Sync network redesign repo state and cutover artifacts

This commit is contained in:
Fizzlepoof
2026-05-22 20:16:21 +00:00
parent 4b1e3d4061
commit 9e6dde7695
59 changed files with 5389 additions and 244 deletions

View File

@@ -0,0 +1,608 @@
{
"captured_at": "2026-05-21T21:46:53-05:00",
"site": "default",
"networkconf": [
{
"setting_preference": "auto",
"purpose": "wan",
"external_id": "d488cbbc-05dd-4bab-9efb-4b58340df685",
"wan_type_v6": "disabled",
"routing_table_id": 201,
"ipv6_wan_delegation_type": "none",
"wan_dhcpv6_pd_size_auto": true,
"firewall_zone_id": "6963d42a1131084f054618e0",
"igmp_proxy_upstream": false,
"mac_override_enabled": false,
"wan_load_balance_type": "failover-only",
"wan_failover_priority": 2,
"wan_ipv6_dns_preference": "auto",
"wan_networkgroup": "WAN",
"wan_dslite_remote_host_auto": false,
"wan_smartq_enabled": false,
"wan_dns_preference": "auto",
"wan_vlan_enabled": false,
"wan_load_balance_weight": 99,
"site_id": "6963c5321131084f05460911",
"name": "Internet 1",
"report_wan_event": false,
"_id": "6963c5831131084f05460929",
"attr_no_delete": true,
"wan_type": "dhcp",
"attr_hidden_id": "WAN"
},
{
"setting_preference": "manual",
"purpose": "wan",
"wan_dhcp_cos": 0,
"external_id": "c10cd8c4-7f9c-4d12-a7ea-e1a34ab8ead7",
"wan_type_v6": "disabled",
"routing_table_id": 202,
"enabled": true,
"wan_dhcp_options": [],
"ipv6_wan_delegation_type": "none",
"wan_dhcpv6_pd_size_auto": true,
"firewall_zone_id": "6963d42a1131084f054618e0",
"igmp_proxy_upstream": false,
"mac_override_enabled": false,
"wan_load_balance_type": "weighted",
"wan_failover_priority": 1,
"ipv6_setting_preference": "manual",
"wan_ipv6_dns_preference": "auto",
"single_network_lan": "",
"wan_dns2": "9.9.9.9",
"wan_ipv6_dns1": "",
"wan_dns1": "10.5.1.53",
"wan_ipv6_dns2": "",
"wan_networkgroup": "WAN2",
"wan_dslite_remote_host_auto": false,
"wan_provider_capabilities": {
"upload_kilobits_per_second": 2409000,
"download_kilobits_per_second": 2120000
},
"wan_ip_aliases": [],
"wan_smartq_enabled": false,
"wan_dns_preference": "manual",
"wan_vlan_enabled": false,
"wan_load_balance_weight": 50,
"site_id": "6963c5321131084f05460911",
"name": "Internet 2",
"report_wan_event": false,
"_id": "6963c5831131084f0546092a",
"wan_type": "dhcp",
"attr_no_delete": true,
"igmp_proxy_for": "none"
},
{
"setting_preference": "manual",
"dhcpdv6_dns_auto": true,
"ipv6_pd_stop": "::7d1",
"dhcpd_gateway_enabled": false,
"ipv6_client_address_assignment": "slaac",
"network_isolation_enabled": false,
"dhcp_relay_servers": [],
"dhcpd_start": "10.5.0.100",
"dhcpd_unifi_controller": "",
"ipv6_ra_enabled": true,
"domain_name": "localdomain",
"ip_subnet": "10.5.0.1/24",
"ipv6_interface_type": "none",
"dhcpd_wins_2": "",
"dhcpdv6_stop": "::7d1",
"is_nat": true,
"dhcpd_wins_1": "",
"dhcpd_dns_enabled": false,
"internet_access_enabled": true,
"nat_outbound_ip_addresses": [],
"dhcp_relay_enabled": false,
"dhcpd_conflict_checking": true,
"dhcpd_wins_enabled": false,
"dhcpdv6_leasetime": 86400,
"site_id": "6963c5321131084f05460911",
"name": "Management",
"_id": "6963c5831131084f0546092b",
"lte_lan_enabled": true,
"purpose": "corporate",
"dhcpd_leasetime": 86400,
"dhcpguard_enabled": false,
"dhcpd_time_offset_enabled": false,
"external_id": "652279eb-41e5-440d-aad5-231ca9683890",
"ipv6_ra_preferred_lifetime": 14400,
"dhcpd_stop": "10.5.0.199",
"is_smart_subnet_detected": false,
"enabled": true,
"dhcpd_enabled": true,
"dhcpd_wpad_url": "",
"networkgroup": "LAN",
"firewall_zone_id": "6963d42a1131084f054618df",
"dhcpdv6_start": "::2",
"vlan_enabled": false,
"ipv6_setting_preference": "auto",
"ipv6_aliases": [],
"gateway_type": "default",
"ipv6_ra_priority": "high",
"dhcpd_boot_enabled": false,
"ipv6_pd_start": "::2",
"upnp_lan_enabled": false,
"dhcpd_ntp_enabled": false,
"mdns_enabled": true,
"ip_aliases": [],
"attr_no_delete": true,
"attr_hidden_id": "LAN",
"dhcpd_tftp_server": "",
"auto_scale_enabled": false
},
{
"setting_preference": "manual",
"dhcpd_gateway_enabled": false,
"network_isolation_enabled": false,
"dhcp_relay_servers": [],
"dhcpd_dns_1": "192.168.1.10",
"dhcpd_start": "10.5.1.100",
"dhcpd_unifi_controller": "",
"domain_name": "",
"ip_subnet": "10.5.1.1/24",
"dhcpd_dns_4": "",
"ipv6_interface_type": "none",
"dhcpd_dns_2": "",
"dhcpd_dns_3": "",
"dhcpd_wins_2": "",
"is_nat": true,
"dhcpd_wins_1": "",
"dhcpd_dns_enabled": false,
"internet_access_enabled": true,
"nat_outbound_ip_addresses": [],
"dhcp_relay_enabled": false,
"dhcpd_conflict_checking": true,
"dhcpd_wins_enabled": false,
"name": "Trusted",
"site_id": "6963c5321131084f05460911",
"_id": "6963cb201131084f05461635",
"lte_lan_enabled": true,
"dhcpd_leasetime": 86400,
"purpose": "corporate",
"dhcpd_time_offset_enabled": false,
"dhcpguard_enabled": false,
"external_id": "87b66e27-93a9-4fb7-93d2-3b7bca9e6414",
"enabled": true,
"dhcpd_stop": "10.5.1.199",
"dhcpd_enabled": true,
"vlan": 51,
"dhcpd_wpad_url": "",
"networkgroup": "LAN",
"firewall_zone_id": "6963d42a1131084f054618df",
"vlan_enabled": true,
"ipv6_setting_preference": "manual",
"ipv6_aliases": [],
"gateway_type": "default",
"dhcpd_boot_enabled": false,
"upnp_lan_enabled": false,
"dhcpd_ntp_enabled": false,
"mdns_enabled": true,
"ip_aliases": [],
"dhcpd_tftp_server": "",
"auto_scale_enabled": false
},
{
"setting_preference": "manual",
"dhcpd_leasetime": 86400,
"purpose": "corporate",
"dhcpd_gateway_enabled": false,
"dhcpd_time_offset_enabled": false,
"dhcpguard_enabled": false,
"network_isolation_enabled": true,
"dhcp_relay_servers": [],
"dhcpd_start": "10.5.10.6",
"dhcpd_unifi_controller": "",
"external_id": "88180bc3-2c34-4f30-9b57-aed15da2a12a",
"enabled": true,
"dhcpd_stop": "10.5.10.254",
"domain_name": "",
"dhcpd_enabled": true,
"ip_subnet": "10.5.10.1/24",
"vlan": 510,
"dhcpd_wpad_url": "",
"ipv6_interface_type": "none",
"networkgroup": "LAN",
"firewall_zone_id": "6963d5a91131084f05461a0d",
"vlan_enabled": true,
"dhcpd_wins_2": "",
"ipv6_setting_preference": "manual",
"dhcpd_wins_1": "",
"dhcpd_dns_enabled": false,
"ipv6_aliases": [],
"internet_access_enabled": true,
"gateway_type": "default",
"nat_outbound_ip_addresses": [],
"dhcpd_boot_enabled": false,
"dhcp_relay_enabled": false,
"dhcpd_conflict_checking": true,
"dhcpd_wins_enabled": false,
"dhcpd_ntp_enabled": false,
"name": "IoT",
"site_id": "6963c5321131084f05460911",
"mdns_enabled": true,
"ip_aliases": [],
"_id": "6963cb461131084f05461642",
"lte_lan_enabled": true,
"dhcpd_tftp_server": "",
"auto_scale_enabled": true
},
{
"setting_preference": "auto",
"dhcpd_leasetime": 86400,
"purpose": "guest",
"dhcpd_gateway_enabled": false,
"dhcpd_time_offset_enabled": false,
"dhcpguard_enabled": false,
"network_isolation_enabled": false,
"dhcp_relay_servers": [],
"dhcpd_start": "10.5.90.6",
"dhcpd_unifi_controller": "",
"external_id": "2986eea1-bf02-4879-a7b0-7d9f91e45c53",
"enabled": true,
"dhcpd_stop": "10.5.90.254",
"domain_name": "",
"dhcpd_enabled": true,
"ip_subnet": "10.5.90.1/24",
"vlan": 590,
"dhcpd_wpad_url": "",
"ipv6_interface_type": "none",
"networkgroup": "LAN",
"firewall_zone_id": "6963d42a1131084f054618e3",
"vlan_enabled": true,
"dhcpd_wins_2": "",
"ipv6_setting_preference": "manual",
"is_nat": true,
"dhcpd_wins_1": "",
"dhcpd_dns_enabled": false,
"ipv6_aliases": [],
"internet_access_enabled": true,
"gateway_type": "default",
"nat_outbound_ip_addresses": [],
"dhcpd_boot_enabled": false,
"dhcp_relay_enabled": false,
"dhcpd_conflict_checking": true,
"dhcpd_wins_enabled": false,
"upnp_lan_enabled": false,
"dhcpd_ntp_enabled": false,
"name": "Guest",
"site_id": "6963c5321131084f05460911",
"mdns_enabled": true,
"ip_aliases": [],
"_id": "6963cb941131084f054616af",
"lte_lan_enabled": true,
"dhcpd_tftp_server": "",
"auto_scale_enabled": true
},
{
"setting_preference": "auto",
"dhcpd_leasetime": 86400,
"purpose": "corporate",
"dhcpd_gateway_enabled": false,
"dhcpd_time_offset_enabled": false,
"dhcpguard_enabled": false,
"network_isolation_enabled": false,
"dhcp_relay_servers": [],
"dhcpd_start": "10.5.20.6",
"dhcpd_unifi_controller": "",
"external_id": "98f2aff1-b394-493d-908f-ced4c83bde99",
"enabled": true,
"dhcpd_stop": "10.5.20.254",
"domain_name": "",
"dhcpd_enabled": true,
"ip_subnet": "10.5.20.1/24",
"vlan": 520,
"dhcpd_wpad_url": "",
"ipv6_interface_type": "none",
"networkgroup": "LAN",
"firewall_zone_id": "6963d5a91131084f05461a0d",
"vlan_enabled": true,
"dhcpd_wins_2": "",
"ipv6_setting_preference": "manual",
"is_nat": true,
"dhcpd_wins_1": "",
"dhcpd_dns_enabled": false,
"ipv6_aliases": [],
"internet_access_enabled": true,
"gateway_type": "default",
"nat_outbound_ip_addresses": [],
"dhcpd_boot_enabled": false,
"dhcp_relay_enabled": false,
"dhcpd_conflict_checking": true,
"dhcpd_wins_enabled": false,
"upnp_lan_enabled": false,
"dhcpd_ntp_enabled": false,
"name": "Camera",
"site_id": "6963c5321131084f05460911",
"mdns_enabled": true,
"ip_aliases": [],
"_id": "6963cbbf1131084f054616c1",
"lte_lan_enabled": true,
"dhcpd_tftp_server": "",
"auto_scale_enabled": true
},
{
"setting_preference": "manual",
"dhcpd_leasetime": 86400,
"purpose": "corporate",
"dhcpd_gateway_enabled": false,
"dhcpd_time_offset_enabled": false,
"dhcpguard_enabled": false,
"network_isolation_enabled": false,
"dhcp_relay_servers": [],
"dhcpd_start": "192.168.1.100",
"dhcpd_unifi_controller": "",
"external_id": "9bd0ee41-3303-4c03-ad81-305248301921",
"enabled": true,
"dhcpd_stop": "192.168.1.199",
"domain_name": "",
"dhcpd_enabled": true,
"ip_subnet": "192.168.1.1/24",
"vlan": 2,
"dhcpd_wpad_url": "",
"ipv6_interface_type": "none",
"networkgroup": "LAN",
"firewall_zone_id": "6963d5a91131084f05461a0d",
"vlan_enabled": true,
"dhcpd_wins_2": "",
"ipv6_setting_preference": "manual",
"is_nat": true,
"dhcpd_wins_1": "",
"dhcpd_dns_enabled": false,
"ipv6_aliases": [],
"internet_access_enabled": true,
"gateway_type": "default",
"nat_outbound_ip_addresses": [],
"dhcpd_boot_enabled": false,
"dhcp_relay_enabled": false,
"dhcpd_conflict_checking": true,
"dhcpd_wins_enabled": false,
"upnp_lan_enabled": false,
"dhcpd_ntp_enabled": false,
"name": "Old IoT",
"site_id": "6963c5321131084f05460911",
"mdns_enabled": true,
"ip_aliases": [],
"_id": "6963e11c1131084f054622f1",
"lte_lan_enabled": true,
"dhcpd_tftp_server": "",
"auto_scale_enabled": false
},
{
"wireguard_client_configuration_filename": "Unifi2-US-IL-267.conf",
"purpose": "vpn-client",
"wireguard_client_mode": "file",
"external_id": "8673a0e4-4f1b-42d6-9563-e6f6440065de",
"interface_mtu_enabled": false,
"routing_table_id": 178,
"enabled": true,
"vpn_type": "wireguard-client",
"mss_clamp": "auto",
"ip_subnet": "10.2.0.2/32",
"name": "Proton Chicago",
"site_id": "6963c5321131084f05460911",
"wireguard_id": 1,
"firewall_zone_id": "6963d42a1131084f054618e0",
"wireguard_client_configuration_file": "[REDACTED: exported WireGuard client config removed from tracked baseline]",
"_id": "696411c51131084f05465f8d"
},
{
"setting_preference": "auto",
"wireguard_interface_binding_mode_ip_version": "v4",
"purpose": "remote-user-vpn",
"local_port": 51820,
"x_wireguard_private_key": "REDACTED",
"external_id": "c625964c-8663-4ef0-bf04-53a5466a168c",
"enabled": true,
"wireguard_local_wan_ip": "any",
"vpn_type": "wireguard-server",
"ip_subnet": "192.168.2.1/24",
"wireguard_interface": "wan2",
"name": "One-Click VPN",
"site_id": "6963c5321131084f05460911",
"wireguard_id": 1,
"firewall_zone_id": "6963d42a1131084f054618e2",
"_id": "69a31399822347a1daadae2e"
},
{
"setting_preference": "auto",
"wireguard_interface_binding_mode_ip_version": "v4",
"purpose": "remote-user-vpn",
"x_wireguard_private_key": "REDACTED",
"dhcpd_start": "192.168.3.2",
"interface_mtu_enabled": false,
"external_id": "2431e2ed-2d1f-48ed-9b2f-3ed5b8021504",
"enabled": true,
"dhcpd_stop": "192.168.3.254",
"vpn_type": "wireguard-server",
"ip_subnet": "192.168.3.1/24",
"wireguard_interface": "wan2",
"wireguard_id": 2,
"firewall_zone_id": "6963d42a1131084f054618e2",
"vpn_client_configuration_remote_ip_override_enabled": false,
"dhcpd_dns_enabled": false,
"local_port": 51821,
"wireguard_local_wan_ip": "any",
"mss_clamp": "auto",
"dhcpd_wins_enabled": false,
"vpn_binding_mode": "any",
"name": "Slate 7",
"site_id": "6963c5321131084f05460911",
"_id": "69dd799da02014d2f4acc4e9",
"mss_clamp_ipv6": "auto"
}
],
"portconf": [
{
"setting_preference": "auto",
"port_security_enabled": false,
"stormctrl_ucast_rate": 100,
"egress_rate_limit_kbps_enabled": false,
"stormctrl_mcast_enabled": false,
"lldpmed_notify_enabled": false,
"tagged_vlan_mgmt": "auto",
"multicast_router_networkconf_ids": [],
"stormctrl_bcast_enabled": false,
"port_keepalive_enabled": false,
"stormctrl_mcast_rate": 100,
"native_networkconf_id": "6963c5831131084f0546092b",
"qos_profile": {
"qos_profile_mode": "custom",
"qos_policies": []
},
"port_security_mac_address": [],
"dot1x_idle_timeout": 300,
"op_mode": "switch",
"poe_mode": "auto",
"forward": "all",
"stormctrl_ucast_enabled": false,
"stormctrl_bcast_rate": 100,
"isolation": false,
"voice_networkconf_id": "",
"stp_port_mode": true,
"name": "Management",
"site_id": "6963c5321131084f05460911",
"_id": "6963cdbf1131084f0546177c",
"autoneg": true,
"lldpmed_enabled": true,
"dot1x_ctrl": "force_authorized"
},
{
"setting_preference": "auto",
"port_security_enabled": false,
"stormctrl_ucast_rate": 100,
"egress_rate_limit_kbps_enabled": false,
"stormctrl_mcast_enabled": false,
"lldpmed_notify_enabled": false,
"tagged_vlan_mgmt": "auto",
"multicast_router_networkconf_ids": [],
"stormctrl_bcast_enabled": false,
"port_keepalive_enabled": false,
"excluded_networkconf_ids": [],
"stormctrl_mcast_rate": 100,
"native_networkconf_id": "6963cb201131084f05461635",
"qos_profile": {
"qos_profile_mode": "custom",
"qos_policies": []
},
"port_security_mac_address": [],
"dot1x_idle_timeout": 300,
"op_mode": "switch",
"poe_mode": "auto",
"forward": "customize",
"stormctrl_ucast_enabled": false,
"stormctrl_bcast_rate": 100,
"isolation": false,
"voice_networkconf_id": "",
"stp_port_mode": true,
"name": "Trusted",
"site_id": "6963c5321131084f05460911",
"_id": "6963cdfe1131084f0546178d",
"autoneg": true,
"lldpmed_enabled": true,
"dot1x_ctrl": "force_authorized"
},
{
"setting_preference": "auto",
"port_security_enabled": false,
"stormctrl_ucast_rate": 100,
"egress_rate_limit_kbps_enabled": false,
"stormctrl_mcast_enabled": false,
"lldpmed_notify_enabled": false,
"tagged_vlan_mgmt": "block_all",
"multicast_router_networkconf_ids": [],
"stormctrl_bcast_enabled": false,
"port_keepalive_enabled": false,
"stormctrl_mcast_rate": 100,
"native_networkconf_id": "6963cb461131084f05461642",
"qos_profile": {
"qos_profile_mode": "custom",
"qos_policies": []
},
"port_security_mac_address": [],
"dot1x_idle_timeout": 300,
"op_mode": "switch",
"poe_mode": "auto",
"forward": "native",
"stormctrl_ucast_enabled": false,
"stormctrl_bcast_rate": 100,
"isolation": false,
"voice_networkconf_id": "",
"stp_port_mode": true,
"name": "IoT",
"site_id": "6963c5321131084f05460911",
"_id": "6963ce221131084f05461791",
"autoneg": true,
"lldpmed_enabled": true,
"dot1x_ctrl": "force_authorized"
},
{
"setting_preference": "auto",
"port_security_enabled": false,
"stormctrl_ucast_rate": 100,
"egress_rate_limit_kbps_enabled": false,
"stormctrl_mcast_enabled": false,
"lldpmed_notify_enabled": false,
"tagged_vlan_mgmt": "block_all",
"multicast_router_networkconf_ids": [],
"stormctrl_bcast_enabled": false,
"port_keepalive_enabled": false,
"stormctrl_mcast_rate": 100,
"native_networkconf_id": "6963cbbf1131084f054616c1",
"qos_profile": {
"qos_profile_mode": "custom",
"qos_policies": []
},
"port_security_mac_address": [],
"dot1x_idle_timeout": 300,
"op_mode": "switch",
"poe_mode": "auto",
"forward": "native",
"stormctrl_ucast_enabled": false,
"stormctrl_bcast_rate": 100,
"isolation": false,
"voice_networkconf_id": "",
"stp_port_mode": true,
"name": "Camera",
"site_id": "6963c5321131084f05460911",
"_id": "6963ce3b1131084f05461798",
"autoneg": true,
"lldpmed_enabled": true,
"dot1x_ctrl": "force_authorized"
},
{
"setting_preference": "auto",
"port_security_enabled": false,
"stormctrl_ucast_rate": 100,
"egress_rate_limit_kbps_enabled": false,
"stormctrl_mcast_enabled": false,
"lldpmed_notify_enabled": false,
"tagged_vlan_mgmt": "block_all",
"multicast_router_networkconf_ids": [],
"stormctrl_bcast_enabled": false,
"port_keepalive_enabled": false,
"stormctrl_mcast_rate": 100,
"native_networkconf_id": "6963e11c1131084f054622f1",
"qos_profile": {
"qos_profile_mode": "custom",
"qos_policies": []
},
"port_security_mac_address": [],
"dot1x_idle_timeout": 300,
"op_mode": "switch",
"poe_mode": "auto",
"forward": "native",
"stormctrl_ucast_enabled": false,
"stormctrl_bcast_rate": 100,
"isolation": false,
"voice_networkconf_id": "",
"stp_port_mode": true,
"name": "Old IoT",
"site_id": "6963c5321131084f05460911",
"_id": "6963e3511131084f054624cf",
"autoneg": true,
"lldpmed_enabled": true,
"dot1x_ctrl": "force_authorized"
}
]
}

