHCP/mDNS
|
||||
- Google/cast behavior separately from a laptop session
|
||||
|
||||
## Recommended next live step
|
||||
Stage the broader `Untrusted -> Gateway` shield carefully with only exact remaining exceptions preserved, instead of leaving the current broad gateway dependency in place.
|
||||
Reference in New Issue
Block a user