Files
truenas-stacks/home/doris-dashboard/docs/network-redesign-implementation-runbook.md
Fizzlepoof 77da65e64a
Some checks failed
secret-guardrails / artifact-secret-scan (push) Has been cancelled
secret-guardrails / gitleaks (push) Has been cancelled
docs: clarify current unifi protect chime state
2026-05-26 20:10:45 +00:00

15 KiB
Raw Permalink Blame History

Home Network Redesign Implementation Runbook

For Doris: use this during the live UniFi change window. Goal is a controlled cutover with explicit validation and rollback at each boundary.

Historical status note:

  • this runbook came from the 2026-05-22 cutover-planning wave
  • preserve it as the detailed plan, but do not treat every "tomorrow" step as still pending without checking later result docs
  • current remaining-work truth lives in network-migration-remaining-checklist-2026-05-22.md and unifi-protect-doorbell-chime-current-state-2026-05-26.md

Goal: deploy the target VLAN/SSID/firewall design with minimum drama, keep legacy CIA Via as a quarantine lane for devices that cannot yet be migrated, and finish the window with an understandable, supportable network.

Architecture summary:

  • Final target lanes remain VLAN 10 Management, VLAN 20 Trusted, VLAN 30 Servers, VLAN 40 IoT, VLAN 50 Guest, VLAN 60 Cameras/Security.
  • Legacy CIA Via remains temporarily alive as a quarantine/sunset VLAN for unmanageable legacy devices.
  • No non-infrastructure devices stay on Management when the window closes.
  • No broad trust exceptions are added just to make migration feel easier.

Tech stack / control surfaces:

  • UniFi Network controller on UDM Pro
  • UDM Pro gateway/firewall
  • USW Pro HD 24 and other UniFi switching
  • U7 Pro and optional U6 LR APs
  • Doris artifacts for reference:
    • /home/fizzlepoof/repos/truenas-stacks/home/doris-dashboard/public/network-redesign.html
    • /home/fizzlepoof/repos/truenas-stacks/home/doris-dashboard/public/network-web.html
    • /home/fizzlepoof/repos/truenas-stacks/home/doris-dashboard/docs/network-redesign-plan.md

1. Required Access

Required to implement directly:

  • UniFi OS / Network write access on the UDM Pro site at https://10.5.0.1
  • Ability to create/edit:
    • VLANs / networks
    • Wi-Fi SSIDs
    • firewall rules
    • port profiles
    • switch port assignments
    • device settings for APs/switches
  • Ability to see client inventory with MAC/IP/vendor names

Required for safe validation after each move:

  • Existing SSH access to PD via pd (truenas_admin@10.5.30.6)
  • Reachability to NOMAD-hosted Doris web artifacts at 10.5.30.7:8787
  • A Trusted client on-site on WiFi for live user validation
  • At least one device on each of these categories available for test:
    • Trusted client
    • server service
    • IoT device/app pair
    • guest client
    • camera/security device if moved tomorrow

Optional but strongly preferred:

  • Temporary full admin role in UniFi instead of pair-driving through read-only
  • Access to export or screenshot current config before changes
  • Ability to check AP/switch port LEDs/physical labels if anything is ambiguous

Fallback if you do not want to grant write access:

  • Pair-drive the entire window with you at the keyboard in UniFi while I call every exact change in order
  • This is slower but workable

2. What Can Be Finished Before Tomorrow

Pre-work Doris can finish now without write access:

  • Final runbook and sequence document
  • Final object naming convention
  • Final firewall intent matrix
  • Validation checklist per VLAN
  • Rollback checklist per phase
  • Device triage sheet for Legacy CIA Via:
    • migrate
    • quarantine
    • kill

Pre-work requiring only read access / screenshots / exports from you:

  • Confirm exact current UniFi object names
  • Confirm whether VLAN IDs 10/20/30/40/50/60 already exist or must be created
  • Confirm current SSID names and which APs broadcast each one
  • Confirm current port-profile names and which switch ports use them
  • Confirm which clients are currently on Management and CIA Via
  • Confirm whether U6 LR is physically installed and link-ready or still shelved

