5.9 KiB
5.9 KiB
Network Migration Remaining Checklist
Current intent: only safe, low-drama follow-up work remains. The easy-value client cleanup already completed should not be re-run.
Current truth note:
- use this file plus
unifi-protect-doorbell-chime-current-state-2026-05-26.mdas the source of truth for what is actually still pending - treat earlier cutover-prep docs with "tomorrow" language as historical planning artifacts unless they were explicitly updated later
Already completed
- Servers network/profile exists in UniFi
- Historical attempt moved both Protect WiFi chimes from Management -> Camera, but that change was later reversed after Protect health failed on the Camera-lane override
- Current known-good state keeps both Protect WiFi chimes on Management / default
UniFi Wireless; seeunifi-protect-doorbell-chime-current-state-2026-05-26.md LG_Smart_Laundry2_openmoved from Trusted -> IoTMyQ-29Bmoved from Old IoT -> IoTLG_Smart_Dryer2_openmoved from Old IoT -> IoTSamsung-FamilyHubmoved from Old IoT -> IoTMain-Floorecobee moved from Old IoT -> IoTUpstairsecobee moved from Old IoT -> IoT- These 8 client moves were verified live from UniFi
stat/sta - Firewall object/group scaffolding exists
- Basic custom outbound policy scaffolding exists (
Allow Internal to Untrusted) - First live management-plane hardening slice is now applied:
Block Untrusted to Gateway Admin Surfaces - Reference:
unifi-firewall-enforcement-result-2026-05-23.md
Safe to do now
-
Documentation cleanup
- treat older pre-move docs as historical snapshots, not live next-step instructions
- use this file as the current remaining-work reference
-
Finalize remaining task list
- keep Google/cast pilot explicitly deferred until John is on the laptop
- keep unknown Legacy CIA devices explicitly quarantine-first
- Trusted-lane Intellirocks cleanup is now resolved separately; see
intellirocks-triage-result-2026-05-23.md - Legacy CIA leftovers are now dispositioned separately; see
unifi-legacy-cia-closeout-2026-05-23.md - Protect chime lane cleanup is intentionally deferred until Protect connectivity is explicitly re-validated on a non-Management lane
-
Non-disruptive firewall planning cleanup
- compare staged firewall objects/policies against desired rule order
- produce a precise missing-rules gap list before any live rule apply
Still pending before the migration is truly finished
A. DHCP/DNS and gateway-dependency closeout
- Fresh live verification is written up in
unifi-dhcp-dns-verification-2026-05-23.md - Recommended design is written up in
unifi-restricted-lane-dns-ntp-recommendation-2026-05-23.md - Live DNS cutover result is written up in
unifi-restricted-dns-cutover-result-2026-05-23.md - Broader gateway shield result is written up in
unifi-broader-gateway-shield-result-2026-05-23.md - Completed live changes:
IoT,Camera, andOld IoTnow DHCP-advertise DNS10.5.30.53- explicit
Untrusted -> InternalDNS allow now preserves access to10.5.30.53:53 - broader
Untrusted -> Gatewayblock is now in place with DHCP and mDNS preserved
- NTP remains intentionally unchanged for now
- Remaining follow-up is validation, not additional broad gateway-rule design
B. Google/cast validation batch
Do later, with user present on laptop:
- pilot one Google/cast-class device only
- validate Plex playback
- validate Plex discovery/casting
- validate Dispatcharr once relevant
- if ugly, revert that one device and defer the rest
Likely candidates still needing that treatment:
dc:e5:5b:8f:57:d2(Google client currently in Trusted)Google-Home-Mini3c:8d:20:f3:92:3690:ca:fa:b6:7f:6e
C. Remaining Trusted-lane cleanup
- Completed:
d4:ad:fc:f2:df:d2was removed from Trusted and re-homed toOld IoT - Reference:
intellirocks-triage-result-2026-05-23.md
D. Legacy CIA quarantine closeout
- Completed as a disposition decision: the remaining unidentified leftovers stay quarantined on
Old IoT - Reference:
unifi-legacy-cia-closeout-2026-05-23.md
E. Real firewall enforcement
Substantially completed:
- live custom rule blocks
IoT/Camera/Old IoTaccess to the UDM Pro admin TCP ports - live custom rule allows restricted-lane DNS to
10.5.30.53:53 - live custom rule blocks general restricted-lane
Untrusted -> Gatewayaccess - live custom rules preserve DHCP and mDNS for the restricted lanes
- references:
unifi-firewall-enforcement-result-2026-05-23.mdunifi-broader-gateway-shield-result-2026-05-23.md
Still needed if the full design is to be enforced rather than just the current safe slices:
- real client validation from each restricted lane after lease renewal
- explicit Trusted admin -> Management allows if broad internal->gateway restrictions are introduced later
- Trusted -> Servers allow only if later intra-Internal restrictions are introduced
- any camera/Protect helper exceptions after port-level verification
- any Google/cast discovery exceptions only after laptop validation
Important distinction:
- custom rules now cover the main restricted-lane gateway hardening path
- the full inter-VLAN segmentation matrix is still not yet fully enforced
F. Final cleanup
- SSID simplification once Google/cast behavior is understood
- reference SSID retire/keep plan:
unifi-ssid-cleanup-proposal-2026-05-23.md - final validation sweep
- confirm no temporary panic exceptions remain
- document any intentionally deferred weird devices
- keep the Protect doorbell/chime exception documented until a future validated lane migration replaces it
Suggested execution order from here
- Wait for laptop session
- Human-validate Google/cast behavior from the laptop
- Renew/validate one real client on each restricted lane against the new DNS + gateway shield posture
- Add only any proven narrow exceptions that real validation actually requires
- Do final SSID simplification and closeout using
unifi-ssid-cleanup-proposal-2026-05-23.md