3.3 KiB
3.3 KiB
Network Migration Remaining Checklist
Current intent: only safe, low-drama follow-up work remains. The easy-value client cleanup already completed should not be re-run.
Already completed
- Servers network/profile exists in UniFi
- Protect WiFi Chime
upstairs landingmoved from Management -> Camera - Protect WiFi Chime
Living Roommoved from Management -> Camera LG_Smart_Laundry2_openmoved from Trusted -> IoTMyQ-29Bmoved from Old IoT -> IoTLG_Smart_Dryer2_openmoved from Old IoT -> IoTSamsung-FamilyHubmoved from Old IoT -> IoTMain-Floorecobee moved from Old IoT -> IoTUpstairsecobee moved from Old IoT -> IoT- These 8 client moves were verified live from UniFi
stat/sta - Firewall object/group scaffolding exists
- Basic custom outbound policy scaffolding exists (
Allow Internal to Untrusted)
Safe to do now
-
Documentation cleanup
- treat older pre-move docs as historical snapshots, not live next-step instructions
- use this file as the current remaining-work reference
-
Finalize remaining task list
- keep Google/cast pilot explicitly deferred until John is on the laptop
- keep unknown Legacy CIA devices explicitly quarantine-first
- keep Intellirocks-in-Trusted explicitly flagged for later identification/move decision
-
Non-disruptive firewall planning cleanup
- compare staged firewall objects/policies against desired rule order
- produce a precise missing-rules gap list before any live rule apply
Still pending before the migration is truly finished
A. Google/cast validation batch
Do later, with user present on laptop:
- pilot one Google/cast-class device only
- validate Plex playback
- validate Plex discovery/casting
- validate Dispatcharr once relevant
- if ugly, revert that one device and defer the rest
Likely candidates still needing that treatment:
dc:e5:5b:8f:57:d2(Google client currently in Trusted)Google-Home-Mini3c:8d:20:f3:92:3690:ca:fa:b6:7f:6e
B. Remaining Trusted-lane cleanup
d4:ad:fc:f2:df:d2likely does not belong in Trusted- decide: identify better, move to IoT, or quarantine later
C. Legacy CIA quarantine closeout
Leave quarantined unless identified better:
5c:61:99:41:73:4060:74:f4:54:fd:ec60:74:f4:7b:6a:11c0:f5:35:20:5d:94d4:ad:fc:60:90:6ad4:ad:fc:ea:7f:65
D. Real firewall enforcement
Still needed if the design is to be truly enforced rather than just staged:
- stateful baseline rules
- management shield
- explicit Trusted admin -> Management allows
- Trusted -> Servers allow
- Guest internet-only enforcement
- IoT narrow internal access only
- Camera narrow internal access only
- Legacy CIA quarantine-only posture
- broad deny structure for restricted lanes
Important distinction:
- groups/objects exist
- at least one custom outbound policy exists
- the full inter-VLAN segmentation matrix is not yet fully enforced
E. Final cleanup
- SSID simplification once Google/cast behavior is understood
- final validation sweep
- confirm no temporary panic exceptions remain
- document any intentionally deferred weird devices
Suggested execution order from here
- Produce firewall gap list
- Wait for laptop session
- Run one-device Google/cast pilot
- Decide on Trusted Intellirocks device
- Finish firewall enforcement carefully
- Do final SSID simplification and closeout