View File

@@ -0,0 +1,109 @@
{
"captured_at": "2026-05-22",
"device_id": "698776451131084f059d572b",
"device_mac": "8c:30:66:d0:9f:48",
"device_name": "USW Pro HD 24",
"port_overrides": [
{
"name": "U7 Pro (Upstairs)",
"port_idx": 1,
"portconf_id": "6963cdbf1131084f0546177c",
"setting_preference": "manual"
},
{
"autoneg": false,
"egress_rate_limit_kbps_enabled": false,
"excluded_networkconf_ids": [],
"forward": "customize",
"full_duplex": true,
"isolation": false,
"lldpmed_enabled": true,
"multicast_router_mode": "NONE",
"name": "Port 2",
"native_networkconf_id": "6963cb201131084f05461635",
"port_idx": 2,
"port_keepalive_enabled": false,
"port_security_enabled": false,
"port_security_mac_address": [],
"setting_preference": "manual",
"speed": 2500,
"stp_port_mode": true,
"tagged_vlan_mgmt": "auto",
"voice_networkconf_id": ""
},
{
"name": "FlyingDutchman",
"port_idx": 3,
"portconf_id": "6963cdfe1131084f0546178d",
"setting_preference": "manual"
},
{
"name": "Port 4",
"port_idx": 4,
"portconf_id": "6963cdbf1131084f0546177c",
"setting_preference": "manual"
},
{
"autoneg": false,
"egress_rate_limit_kbps_enabled": false,
"excluded_networkconf_ids": [],
"forward": "customize",
"full_duplex": true,
"isolation": false,
"lldpmed_enabled": true,
"multicast_router_mode": "NONE",
"name": "Port 6",
"native_networkconf_id": "6963cb201131084f05461635",
"port_idx": 6,
"port_keepalive_enabled": false,
"port_security_enabled": false,
"port_security_mac_address": [],
"setting_preference": "manual",
"speed": 2500,
"stp_port_mode": true,
"tagged_vlan_mgmt": "auto",
"voice_networkconf_id": ""
},
{
"autoneg": true,
"egress_rate_limit_kbps_enabled": false,
"forward": "disabled",
"isolation": false,
"lldpmed_enabled": true,
"name": "Port 14",
"native_networkconf_id": "",
"port_idx": 14,
"port_keepalive_enabled": false,
"port_security_enabled": true,
"port_security_mac_address": [],
"setting_preference": "auto",
"stp_port_mode": true,
"tagged_vlan_mgmt": "block_all",
"voice_networkconf_id": ""
},
{
"name": "Port 22",
"port_idx": 22,
"portconf_id": "6963cdfe1131084f0546178d",
"setting_preference": "manual"
},
{
"name": "Docker Server",
"port_idx": 23,
"portconf_id": "6963cdfe1131084f0546178d",
"setting_preference": "manual"
},
{
"name": "Serenity 10G (1)",
"port_idx": 24,
"portconf_id": "6963cdfe1131084f0546178d",
"setting_preference": "manual"
},
{
"name": "Port 27",
"port_idx": 27,
"portconf_id": "6963cdbf1131084f0546177c",
"setting_preference": "manual"
}
]
}

View File

@@ -0,0 +1,151 @@
# Legacy CIA Via Device Triage Worksheet
> For Doris: this worksheet exists so tomorrow does not devolve into vibes and guessing. Every device on Legacy CIA gets one label: migrate, quarantine, or kill.
Goal: classify every remaining device on the legacy CIA Via VLAN/SSID so we can make deliberate decisions during and after the cutover.
Rules:
- No new devices join Legacy CIA.
- If a device has a clean future home, move it.
- If a device is still useful but cannot be re-homed cleanly, quarantine it.
- If nobody knows what it is or nobody misses it, kill it.
---
## 1. Decision Criteria
### Migrate
Use `migrate` when all or most are true:
- device still matters
- app/admin control still exists
- owner is known
- function is understood
- a target VLAN/SSID is obvious
- there is a reasonable validation method after moving
### Quarantine
Use `quarantine` when all or most are true:
- device still provides value
- current owner/function is known enough
- moving it is risky, annoying, or impossible right now
- app/pairing/discovery state is fragile
- acceptable to leave it internet-only or nearly so
### Kill
Use `kill` when all or most are true:
- nobody knows what it is
- nobody can still administer it
- nobody notices when it is offline
- it duplicates something better
- it exists only because history happened
## 2. Recommended First-Pass Classification
### Migrate tomorrow if practical
- Main-Floor ecobee -> IoT VLAN 40
- Upstairs ecobee -> IoT VLAN 40
- MyQ -> IoT VLAN 40
- Samsung FamilyHub -> IoT VLAN 40
- LG dryer -> IoT VLAN 40
- doorbell -> Cameras VLAN 60
- Protect chimes -> Cameras VLAN 60
### Migrate later / careful handling
- Google Home Mini -> IoT VLAN 40 after discovery testing
- Chromecast-class devices -> IoT VLAN 40 after discovery testing
- any Google cast/speaker/display weirdness -> probably last batch
### Quarantine on Legacy CIA
- old bulbs still doing useful work
- old plugs still doing useful work
- retained mystery devices with known household function but bad migration prospects
- any device that still works but has no sane re-pair workflow tonight
### Likely kill candidates
- unknown stale MACs
- orphaned historical smart-home junk
- dead bulbs/plugs nobody notices
- duplicate or long-gone clients still mentally treated as active
## 3. Live Worksheet Table
Fill one row per client discovered on Legacy CIA.
| Device name | MAC | IP | Vendor | Physical location | What it does | Owner | Current control path | Target lane | Disposition | Why | Test after move/block | Result |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Main-Floor ecobee | | | ecobee | main floor | thermostat | household | ecobee app | IoT 40 | migrate | important + controllable | thermostat still controllable | |
| Upstairs ecobee | | | ecobee | upstairs | thermostat | household | ecobee app | IoT 40 | migrate | important + controllable | thermostat still controllable | |
| MyQ | | | Chamberlain/LiftMaster | garage | garage door | household | MyQ app | IoT 40 | migrate | meaningful device | app works after move | |
| Samsung FamilyHub | | | Samsung | kitchen | fridge/display | household | Samsung app/local | IoT 40 | migrate | meaningful appliance | app works after move | |
| LG dryer | | | LG | laundry | dryer telemetry/control | household | LG app | IoT 40 | migrate | low-risk appliance | app works after move | |
| Google Home Mini | | | Google | | voice/cast | household | Google Home app | IoT 40 | migrate later / quarantine | discovery pain | cast/discovery tested | |
| Chromecast / Cast device | | | Google | | casting | household | Google Home/app casting | IoT 40 | migrate later / quarantine | discovery pain | cast still works | |
| Legacy bulb A | | | | | light | | unknown/old app | Legacy CIA | quarantine or kill | depends if anyone misses it | light still works or nobody complains | |
| Legacy plug A | | | | | smart plug | | unknown/old app | Legacy CIA | quarantine or kill | depends if still useful | plug use validated or not | |
| Unknown client 1 | | | | | unknown | unknown | none | none | kill candidate | unidentified | nobody notices after block | |
## 4. Fast Triage Questions During The Window
Ask these for each questionable device:
1. What is it?
2. Who cares if it breaks?
3. Can we still control it?
4. Does it need local LAN access or just internet?
5. Is its correct long-term home obvious?
6. Can we test success in under 2 minutes?
If answers are bad, it does not earn migration tomorrow.
## 5. Specific Handling Guidance
### ecobees
- Move if app/control confidence is decent.
- Validate both thermostats immediately after move.
- If one gets weird, revert that one only.
### MyQ / fridge / dryer
- These are good early IoT wins.
- Minimal emotional attachment, clear owner, clear expected validation.
### Google / Chromecast ecosystem
- Treat as suspicious until proven civilized.
- Do not write broad allow rules just because casting sulks.
- Prefer leaving these in quarantine over contaminating clean policy.
### Protect chimes / doorbell
- These are not Legacy CIA end-state residents.
- Move to Cameras/Security as early cleanup.
### old bulbs / old plugs
- If still useful but irrecoverable, quarantine.
- If their purpose is forgotten, block first, then kill if nobody notices.
## 6. Quarantine Policy Reminder
Legacy CIA devices that remain should get:
- DHCP
- DNS
- NTP
- internet outbound if needed
- no Management access
- no Trusted access
- no Servers access by default
- no Cameras access
- no new joins
## 7. Post-Window Cleanup Queue
After tomorrow, every leftover Legacy CIA row should get one next action:
- retry migration
- collect pairing/reset docs
- physically inspect location
- disable/block and observe
- remove permanently
## 8. Success Condition
The Legacy CIA sheet is successful when:
- every device has a named disposition
- no unknown active clients are left unclassified
- only genuinely hard leftovers remain in quarantine
- you can explain why each remaining device is still there