Pre-work requiring write access, if granted tonight:

  • Create missing target networks/VLAN objects without moving clients yet
  • Create disabled/staged SSIDs without enabling them yet
  • Create new port profiles without assigning them yet
  • Create firewall rules in disabled or low-priority staged form
  • Label/comment rules and profiles for tomorrows change window

3. Hard Rules For The Change Window

  • One operator console on Trusted stays connected the whole time.
  • One fallback path into UniFi must remain alive before any management change.
  • Do not move multiple unknown devices at once.
  • Do not delete Legacy CIA Via tomorrow unless it is truly empty, which is unlikely.
  • Do not move legacy/unmanageable junk into Management, Trusted, or Servers to “just get done.”
  • After every change group, stop and validate before continuing.
  • If management-plane reachability is degraded, roll back immediately before chasing anything else.

4. Target Objects

Networks / VLANs

  • NET-MGMT -> VLAN 10 -> 10.5.10.0/24
  • NET-TRUSTED -> VLAN 20 -> 10.5.20.0/24
  • NET-SERVERS -> VLAN 30 -> 10.5.30.0/24
  • NET-IOT -> VLAN 40 -> 10.5.40.0/24
  • NET-GUEST -> VLAN 50 -> 10.5.50.0/24
  • NET-CAMERAS -> VLAN 60 -> 10.5.60.0/24
  • NET-LEGACY-CIA -> existing legacy VLAN/subnet retained temporarily as quarantine lane

WiFi SSIDs

  • Trusted -> VLAN 20
  • Trusted-Compat -> VLAN 20, optional temporary only
  • IoT -> VLAN 40
  • Guest -> VLAN 50
  • Security -> VLAN 60
  • CIA Via -> legacy VLAN, temporary only, no new joins

Port profiles

  • PP-TRUNK-UPLINK
  • PP-ACCESS-MGMT
  • PP-ACCESS-TRUSTED
  • PP-ACCESS-SERVERS
  • PP-ACCESS-IOT
  • PP-ACCESS-GUEST
  • PP-ACCESS-CAMERAS
  • PP-ACCESS-LEGACY-CIA

5. Firewall Policy Intent

Trusted:

  • allow to Management for admin devices only
  • allow to Servers for normal human/service use
  • allow to Cameras for operator/admin use
  • allow limited control flows to IoT if required

Servers:

  • allow explicit services outward as needed
  • no sloppy east-west broad allow
  • allow NVR/Protect-related flows to Cameras only if required

IoT:

  • allow DHCP/DNS/NTP/internet
  • deny Management
  • deny Trusted by default
  • deny Servers except specific helper/service destinations
  • explicit discovery exceptions only when proven necessary

Guest:

  • internet only
  • deny all local RFC1918/internal subnets
  • client isolation on WiFi

Cameras/Security:

  • allow DHCP/DNS/NTP/internet/update paths as needed
  • deny broad lateral movement
  • allow only Protect/NVR/admin destinations

Legacy CIA quarantine lane:

  • allow DHCP/DNS/NTP/internet
  • deny Management
  • deny Trusted
  • deny Cameras
  • deny Servers by default
  • add only device-specific exceptions if absolutely required
  • no new devices assigned here intentionally

6. Baseline Capture Before First Change

Capture all of this before changing anything:

  • Screenshot/export all existing networks
  • Screenshot/export all SSIDs
  • Screenshot/export firewall rules in current order
  • Screenshot/export port profiles
  • Screenshot/export AP settings
  • Screenshot/export switch port assignments
  • Record current IP/gateway/subnet for:
    • PD
    • Serenity
    • Nomad
    • Rocinante
    • UDM Pro
    • U7 Pro
    • U6 LR if present
  • Record current MAC/IP list for important Old IoT devices:
    • Google Home Mini / cast devices
    • both ecobees
    • MyQ
    • Samsung Family Hub
    • LG dryer
    • known legacy bulbs/plugs
    • doorbell
    • Protect chimes
  • Confirm current DHCP reservations/static mappings that may break when VLANs move

