# Network Migration Remaining Checklist Current intent: only safe, low-drama follow-up work remains. The easy-value client cleanup already completed should not be re-run. ## Already completed - Servers network/profile exists in UniFi - Protect WiFi Chime `upstairs landing` moved from Management -> Camera - Protect WiFi Chime `Living Room` moved from Management -> Camera - `LG_Smart_Laundry2_open` moved from Trusted -> IoT - `MyQ-29B` moved from Old IoT -> IoT - `LG_Smart_Dryer2_open` moved from Old IoT -> IoT - `Samsung-FamilyHub` moved from Old IoT -> IoT - `Main-Floor` ecobee moved from Old IoT -> IoT - `Upstairs` ecobee moved from Old IoT -> IoT - These 8 client moves were verified live from UniFi `stat/sta` - Firewall object/group scaffolding exists - Basic custom outbound policy scaffolding exists (`Allow Internal to Untrusted`) ## Safe to do now 1. Documentation cleanup - treat older pre-move docs as historical snapshots, not live next-step instructions - use this file as the current remaining-work reference 2. Finalize remaining task list - keep Google/cast pilot explicitly deferred until John is on the laptop - keep unknown Legacy CIA devices explicitly quarantine-first - keep Intellirocks-in-Trusted explicitly flagged for later identification/move decision 3. Non-disruptive firewall planning cleanup - compare staged firewall objects/policies against desired rule order - produce a precise missing-rules gap list before any live rule apply ## Still pending before the migration is truly finished ### A. Google/cast validation batch Do later, with user present on laptop: - pilot one Google/cast-class device only - validate Plex playback - validate Plex discovery/casting - validate Dispatcharr once relevant - if ugly, revert that one device and defer the rest Likely candidates still needing that treatment: - `dc:e5:5b:8f:57:d2` (Google client currently in Trusted) - `Google-Home-Mini` - `3c:8d:20:f3:92:36` - `90:ca:fa:b6:7f:6e` ### B. Remaining Trusted-lane cleanup - `d4:ad:fc:f2:df:d2` likely does not belong in Trusted - decide: identify better, move to IoT, or quarantine later ### C. Legacy CIA quarantine closeout Leave quarantined unless identified better: - `5c:61:99:41:73:40` - `60:74:f4:54:fd:ec` - `60:74:f4:7b:6a:11` - `c0:f5:35:20:5d:94` - `d4:ad:fc:60:90:6a` - `d4:ad:fc:ea:7f:65` ### D. Real firewall enforcement Still needed if the design is to be truly enforced rather than just staged: - stateful baseline rules - management shield - explicit Trusted admin -> Management allows - Trusted -> Servers allow - Guest internet-only enforcement - IoT narrow internal access only - Camera narrow internal access only - Legacy CIA quarantine-only posture - broad deny structure for restricted lanes Important distinction: - groups/objects exist - at least one custom outbound policy exists - the full inter-VLAN segmentation matrix is not yet fully enforced ### E. Final cleanup - SSID simplification once Google/cast behavior is understood - final validation sweep - confirm no temporary panic exceptions remain - document any intentionally deferred weird devices ## Suggested execution order from here 1. Produce firewall gap list 2. Wait for laptop session 3. Run one-device Google/cast pilot 4. Decide on Trusted Intellirocks device 5. Finish firewall enforcement carefully 6. Do final SSID simplification and closeout