14 KiB
Home Network Redesign Implementation Runbook
For Doris: use this during the live UniFi change window. Goal is a controlled cutover with explicit validation and rollback at each boundary.
Goal: deploy the target VLAN/SSID/firewall design with minimum drama, keep legacy CIA Via as a quarantine lane for devices that cannot yet be migrated, and finish the window with an understandable, supportable network.
Architecture summary:
- Final target lanes remain VLAN 10 Management, VLAN 20 Trusted, VLAN 30 Servers, VLAN 40 IoT, VLAN 50 Guest, VLAN 60 Cameras/Security.
- Legacy CIA Via remains temporarily alive as a quarantine/sunset VLAN for unmanageable legacy devices.
- No non-infrastructure devices stay on Management when the window closes.
- No broad trust exceptions are added just to make migration feel easier.
Tech stack / control surfaces:
- UniFi Network controller on UDM Pro
- UDM Pro gateway/firewall
- USW Pro HD 24 and other UniFi switching
- U7 Pro and optional U6 LR APs
- Doris artifacts for reference:
/home/fizzlepoof/repos/truenas-stacks/home/doris-dashboard/public/network-redesign.html/home/fizzlepoof/repos/truenas-stacks/home/doris-dashboard/public/network-web.html/home/fizzlepoof/repos/truenas-stacks/home/doris-dashboard/docs/network-redesign-plan.md
1. Required Access
Required to implement directly:
- UniFi OS / Network write access on the UDM Pro site at
https://10.5.0.1 - Ability to create/edit:
- VLANs / networks
- Wi-Fi SSIDs
- firewall rules
- port profiles
- switch port assignments
- device settings for APs/switches
- Ability to see client inventory with MAC/IP/vendor names
Required for safe validation after each move:
- Existing SSH access to PD via
pd(truenas_admin@10.5.30.6) - Reachability to NOMAD-hosted Doris web artifacts at
10.5.30.7:8787 - A Trusted client on-site on Wi‑Fi for live user validation
- At least one device on each of these categories available for test:
- Trusted client
- server service
- IoT device/app pair
- guest client
- camera/security device if moved tomorrow
Optional but strongly preferred:
- Temporary full admin role in UniFi instead of pair-driving through read-only
- Access to export or screenshot current config before changes
- Ability to check AP/switch port LEDs/physical labels if anything is ambiguous
Fallback if you do not want to grant write access:
- Pair-drive the entire window with you at the keyboard in UniFi while I call every exact change in order
- This is slower but workable
2. What Can Be Finished Before Tomorrow
Pre-work Doris can finish now without write access:
- Final runbook and sequence document
- Final object naming convention
- Final firewall intent matrix
- Validation checklist per VLAN
- Rollback checklist per phase
- Device triage sheet for Legacy CIA Via:
- migrate
- quarantine
- kill
Pre-work requiring only read access / screenshots / exports from you:
- Confirm exact current UniFi object names
- Confirm whether VLAN IDs 10/20/30/40/50/60 already exist or must be created
- Confirm current SSID names and which APs broadcast each one
- Confirm current port-profile names and which switch ports use them
- Confirm which clients are currently on Management and CIA Via
- Confirm whether U6 LR is physically installed and link-ready or still shelved
Pre-work requiring write access, if granted tonight:
- Create missing target networks/VLAN objects without moving clients yet
- Create disabled/staged SSIDs without enabling them yet
- Create new port profiles without assigning them yet
- Create firewall rules in disabled or low-priority staged form
- Label/comment rules and profiles for tomorrow’s change window
3. Hard Rules For The Change Window
- One operator console on Trusted stays connected the whole time.
- One fallback path into UniFi must remain alive before any management change.
- Do not move multiple unknown devices at once.
- Do not delete Legacy CIA Via tomorrow unless it is truly empty, which is unlikely.
- Do not move legacy/unmanageable junk into Management, Trusted, or Servers to “just get done.”
- After every change group, stop and validate before continuing.
- If management-plane reachability is degraded, roll back immediately before chasing anything else.
