# Network Migration Remaining Checklist Current intent: only safe, low-drama follow-up work remains. The easy-value client cleanup already completed should not be re-run. Current truth note: - use this file plus `unifi-protect-doorbell-chime-current-state-2026-05-26.md` as the source of truth for what is actually still pending - treat earlier cutover-prep docs with "tomorrow" language as historical planning artifacts unless they were explicitly updated later ## Already completed - Servers network/profile exists in UniFi - Historical attempt moved both Protect WiFi chimes from Management -> Camera, but that change was later reversed after Protect health failed on the Camera-lane override - Current known-good state keeps both Protect WiFi chimes on Management / default `UniFi Wireless`; see `unifi-protect-doorbell-chime-current-state-2026-05-26.md` - `LG_Smart_Laundry2_open` moved from Trusted -> IoT - `MyQ-29B` moved from Old IoT -> IoT - `LG_Smart_Dryer2_open` moved from Old IoT -> IoT - `Samsung-FamilyHub` moved from Old IoT -> IoT - `Main-Floor` ecobee moved from Old IoT -> IoT - `Upstairs` ecobee moved from Old IoT -> IoT - These 8 client moves were verified live from UniFi `stat/sta` - Firewall object/group scaffolding exists - Basic custom outbound policy scaffolding exists (`Allow Internal to Untrusted`) - First live management-plane hardening slice is now applied: `Block Untrusted to Gateway Admin Surfaces` - Reference: `unifi-firewall-enforcement-result-2026-05-23.md` ## Safe to do now 1. Documentation cleanup - treat older pre-move docs as historical snapshots, not live next-step instructions - use this file as the current remaining-work reference 2. Finalize remaining task list - keep Google/cast pilot explicitly deferred until John is on the laptop - keep unknown Legacy CIA devices explicitly quarantine-first - Trusted-lane Intellirocks cleanup is now resolved separately; see `intellirocks-triage-result-2026-05-23.md` - Legacy CIA leftovers are now dispositioned separately; see `unifi-legacy-cia-closeout-2026-05-23.md` - Protect chime lane cleanup is intentionally deferred until Protect connectivity is explicitly re-validated on a non-Management lane 3. Non-disruptive firewall planning cleanup - compare staged firewall objects/policies against desired rule order - produce a precise missing-rules gap list before any live rule apply ## Still pending before the migration is truly finished ### A. DHCP/DNS and gateway-dependency closeout - Fresh live verification is written up in `unifi-dhcp-dns-verification-2026-05-23.md` - Recommended design is written up in `unifi-restricted-lane-dns-ntp-recommendation-2026-05-23.md` - Live DNS cutover result is written up in `unifi-restricted-dns-cutover-result-2026-05-23.md` - Broader gateway shield result is written up in `unifi-broader-gateway-shield-result-2026-05-23.md` - Completed live changes: - `IoT`, `Camera`, and `Old IoT` now DHCP-advertise DNS `10.5.30.53` - explicit `Untrusted -> Internal` DNS allow now preserves access to `10.5.30.53:53` - broader `Untrusted -> Gateway` block is now in place with DHCP and mDNS preserved - NTP remains intentionally unchanged for now - Remaining follow-up is validation, not additional broad gateway-rule design ### B. Google/cast validation batch Do later, with user present on laptop: - pilot one Google/cast-class device only - validate Plex playback - validate Plex discovery/casting - validate Dispatcharr once relevant - if ugly, revert that one device and defer the rest Likely candidates still needing that treatment: - `dc:e5:5b:8f:57:d2` (Google client currently in Trusted) - `Google-Home-Mini` - `3c:8d:20:f3:92:36` - `90:ca:fa:b6:7f:6e` ### C. Remaining Trusted-lane cleanup - Completed: `d4:ad:fc:f2:df:d2` was removed from Trusted and re-homed to `Old IoT` - Reference: `intellirocks-triage-result-2026-05-23.md` ### D. Legacy CIA quarantine closeout - Completed as a disposition decision: the remaining unidentified leftovers stay quarantined on `Old IoT` - Reference: `unifi-legacy-cia-closeout-2026-05-23.md` ### E. Real firewall enforcement Substantially completed: - live custom rule blocks `IoT` / `Camera` / `Old IoT` access to the UDM Pro admin TCP ports - live custom rule allows restricted-lane DNS to `10.5.30.53:53` - live custom rule blocks general restricted-lane `Untrusted -> Gateway` access - live custom rules preserve DHCP and mDNS for the restricted lanes - references: - `unifi-firewall-enforcement-result-2026-05-23.md` - `unifi-broader-gateway-shield-result-2026-05-23.md` Still needed if the full design is to be enforced rather than just the current safe slices: - real client validation from each restricted lane after lease renewal - explicit Trusted admin -> Management allows if broad internal->gateway restrictions are introduced later - Trusted -> Servers allow only if later intra-Internal restrictions are introduced - any camera/Protect helper exceptions after port-level verification - any Google/cast discovery exceptions only after laptop validation Important distinction: - custom rules now cover the main restricted-lane gateway hardening path - the full inter-VLAN segmentation matrix is still not yet fully enforced ### F. Final cleanup - SSID simplification once Google/cast behavior is understood - reference SSID retire/keep plan: `unifi-ssid-cleanup-proposal-2026-05-23.md` - final validation sweep - confirm no temporary panic exceptions remain - document any intentionally deferred weird devices - keep the Protect doorbell/chime exception documented until a future validated lane migration replaces it ## Suggested execution order from here 1. Wait for laptop session 2. Human-validate Google/cast behavior from the laptop 3. Renew/validate one real client on each restricted lane against the new DNS + gateway shield posture 4. Add only any proven narrow exceptions that real validation actually requires 5. Do final SSID simplification and closeout using `unifi-ssid-cleanup-proposal-2026-05-23.md`