View File

@@ -0,0 +1,108 @@
# Network Cutover Live Change Log Template
Use this during the live window.
Rule:
- every meaningful change gets a row
- if something breaks, the last row is your first suspect
- do not trust memory
---
## Session header
Date:
Operator:
Primary control box: Rocinante
Fallback admin path:
Start time:
Stop time:
In scope tonight:
- Google: yes, but narrow/reversible only
- U6 LR: only if needed
- FlyingDutchman: stay Trusted unless explicitly reclassified
- Server batch: Nomad + Serenity + PD
Out of scope / defer if ugly:
-
-
-
---
## Live log
| Time | Change ID | Area | Exact change made | Expected result | Validation performed | Result | Rollback needed? | Notes |
|---|---|---|---|---|---|---|---|---|
| | 001 | baseline | captured screenshots/exports | rollback baseline exists | exports saved | pass/fail | n | |
| | 002 | management | | | | | y/n | |
| | 003 | camera/security | | | | | y/n | |
| | 004 | server-batch | move Nomad to Servers | Nomad on correct subnet and reachable | IP + service check | pass/fail | y/n | |
| | 005 | server-batch | move Serenity to Servers | Serenity on correct subnet and reachable | IP + service check | pass/fail | y/n | |
| | 006 | server-batch | move PD to Servers | PD on correct subnet and reachable | IP + service check | pass/fail | y/n | |
| | 007 | iot | | | | | y/n | |
| | 008 | google-test | | | | | y/n | |
| | 009 | guest/ssid | | | | | y/n | |
---
## Batch validation block: Nomad + Serenity + PD
After the three-host move wave, record this before touching anything else:
- Nomad subnet/gateway correct: yes/no
- Serenity subnet/gateway correct: yes/no
- PD subnet/gateway correct: yes/no
- Rocinante can still reach PD: yes/no
- NFS/share relationships recovered: yes/no
- Critical service checks passed: yes/no
- Need immediate rollback: yes/no
If no to any critical line above:
- stop
- revert last moved host first
- unwind in reverse order
---
## Temporary exceptions added
| Time | Rule / exception | Why it was added | Narrow enough? | Remove before end? |
|---|---|---|---|---|
| | | | yes/no | yes/no |
---
## Devices intentionally deferred
| Device | Why deferred | Safe current lane | Follow-up needed |
|---|---|---|---|
| | | | |
---
## End-of-window summary
Minimum success criteria:
- Management materially cleaner: yes/no
- Camera/Security lane sane: yes/no
- Nomad/Serenity/PD batch completed or deliberately rolled back: yes/no
- Easy IoT wins done: yes/no
- Legacy CIA explicitly quarantine/sunset: yes/no
- No broad panic rules added: yes/no
What changed successfully:
-
-
-
What was reverted:
-
-
-
What remains for later:
-
-
-

View File

@@ -0,0 +1,358 @@
# Network Cutover Master Operator Sheet
> For Doris: this is the one-page live operator sheet for tomorrow. Use this instead of bouncing between five docs while tired.
Goal: execute the UniFi network redesign with minimal improvisation, explicit stop/go gates, per-port actions, per-device dispositions, and fast rollback discipline.
Architecture:
- Keep the target lanes clear: Management, Trusted, Servers, IoT, Guest, Cameras.
- Keep Legacy CIA alive only as a quarantine/sunset lane.
- Move true service hosts out of Trusted while keeping human endpoints where they belong.
- Move easy named IoT wins now; quarantine ambiguous junk; Google is in scope, but only through narrow, reversible tests.
Primary references if deeper detail is needed:
- `network-redesign-implementation-runbook.md`
- `network-firewall-rule-order.md`
- `legacy-cia-triage-worksheet.md`
- `unifi-readonly-recon-2026-05-22.md`
- `usw-pro-hd-24-cutover-port-sheet.md`
- `old-iot-tomorrow-disposition-list.md`
---
## 1. Live State Snapshot Already Confirmed
Networks currently present:
- Management -> `10.5.0.1/24`
- Trusted -> VLAN 51 -> `10.5.1.1/24`
- Old IoT -> VLAN 2 -> `192.168.1.1/24`
- IoT -> VLAN 510 -> `10.5.10.1/24`
- Camera -> VLAN 520 -> `10.5.20.1/24`
- Guest -> VLAN 590 -> `10.5.90.1/24`
SSIDs currently present:
- `CIA Via` -> Old IoT
- `UNEF's Playhouse` -> Camera
- `Whiskey Neat Fuck Ice` -> Trusted
- `Yer a Wifi Harry` -> Trusted
Current client counts:
- Management: 2
- Old IoT: 14
- Camera: 1
- Trusted: 14
Current hazards:
- two unnamed `espressif` devices are on Management via `UniFi Wireless` on the U7 Pro
- almost all WiFi clients are on the U7 Pro
- there are no custom firewall rules/groups yet, so tomorrows segmentation policy is basically greenfield
## 2. Tomorrows Must-Win Outcomes
By the time we stop, these should be true:
- Management is materially cleaned up
- Cameras lane exists and is not polluted by junk placement mistakes
- Servers lane exists and core hosts are moved or deliberately staged with validation
- IoT lane exists and easy-value devices are moved
- Legacy CIA is explicitly a quarantine/sunset lane
- no broad panic rules were added to compensate for fatigue
In-scope if conditions support it:
- Google/cast migration work, but only through narrow, reversible tests
- U6 LR only if needed to stabilize client behavior or complete the design cleanly
Nice-to-have only if smooth:
- SSID simplification
## 3. Absolute Rules
- Keep one stable admin path alive the whole time.
- Rocinante is the live operator station, so do not move it until the rest of the server batch is done or an alternate admin path is proven.
- Change one meaningful thing, then validate.
- Do not bulk-edit live server ports blindly.
- Nomad, Serenity, and PD can be moved as one controlled batch only because their NFS/shared-service coupling is real; pre-stage everything first, then validate the batch immediately.
- Do not try to empty Legacy CIA completely if the window gets noisy.
- Do not move unknown junk into Management, Trusted, or Servers.
- Do not let Google/cast problems bait you into broad allow rules.
- If management reachability degrades, rollback first, think second.
## 4. Minute-by-Minute Execution Spine
### T-30 to T-15: prep
- [ ] open this file
- [ ] open UniFi admin
- [ ] open Doris visual artifacts if helpful
- [ ] confirm Rocinante is the live control box
- [ ] confirm fallback route into UniFi in case Rocinante loses the lane mid-change
- [ ] decide whether U6 LR is in scope or explicitly out of scope
### Minute 0-10: baseline capture
- [ ] screenshot/export networks
- [ ] screenshot/export SSIDs
- [ ] screenshot/export firewall/rule state
- [ ] screenshot/export port profiles
- [ ] screenshot/export switch port assignments
- [ ] screenshot/export AP mappings
- [ ] snapshot Management client list
- [ ] snapshot Old IoT client list
Stop/go gate:
- [ ] do not proceed until rollback baseline exists
### Minute 10-20: create/normalize objects only
- [ ] create/confirm Servers network object
- [ ] create/confirm any missing profiles
- [ ] create/confirm staged SSIDs if needed
- [ ] create/confirm staged firewall objects/rules
Stop/go gate:
- [ ] no clients should have moved yet
- [ ] Trusted admin path still fine
### Minute 20-35: management cleanup first
- [ ] identify/address the 2 Management `espressif` devices
- [ ] ensure infra devices remain on Management intent
- [ ] remove obvious non-infra junk from Management
Stop/go gate:
- [ ] UniFi still sees gateway/switch/APs
- [ ] admin client still reaches controller
### Minute 35-50: security cleanup
- [ ] validate Camera lane
- [ ] move Protect chimes if ready
- [ ] confirm doorbell remains healthy
### Minute 50-85: core server move wave
- [ ] leave Rocinante in place as the operator station until the main server batch is done
- [ ] keep FlyingDutchman on Trusted unless a later decision explicitly reclassifies it
- [ ] pre-stage the exact three-port sequence: Nomad, Serenity, PD
- [ ] move Nomad, Serenity, and PD in one controlled wave because of NFS/shared-service coupling
- [ ] validate the batch immediately before touching anything else
### Minute 85-110: easy IoT wins
- [ ] MyQ
- [ ] LG dryer
- [ ] Samsung FamilyHub
- [ ] Main-Floor ecobee
- [ ] Upstairs ecobee
### Minute 110-125: Legacy CIA quarantine pass
- [ ] mark leftovers as quarantine/defer
- [ ] do not force migration of unknowns
- [ ] apply harsh quarantine posture
### Minute 125-140: Google test if the window is still stable
- [ ] test one Google/cast device first
- [ ] if ugly, stop and defer
### Minute 140-155: guest/SSID cleanup
- [ ] validate Guest
- [ ] disable only stale SSIDs that are truly no longer needed
### Minute 155-180: final validation and stop
- [ ] Trusted ok
- [ ] server services ok
- [ ] moved IoT devices ok
- [ ] security ok
- [ ] Management materially cleaner
- [ ] Legacy CIA now explicitly quarantine
## 5. Management Offender Sheet
These two devices are currently on Management and need identification or removal from that lane:
1. `espressif`
- IP: `10.5.0.123`
- AP: `U7 Pro`
- SSID: `UniFi Wireless`
- Default call: identify first; if it is smart-junk, move/quarantine off Management
2. `espressif`
- IP: `10.5.0.189`
- AP: `U7 Pro`
- SSID: `UniFi Wireless`
- Default call: identify first; if it is smart-junk, move/quarantine off Management
Operator note:
- these are almost certainly exactly the sort of device that should not live on your infrastructure lane
## 6. Exact Core Port Move Sheet
### Leave Alone Unless Positively Necessary
- USW Pro HD 24 port 1 -> `U7 Pro (Upstairs)` -> profile `Management`
- USW Pro HD 24 port 27 -> likely infra/uplink -> profile `Management`
- USW-24-PoE port 24 -> link up on `Management`, inspect before touching
### Port Move Order
1. USW Pro HD 24 port 2
- Live host: `Rocinante`
- Current profile visibility from API: ambiguous
- Action: inspect in UI first, then move to `Servers` if confirmed
- Validate:
- correct subnet/gateway
- reachable from Trusted
- intended services still work
2. USW Pro HD 24 port 3
- Live host: `FlyingDutchman`
- Current profile: `Trusted`
- Action: keep on `Trusted` tomorrow unless a later decision explicitly reclassifies it; this is John and Manndra's gaming PC, not a homelab service host by default
- Validate:
- host still reachable
- services behave as expected
- Safe default: leave it in Trusted
3. USW Pro HD 24 port 22
- Live host: `Nomad`
- Current profile: `Trusted`
- Action: move as part of the controlled three-host server batch
- Validate:
- expected address
- services reachable from Trusted
4. USW Pro HD 24 port 24
- Live host: `Serenity`
- Current profile: `Trusted`
- Action: move as part of the controlled three-host server batch
- Validate:
- expected address
- intended services reachable
5. USW Pro HD 24 port 23
- Live host: `PlausibleDeniability`
- Current profile: `Trusted`
- Action: move as part of the controlled three-host server batch after Nomad and Serenity are ready
- Validate:
- expected address
- SSH/admin path still works
- critical homelab services still work
- Warning:
- because Nomad, Serenity, and PD are coupled by active shares/services, treat them as one planned wave rather than three unrelated experiments
- Rocinante should stay as the control box until that wave is complete
## 7. Old IoT Device Disposition Sheet
### Migrate Now
1. `MyQ-29B` -> `192.168.1.130` -> target `IoT`
2. `LG_Smart_Dryer2_open` -> `192.168.1.186` -> target `IoT`
3. `Samsung-FamilyHub` -> `192.168.1.149` -> target `IoT`
4. `Main-Floor` ecobee -> `192.168.1.102` -> target `IoT`
5. `Upstairs` ecobee -> `192.168.1.131` -> target `IoT`
Validation for each:
- app still works
- device online
- no broad helper rule was needed
### Migrate Later Only If Calm
6. `Google-Home-Mini` -> `192.168.1.185`
7. `3c:8d:20:f3:92:36` -> Google device -> `192.168.1.192`
8. `90:ca:fa:b6:7f:6e` -> Google device -> `192.168.1.129`
Rule:
- Google is in scope tomorrow, but start with one Google-class device only unless everything is smooth
- if it demands broad discovery hacks, stop and defer
### Quarantine Tomorrow
9. `5c:61:99:41:73:40` -> unknown Cloud Network device
10. `60:74:f4:54:fd:ec` -> Private/randomized
11. `60:74:f4:7b:6a:11` -> Private/randomized
12. `c0:f5:35:20:5d:94` -> AMPAK device
13. `d4:ad:fc:60:90:6a` -> Intellirocks
14. `d4:ad:fc:ea:7f:65` -> Intellirocks
Rule:
- these do not earn clean-IoT membership by being merely online
- leave them on Legacy CIA quarantine until identified better
## 8. Camera/Security Reality Check
Already true:
- `front-doorbell` is already on Camera at `10.5.20.217`
Tomorrows security work is therefore mainly:
- move/clean up chimes
- tighten policy
- preserve the doorbells healthy state
## 9. Firewall Build Priorities
Build these first:
- established/related allow
- invalid drop
- management shield
- Trusted admin -> Management allow
- Trusted -> Servers allow
- Guest -> internet only
- IoT -> DNS/NTP/internet + specific helpers only
- Camera -> DNS/NTP/internet/Protect only
- Legacy CIA -> DNS/NTP/internet only + explicit one-offs only
- broad internal denies for Guest/IoT/Camera/Legacy CIA
Do not do tomorrow unless proven necessary:
- broad mDNS/cast trust exceptions
- loose `IoT -> Servers any`
- loose `Legacy CIA -> Trusted any`
## 10. Validation Gates
After each meaningful change, check the smallest thing that proves success.
### After management changes
- [ ] UniFi admin still reachable
- [ ] gateway/switch/AP still visible
- [ ] no surprise loss of wireless control
### After each server port move
- [ ] host gets correct subnet/gateway
- [ ] reachable from Trusted
- [ ] expected service path works
### After the Nomad/Serenity/PD batch
- [ ] NFS/shared-service relationships recover cleanly
- [ ] PD remains reachable from Rocinante/admin path
- [ ] no cross-server dependency is hanging half-broken
### After each IoT move
- [ ] device rejoins expected SSID/VLAN
- [ ] app/control works
- [ ] no broad workaround rule added
### After security changes
- [ ] doorbell/chime online
- [ ] expected app/admin behavior works
### After quarantine posture changes
- [ ] Legacy CIA devices still have minimum acceptable functionality
- [ ] they do not have new local trust
## 11. Fast Rollback Strip
If anything goes sideways:
1. revert the last moved device/port first
2. revert the last SSID/VLAN assignment second
3. revert the last firewall rule/order change third
4. restore management-plane reachability before doing anything clever
5. do not stack fresh changes on top of confusion
Immediate rollback triggers:
- loss of UniFi management-plane access
- AP/switch disappears unexpectedly
- moved server loses reachability and root cause is not obvious quickly
- critical household function breaks and cannot be explained fast
- Google weirdness starts baiting sloppy panic rules
## 12. Explicit Stop Condition
Stop when:
- Management is materially cleaner
- Cameras lane is sane
- core server moves are done or deliberately deferred with reasons
- easy-value IoT moves are done
- Legacy CIA is explicitly a quarantine/sunset lane
- the next remaining work item smells like “heroics” instead of “mechanical completion”
That is success.
Not every leftover wart has to die tomorrow.

