Sync network redesign repo state and cutover artifacts

This commit is contained in:
Fizzlepoof
2026-05-22 20:16:21 +00:00
parent 4b1e3d4061
commit 9e6dde7695
59 changed files with 5389 additions and 244 deletions

View File

@@ -0,0 +1,411 @@
# Home Network Redesign Firewall Rule Order
> For Doris: this is the intended UniFi firewall ordering for the redesign. Use groups/comments so every rule is explainable at 2 AM.
Goal: enforce clean segmentation between Management, Trusted, Servers, IoT, Guest, Cameras, and Legacy CIA quarantine without using broad lazy exceptions.
Assumptions:
- Final networks:
- VLAN 10 Management -> `10.5.10.0/24`
- VLAN 20 Trusted -> `10.5.20.0/24`
- VLAN 30 Servers -> `10.5.30.0/24`
- VLAN 40 IoT -> `10.5.40.0/24`
- VLAN 50 Guest -> `10.5.50.0/24`
- VLAN 60 Cameras -> `10.5.60.0/24`
- Legacy CIA quarantine -> existing legacy subnet/VLAN retained temporarily
- Use address/object groups where UniFi allows them.
- Apply stateful best practice first: established/related before policy rules.
- Specific allows always go above broad denies.
---
## 1. Object / Group Inventory To Create First
Create these objects before writing rules:
### Network groups
- `NET-MGMT`
- `NET-TRUSTED`
- `NET-SERVERS`
- `NET-IOT`
- `NET-GUEST`
- `NET-CAMERAS`
- `NET-LEGACY-CIA`
- `NET-RFC1918-ALL` = all internal subnets above plus any other local internal ranges
### Device / host groups
- `HOST-ADMIN-TRUSTED`
- your main laptop
- your phone/tablet if you really need admin from it
- `HOST-CORE-SERVICES`
- PD
- Serenity
- Nomad
- Rocinante
- any controller/helper hosts
- `HOST-PROTECT-SERVICES`
- NVR / Protect endpoints if separate from above
- `HOST-DNS`
- whichever DNS resolvers clients should use
- `HOST-NTP`
- if you use local NTP, otherwise this can be omitted
- `HOST-IOT-HELPERS`
- only services IoT devices are explicitly allowed to hit
- `HOST-CAMERA-HELPERS`
- only services Cameras are explicitly allowed to hit
- `HOST-LEGACY-EXCEPTIONS`
- only for ugly one-off CIA quarantine exceptions
### Port groups
- `PORT-DNS` = 53 TCP/UDP
- `PORT-DHCP` = 67-68 UDP
- `PORT-NTP` = 123 UDP
- `PORT-WEB-ADMIN` = 80,443,8443,9443 or whatever you actually use
- `PORT-SSH` = 22
- `PORT-PROTECT` = exact ports only if needed
- `PORT-MDNS` = 5353 UDP
- `PORT-CAST` = exact discovery/control ports if later proven necessary
## 2. Rule Philosophy
- Trusted is the only lane that gets routine admin rights.
- Management is infrastructure-only and should accept traffic only from explicit admin initiators.
- Servers accept specific human/service traffic from Trusted and tightly scoped helper traffic from IoT/Cameras.
- IoT, Cameras, and Legacy CIA are default-deny internally.
- Guest is internet-only.
- Legacy CIA is hospice, not production.
## 3. Recommended Rule Order
This is ordered top to bottom.