7. Validation Tests To Run Repeatedly

Trusted validation:

  • Trusted WiFi client gets correct subnet/gateway
  • internet works
  • can reach UniFi admin
  • can reach PD/NOMAD/Serenity services expected from user lane

Management validation:

  • UDM, switches, APs remain visible/manageable in UniFi
  • no unexpected client endpoints remain in Management

Servers validation:

  • PD/Serenity/Nomad/Rocinante get correct subnet/gateway after move
  • critical services respond from Trusted
  • outbound internet works if required

IoT validation:

  • device rejoins expected SSID/VLAN
  • vendor app control still works
  • local control still works only if intentionally allowed

Guest validation:

  • guest device gets internet
  • cannot reach local subnets

Security validation:

  • doorbell/chimes/camera devices stay online
  • admin/Protect access works if expected
  • no reachability into unrelated lanes

Legacy CIA validation:

  • quarantined devices still work at the minimum acceptable level
  • no new devices are added there

8. Change Sequence For Tomorrow

Phase A: Safety setup

  1. Confirm one wired or strongly stable Trusted admin client is connected.
  2. Open UniFi in one session and keep Doris artifacts open in another.
  3. Capture all baseline screenshots/exports.
  4. Confirm rollback path into UniFi if WiFi changes go bad.
  5. Confirm whether U6 LR participates tomorrow or stays out of scope.

Exit criteria:

  • baseline captured
  • management reachability stable
  • rollback path confirmed

Phase B: Create or normalize objects without moving clients

  1. Create any missing target networks.
  2. Create any missing port profiles.
  3. Create/stage SSIDs:
    • Trusted
    • Trusted-Compat if needed
    • IoT
    • Guest
    • Security
  4. Create/stage Legacy CIA quarantine policy object naming.
  5. Create staged firewall rules with comments.

Exit criteria:

  • all objects exist
  • nothing has moved yet
  • no current connectivity loss

Phase C: Management cleanup first

  1. Ensure UDM, switches, and AP management surfaces are on VLAN 10 intent.
  2. Remove obvious non-infrastructure devices from Management.
  3. Treat Protect chimes as a documented temporary Management exception unless you are explicitly re-validating their Protect health on a non-Management lane.
  4. Re-validate UniFi visibility of gateway, switches, APs.

Rollback if:

  • UniFi loses management of gateway/switch/APs
  • admin client can no longer reach management plane

Exit criteria:

  • Management is infrastructure-only or very close to it
  • no human endpoints or smart accessories remain there except known temporary exceptions tracked in writing

Phase D: Build/activate Cameras lane

  1. Activate/validate NET-CAMERAS.
  2. Activate Security SSID if used.
  3. Move doorbell and Protect chimes to Cameras/Security only if Protect health is explicitly validated during the move.
  4. Validate app/admin behavior.

Rollback if:

  • security devices fall offline and cannot be recovered quickly

Exit criteria:

  • either doorbell/chimes are healthy on Cameras/Security, or the documented Management exception is preserved intentionally
  • Camera lane exists for future growth

Phase E: Move core servers to Servers VLAN 30

  1. Move one least-scary server first.
  2. Validate from Trusted.
  3. Update any reservation/DNS/profile dependency if needed.
  4. Move remaining core hosts one by one:
    • PD
    • Serenity
    • Nomad
    • Rocinante
  5. After each move, validate service reachability and outbound needs.

Rollback if:

  • critical service path breaks and root cause is not obvious within a few minutes

Exit criteria:

  • core hosts reside in Servers lane
  • Trusted still reaches intended services

Phase F: Move easy IoT first

  1. Activate/validate IoT SSID and VLAN 40.
  2. Move easiest/least-fragile devices first:
    • MyQ
    • Samsung Family Hub
    • LG dryer
    • ecobees if confidence is high
  3. Validate each class before moving the next.
  4. Leave Google/cast pain until the end of IoT work.