View File

@@ -0,0 +1,261 @@
# Home Network Redesign Minute-by-Minute Cutover Checklist
> For Doris: this is the live change-window script. Use it like a pilot checklist, not a brainstorming prompt.
Goal: execute the redesign tomorrow with deliberate pauses, validation after every block of changes, and clean rollback points.
Assumptions:
- You have UniFi admin access.
- One stable Trusted admin client remains connected the entire time.
- You are not trying to empty Legacy CIA completely in one heroic swing.
---
## T-30 to T-15 minutes: staging and sanity
- [ ] Open the runbook:
- `/home/fizzlepoof/repos/truenas-stacks/home/doris-dashboard/docs/network-redesign-implementation-runbook.md`
- [ ] Open firewall rule order:
- `/home/fizzlepoof/repos/truenas-stacks/home/doris-dashboard/docs/network-firewall-rule-order.md`
- [ ] Open Legacy CIA worksheet:
- `/home/fizzlepoof/repos/truenas-stacks/home/doris-dashboard/docs/legacy-cia-triage-worksheet.md`
- [ ] Open visual artifacts:
- `http://10.5.30.7:8787/network-redesign.html`
- `http://10.5.30.7:8787/network-web.html`
- [ ] Confirm Rocinante is the live control box.
- [ ] Confirm fallback route to UniFi exists in case Rocinante loses the lane mid-change.
- [ ] Decide whether U6 LR is in or out for tomorrow.
- [ ] Do not start until you know where rollback begins.
## Minute 0-10: baseline capture
- [ ] Screenshot/export current networks.
- [ ] Screenshot/export current SSIDs.
- [ ] Screenshot/export firewall rules and order.
- [ ] Screenshot/export port profiles.
- [ ] Screenshot/export current switch port assignments.
- [ ] Screenshot/export AP config/broadcast mappings.
- [ ] Record current IP/MAC for:
- PD
- Serenity
- Nomad
- Rocinante
- doorbell
- Protect chimes
- ecobees
- MyQ
- Samsung FamilyHub
- LG dryer
- known Google/cast devices
- [ ] Snapshot which clients are on Management now.
- [ ] Snapshot which clients are on Legacy CIA now.
Stop/go check:
- [ ] If baseline capture is incomplete, stop.
## Minute 10-20: create/normalize objects only
- [ ] Create or confirm target networks:
- Mgmt 10
- Trusted 20
- Servers 30
- IoT 40
- Guest 50
- Cameras 60
- Legacy CIA retained
- [ ] Create or confirm port profiles.
- [ ] Create or confirm SSIDs:
- Trusted
- Trusted-Compat if needed
- IoT
- Guest
- Security
- CIA Via only if still needed as temporary quarantine SSID
- [ ] Create/stage rule objects/groups.
- [ ] Enter staged firewall rules in proper order if not already present.
Stop/go check:
- [ ] Nothing should have moved yet.
- [ ] Trusted admin client must still be fine.
## Minute 20-35: management cleanup first
- [ ] Confirm UDM, switches, and APs are mapped to Management intent.
- [ ] Remove obvious non-infrastructure devices from Management.
- [ ] Identify any stragglers remaining in Management and list them.
- [ ] If Security lane is ready, prepare to move chimes immediately.
Validation:
- [ ] UniFi still sees gateway, switches, APs.
- [ ] Trusted admin client can still reach controller.
- [ ] No surprise disconnects.
Rollback trigger:
- [ ] If management reachability degrades, revert the last infra change immediately.
## Minute 35-50: stand up Cameras / Security lane
- [ ] Activate/validate Cameras VLAN 60.
- [ ] Activate Security SSID if needed.
- [ ] Move Protect chimes.
- [ ] Move doorbell if ready.
- [ ] Confirm no security devices remain polluting Management.
Validation:
- [ ] device rejoins expected lane
- [ ] app/admin/Protect behavior still works
- [ ] no broad emergency rules added yet
Rollback trigger:
- [ ] If doorbell/chimes become unrecoverable fast, revert that device only.
## Minute 50-75: move core servers to Servers VLAN 30
Order recommendation for this window:
1. keep Rocinante in place as the live operator station
2. move Nomad
3. move Serenity
4. move PD
5. move Rocinante only after the main batch is validated, or defer it
6. leave FlyingDutchman on Trusted unless you explicitly decide to reclassify it later
For the Nomad/Serenity/PD batch:
- [ ] pre-stage the exact three-host move order before the first change
- [ ] move Nomad to Servers VLAN/profile
- [ ] move Serenity to Servers VLAN/profile
- [ ] move PD to Servers VLAN/profile
- [ ] verify IP/gateway/subnet for all three
- [ ] verify from Rocinante
- [ ] verify NFS/shared-service paths recover cleanly
- [ ] note any reservation/DNS fix needed before continuing
Validation after the batch:
- [ ] each host responds as expected
- [ ] shared services still work
- [ ] PD is still reachable from Rocinante
- [ ] no accidental management loss
Rollback trigger:
- [ ] If the batch breaks and root cause is not obvious quickly, revert the last moved host first and unwind in reverse order.
## Minute 75-100: easy-value IoT migration
Move in this general order:
1. MyQ
2. Samsung FamilyHub
3. LG dryer
4. ecobees if confidence remains high
For each device/class:
- [ ] move to IoT VLAN 40 / IoT SSID
- [ ] wait for reassociation
- [ ] verify cloud/app control
- [ ] verify no stupid broad helper rule was needed
Validation:
- [ ] app works
- [ ] device online
- [ ] no Management exposure
Rollback trigger:
- [ ] If household-critical behavior breaks, revert only that device and continue with safer devices.
## Minute 100-115: Legacy CIA triage pass
- [ ] Open the triage worksheet.
- [ ] For every remaining Legacy CIA client, mark:
- migrate later
- quarantine
- kill candidate
- [ ] Keep useful-but-fragile leftovers on Legacy CIA.
- [ ] Apply quarantine firewall posture.
- [ ] Ensure no new devices are intentionally assigned there.
Validation:
- [ ] Legacy CIA is now explicitly a quarantine lane, not fake production IoT.
- [ ] Remaining devices are explainable.
## Minute 115-130: Google / discovery problem children only if time remains
- [ ] Pick one Google/cast device only.
- [ ] Try moving it to IoT.
- [ ] Test casting/discovery from Trusted.
- [ ] If it needs exceptions, create only host-specific narrow ones.
- [ ] If it gets ugly, stop and revert that one device.
Success condition:
- [ ] either one working pattern discovered
- [ ] or explicit deferral decided without poisoning policy
## Minute 130-140: Guest and SSID cleanup
- [ ] Verify Guest SSID -> VLAN 50.
- [ ] Test internet-only behavior.
- [ ] Disable stale SSIDs that are no longer needed.
- [ ] Keep Trusted-Compat only if it solved a real problem.
- [ ] Keep CIA Via only if remaining quarantined devices still require it.
## Minute 140-150: final validation sweep
From Trusted:
- [ ] internet works
- [ ] UniFi admin works
- [ ] PD/Serenity/Nomad/Rocinante reachable as intended
From Guest:
- [ ] internet works
- [ ] local IPs blocked
From IoT moved devices:
- [ ] app control works
From Cameras/Security:
- [ ] doorbell/chimes online as expected
From Management perspective:
- [ ] infra only, or any temporary exception is explicitly documented
From Legacy CIA perspective:
- [ ] only leftovers remain
- [ ] quarantine posture is active
## Minute 150-165: document what survived the window
- [ ] Record exact devices moved successfully.
- [ ] Record exact devices reverted.
- [ ] Record temporary exceptions added.
- [ ] Record which devices remain on Legacy CIA and why.
- [ ] Record whether U6 LR remains out of scope or becomes next task.
## Minute 165-180: stop, do not improvise
If minimum success criteria are met, stop.
Minimum success criteria:
- [ ] Management cleaned up materially
- [ ] Cameras lane exists
- [ ] Servers lane exists and core hosts are moved or clearly staged
- [ ] IoT lane exists and easy-value devices moved
- [ ] Legacy CIA converted into explicit quarantine/sunset lane
- [ ] no broad insecure panic rules were added
If not met:
- [ ] roll back only the broken last-mile changes
- [ ] do not keep piling on work while tired
## Emergency rollback strip
If something goes sideways:
1. revert the last moved client/device
2. revert the last SSID/VLAN assignment change
3. revert the last firewall rule change/order change
4. restore management-plane reachability first
5. only continue after stability is back
## Out of scope unless everything is shockingly smooth
- full emptying of Legacy CIA
- perfect cast/mDNS handling for every Google thing
- RF fine-tuning
- U6 LR optimization work
- cleanup of every stale historical object in UniFi

View File

@@ -0,0 +1,103 @@
# Network Cutover Red Team Card
Use this during the live window when your brain gets dumb.
Goal:
- make one clean change
- validate it
- either continue or revert
If you feel rushed, stop.
---
## DO
- Keep one known-good Trusted admin client online the entire time.
- Keep Rocinante alive as the live control box until the main server batch is done or a fallback admin path is proven.
- Keep UniFi open.
- Keep the master operator sheet open.
- Change one thing at a time.
- Validate after every host, SSID, profile, or firewall change.
- Revert the last change fast if the break is not obvious.
- Write down temporary exceptions immediately.
- Treat Legacy CIA as quarantine, not a place to hide problems.
## DO NOT
- Do not move unrelated core hosts casually.
- Do not move Rocinante early if you are actively driving the migration from it.
- Do not touch port 27 casually.
- Do not touch port 1 unless intentionally normalizing infra.
- Do not "clean up" Google/cast weirdness early.
- Do not add broad allow-any-any panic rules.
- Do not keep pushing forward while tired or annoyed.
- Do not trust memory when the docs already exist.
---
## FIRST IF BROKEN
1. Ask: what was the very last change?
2. Revert that exact change first.
3. Restore management reachability before anything else.
4. Confirm UniFi gateway, switch, and AP visibility.
5. Confirm the Trusted admin client still reaches the controller.
6. Only then decide whether to retry.
If management breaks:
- revert the last infra/profile/VLAN change immediately
- stop until control-plane access is stable
If the Nomad/Serenity/PD batch breaks:
- revert the last moved host first and unwind in reverse order
- do not start debugging Google nonsense in the middle of a storage/service outage
If a server breaks:
- revert only that server/port/profile
- do not move the next server yet
If an IoT device breaks:
- revert only that device
- keep the rest of the window moving
If Google/cast gets weird:
- defer it
- do not poison policy for the whole network
---
## SAFE ORDER
1. Baseline capture
2. Create/confirm objects only
3. Management cleanup
4. Security/chimes/camera lane
5. Server ports one by one
6. Easy IoT wins
7. Legacy CIA quarantine pass
8. Google weirdness only if time and confidence remain
9. Guest/SSID cleanup
10. Final validation
11. Stop
---
## SUCCESS LOOKS LIKE
- Management materially cleaner
- Camera/Security lane exists
- Servers lane exists and core hosts are moved or clearly staged
- Easy-value IoT devices are moved
- Legacy CIA is now an explicit quarantine/sunset lane
- No broad insecure emergency rules were added
## HARD STOP
Stop if:
- you lose clear management reachability
- you are stacking unresolved breakage
- you are guessing instead of validating
- you catch yourself saying "itll probably be fine"
That sentence means stop.

