# UniFi Read-Only Recon Notes Date: 2026-05-22 Mode: read-only only Auth status: verified working with upgraded Doris admin login ## Scope completed - authenticated login verified - network object inventory read - SSID inventory read - port profile inventory read - client inventory read - AP/client mapping read - wired switch-port/client mapping read - firewall/policy endpoint probes read ## High-value findings ### 1. Firewall model / current policy state - `firewallrule`: 200, count 0 - `firewallgroup`: 200, count 0 - `firewallzone`: 400 - `trafficrule`: 400 - `routing`: 200, count 0 Interpretation: - there are currently no custom classic firewall rules in the Network app dataset returned by the API - no custom firewall groups are defined there either - zone/traffic-rule endpoints are not active in the way this API helper expected - practical implication: tomorrow’s segmentation policy work is largely greenfield, not cleanup of a big custom ruleset ### 2. Current network objects - Management -> corporate -> untagged -> `10.5.0.1/24` - Trusted -> corporate -> VLAN 51 -> `10.5.1.1/24` - Old IoT -> corporate -> VLAN 2 -> `192.168.1.1/24` - IoT -> corporate -> VLAN 510 -> `10.5.10.1/24` - Camera -> corporate -> VLAN 520 -> `10.5.20.1/24` - Guest -> guest -> VLAN 590 -> `10.5.90.1/24` ### 3. Current SSIDs - `CIA Via` -> Old IoT - `UNEF's Playhouse` -> Camera - `Whiskey Neat Fuck Ice` -> Trusted - `Yer a Wifi Harry` -> Trusted ### 4. Management offenders Both Management-lane clients are Wi‑Fi clients on the U7 Pro and both are unnamed `espressif` devices on the default `UniFi Wireless` SSID. - `espressif` -> `10.5.0.123` -> U7 Pro -> SSID `UniFi Wireless` - `espressif` -> `10.5.0.189` -> U7 Pro -> SSID `UniFi Wireless` Interpretation: - these are almost certainly stray ESP-class smart devices and exactly the kind of junk that should not live on Management - tomorrow we should either identify and move them, or quarantine them if they are brittle ### 5. Old IoT live inventory All are currently on SSID `CIA Via` via the U7 Pro. Likely migrate-first / easy-value: - `MyQ-29B` -> `192.168.1.130` - `Main-Floor` ecobee -> `192.168.1.102` - `Upstairs` ecobee -> `192.168.1.131` - `LG_Smart_Dryer2_open` -> `192.168.1.186` - `Samsung-FamilyHub` -> `192.168.1.149` Likely migrate-later / discovery pain: - `Google-Home-Mini` -> `192.168.1.185` - `3c:8d:20:f3:92:36` -> Google -> `192.168.1.192` - `90:ca:fa:b6:7f:6e` -> Google -> `192.168.1.129` Likely quarantine until identified better: - `5c:61:99:41:73:40` -> Cloud Network Technology Singapore -> `192.168.1.172` - `60:74:f4:54:fd:ec` -> Private -> `192.168.1.136` - `60:74:f4:7b:6a:11` -> Private -> `192.168.1.117` - `c0:f5:35:20:5d:94` -> AMPAK -> `192.168.1.183` - `d4:ad:fc:60:90:6a` -> Shenzhen Intellirocks -> `192.168.1.100` - `d4:ad:fc:ea:7f:65` -> Shenzhen Intellirocks -> `192.168.1.101` ### 6. Camera lane live state - `front-doorbell` is already on Camera network at `10.5.20.217` Interpretation: - the doorbell is already where it belongs logically - tomorrow’s security cleanup work is mainly about chimes and future policy tightening ### 7. Trusted lane still carrying infrastructure-class hosts Trusted currently includes: - `PlausibleDeniability` -> `10.5.1.6` - `Serenity` -> `10.5.1.5` - `Nomad` -> `10.5.1.16` - `Rocinante` -> `10.5.1.112` - `FlyingDutchman` -> `10.5.1.111` Interpretation: - tomorrow’s server-lane work is real and necessary - these should not stay blended into the human client lane long-term ### 8. AP/client mapping - `U7 Pro`: 26 clients - `wired/unknown`: 5 clients Interpretation: - almost all current active wireless load is concentrated on the U7 Pro - the U6 LR is presently not carrying client load ### 9. Wired client to switch-port mapping On `USW Pro HD 24`: - port 2 -> `Rocinante` - port 3 -> `FlyingDutchman` - port 22 -> `Nomad` - port 23 -> `PlausibleDeniability` - port 24 -> `Serenity` ### 10. Important switch-port assignments On `USW Pro HD 24`: - port 1 -> profile `Management` -> `U7 Pro (Upstairs)` - port 22 -> profile `Trusted` -> `Nomad` - port 23 -> profile `Trusted` -> `Docker Server` / PD - port 24 -> profile `Trusted` -> `Serenity 10G (1)` - port 27 -> profile `Management` -> up at 10G - port 3 -> profile `Trusted` -> `FlyingDutchman` - port 2 -> up at 2.5G with no explicit profile shown -> `Rocinante` On `USW-24-PoE`: - port 24 -> profile `Management` -> up at 1G - many inactive preassigned ports exist for `IoT`, `Old IoT`, and `Management` Interpretation: - the core server moves tomorrow are mechanically straightforward because their live ports are visible - PD / Serenity / Nomad / FlyingDutchman are explicitly sitting on Trusted access profiles today - Rocinante needs a quick extra look because the client is live on port 2 but that port did not show an explicit profile name in the returned record ## Recommended next actions for tomorrow 1. identify the two Management `espressif` devices before or during the window 2. move/changeprofile for server ports on the USW Pro HD 24 one at a time 3. treat Google devices as late-batch or defer 4. treat unknown Old IoT clients as quarantine by default, not migration by default 5. keep Camera cleanup focused on chimes and policy, because the doorbell is already in the correct lane