4.1 KiB
4.1 KiB
Network Migration Remaining Checklist
Current intent: only safe, low-drama follow-up work remains. The easy-value client cleanup already completed should not be re-run.
Already completed
- Servers network/profile exists in UniFi
- Protect WiFi Chime
upstairs landingmoved from Management -> Camera - Protect WiFi Chime
Living Roommoved from Management -> Camera LG_Smart_Laundry2_openmoved from Trusted -> IoTMyQ-29Bmoved from Old IoT -> IoTLG_Smart_Dryer2_openmoved from Old IoT -> IoTSamsung-FamilyHubmoved from Old IoT -> IoTMain-Floorecobee moved from Old IoT -> IoTUpstairsecobee moved from Old IoT -> IoT- These 8 client moves were verified live from UniFi
stat/sta - Firewall object/group scaffolding exists
- Basic custom outbound policy scaffolding exists (
Allow Internal to Untrusted) - First live management-plane hardening slice is now applied:
Block Untrusted to Gateway Admin Surfaces - Reference:
unifi-firewall-enforcement-result-2026-05-23.md
Safe to do now
-
Documentation cleanup
- treat older pre-move docs as historical snapshots, not live next-step instructions
- use this file as the current remaining-work reference
-
Finalize remaining task list
- keep Google/cast pilot explicitly deferred until John is on the laptop
- keep unknown Legacy CIA devices explicitly quarantine-first
- Trusted-lane Intellirocks cleanup is now resolved separately; see
intellirocks-triage-result-2026-05-23.md - Legacy CIA leftovers are now dispositioned separately; see
unifi-legacy-cia-closeout-2026-05-23.md
-
Non-disruptive firewall planning cleanup
- compare staged firewall objects/policies against desired rule order
- produce a precise missing-rules gap list before any live rule apply
Still pending before the migration is truly finished
A. Google/cast validation batch
Do later, with user present on laptop:
- pilot one Google/cast-class device only
- validate Plex playback
- validate Plex discovery/casting
- validate Dispatcharr once relevant
- if ugly, revert that one device and defer the rest
Likely candidates still needing that treatment:
dc:e5:5b:8f:57:d2(Google client currently in Trusted)Google-Home-Mini3c:8d:20:f3:92:3690:ca:fa:b6:7f:6e
B. Remaining Trusted-lane cleanup
- Completed:
d4:ad:fc:f2:df:d2was removed from Trusted and re-homed toOld IoT - Reference:
intellirocks-triage-result-2026-05-23.md
C. Legacy CIA quarantine closeout
- Completed as a disposition decision: the remaining unidentified leftovers stay quarantined on
Old IoT - Reference:
unifi-legacy-cia-closeout-2026-05-23.md
D. Real firewall enforcement
Partially completed:
- live custom rule now blocks
IoT/Camera/Old IoTaccess to the UDM Pro admin TCP ports - reference:
unifi-firewall-enforcement-result-2026-05-23.md
Still needed if the full design is to be enforced rather than just the first safe slice:
- stateful baseline review against UniFi built-ins
- broader management shield only after DHCP/DNS/gateway dependencies are verified
- explicit Trusted admin -> Management allows if broad internal->gateway restrictions are introduced later
- Trusted -> Servers allow only if later intra-Internal restrictions are introduced
- any camera/Protect helper exceptions after port-level verification
- any Google/cast discovery exceptions only after laptop validation
Important distinction:
- groups/objects exist
- at least one custom outbound policy exists
- the full inter-VLAN segmentation matrix is not yet fully enforced
E. Final cleanup
- SSID simplification once Google/cast behavior is understood
- reference SSID retire/keep plan:
unifi-ssid-cleanup-proposal-2026-05-23.md - final validation sweep
- confirm no temporary panic exceptions remain
- document any intentionally deferred weird devices
Suggested execution order from here
- Wait for laptop session
- Human-validate the already-completed Google/cast pilot from the laptop
- Finish firewall enforcement carefully
- Do final SSID simplification and closeout using
unifi-ssid-cleanup-proposal-2026-05-23.md