View File

@@ -0,0 +1,411 @@
# Home Network Redesign Firewall Rule Order
> For Doris: this is the intended UniFi firewall ordering for the redesign. Use groups/comments so every rule is explainable at 2 AM.
Goal: enforce clean segmentation between Management, Trusted, Servers, IoT, Guest, Cameras, and Legacy CIA quarantine without using broad lazy exceptions.
Assumptions:
- Final networks:
- VLAN 10 Management -> `10.5.10.0/24`
- VLAN 20 Trusted -> `10.5.20.0/24`
- VLAN 30 Servers -> `10.5.30.0/24`
- VLAN 40 IoT -> `10.5.40.0/24`
- VLAN 50 Guest -> `10.5.50.0/24`
- VLAN 60 Cameras -> `10.5.60.0/24`
- Legacy CIA quarantine -> existing legacy subnet/VLAN retained temporarily
- Use address/object groups where UniFi allows them.
- Apply stateful best practice first: established/related before policy rules.
- Specific allows always go above broad denies.
---
## 1. Object / Group Inventory To Create First
Create these objects before writing rules:
### Network groups
- `NET-MGMT`
- `NET-TRUSTED`
- `NET-SERVERS`
- `NET-IOT`
- `NET-GUEST`
- `NET-CAMERAS`
- `NET-LEGACY-CIA`
- `NET-RFC1918-ALL` = all internal subnets above plus any other local internal ranges
### Device / host groups
- `HOST-ADMIN-TRUSTED`
- your main laptop
- your phone/tablet if you really need admin from it
- `HOST-CORE-SERVICES`
- PD
- Serenity
- Nomad
- Rocinante
- any controller/helper hosts
- `HOST-PROTECT-SERVICES`
- NVR / Protect endpoints if separate from above
- `HOST-DNS`
- whichever DNS resolvers clients should use
- `HOST-NTP`
- if you use local NTP, otherwise this can be omitted
- `HOST-IOT-HELPERS`
- only services IoT devices are explicitly allowed to hit
- `HOST-CAMERA-HELPERS`
- only services Cameras are explicitly allowed to hit
- `HOST-LEGACY-EXCEPTIONS`
- only for ugly one-off CIA quarantine exceptions
### Port groups
- `PORT-DNS` = 53 TCP/UDP
- `PORT-DHCP` = 67-68 UDP
- `PORT-NTP` = 123 UDP
- `PORT-WEB-ADMIN` = 80,443,8443,9443 or whatever you actually use
- `PORT-SSH` = 22
- `PORT-PROTECT` = exact ports only if needed
- `PORT-MDNS` = 5353 UDP
- `PORT-CAST` = exact discovery/control ports if later proven necessary
## 2. Rule Philosophy
- Trusted is the only lane that gets routine admin rights.
- Management is infrastructure-only and should accept traffic only from explicit admin initiators.
- Servers accept specific human/service traffic from Trusted and tightly scoped helper traffic from IoT/Cameras.
- IoT, Cameras, and Legacy CIA are default-deny internally.
- Guest is internet-only.
- Legacy CIA is hospice, not production.
## 3. Recommended Rule Order
This is ordered top to bottom.
### Section A: Core state handling
1. `ALLOW Established/Related`
- Action: Allow
- States: Established, Related
- Source: Any
- Destination: Any
- Comment: `baseline stateful return traffic`
2. `DROP Invalid`
- Action: Drop
- States: Invalid
- Source: Any
- Destination: Any
- Comment: `drop broken/invalid sessions early`
### Section B: Management protection
3. `ALLOW Trusted Admin -> Management Admin Surfaces`
- Action: Allow
- Source: `HOST-ADMIN-TRUSTED`
- Destination: `NET-MGMT`
- Ports: `PORT-WEB-ADMIN`, `PORT-SSH` and anything truly required
- Comment: `explicit admin to management`
4. `ALLOW Trusted Admin -> Gateway Infra Utilities`
- Action: Allow
- Source: `HOST-ADMIN-TRUSTED`
- Destination: `NET-MGMT`
- Ports: ICMP plus other explicitly needed management utilities
- Comment: `ping/test/manage infra`
5. `DROP IoT -> Management`
- Action: Drop
- Source: `NET-IOT`
- Destination: `NET-MGMT`
- Comment: `iot never initiates to management`
6. `DROP Cameras -> Management`
- Action: Drop
- Source: `NET-CAMERAS`
- Destination: `NET-MGMT`
- Comment: `camera lane never initiates to management`
7. `DROP Guest -> Management`
- Action: Drop
- Source: `NET-GUEST`
- Destination: `NET-MGMT`
- Comment: `guest blocked from management`
8. `DROP Legacy CIA -> Management`
- Action: Drop
- Source: `NET-LEGACY-CIA`
- Destination: `NET-MGMT`
- Comment: `legacy quarantine blocked from management`
9. `DROP Any Internal -> Management`
- Action: Drop
- Source: `NET-RFC1918-ALL`
- Destination: `NET-MGMT`
- Comment: `default management shield after explicit allows`
### Section C: Trusted human lane
10. `ALLOW Trusted -> Servers Approved Access`
- Action: Allow
- Source: `NET-TRUSTED`
- Destination: `NET-SERVERS`
- Ports: Any or explicit service groups depending on how tight you want day one
- Comment: `trusted human lane to servers`
11. `ALLOW Trusted -> Cameras Admin/Viewer Access`
- Action: Allow
- Source: `NET-TRUSTED`
- Destination: `NET-CAMERAS`
- Ports: exact ports if known, otherwise temporary broader allow during migration
- Comment: `trusted operator to camera lane`
12. `ALLOW Trusted -> IoT Control Exceptions`
- Action: Allow
- Source: `NET-TRUSTED`
- Destination: `NET-IOT`
- Ports: only what control/discovery really needs
- Comment: `trusted control to iot where required`
### Section D: Server helper traffic
13. `ALLOW Servers -> IoT Approved Helpers`
- Action: Allow
- Source: `HOST-IOT-HELPERS` or `NET-SERVERS` narrowed to real helper hosts
- Destination: `NET-IOT`
- Ports: exact service ports only
- Comment: `ha/mqtt/etc only if actually used`
14. `ALLOW Cameras -> Protect Services`
- Action: Allow
- Source: `NET-CAMERAS`
- Destination: `HOST-PROTECT-SERVICES`
- Ports: exact Protect/NVR ports
- Comment: `camera lane to protect only`
15. `ALLOW IoT -> Approved Server Helpers`
- Action: Allow
- Source: `NET-IOT`
- Destination: `HOST-IOT-HELPERS`
- Ports: exact ports only
- Comment: `iot can only hit specific helper services`
16. `ALLOW Legacy CIA -> Approved One-Off Exception`
- Action: Allow
- Source: specific host(s) in `NET-LEGACY-CIA`
- Destination: specific host(s)
- Ports: exact ports only
- Disabled by default unless proven needed
- Comment: `ugly but narrow quarantine exception`
### Section E: DNS / NTP baseline for restricted lanes
17. `ALLOW IoT -> DNS`
- Action: Allow
- Source: `NET-IOT`
- Destination: `HOST-DNS`
- Ports: `PORT-DNS`
- Comment: `iot dns`
18. `ALLOW Cameras -> DNS`
- Action: Allow
- Source: `NET-CAMERAS`
- Destination: `HOST-DNS`
- Ports: `PORT-DNS`
- Comment: `camera dns`
19. `ALLOW Legacy CIA -> DNS`
- Action: Allow
- Source: `NET-LEGACY-CIA`
- Destination: `HOST-DNS`
- Ports: `PORT-DNS`
- Comment: `legacy dns`
20. `ALLOW IoT -> NTP`
- Action: Allow
- Source: `NET-IOT`
- Destination: `HOST-NTP` or Any if using public NTP
- Ports: `PORT-NTP`
- Comment: `iot ntp`
21. `ALLOW Cameras -> NTP`
- Action: Allow
- Source: `NET-CAMERAS`
- Destination: `HOST-NTP` or Any if using public NTP
- Ports: `PORT-NTP`
- Comment: `camera ntp`
22. `ALLOW Legacy CIA -> NTP`
- Action: Allow
- Source: `NET-LEGACY-CIA`
- Destination: `HOST-NTP` or Any if using public NTP
- Ports: `PORT-NTP`
- Comment: `legacy ntp`
### Section F: Internet access for constrained lanes
23. `ALLOW Guest -> Internet`
- Action: Allow
- Source: `NET-GUEST`
- Destination: Internet / Not RFC1918
- Comment: `guest internet only`
24. `ALLOW IoT -> Internet`
- Action: Allow
- Source: `NET-IOT`
- Destination: Internet / Not RFC1918
- Comment: `iot outbound internet`
25. `ALLOW Cameras -> Internet Updates`
- Action: Allow
- Source: `NET-CAMERAS`
- Destination: Internet / Not RFC1918
- Comment: `camera updates/cloud only if needed`
26. `ALLOW Legacy CIA -> Internet`
- Action: Allow
- Source: `NET-LEGACY-CIA`
- Destination: Internet / Not RFC1918
- Comment: `legacy quarantine outbound only`
### Section G: Broad internal denies for restricted lanes
27. `DROP Guest -> RFC1918/Internal`
- Action: Drop
- Source: `NET-GUEST`
- Destination: `NET-RFC1918-ALL`
- Comment: `guest blocked from local networks`
28. `DROP IoT -> Trusted`
- Action: Drop
- Source: `NET-IOT`
- Destination: `NET-TRUSTED`
- Comment: `iot blocked from human lane`
29. `DROP IoT -> Servers`
- Action: Drop
- Source: `NET-IOT`
- Destination: `NET-SERVERS`
- Comment: `iot blocked from servers after helper exceptions`
30. `DROP IoT -> Cameras`
- Action: Drop
- Source: `NET-IOT`
- Destination: `NET-CAMERAS`
- Comment: `iot blocked from camera lane`
31. `DROP Cameras -> Trusted`
- Action: Drop
- Source: `NET-CAMERAS`
- Destination: `NET-TRUSTED`
- Comment: `cameras blocked from human lane`
32. `DROP Cameras -> Servers`
- Action: Drop
- Source: `NET-CAMERAS`
- Destination: `NET-SERVERS`
- Comment: `cameras blocked from servers except protect`
33. `DROP Cameras -> IoT`
- Action: Drop
- Source: `NET-CAMERAS`
- Destination: `NET-IOT`
- Comment: `camera lane blocked from iot`
34. `DROP Legacy CIA -> Trusted`
- Action: Drop
- Source: `NET-LEGACY-CIA`
- Destination: `NET-TRUSTED`
- Comment: `legacy blocked from human lane`
35. `DROP Legacy CIA -> Servers`
- Action: Drop
- Source: `NET-LEGACY-CIA`
- Destination: `NET-SERVERS`
- Comment: `legacy blocked from servers after one-offs`
36. `DROP Legacy CIA -> Cameras`
- Action: Drop
- Source: `NET-LEGACY-CIA`
- Destination: `NET-CAMERAS`
- Comment: `legacy blocked from security lane`
37. `DROP Legacy CIA -> IoT`
- Action: Drop
- Source: `NET-LEGACY-CIA`
- Destination: `NET-IOT`
- Comment: `legacy does not mingle with clean iot`
### Section H: Optional discovery exceptions
38. `ALLOW Trusted -> mDNS Reflector / Discovery Helper`
- Only if real testing proves needed
- Prefer reflector/helper architecture over broad subnet trust
39. `ALLOW Specific Google/Cast Device -> Specific Helper`
- Host-specific only
- Ports exact only
- Comment with device name and why it exists
40. `DROP Any Temporary Discovery Exception Cleanup Marker`
- Not a real rule type, just a process note
- Every temporary discovery rule gets a unique comment and review date
## 4. Rule Notes By Lane
Management:
- Most-protected lane.
- Admin access only from known trusted admin devices.
Trusted:
- Primary operator lane.
- Allowed to talk where humans need to talk, but still not a dumping ground.
Servers:
- Prefer exact service-based exposure later.
- For tomorrow, a broader Trusted -> Servers allow is acceptable if you document it and tighten later.
IoT:
- Default deny inward and outward to internal LANs except helper carve-outs.
Cameras:
- Same philosophy as IoT, but even stricter.
- If Protect is local, keep camera-to-protect flow exact.
Legacy CIA:
- Outbound internet, DNS, NTP, nothing more unless explicitly justified.
- Every exception should feel embarrassing.
## 5. What To Stage Tomorrow Versus Later
Stage tomorrow:
- established/related
- invalid drop
- management shield
- guest internet-only pattern
- IoT/Cameras/Legacy broad internal denies
- Trusted admin to Management
- Trusted to Servers
- DNS/NTP for restricted lanes
- Legacy CIA quarantine posture
Defer if not needed immediately:
- mDNS/cast helper rules
- fancy service-specific microsegmentation between Trusted and Servers
- any discovery exceptions not proven by real failure testing
## 6. Validation Checklist After Rule Deployment
- Trusted admin client can still reach UniFi/gateway/switch/AP admin surfaces
- Trusted can reach core server services
- Guest gets internet and cannot reach local IPs
- IoT device can resolve DNS, keep time, and reach vendor cloud if expected
- Camera/security device remains online and can reach Protect if required
- Legacy CIA device still works only at minimum acceptable level
- No restricted lane can initiate into Management
## 7. Red Flags
Do not do these:
- allow `IoT -> Servers any`
- allow `Legacy CIA -> Trusted any`
- allow `Guest -> RFC1918 any`
- put discovery/broadcast panic rules above security structure without device-specific justification
- leave unnamed temporary rules in place after testing
## 8. First Tightening Pass After Tomorrow
After the cutover stabilizes:
- narrow Trusted -> Servers from broad allow to explicit service sets if useful
- delete any temporary discovery exceptions that proved unnecessary
- audit whether Cameras even need outbound internet
- audit whether Legacy CIA can lose individual devices or the whole SSID