4. Target Objects
Networks / VLANs
NET-MGMT-> VLAN 10 ->10.5.10.0/24NET-TRUSTED-> VLAN 20 ->10.5.20.0/24NET-SERVERS-> VLAN 30 ->10.5.30.0/24NET-IOT-> VLAN 40 ->10.5.40.0/24NET-GUEST-> VLAN 50 ->10.5.50.0/24NET-CAMERAS-> VLAN 60 ->10.5.60.0/24NET-LEGACY-CIA-> existing legacy VLAN/subnet retained temporarily as quarantine lane
Wi‑Fi SSIDs
Trusted-> VLAN 20Trusted-Compat-> VLAN 20, optional temporary onlyIoT-> VLAN 40Guest-> VLAN 50Security-> VLAN 60CIA Via-> legacy VLAN, temporary only, no new joins
Port profiles
PP-TRUNK-UPLINKPP-ACCESS-MGMTPP-ACCESS-TRUSTEDPP-ACCESS-SERVERSPP-ACCESS-IOTPP-ACCESS-GUESTPP-ACCESS-CAMERASPP-ACCESS-LEGACY-CIA
5. Firewall Policy Intent
Trusted:
- allow to Management for admin devices only
- allow to Servers for normal human/service use
- allow to Cameras for operator/admin use
- allow limited control flows to IoT if required
Servers:
- allow explicit services outward as needed
- no sloppy east-west broad allow
- allow NVR/Protect-related flows to Cameras only if required
IoT:
- allow DHCP/DNS/NTP/internet
- deny Management
- deny Trusted by default
- deny Servers except specific helper/service destinations
- explicit discovery exceptions only when proven necessary
Guest:
- internet only
- deny all local RFC1918/internal subnets
- client isolation on Wi‑Fi
Cameras/Security:
- allow DHCP/DNS/NTP/internet/update paths as needed
- deny broad lateral movement
- allow only Protect/NVR/admin destinations
Legacy CIA quarantine lane:
- allow DHCP/DNS/NTP/internet
- deny Management
- deny Trusted
- deny Cameras
- deny Servers by default
- add only device-specific exceptions if absolutely required
- no new devices assigned here intentionally
6. Baseline Capture Before First Change
Capture all of this before changing anything:
- Screenshot/export all existing networks
- Screenshot/export all SSIDs
- Screenshot/export firewall rules in current order
- Screenshot/export port profiles
- Screenshot/export AP settings
- Screenshot/export switch port assignments
- Record current IP/gateway/subnet for:
- PD
- Serenity
- Nomad
- Rocinante
- UDM Pro
- U7 Pro
- U6 LR if present
- Record current MAC/IP list for important Old IoT devices:
- Google Home Mini / cast devices
- both ecobees
- MyQ
- Samsung Family Hub
- LG dryer
- known legacy bulbs/plugs
- doorbell
- Protect chimes
- Confirm current DHCP reservations/static mappings that may break when VLANs move
7. Validation Tests To Run Repeatedly
Trusted validation:
- Trusted Wi‑Fi client gets correct subnet/gateway
- internet works
- can reach UniFi admin
- can reach PD/NOMAD/Serenity services expected from user lane
Management validation:
- UDM, switches, APs remain visible/manageable in UniFi
- no unexpected client endpoints remain in Management
Servers validation:
- PD/Serenity/Nomad/Rocinante get correct subnet/gateway after move
- critical services respond from Trusted
- outbound internet works if required
IoT validation:
- device rejoins expected SSID/VLAN
- vendor app control still works
- local control still works only if intentionally allowed
Guest validation:
- guest device gets internet
- cannot reach local subnets
Security validation:
- doorbell/chimes/camera devices stay online
- admin/Protect access works if expected
- no reachability into unrelated lanes
Legacy CIA validation:
- quarantined devices still work at the minimum acceptable level
- no new devices are added there
8. Change Sequence For Tomorrow
Phase A: Safety setup
- Confirm one wired or strongly stable Trusted admin client is connected.
- Open UniFi in one session and keep Doris artifacts open in another.
- Capture all baseline screenshots/exports.
- Confirm rollback path into UniFi if Wi‑Fi changes go bad.
- Confirm whether U6 LR participates tomorrow or stays out of scope.
Exit criteria:
- baseline captured
- management reachability stable
- rollback path confirmed
Phase B: Create or normalize objects without moving clients
- Create any missing target networks.
- Create any missing port profiles.
- Create/stage SSIDs:
- Trusted
- Trusted-Compat if needed
- IoT
- Guest
- Security
- Create/stage Legacy CIA quarantine policy object naming.
- Create staged firewall rules with comments.
Exit criteria:
- all objects exist
- nothing has moved yet
- no current connectivity loss
Phase C: Management cleanup first
- Ensure UDM, switches, and AP management surfaces are on VLAN 10 intent.
- Remove obvious non-infrastructure devices from Management.
- Move Protect chimes out of Management as top cleanup item if Security lane is ready.
- Re-validate UniFi visibility of gateway, switches, APs.