### Section A: Core state handling
1. `ALLOW Established/Related`
- Action: Allow
- States: Established, Related
- Source: Any
- Destination: Any
- Comment: `baseline stateful return traffic`
2. `DROP Invalid`
- Action: Drop
- States: Invalid
- Source: Any
- Destination: Any
- Comment: `drop broken/invalid sessions early`
### Section B: Management protection
3. `ALLOW Trusted Admin -> Management Admin Surfaces`
- Action: Allow
- Source: `HOST-ADMIN-TRUSTED`
- Destination: `NET-MGMT`
- Ports: `PORT-WEB-ADMIN`, `PORT-SSH` and anything truly required
- Comment: `explicit admin to management`
4. `ALLOW Trusted Admin -> Gateway Infra Utilities`
- Action: Allow
- Source: `HOST-ADMIN-TRUSTED`
- Destination: `NET-MGMT`
- Ports: ICMP plus other explicitly needed management utilities
- Comment: `ping/test/manage infra`
5. `DROP IoT -> Management`
- Action: Drop
- Source: `NET-IOT`
- Destination: `NET-MGMT`
- Comment: `iot never initiates to management`
6. `DROP Cameras -> Management`
- Action: Drop
- Source: `NET-CAMERAS`
- Destination: `NET-MGMT`
- Comment: `camera lane never initiates to management`
7. `DROP Guest -> Management`
- Action: Drop
- Source: `NET-GUEST`
- Destination: `NET-MGMT`
- Comment: `guest blocked from management`
8. `DROP Legacy CIA -> Management`
- Action: Drop
- Source: `NET-LEGACY-CIA`
- Destination: `NET-MGMT`
- Comment: `legacy quarantine blocked from management`
9. `DROP Any Internal -> Management`
- Action: Drop
- Source: `NET-RFC1918-ALL`
- Destination: `NET-MGMT`
- Comment: `default management shield after explicit allows`
### Section C: Trusted human lane
10. `ALLOW Trusted -> Servers Approved Access`
- Action: Allow
- Source: `NET-TRUSTED`
- Destination: `NET-SERVERS`
- Ports: Any or explicit service groups depending on how tight you want day one
- Comment: `trusted human lane to servers`
11. `ALLOW Trusted -> Cameras Admin/Viewer Access`
- Action: Allow
- Source: `NET-TRUSTED`
- Destination: `NET-CAMERAS`
- Ports: exact ports if known, otherwise temporary broader allow during migration
- Comment: `trusted operator to camera lane`
12. `ALLOW Trusted -> IoT Control Exceptions`
- Action: Allow
- Source: `NET-TRUSTED`
- Destination: `NET-IOT`
- Ports: only what control/discovery really needs
- Comment: `trusted control to iot where required`
### Section D: Server helper traffic
13. `ALLOW Servers -> IoT Approved Helpers`
- Action: Allow
- Source: `HOST-IOT-HELPERS` or `NET-SERVERS` narrowed to real helper hosts
- Destination: `NET-IOT`
- Ports: exact service ports only
- Comment: `ha/mqtt/etc only if actually used`
14. `ALLOW Cameras -> Protect Services`
- Action: Allow
- Source: `NET-CAMERAS`
- Destination: `HOST-PROTECT-SERVICES`
- Ports: exact Protect/NVR ports
- Comment: `camera lane to protect only`
15. `ALLOW IoT -> Approved Server Helpers`
- Action: Allow
- Source: `NET-IOT`
- Destination: `HOST-IOT-HELPERS`
- Ports: exact ports only
- Comment: `iot can only hit specific helper services`
16. `ALLOW Legacy CIA -> Approved One-Off Exception`
- Action: Allow
- Source: specific host(s) in `NET-LEGACY-CIA`
- Destination: specific host(s)
- Ports: exact ports only
- Disabled by default unless proven needed
- Comment: `ugly but narrow quarantine exception`
### Section E: DNS / NTP baseline for restricted lanes
17. `ALLOW IoT -> DNS`
- Action: Allow
- Source: `NET-IOT`
- Destination: `HOST-DNS`
- Ports: `PORT-DNS`
- Comment: `iot dns`
18. `ALLOW Cameras -> DNS`
- Action: Allow
- Source: `NET-CAMERAS`
- Destination: `HOST-DNS`
- Ports: `PORT-DNS`
- Comment: `camera dns`
19. `ALLOW Legacy CIA -> DNS`
- Action: Allow
- Source: `NET-LEGACY-CIA`
- Destination: `HOST-DNS`
- Ports: `PORT-DNS`
- Comment: `legacy dns`
20. `ALLOW IoT -> NTP`
- Action: Allow
- Source: `NET-IOT`
- Destination: `HOST-NTP` or Any if using public NTP
- Ports: `PORT-NTP`
- Comment: `iot ntp`
21. `ALLOW Cameras -> NTP`
- Action: Allow
- Source: `NET-CAMERAS`
- Destination: `HOST-NTP` or Any if using public NTP
- Ports: `PORT-NTP`
- Comment: `camera ntp`
22. `ALLOW Legacy CIA -> NTP`
- Action: Allow
- Source: `NET-LEGACY-CIA`
- Destination: `HOST-NTP` or Any if using public NTP
- Ports: `PORT-NTP`
- Comment: `legacy ntp`
### Section F: Internet access for constrained lanes
23. `ALLOW Guest -> Internet`
- Action: Allow
- Source: `NET-GUEST`
- Destination: Internet / Not RFC1918
- Comment: `guest internet only`
24. `ALLOW IoT -> Internet`
- Action: Allow
- Source: `NET-IOT`
- Destination: Internet / Not RFC1918
- Comment: `iot outbound internet`
25. `ALLOW Cameras -> Internet Updates`
- Action: Allow
- Source: `NET-CAMERAS`
- Destination: Internet / Not RFC1918
- Comment: `camera updates/cloud only if needed`