View File

@@ -0,0 +1,419 @@
# Home Network Redesign Implementation Runbook
> For Doris: use this during the live UniFi change window. Goal is a controlled cutover with explicit validation and rollback at each boundary.
Goal: deploy the target VLAN/SSID/firewall design with minimum drama, keep legacy CIA Via as a quarantine lane for devices that cannot yet be migrated, and finish the window with an understandable, supportable network.
Architecture summary:
- Final target lanes remain VLAN 10 Management, VLAN 20 Trusted, VLAN 30 Servers, VLAN 40 IoT, VLAN 50 Guest, VLAN 60 Cameras/Security.
- Legacy CIA Via remains temporarily alive as a quarantine/sunset VLAN for unmanageable legacy devices.
- No non-infrastructure devices stay on Management when the window closes.
- No broad trust exceptions are added just to make migration feel easier.
Tech stack / control surfaces:
- UniFi Network controller on UDM Pro
- UDM Pro gateway/firewall
- USW Pro HD 24 and other UniFi switching
- U7 Pro and optional U6 LR APs
- Doris artifacts for reference:
- `/home/fizzlepoof/repos/truenas-stacks/home/doris-dashboard/public/network-redesign.html`
- `/home/fizzlepoof/repos/truenas-stacks/home/doris-dashboard/public/network-web.html`
- `/home/fizzlepoof/repos/truenas-stacks/home/doris-dashboard/docs/network-redesign-plan.md`
---
## 1. Required Access
Required to implement directly:
- UniFi OS / Network write access on the UDM Pro site at `https://10.5.0.1`
- Ability to create/edit:
- VLANs / networks
- Wi-Fi SSIDs
- firewall rules
- port profiles
- switch port assignments
- device settings for APs/switches
- Ability to see client inventory with MAC/IP/vendor names
Required for safe validation after each move:
- Existing SSH access to PD via `pd` (`truenas_admin@10.5.30.6`)
- Reachability to NOMAD-hosted Doris web artifacts at `10.5.30.7:8787`
- A Trusted client on-site on WiFi for live user validation
- At least one device on each of these categories available for test:
- Trusted client
- server service
- IoT device/app pair
- guest client
- camera/security device if moved tomorrow
Optional but strongly preferred:
- Temporary full admin role in UniFi instead of pair-driving through read-only
- Access to export or screenshot current config before changes
- Ability to check AP/switch port LEDs/physical labels if anything is ambiguous
Fallback if you do not want to grant write access:
- Pair-drive the entire window with you at the keyboard in UniFi while I call every exact change in order
- This is slower but workable
## 2. What Can Be Finished Before Tomorrow
Pre-work Doris can finish now without write access:
- Final runbook and sequence document
- Final object naming convention
- Final firewall intent matrix
- Validation checklist per VLAN
- Rollback checklist per phase
- Device triage sheet for Legacy CIA Via:
- migrate
- quarantine
- kill
Pre-work requiring only read access / screenshots / exports from you:
- Confirm exact current UniFi object names
- Confirm whether VLAN IDs 10/20/30/40/50/60 already exist or must be created
- Confirm current SSID names and which APs broadcast each one
- Confirm current port-profile names and which switch ports use them
- Confirm which clients are currently on Management and CIA Via
- Confirm whether U6 LR is physically installed and link-ready or still shelved
Pre-work requiring write access, if granted tonight:
- Create missing target networks/VLAN objects without moving clients yet
- Create disabled/staged SSIDs without enabling them yet
- Create new port profiles without assigning them yet
- Create firewall rules in disabled or low-priority staged form
- Label/comment rules and profiles for tomorrows change window
## 3. Hard Rules For The Change Window
- One operator console on Trusted stays connected the whole time.
- One fallback path into UniFi must remain alive before any management change.
- Do not move multiple unknown devices at once.
- Do not delete Legacy CIA Via tomorrow unless it is truly empty, which is unlikely.
- Do not move legacy/unmanageable junk into Management, Trusted, or Servers to “just get done.”
- After every change group, stop and validate before continuing.
- If management-plane reachability is degraded, roll back immediately before chasing anything else.
## 4. Target Objects
### Networks / VLANs
- `NET-MGMT` -> VLAN 10 -> `10.5.10.0/24`
- `NET-TRUSTED` -> VLAN 20 -> `10.5.20.0/24`
- `NET-SERVERS` -> VLAN 30 -> `10.5.30.0/24`
- `NET-IOT` -> VLAN 40 -> `10.5.40.0/24`
- `NET-GUEST` -> VLAN 50 -> `10.5.50.0/24`
- `NET-CAMERAS` -> VLAN 60 -> `10.5.60.0/24`
- `NET-LEGACY-CIA` -> existing legacy VLAN/subnet retained temporarily as quarantine lane
### WiFi SSIDs
- `Trusted` -> VLAN 20
- `Trusted-Compat` -> VLAN 20, optional temporary only
- `IoT` -> VLAN 40
- `Guest` -> VLAN 50
- `Security` -> VLAN 60
- `CIA Via` -> legacy VLAN, temporary only, no new joins
### Port profiles
- `PP-TRUNK-UPLINK`
- `PP-ACCESS-MGMT`
- `PP-ACCESS-TRUSTED`
- `PP-ACCESS-SERVERS`
- `PP-ACCESS-IOT`
- `PP-ACCESS-GUEST`
- `PP-ACCESS-CAMERAS`
- `PP-ACCESS-LEGACY-CIA`
## 5. Firewall Policy Intent
Trusted:
- allow to Management for admin devices only
- allow to Servers for normal human/service use
- allow to Cameras for operator/admin use
- allow limited control flows to IoT if required
Servers:
- allow explicit services outward as needed
- no sloppy east-west broad allow
- allow NVR/Protect-related flows to Cameras only if required
IoT:
- allow DHCP/DNS/NTP/internet
- deny Management
- deny Trusted by default
- deny Servers except specific helper/service destinations
- explicit discovery exceptions only when proven necessary
Guest:
- internet only
- deny all local RFC1918/internal subnets
- client isolation on WiFi
Cameras/Security:
- allow DHCP/DNS/NTP/internet/update paths as needed
- deny broad lateral movement
- allow only Protect/NVR/admin destinations
Legacy CIA quarantine lane:
- allow DHCP/DNS/NTP/internet
- deny Management
- deny Trusted
- deny Cameras
- deny Servers by default
- add only device-specific exceptions if absolutely required
- no new devices assigned here intentionally
## 6. Baseline Capture Before First Change
Capture all of this before changing anything:
- Screenshot/export all existing networks
- Screenshot/export all SSIDs
- Screenshot/export firewall rules in current order
- Screenshot/export port profiles
- Screenshot/export AP settings
- Screenshot/export switch port assignments
- Record current IP/gateway/subnet for:
- PD
- Serenity
- Nomad
- Rocinante
- UDM Pro
- U7 Pro
- U6 LR if present
- Record current MAC/IP list for important Old IoT devices:
- Google Home Mini / cast devices
- both ecobees
- MyQ
- Samsung Family Hub
- LG dryer
- known legacy bulbs/plugs
- doorbell
- Protect chimes
- Confirm current DHCP reservations/static mappings that may break when VLANs move
## 7. Validation Tests To Run Repeatedly
Trusted validation:
- Trusted WiFi client gets correct subnet/gateway
- internet works
- can reach UniFi admin
- can reach PD/NOMAD/Serenity services expected from user lane
Management validation:
- UDM, switches, APs remain visible/manageable in UniFi
- no unexpected client endpoints remain in Management
Servers validation:
- PD/Serenity/Nomad/Rocinante get correct subnet/gateway after move
- critical services respond from Trusted
- outbound internet works if required
IoT validation:
- device rejoins expected SSID/VLAN
- vendor app control still works
- local control still works only if intentionally allowed
Guest validation:
- guest device gets internet
- cannot reach local subnets
Security validation:
- doorbell/chimes/camera devices stay online
- admin/Protect access works if expected
- no reachability into unrelated lanes
Legacy CIA validation:
- quarantined devices still work at the minimum acceptable level
- no new devices are added there
## 8. Change Sequence For Tomorrow
### Phase A: Safety setup
1. Confirm one wired or strongly stable Trusted admin client is connected.
2. Open UniFi in one session and keep Doris artifacts open in another.
3. Capture all baseline screenshots/exports.
4. Confirm rollback path into UniFi if WiFi changes go bad.
5. Confirm whether U6 LR participates tomorrow or stays out of scope.
Exit criteria:
- baseline captured
- management reachability stable
- rollback path confirmed
### Phase B: Create or normalize objects without moving clients
1. Create any missing target networks.
2. Create any missing port profiles.
3. Create/stage SSIDs:
- Trusted
- Trusted-Compat if needed
- IoT
- Guest
- Security
4. Create/stage Legacy CIA quarantine policy object naming.
5. Create staged firewall rules with comments.
Exit criteria:
- all objects exist
- nothing has moved yet
- no current connectivity loss
### Phase C: Management cleanup first
1. Ensure UDM, switches, and AP management surfaces are on VLAN 10 intent.
2. Remove obvious non-infrastructure devices from Management.
3. Move Protect chimes out of Management as top cleanup item if Security lane is ready.
4. Re-validate UniFi visibility of gateway, switches, APs.
Rollback if:
- UniFi loses management of gateway/switch/APs
- admin client can no longer reach management plane
Exit criteria:
- Management is infrastructure-only or very close to it
- no human endpoints or smart accessories remain there except known temporary exceptions tracked in writing
### Phase D: Build/activate Cameras lane
1. Activate/validate `NET-CAMERAS`.
2. Activate `Security` SSID if used.
3. Move doorbell and Protect chimes to Cameras/Security.
4. Validate app/admin behavior.
Rollback if:
- security devices fall offline and cannot be recovered quickly
Exit criteria:
- doorbell/chimes are no longer polluting Management
- Camera lane exists for future growth
### Phase E: Move core servers to Servers VLAN 30
1. Move one least-scary server first.
2. Validate from Trusted.
3. Update any reservation/DNS/profile dependency if needed.
4. Move remaining core hosts one by one:
- PD
- Serenity
- Nomad
- Rocinante
5. After each move, validate service reachability and outbound needs.
Rollback if:
- critical service path breaks and root cause is not obvious within a few minutes
Exit criteria:
- core hosts reside in Servers lane
- Trusted still reaches intended services
### Phase F: Move easy IoT first
1. Activate/validate `IoT` SSID and VLAN 40.
2. Move easiest/least-fragile devices first:
- MyQ
- Samsung Family Hub
- LG dryer
- ecobees if confidence is high
3. Validate each class before moving the next.
4. Leave Google/cast pain until the end of IoT work.
Rollback if:
- essential household function breaks and app recovery is not immediate
Exit criteria:
- easy-value devices are out of Legacy CIA
- no unnecessary broad allow rules were added
### Phase G: Legacy CIA quarantine handling
1. Rename/reclassify CIA Via mentally and operationally as quarantine, not production IoT.
2. Leave orphaned bulbs/plugs/mystery devices there.
3. Apply strict quarantine firewall posture.
4. Build a written list of remaining MACs/devices with disposition:
- migrate later
- quarantine indefinitely for now
- kill/remove when safe
Exit criteria:
- Legacy CIA contains only leftovers and quarantined junk
- its policy is harsh and explicit
### Phase H: Google / discovery problem children
1. Move one Google/cast-class device only if time and energy remain.
2. Test discovery/casting behavior from Trusted.
3. Add only narrow exceptions if evidence proves a need.
4. If messy, stop. Leave the rest in Legacy CIA quarantine for a later targeted session.
Exit criteria:
- either one known-good pattern exists, or the problem is intentionally deferred
### Phase I: Guest and SSID cleanup
1. Validate Guest SSID maps to VLAN 50.
2. Confirm internet-only behavior.
3. Disable/retire any stale SSIDs not still needed for migration.
4. Keep `Trusted-Compat` only if it earns its keep.
5. Keep `CIA Via` only as temporary quarantine SSID if required for remaining devices.
Exit criteria:
- SSIDs reflect policy, not history
- only necessary temporary migration SSIDs remain
## 9. Explicit Device Triage
Move tomorrow if practical:
- Protect chimes
- doorbell
- PD
- Serenity
- Nomad
- Rocinante
- MyQ
- Samsung Family Hub
- LG dryer
- both ecobees if low risk
Probably defer or treat carefully:
- Google Home / cast ecosystem
- any device requiring odd mDNS/broadcast behavior
Quarantine in Legacy CIA:
- legacy lights
- legacy plugs
- mystery old smart devices
- anything no longer controllable but still physically present
Kill candidates after observation:
- unknown inactive MACs
- devices nobody misses after blocking
- duplicate/orphaned historical entries
## 10. Rollback Rules
Immediate rollback triggers:
- loss of UniFi management-plane access
- APs/switches vanish or go isolated unexpectedly
- Trusted admin client cannot reach controller/gateway
- critical household function breaks with no quick diagnosis
Rollback scope:
- revert last moved device first
- revert last SSID mapping change second
- revert last firewall rule addition/position third
- revert network object only if the object itself is wrong
- never stack more changes onto a broken state
## 11. Definition Of Done For Tomorrow
Minimum successful tomorrow outcome:
- Management is cleaned up
- Cameras/Security lane exists
- Servers lane exists and at least core hosts are moved or staged with confidence
- IoT lane exists and at least easy-value devices are moved
- Legacy CIA is converted into explicit quarantine/sunset lane
- no broad insecure exceptions were added out of fatigue
Nice-to-have, not mandatory tomorrow:
- U6 LR restored and tuned
- Google/cast fully migrated
- Legacy CIA emptied completely
- perfect final SSID simplification
## 12. Follow-up Work After Tomorrow
- Build exact firewall rule matrix page/artifact
- Commit/push dashboard docs and artifacts into repo properly
- Review remaining Legacy CIA devices one by one
- Decide whether U6 LR returns based on actual coverage evidence
- Remove stale SSIDs, port profiles, and rules once migration dust settles

View File

@@ -0,0 +1,214 @@
# Home Network Redesign Plan
> For Doris: this is the target architecture and migration plan that the interactive site visualizes.
Goal: redesign John's home network and homelab into a simpler, future-proof VLAN model that supports camera growth, cleaner firewall policy, better Wi-Fi placement, and easier operations.
Architecture summary:
- Collapse historical clutter into six intentional VLANs.
- Separate user devices, servers, infrastructure, IoT, guests, and cameras/security.
- Move all non-infrastructure devices off Management.
- Retire Old IoT after staged migration.
- Add the downstairs U6 LR back into service if coverage or roaming needs it.
## Target VLANs
1. Infrastructure / Management
- VLAN 10
- Subnet: 10.5.10.0/24
- Contains: UDM, switches, APs, management IPs, controller-facing infra, OOB/admin surfaces
- Policy: only Trusted admin devices and designated server tooling may initiate into this VLAN
2. Trusted Clients
- VLAN 20
- Subnet: 10.5.20.0/24
- Contains: phones, tablets, laptops, handhelds, Steam Deck, personal endpoints
- Policy: can reach Servers and selected admin surfaces; not a dumping ground for random smart devices
3. Servers / Core Services
- VLAN 30
- Subnet: 10.5.30.0/24
- Contains: PlausibleDeniability, Serenity, Nomad, Rocinante, FlyingDutchman if it is a real service host
- Policy: tightly controlled east-west; explicit service exposure to IoT/Camera where needed
4. IoT / Smart Home
- VLAN 40
- Subnet: 10.5.40.0/24
- Contains: ecobees, appliances, MyQ, Google Home-class devices, legacy smart junk worth keeping
- Policy: default deny to internal networks except DNS, NTP, specific server services, and carefully allowed discovery flows
5. Guest
- VLAN 50
- Subnet: 10.5.50.0/24
- Contains: visitor and untrusted BYOD devices
- Policy: internet only, client isolation on Wi-Fi
6. Cameras / Security
- VLAN 60
- Subnet: 10.5.60.0/24
- Contains: doorbell, Protect chimes, future cameras, NVR-adjacent accessories, security-specific Wi-Fi endpoints
- Policy: no broad access to LAN; only specific flows to Protect/NVR services and operator/admin clients
## SSID Plan
Preferred steady-state SSIDs:
- Trusted: one main trusted SSID
- Trusted-Compat: optional temporary fallback for stubborn devices only
- IoT: one dedicated smart-home SSID
- Guest: one guest SSID
- Security: one dedicated SSID for Wi-Fi doorbells/chimes/cameras if needed
Mapping recommendation:
- Trusted SSID -> VLAN 20
- Trusted-Compat SSID -> VLAN 20 (temporary or policy-reduced fallback)
- IoT SSID -> VLAN 40
- Guest SSID -> VLAN 50
- Security SSID -> VLAN 60
Current-name migration suggestion:
- Yer a Wifi Harry -> Trusted
- Whiskey Neat Fuck Ice -> temporary Trusted-Compat or retire later
- CIA Via -> repoint to IoT during migration, then decide whether to keep or rename
- UNEF's Playhouse -> Security / Cameras
## Device Placement Recommendations
Infrastructure / Management:
- UDM Pro
- USW Pro HD 24
- USW-24-PoE
- U7 Pro
- U6 LR
- other management-only appliance interfaces
Servers / Core Services:
- PlausibleDeniability
- Serenity
- Nomad
- Rocinante
- FlyingDutchman if used as a real service host
Trusted Clients:
- phones
- tablets
- handhelds
- laptops/desktops
- Steam Deck
IoT / Smart Home:
- Main-Floor ecobee
- Upstairs ecobee
- MyQ
- Samsung FamilyHub
- LG dryer
- Google Home Mini
- Google / Chromecast-class devices
- retained legacy smart devices
Cameras / Security:
- front-doorbell
- Protect chimes
- future wired/PoE cameras
- future Wi-Fi security accessories
## Wi-Fi and AP Placement
Primary AP design:
- U7 Pro remains active as the main upstairs AP.
- Reinstall the U6 LR downstairs if downstairs coverage, roaming, or camera/IoT RSSI is weak.
- Prefer wired backhaul for both APs.
Operational stance:
- Do not overcomplicate RF tuning on day one.
- First restore dual-AP coverage, then evaluate channels, transmit power, and minimum RSSI with real client behavior.
- For growing cameras/security footprint, bias toward wired PoE cameras on the Cameras VLAN when practical.
## Firewall Intent
Trusted -> Management
- allow only designated admin devices/services
Trusted -> Servers
- allow
Trusted -> IoT
- limited allow for control/discovery as needed
Trusted -> Cameras
- allow operator/admin access
Servers -> IoT
- allow only explicitly needed services
Servers -> Cameras
- allow Protect/NVR-related flows only
IoT -> internal networks
- default deny
- explicit allow to DNS, NTP, specific server services, and required discovery helpers only
Cameras -> internal networks
- default deny
- explicit allow to Protect/NVR, time, DNS, and update paths only
Guest -> internal networks
- deny
Management -> internet
- only what infrastructure actually needs
## Migration Order
Phase 0: groundwork
- create target VLANs and port profiles
- stage firewall rules
- stage target SSIDs
- document rollback points
Phase 1: infrastructure cleanup
- move all infra to Management VLAN 10
- remove non-infra clients from management
- verify switch/AP/gateway management reachability
Phase 2: servers
- move core hosts to Servers VLAN 30
- confirm service reachability from Trusted
- update DNS/static mappings/firewall rules
Phase 3: cameras/security
- move doorbell and chimes to VLAN 60
- prepare room for future camera growth
Phase 4: IoT migration
- move active smart-home devices from Old IoT into VLAN 40 in batches
- start with easiest cloud-managed devices, then thermostats, then Google ecosystem devices
Phase 5: SSID simplification
- retire Old IoT SSID after validation
- collapse or retire temporary Trusted-Compat if not needed
Phase 6: cleanup
- remove Old IoT VLAN 2
- remove stale port profiles
- remove stale firewall rules and historical exceptions
## Port Profile Set
Maintain only intentional profiles:
- trunk-uplink
- access-management
- access-trusted
- access-servers
- access-iot
- access-guest
- access-cameras
## Success Criteria
- Management contains infrastructure only
- Old IoT is retired
- Cameras/Security has room to grow now, not later
- VLAN purpose is obvious at a glance
- Wi-Fi SSIDs reflect policy, not historical accidents
- Firewall rules match intent and are explainable
- A tired operator can still understand the network at 2 AM

