420 lines
14 KiB
Markdown
420 lines
14 KiB
Markdown
# Home Network Redesign Implementation Runbook
|
||
|
||
> For Doris: use this during the live UniFi change window. Goal is a controlled cutover with explicit validation and rollback at each boundary.
|
||
|
||
Goal: deploy the target VLAN/SSID/firewall design with minimum drama, keep legacy CIA Via as a quarantine lane for devices that cannot yet be migrated, and finish the window with an understandable, supportable network.
|
||
|
||
Architecture summary:
|
||
- Final target lanes remain VLAN 10 Management, VLAN 20 Trusted, VLAN 30 Servers, VLAN 40 IoT, VLAN 50 Guest, VLAN 60 Cameras/Security.
|
||
- Legacy CIA Via remains temporarily alive as a quarantine/sunset VLAN for unmanageable legacy devices.
|
||
- No non-infrastructure devices stay on Management when the window closes.
|
||
- No broad trust exceptions are added just to make migration feel easier.
|
||
|
||
Tech stack / control surfaces:
|
||
- UniFi Network controller on UDM Pro
|
||
- UDM Pro gateway/firewall
|
||
- USW Pro HD 24 and other UniFi switching
|
||
- U7 Pro and optional U6 LR APs
|
||
- Doris artifacts for reference:
|
||
- `/home/fizzlepoof/repos/truenas-stacks/home/doris-dashboard/public/network-redesign.html`
|
||
- `/home/fizzlepoof/repos/truenas-stacks/home/doris-dashboard/public/network-web.html`
|
||
- `/home/fizzlepoof/repos/truenas-stacks/home/doris-dashboard/docs/network-redesign-plan.md`
|
||
|
||
---
|
||
|
||
## 1. Required Access
|
||
|
||
Required to implement directly:
|
||
- UniFi OS / Network write access on the UDM Pro site at `https://10.5.0.1`
|
||
- Ability to create/edit:
|
||
- VLANs / networks
|
||
- Wi-Fi SSIDs
|
||
- firewall rules
|
||
- port profiles
|
||
- switch port assignments
|
||
- device settings for APs/switches
|
||
- Ability to see client inventory with MAC/IP/vendor names
|
||
|
||
Required for safe validation after each move:
|
||
- Existing SSH access to PD via `pd` (`truenas_admin@10.5.30.6`)
|
||
- Reachability to NOMAD-hosted Doris web artifacts at `10.5.30.7:8787`
|
||
- A Trusted client on-site on Wi‑Fi for live user validation
|
||
- At least one device on each of these categories available for test:
|
||
- Trusted client
|
||
- server service
|
||
- IoT device/app pair
|
||
- guest client
|
||
- camera/security device if moved tomorrow
|
||
|
||
Optional but strongly preferred:
|
||
- Temporary full admin role in UniFi instead of pair-driving through read-only
|
||
- Access to export or screenshot current config before changes
|
||
- Ability to check AP/switch port LEDs/physical labels if anything is ambiguous
|
||
|
||
Fallback if you do not want to grant write access:
|
||
- Pair-drive the entire window with you at the keyboard in UniFi while I call every exact change in order
|
||
- This is slower but workable
|
||
|
||
## 2. What Can Be Finished Before Tomorrow
|
||
|
||
Pre-work Doris can finish now without write access:
|
||
- Final runbook and sequence document
|
||
- Final object naming convention
|
||
- Final firewall intent matrix
|
||
- Validation checklist per VLAN
|
||
- Rollback checklist per phase
|
||
- Device triage sheet for Legacy CIA Via:
|
||
- migrate
|
||
- quarantine
|
||
- kill
|
||
|
||
Pre-work requiring only read access / screenshots / exports from you:
|
||
- Confirm exact current UniFi object names
|
||
- Confirm whether VLAN IDs 10/20/30/40/50/60 already exist or must be created
|
||
- Confirm current SSID names and which APs broadcast each one
|
||
- Confirm current port-profile names and which switch ports use them
|
||
- Confirm which clients are currently on Management and CIA Via
|
||
- Confirm whether U6 LR is physically installed and link-ready or still shelved
|
||
|
||
Pre-work requiring write access, if granted tonight:
|
||
- Create missing target networks/VLAN objects without moving clients yet
|
||
- Create disabled/staged SSIDs without enabling them yet
|
||
- Create new port profiles without assigning them yet
|
||
- Create firewall rules in disabled or low-priority staged form
|
||
- Label/comment rules and profiles for tomorrow’s change window
|
||
|
||
## 3. Hard Rules For The Change Window
|
||
|
||
- One operator console on Trusted stays connected the whole time.