26. `ALLOW Legacy CIA -> Internet`
- Action: Allow
- Source: `NET-LEGACY-CIA`
- Destination: Internet / Not RFC1918
- Comment: `legacy quarantine outbound only`
### Section G: Broad internal denies for restricted lanes
27. `DROP Guest -> RFC1918/Internal`
- Action: Drop
- Source: `NET-GUEST`
- Destination: `NET-RFC1918-ALL`
- Comment: `guest blocked from local networks`
28. `DROP IoT -> Trusted`
- Action: Drop
- Source: `NET-IOT`
- Destination: `NET-TRUSTED`
- Comment: `iot blocked from human lane`
29. `DROP IoT -> Servers`
- Action: Drop
- Source: `NET-IOT`
- Destination: `NET-SERVERS`
- Comment: `iot blocked from servers after helper exceptions`
30. `DROP IoT -> Cameras`
- Action: Drop
- Source: `NET-IOT`
- Destination: `NET-CAMERAS`
- Comment: `iot blocked from camera lane`
31. `DROP Cameras -> Trusted`
- Action: Drop
- Source: `NET-CAMERAS`
- Destination: `NET-TRUSTED`
- Comment: `cameras blocked from human lane`
32. `DROP Cameras -> Servers`
- Action: Drop
- Source: `NET-CAMERAS`
- Destination: `NET-SERVERS`
- Comment: `cameras blocked from servers except protect`
33. `DROP Cameras -> IoT`
- Action: Drop
- Source: `NET-CAMERAS`
- Destination: `NET-IOT`
- Comment: `camera lane blocked from iot`
34. `DROP Legacy CIA -> Trusted`
- Action: Drop
- Source: `NET-LEGACY-CIA`
- Destination: `NET-TRUSTED`
- Comment: `legacy blocked from human lane`
35. `DROP Legacy CIA -> Servers`
- Action: Drop
- Source: `NET-LEGACY-CIA`
- Destination: `NET-SERVERS`
- Comment: `legacy blocked from servers after one-offs`
36. `DROP Legacy CIA -> Cameras`
- Action: Drop
- Source: `NET-LEGACY-CIA`
- Destination: `NET-CAMERAS`
- Comment: `legacy blocked from security lane`
37. `DROP Legacy CIA -> IoT`
- Action: Drop
- Source: `NET-LEGACY-CIA`
- Destination: `NET-IOT`
- Comment: `legacy does not mingle with clean iot`
### Section H: Optional discovery exceptions
38. `ALLOW Trusted -> mDNS Reflector / Discovery Helper`
- Only if real testing proves needed
- Prefer reflector/helper architecture over broad subnet trust
39. `ALLOW Specific Google/Cast Device -> Specific Helper`
- Host-specific only
- Ports exact only
- Comment with device name and why it exists
40. `DROP Any Temporary Discovery Exception Cleanup Marker`
- Not a real rule type, just a process note
- Every temporary discovery rule gets a unique comment and review date
## 4. Rule Notes By Lane
Management:
- Most-protected lane.
- Admin access only from known trusted admin devices.
Trusted:
- Primary operator lane.
- Allowed to talk where humans need to talk, but still not a dumping ground.
Servers:
- Prefer exact service-based exposure later.
- For tomorrow, a broader Trusted -> Servers allow is acceptable if you document it and tighten later.
IoT:
- Default deny inward and outward to internal LANs except helper carve-outs.
Cameras:
- Same philosophy as IoT, but even stricter.
- If Protect is local, keep camera-to-protect flow exact.
Legacy CIA:
- Outbound internet, DNS, NTP, nothing more unless explicitly justified.
- Every exception should feel embarrassing.
## 5. What To Stage Tomorrow Versus Later
Stage tomorrow:
- established/related
- invalid drop
- management shield
- guest internet-only pattern
- IoT/Cameras/Legacy broad internal denies
- Trusted admin to Management
- Trusted to Servers
- DNS/NTP for restricted lanes
- Legacy CIA quarantine posture
Defer if not needed immediately:
- mDNS/cast helper rules
- fancy service-specific microsegmentation between Trusted and Servers
- any discovery exceptions not proven by real failure testing
## 6. Validation Checklist After Rule Deployment
- Trusted admin client can still reach UniFi/gateway/switch/AP admin surfaces
- Trusted can reach core server services
- Guest gets internet and cannot reach local IPs
- IoT device can resolve DNS, keep time, and reach vendor cloud if expected
- Camera/security device remains online and can reach Protect if required
- Legacy CIA device still works only at minimum acceptable level
- No restricted lane can initiate into Management
## 7. Red Flags
Do not do these:
- allow `IoT -> Servers any`
- allow `Legacy CIA -> Trusted any`
- allow `Guest -> RFC1918 any`
- put discovery/broadcast panic rules above security structure without device-specific justification
- leave unnamed temporary rules in place after testing
## 8. First Tightening Pass After Tomorrow
After the cutover stabilizes:
- narrow Trusted -> Servers from broad allow to explicit service sets if useful
- delete any temporary discovery exceptions that proved unnecessary
- audit whether Cameras even need outbound internet
- audit whether Legacy CIA can lose individual devices or the whole SSID