View File

@@ -0,0 +1,226 @@
# Old IoT Tomorrow Disposition List
> For Doris: this is the concrete disposition call for every current live Old IoT client seen during read-only recon. This is the list to use tomorrow unless live validation proves otherwise.
Source basis:
- live UniFi read-only recon on 2026-05-22
- all devices listed were active on SSID `CIA Via` through the `U7 Pro`
- /home/fizzlepoof/repos/truenas-stacks/home/doris-dashboard/docs/unifi-readonly-recon-2026-05-22.md
- /home/fizzlepoof/repos/truenas-stacks/home/doris-dashboard/docs/legacy-cia-triage-worksheet.md
Disposition labels:
- `migrate-now`
- `migrate-later`
- `quarantine`
- `kill-candidate`
---
## 1. Move tomorrow if practical (`migrate-now`)
### MyQ-29B
- IP: `192.168.1.130`
- Vendor: The Chamberlain Group, Inc
- Tomorrow disposition: `migrate-now`
- Target: `IoT`
- Why:
- known device
- clear owner/function
- easy-value migration win
- Validation:
- MyQ app still works
- garage status/control behaves normally
### Main-Floor
- IP: `192.168.1.102`
- Vendor: ecobee inc
- Tomorrow disposition: `migrate-now`
- Target: `IoT`
- Why:
- known thermostat
- clear function
- deserves proper IoT placement
- Validation:
- thermostat visible in app
- control/update works
### Upstairs
- IP: `192.168.1.131`
- Vendor: ecobee inc
- Tomorrow disposition: `migrate-now`
- Target: `IoT`
- Why:
- same reasoning as Main-Floor
- Validation:
- thermostat visible in app
- control/update works
### LG_Smart_Dryer2_open
- IP: `192.168.1.186`
- Vendor: LG Innotek
- Tomorrow disposition: `migrate-now`
- Target: `IoT`
- Why:
- named appliance
- low emotional/operational complexity
- good early migration candidate
- Validation:
- LG app/device connectivity still works
### Samsung-FamilyHub
- IP: `192.168.1.149`
- Vendor: Samsung Electronics Co., Ltd
- Tomorrow disposition: `migrate-now`
- Target: `IoT`
- Why:
- known appliance
- obvious long-term home
- Validation:
- Samsung app/features still work at the acceptable level
## 2. Move only if time/energy remains, otherwise defer (`migrate-later`)
### Google-Home-Mini
- IP: `192.168.1.185`
- Vendor: Google, Inc.
- Tomorrow disposition: `migrate-later`
- Target: `IoT`
- Why:
- discovery/cast pain risk
- likely to provoke panic-rule temptation
- Tomorrow handling:
- move only if the rest of the window is already stable
- if ugly, revert or leave on Legacy CIA quarantine
- Validation:
- app sees device
- casting/discovery from Trusted behaves acceptably
### 3c:8d:20:f3:92:36
- IP: `192.168.1.192`
- Vendor: Google, Inc.
- Tomorrow disposition: `migrate-later`
- Target: likely `IoT`
- Why:
- Google-class unknown-by-name device
- same discovery/cast risk profile
- Tomorrow handling:
- identify what it is before moving if possible
- otherwise defer
- Validation:
- whatever its expected Google behavior is still works
### 90:ca:fa:b6:7f:6e
- IP: `192.168.1.129`
- Vendor: Google, Inc.
- Tomorrow disposition: `migrate-later`
- Target: likely `IoT`
- Why:
- likely another Google/cast/discovery problem child
- Tomorrow handling:
- identify first if possible
- otherwise defer
- Validation:
- expected Google behavior survives move
## 3. Leave on Legacy CIA quarantine tomorrow unless identified better (`quarantine`)
### 5c:61:99:41:73:40
- IP: `192.168.1.172`
- Vendor: Cloud Network Technology Singapore Pte. Ltd.
- Tomorrow disposition: `quarantine`
- Why:
- unnamed
- unclear function
- not enough evidence to grant clean-IoT membership
- Tomorrow handling:
- leave on Legacy CIA with harsh restrictions
- identify later
### 60:74:f4:54:fd:ec
- IP: `192.168.1.136`
- Vendor: Private
- Tomorrow disposition: `quarantine`
- Why:
- private/randomized identity
- no useful name
- function unclear
- Tomorrow handling:
- quarantine first, not migration first
### 60:74:f4:7b:6a:11
- IP: `192.168.1.117`
- Vendor: Private
- Tomorrow disposition: `quarantine`
- Why:
- same reasoning as above
### c0:f5:35:20:5d:94
- IP: `192.168.1.183`
- Vendor: AMPAK Technology,Inc.
- Tomorrow disposition: `quarantine`
- Why:
- could be all sorts of embedded junk
- no positive identification
### d4:ad:fc:60:90:6a
- IP: `192.168.1.100`
- Vendor: Shenzhen Intellirocks Tech co., ltd
- Tomorrow disposition: `quarantine`
- Why:
- unclear function
- likely disposable/low-trust smart junk unless proven otherwise
### d4:ad:fc:ea:7f:65
- IP: `192.168.1.101`
- Vendor: Shenzhen Intellirocks Tech co., ltd
- Tomorrow disposition: `quarantine`
- Why:
- same reasoning as sister device above
## 4. Kill-candidate logic
No current Old IoT client is marked `kill-candidate` immediately from inventory alone because we still saw them as active.
But these become `kill-candidate` fast if:
- nobody can identify them
- nobody can say what they do
- blocking/quarantining them produces no complaints
- they are duplicate Google/embedded junk with no actual value
Most likely future kill-candidate pool:
- the unnamed `Private` devices
- the unknown Cloud Network / AMPAK devices
- the two unnamed Intellirocks devices
- any Google MAC-only device nobody can identify once mapped physically
## 5. Suggested tomorrow move order inside Old IoT
Use this order:
1. MyQ-29B
2. LG_Smart_Dryer2_open
3. Samsung-FamilyHub
4. Main-Floor ecobee
5. Upstairs ecobee
6. stop and assess
7. only then test one Google device if the window is still calm
Everything else:
- stays on Legacy CIA quarantine
- gets documented
- gets revisited later with actual identification work
## 6. Explicit anti-mistakes
Do not do these tomorrow:
- do not migrate unknown MAC-only devices just because they are online
- do not broaden IoT trust to appease Google discovery quickly
- do not move quarantine-worthy junk into Management or Trusted
- do not try to fully empty Old IoT if the window starts getting noisy
## 7. Success condition for tomorrow
A successful tomorrow outcome is:
- easy-value named devices are moved into IoT
- Google/discovery weirdness is either handled narrowly or deferred
- all unknown junk remains contained on Legacy CIA
- every remaining Old IoT device has an explicit reason it is still there

View File

@@ -0,0 +1,135 @@
# Server Batch Validation Checklist
Use this immediately after moving Nomad, Serenity, and PD.
Do not start Google nonsense, SSID cleanup, or extra cleanup until this is green.
Primary control path:
- operator box: Rocinante
- critical dependency group: Nomad + Serenity + PlausibleDeniability
---
## Before the batch
- [ ] Rocinante is stable and currently has UniFi/admin access.
- [ ] Fallback admin path exists if Rocinante drops off.
- [ ] Current port/profile screenshots taken for:
- [ ] Port 22 -> Nomad
- [ ] Port 24 -> Serenity
- [ ] Port 23 -> PD
- [ ] Expected target subnet/gateway for Servers VLAN is written down.
- [ ] You are ready to unwind in reverse order if needed.
Move order:
1. Nomad
2. Serenity
3. PD
Rollback order if ugly:
1. PD
2. Serenity
3. Nomad
---
## Per-host quick checks during the wave
### After Nomad move
- [ ] Link came back
- [ ] Nomad got expected Servers IP/subnet/gateway
- [ ] Rocinante can still reach Nomad
- [ ] Expected Nomad-hosted service(s) respond
- [ ] No obvious share/dependency explosion yet
### After Serenity move
- [ ] Link came back
- [ ] Serenity got expected Servers IP/subnet/gateway
- [ ] Rocinante can still reach Serenity
- [ ] Expected Serenity-hosted service(s) respond
- [ ] No obvious share/dependency explosion yet
### After PD move
- [ ] Link came back
- [ ] PD got expected Servers IP/subnet/gateway
- [ ] Rocinante can still reach PD
- [ ] SSH/admin path to PD still works
- [ ] Critical PD-hosted homelab services respond
---
## Immediate batch validation
Do all of these before touching anything else:
### Reachability
- [ ] Rocinante -> Nomad reachable
- [ ] Rocinante -> Serenity reachable
- [ ] Rocinante -> PD reachable
### IP sanity
- [ ] Nomad is on the intended Servers subnet
- [ ] Serenity is on the intended Servers subnet
- [ ] PD is on the intended Servers subnet
- [ ] Default gateway is correct for all three
### Cross-host dependency sanity
- [ ] NFS mounts/shares recovered cleanly
- [ ] No host is hanging on stale routes or dead mount targets
- [ ] Any name-resolution dependency still works as expected
- [ ] No authentication/admin path you need for the rest of the window disappeared
### Service sanity
- [ ] Doris/dashboard path(s) you need are still reachable
- [ ] Any storage-backed services needed for the live window still work
- [ ] Nothing critical is stuck waiting on a dead share
### Control-plane sanity
- [ ] UniFi is still reachable from Rocinante
- [ ] Switch/AP visibility still looks normal
- [ ] No management-plane surprise coincided with the server batch
---
## Stop conditions
Stop and unwind if any of these are true:
- [ ] PD is not reachable from Rocinante
- [ ] NFS/share recovery is unclear after a short wait
- [ ] You cannot tell whether the problem is routing, DNS, or service binding
- [ ] UniFi/admin access is degraded at the same time
- [ ] You are guessing instead of validating
---
## Reverse-order rollback strip
If the batch is bad and the reason is not immediately obvious:
1. Revert PD port/profile first.
- [ ] PD returns to prior lane/profile
- [ ] PD admin path restored
2. Revert Serenity port/profile second.
- [ ] Serenity returns to prior lane/profile
3. Revert Nomad port/profile third.
- [ ] Nomad returns to prior lane/profile
4. Re-check:
- [ ] Rocinante -> PD
- [ ] Rocinante -> Serenity
- [ ] Rocinante -> Nomad
- [ ] UniFi/admin access stable again
Do not continue the broader migration until this set is stable.
---
## When this batch counts as successful
- [ ] Nomad moved successfully
- [ ] Serenity moved successfully
- [ ] PD moved successfully
- [ ] Rocinante still has the admin path you need
- [ ] Shares/services recovered cleanly enough to continue
- [ ] No emergency broad firewall workaround was needed
If all six are true, move on.
If not, stop pretending and fix or roll back first.

View File

@@ -0,0 +1,117 @@
# UniFi Live Preflight Snapshot
Date: 2026-05-22
Mode: read-only live pull from PD using the Doris UniFi operator account
Controller: `https://10.5.0.1`
Site: `default`
## Why this exists
This is a fresh, low-risk preflight snapshot taken after the earlier recon so tomorrow does not start from stale assumptions.
## Networks
- Internet 1 -> purpose=`wan` vlan=`untagged` subnet=`n/a`
- Internet 2 -> purpose=`wan` vlan=`untagged` subnet=`n/a`
- One-Click VPN -> purpose=`remote-user-vpn` vlan=`untagged` subnet=`192.168.2.1/24`
- Proton Chicago -> purpose=`vpn-client` vlan=`untagged` subnet=`10.2.0.2/32`
- Slate 7 -> purpose=`remote-user-vpn` vlan=`untagged` subnet=`192.168.3.1/24`
- Old IoT -> purpose=`corporate` vlan=`2` subnet=`192.168.1.1/24`
- Trusted -> purpose=`corporate` vlan=`51` subnet=`10.5.1.1/24`
- IoT -> purpose=`corporate` vlan=`510` subnet=`10.5.10.1/24`
- Camera -> purpose=`corporate` vlan=`520` subnet=`10.5.20.1/24`
- Guest -> purpose=`guest` vlan=`590` subnet=`10.5.90.1/24`
- Management -> purpose=`corporate` vlan=`untagged` subnet=`10.5.0.1/24`
## SSIDs currently enabled
- `CIA Via`
- `UNEF's Playhouse`
- `Whiskey Neat Fuck Ice`
- `Yer a Wifi Harry`
## Port profiles currently present
- `Camera`
- `IoT`
- `Management`
- `Old IoT`
- `Trusted`
Operator implication:
- `Servers` still does not exist as a live port profile/object visible in this pull.
- Tomorrow must not begin server moves until `Servers` is created/confirmed.
## UniFi device state
- `U6 LR` -> type=`uap` ip=`10.5.0.20` state=`0` version=`6.7.41.15623`
- `U7 Pro` -> type=`uap` ip=`10.5.0.21` state=`1` version=`8.5.21.18681`
- `UDM Pro - Old` -> type=`udm` ip=`69.166.182.157` state=`1` version=`5.1.11.33023`
- `USW Pro HD 24` -> type=`usw` ip=`10.5.0.135` state=`1` version=`7.4.1.16850`
- `USW-24-PoE` -> type=`usw` ip=`10.5.0.10` state=`1` version=`7.4.1.16850`
Interpretation:
- U6 LR still appears disconnected/offline in the current API view.
- The active wireless load is still effectively on the U7 Pro.
## Current client counts by network
- Camera: 1
- Management: 2
- Old IoT: 14
- Trusted: 14
## Critical named clients for tomorrow
- `PlausibleDeniability` -> Trusted -> `10.5.1.6`
- `Serenity` -> Trusted -> `10.5.1.5`
- `Nomad` -> Trusted -> `10.5.1.16`
- `Rocinante` -> Trusted -> `10.5.1.112`
- `FlyingDutchman` -> Trusted -> `10.5.1.111`
- `MyQ-29B` -> Old IoT -> `192.168.1.130`
- `Samsung-FamilyHub` -> Old IoT -> `192.168.1.149`
- `LG_Smart_Dryer2_open` -> Old IoT -> `192.168.1.186`
- `LG_Smart_Laundry2_open` -> Trusted -> `10.5.1.184`
- `Main-Floor` -> Old IoT -> `192.168.1.102`
- `Upstairs` -> Old IoT -> `192.168.1.131`
- `Google-Home-Mini` -> Old IoT -> `192.168.1.185`
- `front-doorbell` -> Camera -> `10.5.20.217`
## Management offenders still present
- `58:d6:1f:54:e5:6d` -> `10.5.0.123`
- `58:d6:1f:54:e5:af` -> `10.5.0.189`
These are still the two management-lane ESP-class offenders to identify or evict.
## Fresh anomalies vs the earlier planning assumptions
1. `LG_Smart_Laundry2_open` is currently on `Trusted` at `10.5.1.184`.
- This was not part of the original Old IoT-first migration set.
- Decide tomorrow whether it belongs on IoT or whether it is a separate harmless laundry app endpoint you intentionally trust.
2. `U6 LR` still shows state `0`.
- Treat it as optional only if needed, not as assumed active infrastructure.
3. The controller still shows zero custom firewall groups/rules/routing objects from the earlier read-only recon.
- Firewall staging is still basically greenfield.
## Safe prep work completed tonight
- verified UniFi read access still works from PD
- refreshed live device/client counts
- confirmed named host placement for the server batch and Old IoT migration set
- confirmed management offenders remain present
- confirmed U6 LR still appears offline/disconnected
- captured a raw pre-write baseline of `networkconf` and `portconf` at `/home/fizzlepoof/repos/truenas-stacks/home/doris-dashboard/docs/baselines/unifi-object-baseline-2026-05-22-024653.json`
- authored an idempotent staging helper at `/home/fizzlepoof/repos/truenas-stacks/automation/bin/unifi_stage_low_risk_objects.py`
- copied that helper to PD at `/mnt/docker-ssd/docker/compose/automation/bin/unifi_stage_low_risk_objects.py`
- confirmed the current Doris UniFi account is still read-only for writes: `POST /rest/networkconf` returns `403 Forbidden`
## Recommended no-surprise start conditions for tomorrow
- create/confirm `Servers` object/profile before any server port move
- keep Rocinante on Trusted as the live control box until the Nomad/Serenity/PD wave is complete
- leave FlyingDutchman on Trusted
- treat Google as in-scope only through narrow reversible tests
- do not assume U6 LR is usable unless you explicitly verify it in the UI