Rollback if:

  • essential household function breaks and app recovery is not immediate

Exit criteria:

  • easy-value devices are out of Legacy CIA
  • no unnecessary broad allow rules were added

Phase G: Legacy CIA quarantine handling

  1. Rename/reclassify CIA Via mentally and operationally as quarantine, not production IoT.
  2. Leave orphaned bulbs/plugs/mystery devices there.
  3. Apply strict quarantine firewall posture.
  4. Build a written list of remaining MACs/devices with disposition:
    • migrate later
    • quarantine indefinitely for now
    • kill/remove when safe

Exit criteria:

  • Legacy CIA contains only leftovers and quarantined junk
  • its policy is harsh and explicit

Phase H: Google / discovery problem children

  1. Move one Google/cast-class device only if time and energy remain.
  2. Test discovery/casting behavior from Trusted.
  3. Add only narrow exceptions if evidence proves a need.
  4. If messy, stop. Leave the rest in Legacy CIA quarantine for a later targeted session.

Exit criteria:

  • either one known-good pattern exists, or the problem is intentionally deferred

Phase I: Guest and SSID cleanup

  1. Validate Guest SSID maps to VLAN 50.
  2. Confirm internet-only behavior.
  3. Disable/retire any stale SSIDs not still needed for migration.
  4. Keep Trusted-Compat only if it earns its keep.
  5. Keep CIA Via only as temporary quarantine SSID if required for remaining devices.

Exit criteria:

  • SSIDs reflect policy, not history
  • only necessary temporary migration SSIDs remain

9. Explicit Device Triage

Move tomorrow if practical:

  • Protect chimes only during an explicit Protect-validation test
  • doorbell only if healthy-state validation is immediate and reversible
  • PD
  • Serenity
  • Nomad
  • Rocinante
  • MyQ
  • Samsung Family Hub
  • LG dryer
  • both ecobees if low risk

Probably defer or treat carefully:

  • Google Home / cast ecosystem
  • any device requiring odd mDNS/broadcast behavior

Quarantine in Legacy CIA:

  • legacy lights
  • legacy plugs
  • mystery old smart devices
  • anything no longer controllable but still physically present

Kill candidates after observation:

  • unknown inactive MACs
  • devices nobody misses after blocking
  • duplicate/orphaned historical entries

10. Rollback Rules

Immediate rollback triggers:

  • loss of UniFi management-plane access
  • APs/switches vanish or go isolated unexpectedly
  • Trusted admin client cannot reach controller/gateway
  • critical household function breaks with no quick diagnosis

Rollback scope:

  • revert last moved device first
  • revert last SSID mapping change second
  • revert last firewall rule addition/position third
  • revert network object only if the object itself is wrong
  • never stack more changes onto a broken state

11. Definition Of Done For Tomorrow

Minimum successful tomorrow outcome:

  • Management is cleaned up
  • Cameras/Security lane exists
  • Servers lane exists and at least core hosts are moved or staged with confidence
  • IoT lane exists and at least easy-value devices are moved
  • Legacy CIA is converted into explicit quarantine/sunset lane
  • no broad insecure exceptions were added out of fatigue
  • any documented temporary Protect chime exception is written down instead of being rediscovered later

Nice-to-have, not mandatory tomorrow:

  • U6 LR restored and tuned
  • Google/cast fully migrated
  • Legacy CIA emptied completely
  • perfect final SSID simplification

12. Follow-up Work After Tomorrow

  • Build exact firewall rule matrix page/artifact
  • Commit/push dashboard docs and artifacts into repo properly
  • Review remaining Legacy CIA devices one by one
  • Decide whether U6 LR returns based on actual coverage evidence
  • Remove stale SSIDs, port profiles, and rules once migration dust settles