Files
truenas-stacks/home/doris-dashboard/docs/network-migration-remaining-checklist-2026-05-22.md
Fizzlepoof bec21292de
Some checks failed
secret-guardrails / artifact-secret-scan (push) Has been cancelled
secret-guardrails / gitleaks (push) Has been cancelled
homelab: sync post-migration repo and n8n runtime audit
2026-05-22 23:05:41 +00:00

3.3 KiB

Network Migration Remaining Checklist

Current intent: only safe, low-drama follow-up work remains. The easy-value client cleanup already completed should not be re-run.

Already completed

  • Servers network/profile exists in UniFi
  • Protect WiFi Chime upstairs landing moved from Management -> Camera
  • Protect WiFi Chime Living Room moved from Management -> Camera
  • LG_Smart_Laundry2_open moved from Trusted -> IoT
  • MyQ-29B moved from Old IoT -> IoT
  • LG_Smart_Dryer2_open moved from Old IoT -> IoT
  • Samsung-FamilyHub moved from Old IoT -> IoT
  • Main-Floor ecobee moved from Old IoT -> IoT
  • Upstairs ecobee moved from Old IoT -> IoT
  • These 8 client moves were verified live from UniFi stat/sta
  • Firewall object/group scaffolding exists
  • Basic custom outbound policy scaffolding exists (Allow Internal to Untrusted)

Safe to do now

  1. Documentation cleanup

    • treat older pre-move docs as historical snapshots, not live next-step instructions
    • use this file as the current remaining-work reference
  2. Finalize remaining task list

    • keep Google/cast pilot explicitly deferred until John is on the laptop
    • keep unknown Legacy CIA devices explicitly quarantine-first
    • keep Intellirocks-in-Trusted explicitly flagged for later identification/move decision
  3. Non-disruptive firewall planning cleanup

    • compare staged firewall objects/policies against desired rule order
    • produce a precise missing-rules gap list before any live rule apply

Still pending before the migration is truly finished

A. Google/cast validation batch

Do later, with user present on laptop:

  • pilot one Google/cast-class device only
  • validate Plex playback
  • validate Plex discovery/casting
  • validate Dispatcharr once relevant
  • if ugly, revert that one device and defer the rest

Likely candidates still needing that treatment:

  • dc:e5:5b:8f:57:d2 (Google client currently in Trusted)
  • Google-Home-Mini
  • 3c:8d:20:f3:92:36
  • 90:ca:fa:b6:7f:6e

B. Remaining Trusted-lane cleanup

  • d4:ad:fc:f2:df:d2 likely does not belong in Trusted
  • decide: identify better, move to IoT, or quarantine later

C. Legacy CIA quarantine closeout

Leave quarantined unless identified better:

  • 5c:61:99:41:73:40
  • 60:74:f4:54:fd:ec
  • 60:74:f4:7b:6a:11
  • c0:f5:35:20:5d:94
  • d4:ad:fc:60:90:6a
  • d4:ad:fc:ea:7f:65

D. Real firewall enforcement

Still needed if the design is to be truly enforced rather than just staged:

  • stateful baseline rules
  • management shield
  • explicit Trusted admin -> Management allows
  • Trusted -> Servers allow
  • Guest internet-only enforcement
  • IoT narrow internal access only
  • Camera narrow internal access only
  • Legacy CIA quarantine-only posture
  • broad deny structure for restricted lanes

Important distinction:

  • groups/objects exist
  • at least one custom outbound policy exists
  • the full inter-VLAN segmentation matrix is not yet fully enforced

E. Final cleanup

  • SSID simplification once Google/cast behavior is understood
  • final validation sweep
  • confirm no temporary panic exceptions remain
  • document any intentionally deferred weird devices

Suggested execution order from here

  1. Produce firewall gap list
  2. Wait for laptop session
  3. Run one-device Google/cast pilot
  4. Decide on Trusted Intellirocks device
  5. Finish firewall enforcement carefully
  6. Do final SSID simplification and closeout