View File

@@ -0,0 +1,138 @@
# UniFi Read-Only Recon Notes
Date: 2026-05-22
Mode: read-only only
Auth status: verified working with upgraded Doris admin login
## Scope completed
- authenticated login verified
- network object inventory read
- SSID inventory read
- port profile inventory read
- client inventory read
- AP/client mapping read
- wired switch-port/client mapping read
- firewall/policy endpoint probes read
## High-value findings
### 1. Firewall model / current policy state
- `firewallrule`: 200, count 0
- `firewallgroup`: 200, count 0
- `firewallzone`: 400
- `trafficrule`: 400
- `routing`: 200, count 0
Interpretation:
- there are currently no custom classic firewall rules in the Network app dataset returned by the API
- no custom firewall groups are defined there either
- zone/traffic-rule endpoints are not active in the way this API helper expected
- practical implication: tomorrows segmentation policy work is largely greenfield, not cleanup of a big custom ruleset
### 2. Current network objects
- Management -> corporate -> untagged -> `10.5.0.1/24`
- Trusted -> corporate -> VLAN 51 -> `10.5.1.1/24`
- Old IoT -> corporate -> VLAN 2 -> `192.168.1.1/24`
- IoT -> corporate -> VLAN 510 -> `10.5.10.1/24`
- Camera -> corporate -> VLAN 520 -> `10.5.20.1/24`
- Guest -> guest -> VLAN 590 -> `10.5.90.1/24`
### 3. Current SSIDs
- `CIA Via` -> Old IoT
- `UNEF's Playhouse` -> Camera
- `Whiskey Neat Fuck Ice` -> Trusted
- `Yer a Wifi Harry` -> Trusted
### 4. Management offenders
Both Management-lane clients are WiFi clients on the U7 Pro and both are unnamed `espressif` devices on the default `UniFi Wireless` SSID.
- `espressif` -> `10.5.0.123` -> U7 Pro -> SSID `UniFi Wireless`
- `espressif` -> `10.5.0.189` -> U7 Pro -> SSID `UniFi Wireless`
Interpretation:
- these are almost certainly stray ESP-class smart devices and exactly the kind of junk that should not live on Management
- tomorrow we should either identify and move them, or quarantine them if they are brittle
### 5. Old IoT live inventory
All are currently on SSID `CIA Via` via the U7 Pro.
Likely migrate-first / easy-value:
- `MyQ-29B` -> `192.168.1.130`
- `Main-Floor` ecobee -> `192.168.1.102`
- `Upstairs` ecobee -> `192.168.1.131`
- `LG_Smart_Dryer2_open` -> `192.168.1.186`
- `Samsung-FamilyHub` -> `192.168.1.149`
Likely migrate-later / discovery pain:
- `Google-Home-Mini` -> `192.168.1.185`
- `3c:8d:20:f3:92:36` -> Google -> `192.168.1.192`
- `90:ca:fa:b6:7f:6e` -> Google -> `192.168.1.129`
Likely quarantine until identified better:
- `5c:61:99:41:73:40` -> Cloud Network Technology Singapore -> `192.168.1.172`
- `60:74:f4:54:fd:ec` -> Private -> `192.168.1.136`
- `60:74:f4:7b:6a:11` -> Private -> `192.168.1.117`
- `c0:f5:35:20:5d:94` -> AMPAK -> `192.168.1.183`
- `d4:ad:fc:60:90:6a` -> Shenzhen Intellirocks -> `192.168.1.100`
- `d4:ad:fc:ea:7f:65` -> Shenzhen Intellirocks -> `192.168.1.101`
### 6. Camera lane live state
- `front-doorbell` is already on Camera network at `10.5.20.217`
Interpretation:
- the doorbell is already where it belongs logically
- tomorrows security cleanup work is mainly about chimes and future policy tightening
### 7. Trusted lane still carrying infrastructure-class hosts
Trusted currently includes:
- `PlausibleDeniability` -> `10.5.1.6`
- `Serenity` -> `10.5.1.5`
- `Nomad` -> `10.5.1.16`
- `Rocinante` -> `10.5.1.112`
- `FlyingDutchman` -> `10.5.1.111`
Interpretation:
- tomorrows server-lane work is real and necessary
- these should not stay blended into the human client lane long-term
### 8. AP/client mapping
- `U7 Pro`: 26 clients
- `wired/unknown`: 5 clients
Interpretation:
- almost all current active wireless load is concentrated on the U7 Pro
- the U6 LR is presently not carrying client load
### 9. Wired client to switch-port mapping
On `USW Pro HD 24`:
- port 2 -> `Rocinante`
- port 3 -> `FlyingDutchman`
- port 22 -> `Nomad`
- port 23 -> `PlausibleDeniability`
- port 24 -> `Serenity`
### 10. Important switch-port assignments
On `USW Pro HD 24`:
- port 1 -> profile `Management` -> `U7 Pro (Upstairs)`
- port 22 -> profile `Trusted` -> `Nomad`
- port 23 -> profile `Trusted` -> `Docker Server` / PD
- port 24 -> profile `Trusted` -> `Serenity 10G (1)`
- port 27 -> profile `Management` -> up at 10G
- port 3 -> profile `Trusted` -> `FlyingDutchman`
- port 2 -> up at 2.5G with no explicit profile shown -> `Rocinante`
On `USW-24-PoE`:
- port 24 -> profile `Management` -> up at 1G
- many inactive preassigned ports exist for `IoT`, `Old IoT`, and `Management`
Interpretation:
- the core server moves tomorrow are mechanically straightforward because their live ports are visible
- PD / Serenity / Nomad / FlyingDutchman are explicitly sitting on Trusted access profiles today
- Rocinante needs a quick extra look because the client is live on port 2 but that port did not show an explicit profile name in the returned record
## Recommended next actions for tomorrow
1. identify the two Management `espressif` devices before or during the window
2. move/changeprofile for server ports on the USW Pro HD 24 one at a time
3. treat Google devices as late-batch or defer
4. treat unknown Old IoT clients as quarantine by default, not migration by default
5. keep Camera cleanup focused on chimes and policy, because the doorbell is already in the correct lane

View File

@@ -0,0 +1,209 @@
# USW Pro HD 24 Exact Change Sheet
> For Doris: this is the mechanical switch-port sheet for tomorrow. Do not freestyle. Change one thing, validate, then continue.
Source basis:
- live UniFi read-only recon on 2026-05-22
- /home/fizzlepoof/repos/truenas-stacks/home/doris-dashboard/docs/unifi-readonly-recon-2026-05-22.md
- /home/fizzlepoof/repos/truenas-stacks/home/doris-dashboard/docs/network-redesign-implementation-runbook.md
## Core principle
- Uplink/AP/infra ports stay Management or trunked as appropriate.
- Server-class hosts leave Trusted and move to Servers.
- Unknown live ports get eyeballed before change.
- Do not bulk-edit profiles blindly.
- Rocinante is the live operator box, so keep it stable until the main server batch is complete or an alternate admin path is proven.
- Nomad, Serenity, and PD may need to move as one controlled wave because of NFS/shared-service coupling; validate the batch immediately.
---
## 1. Desired profile set for tomorrow
Current relevant profiles seen live:
- Management
- Trusted
- IoT
- Camera
- Old IoT
Needed for tomorrow:
- Management
- Trusted
- Servers
- IoT
- Camera
- Guest
- Old IoT
- trunk/uplink profile if you choose to normalize uplinks now
If `Servers` does not exist yet:
- create it before changing server ports
- use it as the target for the core host ports below
## 2. USW Pro HD 24 live ports that matter
### Port 1
- Name: `U7 Pro (Upstairs)`
- Current profile: `Management`
- Link: up
- Speed: 2.5G
- Role: AP uplink / infrastructure
- Tomorrow action: leave on Management unless/until you replace with an explicit trunk/uplink profile
- Risk: high if changed incorrectly
- Validation after any change:
- U7 Pro remains online in UniFi
- wireless clients stay associated
- management plane remains reachable
### Port 2
- Name: `Port 2`
- Current observed live client: `Rocinante`
- Current explicit profile visibility: not clearly returned by API
- Link: up
- Speed: 2.5G
- Role: server/core host
- Tomorrow action: inspect in UniFi UI first, confirm current native network/profile, but keep Rocinante in place as the live operator station until the Nomad/Serenity/PD batch is done or a backup admin path is proven
- Risk: medium because profile visibility was ambiguous in API data
- Validation after move:
- Rocinante gets expected Servers subnet/gateway
- reachable from Trusted as intended
- any expected service ports work
### Port 3
- Name: `FlyingDutchman`
- Current profile: `Trusted`
- Link: up
- Speed: 2.5G
- Role: human endpoint / gaming PC unless proven otherwise
- Tomorrow action: leave on `Trusted` tomorrow unless you deliberately reclassify it later; default assumption is that it should stay with trusted human endpoints
- Risk: medium
- Validation after move:
- host gets expected subnet/gateway
- reachable from Trusted as intended
- only move if this box is actually supposed to live with the homelab service lane
### Port 22
- Name: `Port 22`
- Current live client: `Nomad`
- Current profile: `Trusted`
- Link: up
- Speed: 2.5G
- Role: core host
- Tomorrow action: move to `Servers`
- Risk: medium
- Validation after move:
- Nomad gets expected Servers address
- Doris pages / services expected on Nomad still reachable from Trusted
### Port 23
- Name: `Docker Server`
- Current live client: `PlausibleDeniability`
- Current profile: `Trusted`
- Link: up
- Speed: 10G
- Role: primary core server
- Tomorrow action: move to `Servers`
- Risk: high-ish because this is central infrastructure
- Validation after move:
- PD gets expected Servers address
- SSH to `pd` still works from Trusted/admin lane
- critical services still reachable from Trusted
- no surprise breakage to shared homelab functions
### Port 24
- Name: `Serenity 10G (1)`
- Current live client: `Serenity`
- Current profile: `Trusted`
- Link: up
- Speed: 10G
- Role: core host
- Tomorrow action: move to `Servers`
- Risk: medium-high
- Validation after move:
- Serenity gets expected Servers address
- intended services still reachable from Trusted
### Port 27
- Name: `Port 27`
- Current profile: `Management`
- Link: up
- Speed: 10G
- Role: likely infra/uplink
- Tomorrow action: do not touch unless you have positively identified what it is
- Risk: very high
- Validation if ever touched:
- upstream/downstream infra remains healthy
- no switch isolation or mgmt loss
## 3. Recommended exact move order for server ports
Use this order, not random order:
1. Port 2 -> Rocinante
- inspect/profile-confirm first
- do not move it early if it is your live admin path
2. Port 22 -> Nomad
- first member of the controlled three-host batch
3. Port 24 -> Serenity
- second member of the controlled three-host batch
4. Port 23 -> PlausibleDeniability
- third member of the controlled three-host batch
5. Port 3 -> FlyingDutchman
- default action is no move; only revisit if you intentionally decide it belongs in Servers after all
If you want the most conservative variant:
- leave Rocinante on Trusted during the live work
- move Nomad, Serenity, and PD as the only server-lane batch
- leave FlyingDutchman on Trusted
## 4. Per-port execution script
For each independent server port or server batch:
1. open switch port in UniFi UI
2. confirm live client identity matches expectation
3. screenshot current state
4. if touching Nomad/Serenity/PD, pre-stage the exact order before the first change
5. change profile from `Trusted` (or current) -> `Servers`
6. wait for link/client/IP reassignment
7. verify host gets expected subnet/gateway
8. verify reachability from Rocinante/admin path
9. verify expected service behavior
10. if it was the three-host batch, verify cross-host dependencies before anything else
11. only then proceed to next port
## 5. Ports to explicitly leave alone tomorrow
Leave alone unless a later issue forces action:
- Port 1 (U7 Pro upstairs)
- Port 27 (likely infra/uplink)
- all inactive ports
- any uplink/trunk-ish port not positively identified
## 6. Potential follow-up ports outside the main switch
USW-24-PoE notable live port:
- Port 24 -> profile `Management` -> link up at 1G
- Tomorrow action: read-only verify what it is before touching
- Do not change it casually during the same window unless you have confirmed its role
## 7. Success criteria for this port sheet
Successful tomorrow outcome:
- Nomad, Serenity, and PD are no longer sitting on Trusted access ports
- Rocinante is either still the live admin box by deliberate choice or moved cleanly after the main batch is complete
- FlyingDutchman stays on Trusted unless deliberately reclassified with reason
- AP/uplink/infra ports remain stable
- no server move proceeds without validation
## 8. Red flags
Stop immediately if:
- a moved host does not pull the expected subnet
- SSH/admin access path disappears unexpectedly
- a port identity in the UI does not match expected host
- changing one port breaks unrelated infra
- PD move causes unclear blast radius and you cannot explain it within a couple minutes