Rollback if:
- UniFi loses management of gateway/switch/APs
- admin client can no longer reach management plane
Exit criteria:
- Management is infrastructure-only or very close to it
- no human endpoints or smart accessories remain there except known temporary exceptions tracked in writing
Phase D: Build/activate Cameras lane
- Activate/validate
NET-CAMERAS. - Activate
SecuritySSID if used. - Move doorbell and Protect chimes to Cameras/Security.
- Validate app/admin behavior.
Rollback if:
- security devices fall offline and cannot be recovered quickly
Exit criteria:
- doorbell/chimes are no longer polluting Management
- Camera lane exists for future growth
Phase E: Move core servers to Servers VLAN 30
- Move one least-scary server first.
- Validate from Trusted.
- Update any reservation/DNS/profile dependency if needed.
- Move remaining core hosts one by one:
- PD
- Serenity
- Nomad
- Rocinante
- After each move, validate service reachability and outbound needs.
Rollback if:
- critical service path breaks and root cause is not obvious within a few minutes
Exit criteria:
- core hosts reside in Servers lane
- Trusted still reaches intended services
Phase F: Move easy IoT first
- Activate/validate
IoTSSID and VLAN 40. - Move easiest/least-fragile devices first:
- MyQ
- Samsung Family Hub
- LG dryer
- ecobees if confidence is high
- Validate each class before moving the next.
- Leave Google/cast pain until the end of IoT work.
Rollback if:
- essential household function breaks and app recovery is not immediate
Exit criteria:
- easy-value devices are out of Legacy CIA
- no unnecessary broad allow rules were added
Phase G: Legacy CIA quarantine handling
- Rename/reclassify CIA Via mentally and operationally as quarantine, not production IoT.
- Leave orphaned bulbs/plugs/mystery devices there.
- Apply strict quarantine firewall posture.
- Build a written list of remaining MACs/devices with disposition:
- migrate later
- quarantine indefinitely for now
- kill/remove when safe
Exit criteria:
- Legacy CIA contains only leftovers and quarantined junk
- its policy is harsh and explicit
Phase H: Google / discovery problem children
- Move one Google/cast-class device only if time and energy remain.
- Test discovery/casting behavior from Trusted.
- Add only narrow exceptions if evidence proves a need.
- If messy, stop. Leave the rest in Legacy CIA quarantine for a later targeted session.
Exit criteria:
- either one known-good pattern exists, or the problem is intentionally deferred
Phase I: Guest and SSID cleanup
- Validate Guest SSID maps to VLAN 50.
- Confirm internet-only behavior.
- Disable/retire any stale SSIDs not still needed for migration.
- Keep
Trusted-Compatonly if it earns its keep. - Keep
CIA Viaonly as temporary quarantine SSID if required for remaining devices.
Exit criteria:
- SSIDs reflect policy, not history
- only necessary temporary migration SSIDs remain
9. Explicit Device Triage
Move tomorrow if practical:
- Protect chimes
- doorbell
- PD
- Serenity
- Nomad
- Rocinante
- MyQ
- Samsung Family Hub
- LG dryer
- both ecobees if low risk
Probably defer or treat carefully:
- Google Home / cast ecosystem
- any device requiring odd mDNS/broadcast behavior
Quarantine in Legacy CIA:
- legacy lights
- legacy plugs
- mystery old smart devices
- anything no longer controllable but still physically present
Kill candidates after observation:
- unknown inactive MACs
- devices nobody misses after blocking
- duplicate/orphaned historical entries
10. Rollback Rules
Immediate rollback triggers:
- loss of UniFi management-plane access
- APs/switches vanish or go isolated unexpectedly
- Trusted admin client cannot reach controller/gateway
- critical household function breaks with no quick diagnosis
Rollback scope:
- revert last moved device first
- revert last SSID mapping change second
- revert last firewall rule addition/position third
- revert network object only if the object itself is wrong
- never stack more changes onto a broken state
11. Definition Of Done For Tomorrow
Minimum successful tomorrow outcome:
- Management is cleaned up
- Cameras/Security lane exists
- Servers lane exists and at least core hosts are moved or staged with confidence
- IoT lane exists and at least easy-value devices are moved
- Legacy CIA is converted into explicit quarantine/sunset lane
- no broad insecure exceptions were added out of fatigue
Nice-to-have, not mandatory tomorrow:
- U6 LR restored and tuned
- Google/cast fully migrated
- Legacy CIA emptied completely
- perfect final SSID simplification
12. Follow-up Work After Tomorrow
- Build exact firewall rule matrix page/artifact
- Commit/push dashboard docs and artifacts into repo properly
- Review remaining Legacy CIA devices one by one
- Decide whether U6 LR returns based on actual coverage evidence
- Remove stale SSIDs, port profiles, and rules once migration dust settles