|
||
- One fallback path into UniFi must remain alive before any management change.
|
||
- Do not move multiple unknown devices at once.
|
||
- Do not delete Legacy CIA Via tomorrow unless it is truly empty, which is unlikely.
|
||
- Do not move legacy/unmanageable junk into Management, Trusted, or Servers to “just get done.”
|
||
- After every change group, stop and validate before continuing.
|
||
- If management-plane reachability is degraded, roll back immediately before chasing anything else.
|
||
|
||
## 4. Target Objects
|
||
|
||
### Networks / VLANs
|
||
- `NET-MGMT` -> VLAN 10 -> `10.5.10.0/24`
|
||
- `NET-TRUSTED` -> VLAN 20 -> `10.5.20.0/24`
|
||
- `NET-SERVERS` -> VLAN 30 -> `10.5.30.0/24`
|
||
- `NET-IOT` -> VLAN 40 -> `10.5.40.0/24`
|
||
- `NET-GUEST` -> VLAN 50 -> `10.5.50.0/24`
|
||
- `NET-CAMERAS` -> VLAN 60 -> `10.5.60.0/24`
|
||
- `NET-LEGACY-CIA` -> existing legacy VLAN/subnet retained temporarily as quarantine lane
|
||
|
||
### Wi‑Fi SSIDs
|
||
- `Trusted` -> VLAN 20
|
||
- `Trusted-Compat` -> VLAN 20, optional temporary only
|
||
- `IoT` -> VLAN 40
|
||
- `Guest` -> VLAN 50
|
||
- `Security` -> VLAN 60
|
||
- `CIA Via` -> legacy VLAN, temporary only, no new joins
|
||
|
||
### Port profiles
|
||
- `PP-TRUNK-UPLINK`
|
||
- `PP-ACCESS-MGMT`
|
||
- `PP-ACCESS-TRUSTED`
|
||
- `PP-ACCESS-SERVERS`
|
||
- `PP-ACCESS-IOT`
|
||
- `PP-ACCESS-GUEST`
|
||
- `PP-ACCESS-CAMERAS`
|
||
- `PP-ACCESS-LEGACY-CIA`
|
||
|
||
## 5. Firewall Policy Intent
|
||
|
||
Trusted:
|
||
- allow to Management for admin devices only
|
||
- allow to Servers for normal human/service use
|
||
- allow to Cameras for operator/admin use
|
||
- allow limited control flows to IoT if required
|
||
|
||
Servers:
|
||
- allow explicit services outward as needed
|
||
- no sloppy east-west broad allow
|
||
- allow NVR/Protect-related flows to Cameras only if required
|
||
|
||
IoT:
|
||
- allow DHCP/DNS/NTP/internet
|
||
- deny Management
|
||
- deny Trusted by default
|
||
- deny Servers except specific helper/service destinations
|
||
- explicit discovery exceptions only when proven necessary
|
||
|
||
Guest:
|
||
- internet only
|
||
- deny all local RFC1918/internal subnets
|
||
- client isolation on Wi‑Fi
|
||
|
||
Cameras/Security:
|
||
- allow DHCP/DNS/NTP/internet/update paths as needed
|
||
- deny broad lateral movement
|
||
- allow only Protect/NVR/admin destinations
|
||
|
||
Legacy CIA quarantine lane:
|
||
- allow DHCP/DNS/NTP/internet
|
||
- deny Management
|
||
- deny Trusted
|
||
- deny Cameras
|
||
- deny Servers by default
|
||
- add only device-specific exceptions if absolutely required
|
||
- no new devices assigned here intentionally
|
||
|
||
## 6. Baseline Capture Before First Change
|
||
|
||
Capture all of this before changing anything:
|
||
- Screenshot/export all existing networks
|
||
- Screenshot/export all SSIDs
|
||
- Screenshot/export firewall rules in current order
|
||
- Screenshot/export port profiles
|
||
- Screenshot/export AP settings
|
||
- Screenshot/export switch port assignments
|
||
- Record current IP/gateway/subnet for:
|
||
- PD
|
||
- Serenity
|
||
- Nomad
|
||
- Rocinante
|
||
- UDM Pro
|
||
- U7 Pro
|
||
- U6 LR if present
|
||
- Record current MAC/IP list for important Old IoT devices:
|
||
- Google Home Mini / cast devices
|
||
- both ecobees
|
||
- MyQ
|
||
- Samsung Family Hub
|
||
- LG dryer
|
||
- known legacy bulbs/plugs
|
||
- doorbell
|
||
- Protect chimes
|
||
- Confirm current DHCP reservations/static mappings that may break when VLANs move
|
||
|
||
## 7. Validation Tests To Run Repeatedly
|
||
|
||
Trusted validation:
|
||
- Trusted Wi‑Fi client gets correct subnet/gateway
|
||
- internet works
|
||
