Sync network redesign repo state and cutover artifacts
This commit is contained in:
@@ -0,0 +1,117 @@
|
||||
# UniFi Live Preflight Snapshot
|
||||
|
||||
Date: 2026-05-22
|
||||
Mode: read-only live pull from PD using the Doris UniFi operator account
|
||||
Controller: `https://10.5.0.1`
|
||||
Site: `default`
|
||||
|
||||
## Why this exists
|
||||
|
||||
This is a fresh, low-risk preflight snapshot taken after the earlier recon so tomorrow does not start from stale assumptions.
|
||||
|
||||
## Networks
|
||||
|
||||
- Internet 1 -> purpose=`wan` vlan=`untagged` subnet=`n/a`
|
||||
- Internet 2 -> purpose=`wan` vlan=`untagged` subnet=`n/a`
|
||||
- One-Click VPN -> purpose=`remote-user-vpn` vlan=`untagged` subnet=`192.168.2.1/24`
|
||||
- Proton Chicago -> purpose=`vpn-client` vlan=`untagged` subnet=`10.2.0.2/32`
|
||||
- Slate 7 -> purpose=`remote-user-vpn` vlan=`untagged` subnet=`192.168.3.1/24`
|
||||
- Old IoT -> purpose=`corporate` vlan=`2` subnet=`192.168.1.1/24`
|
||||
- Trusted -> purpose=`corporate` vlan=`51` subnet=`10.5.1.1/24`
|
||||
- IoT -> purpose=`corporate` vlan=`510` subnet=`10.5.10.1/24`
|
||||
- Camera -> purpose=`corporate` vlan=`520` subnet=`10.5.20.1/24`
|
||||
- Guest -> purpose=`guest` vlan=`590` subnet=`10.5.90.1/24`
|
||||
- Management -> purpose=`corporate` vlan=`untagged` subnet=`10.5.0.1/24`
|
||||
|
||||
## SSIDs currently enabled
|
||||
|
||||
- `CIA Via`
|
||||
- `UNEF's Playhouse`
|
||||
- `Whiskey Neat Fuck Ice`
|
||||
- `Yer a Wifi Harry`
|
||||
|
||||
## Port profiles currently present
|
||||
|
||||
- `Camera`
|
||||
- `IoT`
|
||||
- `Management`
|
||||
- `Old IoT`
|
||||
- `Trusted`
|
||||
|
||||
Operator implication:
|
||||
- `Servers` still does not exist as a live port profile/object visible in this pull.
|
||||
- Tomorrow must not begin server moves until `Servers` is created/confirmed.
|
||||
|
||||
## UniFi device state
|
||||
|
||||
- `U6 LR` -> type=`uap` ip=`10.5.0.20` state=`0` version=`6.7.41.15623`
|
||||
- `U7 Pro` -> type=`uap` ip=`10.5.0.21` state=`1` version=`8.5.21.18681`
|
||||
- `UDM Pro - Old` -> type=`udm` ip=`69.166.182.157` state=`1` version=`5.1.11.33023`
|
||||
- `USW Pro HD 24` -> type=`usw` ip=`10.5.0.135` state=`1` version=`7.4.1.16850`
|
||||
- `USW-24-PoE` -> type=`usw` ip=`10.5.0.10` state=`1` version=`7.4.1.16850`
|
||||
|
||||
Interpretation:
|
||||
- U6 LR still appears disconnected/offline in the current API view.
|
||||
- The active wireless load is still effectively on the U7 Pro.
|
||||
|
||||
## Current client counts by network
|
||||
|
||||
- Camera: 1
|
||||
- Management: 2
|
||||
- Old IoT: 14
|
||||
- Trusted: 14
|
||||
|
||||
## Critical named clients for tomorrow
|
||||
|
||||
- `PlausibleDeniability` -> Trusted -> `10.5.1.6`
|
||||
- `Serenity` -> Trusted -> `10.5.1.5`
|
||||
- `Nomad` -> Trusted -> `10.5.1.16`
|
||||
- `Rocinante` -> Trusted -> `10.5.1.112`
|
||||
- `FlyingDutchman` -> Trusted -> `10.5.1.111`
|
||||
- `MyQ-29B` -> Old IoT -> `192.168.1.130`
|
||||
- `Samsung-FamilyHub` -> Old IoT -> `192.168.1.149`
|
||||
- `LG_Smart_Dryer2_open` -> Old IoT -> `192.168.1.186`
|
||||
- `LG_Smart_Laundry2_open` -> Trusted -> `10.5.1.184`
|
||||
- `Main-Floor` -> Old IoT -> `192.168.1.102`
|
||||
- `Upstairs` -> Old IoT -> `192.168.1.131`
|
||||
- `Google-Home-Mini` -> Old IoT -> `192.168.1.185`
|
||||
- `front-doorbell` -> Camera -> `10.5.20.217`
|
||||
|
||||
## Management offenders still present
|
||||
|
||||
- `58:d6:1f:54:e5:6d` -> `10.5.0.123`
|
||||
- `58:d6:1f:54:e5:af` -> `10.5.0.189`
|
||||
|
||||
These are still the two management-lane ESP-class offenders to identify or evict.
|
||||
|
||||
## Fresh anomalies vs the earlier planning assumptions
|
||||
|
||||
1. `LG_Smart_Laundry2_open` is currently on `Trusted` at `10.5.1.184`.
|
||||
- This was not part of the original Old IoT-first migration set.
|
||||
- Decide tomorrow whether it belongs on IoT or whether it is a separate harmless laundry app endpoint you intentionally trust.
|
||||
|
||||
2. `U6 LR` still shows state `0`.
|
||||
- Treat it as optional only if needed, not as assumed active infrastructure.
|
||||
|
||||
3. The controller still shows zero custom firewall groups/rules/routing objects from the earlier read-only recon.
|
||||
- Firewall staging is still basically greenfield.
|
||||
|
||||
## Safe prep work completed tonight
|
||||
|
||||
- verified UniFi read access still works from PD
|
||||
- refreshed live device/client counts
|
||||
- confirmed named host placement for the server batch and Old IoT migration set
|
||||
- confirmed management offenders remain present
|
||||
- confirmed U6 LR still appears offline/disconnected
|
||||
- captured a raw pre-write baseline of `networkconf` and `portconf` at `/home/fizzlepoof/repos/truenas-stacks/home/doris-dashboard/docs/baselines/unifi-object-baseline-2026-05-22-024653.json`
|
||||
- authored an idempotent staging helper at `/home/fizzlepoof/repos/truenas-stacks/automation/bin/unifi_stage_low_risk_objects.py`
|
||||
- copied that helper to PD at `/mnt/docker-ssd/docker/compose/automation/bin/unifi_stage_low_risk_objects.py`
|
||||
- confirmed the current Doris UniFi account is still read-only for writes: `POST /rest/networkconf` returns `403 Forbidden`
|
||||
|
||||
## Recommended no-surprise start conditions for tomorrow
|
||||
|
||||
- create/confirm `Servers` object/profile before any server port move
|
||||
- keep Rocinante on Trusted as the live control box until the Nomad/Serenity/PD wave is complete
|
||||
- leave FlyingDutchman on Trusted
|
||||
- treat Google as in-scope only through narrow reversible tests
|
||||
- do not assume U6 LR is usable unless you explicitly verify it in the UI
|
||||
Reference in New Issue
Block a user