139 lines
5.2 KiB
Markdown
139 lines
5.2 KiB
Markdown
# UniFi Read-Only Recon Notes
|
||
|
||
Date: 2026-05-22
|
||
Mode: read-only only
|
||
Auth status: verified working with upgraded Doris admin login
|
||
|
||
## Scope completed
|
||
- authenticated login verified
|
||
- network object inventory read
|
||
- SSID inventory read
|
||
- port profile inventory read
|
||
- client inventory read
|
||
- AP/client mapping read
|
||
- wired switch-port/client mapping read
|
||
- firewall/policy endpoint probes read
|
||
|
||
## High-value findings
|
||
|
||
### 1. Firewall model / current policy state
|
||
- `firewallrule`: 200, count 0
|
||
- `firewallgroup`: 200, count 0
|
||
- `firewallzone`: 400
|
||
- `trafficrule`: 400
|
||
- `routing`: 200, count 0
|
||
|
||
Interpretation:
|
||
- there are currently no custom classic firewall rules in the Network app dataset returned by the API
|
||
- no custom firewall groups are defined there either
|
||
- zone/traffic-rule endpoints are not active in the way this API helper expected
|
||
- practical implication: tomorrow’s segmentation policy work is largely greenfield, not cleanup of a big custom ruleset
|
||
|
||
### 2. Current network objects
|
||
- Management -> corporate -> untagged -> `10.5.0.1/24`
|
||
- Trusted -> corporate -> VLAN 51 -> `10.5.1.1/24`
|
||
- Old IoT -> corporate -> VLAN 2 -> `192.168.1.1/24`
|
||
- IoT -> corporate -> VLAN 510 -> `10.5.10.1/24`
|
||
- Camera -> corporate -> VLAN 520 -> `10.5.20.1/24`
|
||
- Guest -> guest -> VLAN 590 -> `10.5.90.1/24`
|
||
|
||
### 3. Current SSIDs
|
||
- `CIA Via` -> Old IoT
|
||
- `UNEF's Playhouse` -> Camera
|
||
- `Whiskey Neat Fuck Ice` -> Trusted
|
||
- `Yer a Wifi Harry` -> Trusted
|
||
|
||
### 4. Management offenders
|
||
Both Management-lane clients are Wi‑Fi clients on the U7 Pro and both are unnamed `espressif` devices on the default `UniFi Wireless` SSID.
|
||
|
||
- `espressif` -> `10.5.0.123` -> U7 Pro -> SSID `UniFi Wireless`
|
||
- `espressif` -> `10.5.0.189` -> U7 Pro -> SSID `UniFi Wireless`
|
||
|
||
Interpretation:
|
||
- these are almost certainly stray ESP-class smart devices and exactly the kind of junk that should not live on Management
|
||
- tomorrow we should either identify and move them, or quarantine them if they are brittle
|
||
|
||
### 5. Old IoT live inventory
|
||
All are currently on SSID `CIA Via` via the U7 Pro.
|
||
|
||
Likely migrate-first / easy-value:
|
||
- `MyQ-29B` -> `192.168.1.130`
|
||
- `Main-Floor` ecobee -> `192.168.1.102`
|
||
- `Upstairs` ecobee -> `192.168.1.131`
|
||
- `LG_Smart_Dryer2_open` -> `192.168.1.186`
|
||
- `Samsung-FamilyHub` -> `192.168.1.149`
|
||
|
||
Likely migrate-later / discovery pain:
|
||
- `Google-Home-Mini` -> `192.168.1.185`
|
||
- `3c:8d:20:f3:92:36` -> Google -> `192.168.1.192`
|
||
- `90:ca:fa:b6:7f:6e` -> Google -> `192.168.1.129`
|
||
|
||
Likely quarantine until identified better:
|
||
- `5c:61:99:41:73:40` -> Cloud Network Technology Singapore -> `192.168.1.172`
|
||
- `60:74:f4:54:fd:ec` -> Private -> `192.168.1.136`
|
||
- `60:74:f4:7b:6a:11` -> Private -> `192.168.1.117`
|
||
- `c0:f5:35:20:5d:94` -> AMPAK -> `192.168.1.183`
|
||
- `d4:ad:fc:60:90:6a` -> Shenzhen Intellirocks -> `192.168.1.100`
|
||
- `d4:ad:fc:ea:7f:65` -> Shenzhen Intellirocks -> `192.168.1.101`
|
||
|
||
### 6. Camera lane live state
|
||
- `front-doorbell` is already on Camera network at `10.5.20.217`
|
||
|
||
Interpretation:
|
||
- the doorbell is already where it belongs logically
|
||
- tomorrow’s security cleanup work is mainly about chimes and future policy tightening
|
||
|
||
### 7. Trusted lane still carrying infrastructure-class hosts
|
||
Trusted currently includes:
|
||
- `PlausibleDeniability` -> `10.5.1.6`
|
||
- `Serenity` -> `10.5.1.5`
|
||
- `Nomad` -> `10.5.1.16`
|
||
- `Rocinante` -> `10.5.1.112`
|
||
- `FlyingDutchman` -> `10.5.1.111`
|
||
|
||
Interpretation:
|
||
- tomorrow’s server-lane work is real and necessary
|
||
- these should not stay blended into the human client lane long-term
|
||
|
||
### 8. AP/client mapping
|
||
- `U7 Pro`: 26 clients
|
||
- `wired/unknown`: 5 clients
|
||
|
||
Interpretation:
|
||
- almost all current active wireless load is concentrated on the U7 Pro
|
||
- the U6 LR is presently not carrying client load
|
||
|
||
### 9. Wired client to switch-port mapping
|
||
On `USW Pro HD 24`:
|
||
- port 2 -> `Rocinante`
|
||
- port 3 -> `FlyingDutchman`
|
||
- port 22 -> `Nomad`
|
||
- port 23 -> `PlausibleDeniability`
|
||
- port 24 -> `Serenity`
|
||
|
||
### 10. Important switch-port assignments
|
||
On `USW Pro HD 24`:
|
||
- port 1 -> profile `Management` -> `U7 Pro (Upstairs)`
|
||
- port 22 -> profile `Trusted` -> `Nomad`
|
||
- port 23 -> profile `Trusted` -> `Docker Server` / PD
|
||
- port 24 -> profile `Trusted` -> `Serenity 10G (1)`
|
||
- port 27 -> profile `Management` -> up at 10G
|
||
- port 3 -> profile `Trusted` -> `FlyingDutchman`
|
||
- port 2 -> up at 2.5G with no explicit profile shown -> `Rocinante`
|
||
|
||
On `USW-24-PoE`:
|
||
- port 24 -> profile `Management` -> up at 1G
|
||
- many inactive preassigned ports exist for `IoT`, `Old IoT`, and `Management`
|
||
|
||
Interpretation:
|
||
- the core server moves tomorrow are mechanically straightforward because their live ports are visible
|
||
- PD / Serenity / Nomad / FlyingDutchman are explicitly sitting on Trusted access profiles today
|
||
- Rocinante needs a quick extra look because the client is live on port 2 but that port did not show an explicit profile name in the returned record
|
||
|
||
## Recommended next actions for tomorrow
|
||
1. identify the two Management `espressif` devices before or during the window
|
||
2. move/changeprofile for server ports on the USW Pro HD 24 one at a time
|
||
3. treat Google devices as late-batch or defer
|
||
4. treat unknown Old IoT clients as quarantine by default, not migration by default
|
||
5. keep Camera cleanup focused on chimes and policy, because the doorbell is already in the correct lane
|