- can reach UniFi admin
|
||
- can reach PD/NOMAD/Serenity services expected from user lane
|
||
|
||
Management validation:
|
||
- UDM, switches, APs remain visible/manageable in UniFi
|
||
- no unexpected client endpoints remain in Management
|
||
|
||
Servers validation:
|
||
- PD/Serenity/Nomad/Rocinante get correct subnet/gateway after move
|
||
- critical services respond from Trusted
|
||
- outbound internet works if required
|
||
|
||
IoT validation:
|
||
- device rejoins expected SSID/VLAN
|
||
- vendor app control still works
|
||
- local control still works only if intentionally allowed
|
||
|
||
Guest validation:
|
||
- guest device gets internet
|
||
- cannot reach local subnets
|
||
|
||
Security validation:
|
||
- doorbell/chimes/camera devices stay online
|
||
- admin/Protect access works if expected
|
||
- no reachability into unrelated lanes
|
||
|
||
Legacy CIA validation:
|
||
- quarantined devices still work at the minimum acceptable level
|
||
- no new devices are added there
|
||
|
||
## 8. Change Sequence For Tomorrow
|
||
|
||
### Phase A: Safety setup
|
||
1. Confirm one wired or strongly stable Trusted admin client is connected.
|
||
2. Open UniFi in one session and keep Doris artifacts open in another.
|
||
3. Capture all baseline screenshots/exports.
|
||
4. Confirm rollback path into UniFi if Wi‑Fi changes go bad.
|
||
5. Confirm whether U6 LR participates tomorrow or stays out of scope.
|
||
|
||
Exit criteria:
|
||
- baseline captured
|
||
- management reachability stable
|
||
- rollback path confirmed
|
||
|
||
### Phase B: Create or normalize objects without moving clients
|
||
1. Create any missing target networks.
|
||
2. Create any missing port profiles.
|
||
3. Create/stage SSIDs:
|
||
- Trusted
|
||
- Trusted-Compat if needed
|
||
- IoT
|
||
- Guest
|
||
- Security
|
||
4. Create/stage Legacy CIA quarantine policy object naming.
|
||
5. Create staged firewall rules with comments.
|
||
|
||
Exit criteria:
|
||
- all objects exist
|
||
- nothing has moved yet
|
||
- no current connectivity loss
|
||
|
||
### Phase C: Management cleanup first
|
||
1. Ensure UDM, switches, and AP management surfaces are on VLAN 10 intent.
|
||
2. Remove obvious non-infrastructure devices from Management.
|
||
3. Move Protect chimes out of Management as top cleanup item if Security lane is ready.
|
||
4. Re-validate UniFi visibility of gateway, switches, APs.
|
||
|
||
Rollback if:
|
||
- UniFi loses management of gateway/switch/APs
|
||
- admin client can no longer reach management plane
|
||
|
||
Exit criteria:
|
||
- Management is infrastructure-only or very close to it
|
||
- no human endpoints or smart accessories remain there except known temporary exceptions tracked in writing
|
||
|
||
### Phase D: Build/activate Cameras lane
|
||
1. Activate/validate `NET-CAMERAS`.
|
||
2. Activate `Security` SSID if used.
|
||
3. Move doorbell and Protect chimes to Cameras/Security.
|
||
4. Validate app/admin behavior.
|
||
|
||
Rollback if:
|
||
- security devices fall offline and cannot be recovered quickly
|
||
|
||
Exit criteria:
|
||
- doorbell/chimes are no longer polluting Management
|
||
- Camera lane exists for future growth
|
||
|
||
### Phase E: Move core servers to Servers VLAN 30
|
||
1. Move one least-scary server first.
|
||
2. Validate from Trusted.
|
||
3. Update any reservation/DNS/profile dependency if needed.
|
||
4. Move remaining core hosts one by one:
|
||
- PD
|
||
- Serenity
|
||
- Nomad
|
||
- Rocinante
|
||
5. After each move, validate service reachability and outbound needs.
|
||
|
||
Rollback if:
|
||
- critical service path breaks and root cause is not obvious within a few minutes
|
||
|
||
Exit criteria:
|
||
- core hosts reside in Servers lane
|
||
- Trusted still reaches intended services
|
||
|
||
### Phase F: Move easy IoT first
|
||
1. Activate/validate `IoT` SSID and VLAN 40.
|
||
2. Move easiest/least-fragile devices first:
|
||
- MyQ
|
||
- Samsung Family Hub
|
||
- LG dryer
|
||
- ecobees if confidence is high
|
||
3. Validate each class before moving the next.
|
||
4. Leave Google/cast pain until the end of IoT work.
|
||
|
||
Rollback if:
|
||
- essential household function breaks and app recovery is not immediate
|
||
|
||
Exit criteria:
|
||
- easy-value devices are out of Legacy CIA
|
||
- no unnecessary broad allow rules were added
|
||
|
||
### Phase G: Legacy CIA quarantine handling
|
||
1. Rename/reclassify CIA Via mentally and operationally as quarantine, not production IoT.
|
||
2. Leave orphaned bulbs/plugs/mystery devices there.
|
||
3. Apply strict quarantine firewall posture.
|
||
4. Build a written list of remaining MACs/devices with disposition:
|
||
- migrate later
|
||
- quarantine indefinitely for now
|
||
- kill/remove when safe
|
||
|
||
Exit criteria:
|
||
- Legacy CIA contains only leftovers and quarantined junk
|
||
- its policy is harsh and explicit
|
||
|
||
### Phase H: Google / discovery problem children
|
||
1. Move one Google/cast-class device only if time and energy remain.
|
||
2. Test discovery/casting behavior from Trusted.
|
||
3. Add only narrow exceptions if evidence proves a need.
|
||
4. If messy, stop. Leave the rest in Legacy CIA quarantine for a later targeted session.
|
||
|
||
Exit criteria:
|
||
- either one known-good pattern exists, or the problem is intentionally deferred
|
||
|
||
### Phase I: Guest and SSID cleanup
|
||
1. Validate Guest SSID maps to VLAN 50.
|
||
2. Confirm internet-only behavior.
|
||
3. Disable/retire any stale SSIDs not still needed for migration.
|
||
4. Keep `Trusted-Compat` only if it earns its keep.
|
||
5. Keep `CIA Via` only as temporary quarantine SSID if required for remaining devices.
|
||
|
||
Exit criteria:
|
||
- SSIDs reflect policy, not history
|
||
- only necessary temporary migration SSIDs remain
|
||
|
||
## 9. Explicit Device Triage
|
||
|
||
Move tomorrow if practical:
|
||
- Protect chimes
|
||
- doorbell
|
||
- PD
|
||
- Serenity
|
||
- Nomad
|
||
- Rocinante
|
||
- MyQ
|
||
- Samsung Family Hub
|
||
- LG dryer
|
||
- both ecobees if low risk
|
||
|
||
Probably defer or treat carefully:
|
||
- Google Home / cast ecosystem
|
||
- any device requiring odd mDNS/broadcast behavior
|
||
|
||
Quarantine in Legacy CIA:
|
||
- legacy lights
|
||
- legacy plugs
|
||
- mystery old smart devices
|
||
- anything no longer controllable but still physically present
|
||
|
||
Kill candidates after observation:
|
||
- unknown inactive MACs
|
||
- devices nobody misses after blocking
|
||
- duplicate/orphaned historical entries
|
||
|
||
## 10. Rollback Rules
|
||
|
||
Immediate rollback triggers:
|
||
- loss of UniFi management-plane access
|
||
- APs/switches vanish or go isolated unexpectedly
|
||
- Trusted admin client cannot reach controller/gateway
|
||
- critical household function breaks with no quick diagnosis
|
||
|
||
Rollback scope:
|
||
- revert last moved device first
|
||
- revert last SSID mapping change second
|
||
- revert last firewall rule addition/position third
|
||
- revert network object only if the object itself is wrong
|
||
- never stack more changes onto a broken state
|
||
|
||
## 11. Definition Of Done For Tomorrow
|
||
|
||
Minimum successful tomorrow outcome:
|
||
- Management is cleaned up
|
||
- Cameras/Security lane exists
|
||
- Servers lane exists and at least core hosts are moved or staged with confidence
|
||
- IoT lane exists and at least easy-value devices are moved
|
||
- Legacy CIA is converted into explicit quarantine/sunset lane
|
||
- no broad insecure exceptions were added out of fatigue
|
||
|
||
Nice-to-have, not mandatory tomorrow:
|
||
- U6 LR restored and tuned
|
||
- Google/cast fully migrated
|
||
- Legacy CIA emptied completely
|
||
- perfect final SSID simplification
|
||
|
||
## 12. Follow-up Work After Tomorrow
|
||
|
||
- Build exact firewall rule matrix page/artifact
|
||
- Commit/push dashboard docs and artifacts into repo properly
|
||
- Review remaining Legacy CIA devices one by one
|
||
- Decide whether U6 LR returns based on actual coverage evidence
|
||
- Remove stale SSIDs, port profiles, and rules once migration dust settles
|