sync: auto-sync from HOWARD-HOME at 2026-06-16 18:09:18

Author: Howard Enos
Machine: HOWARD-HOME
Timestamp: 2026-06-16 18:09:18
2026-06-16 18:09:27 -07:00
parent d6cbfb3e50
commit 08fcafa0a4
2 changed files with 204 additions and 0 deletions


@@ -0,0 +1,130 @@
# Cascades — Voice VLAN (VLAN 30) Cutover Runbook + Recon
- **Created:** 2026-06-16 (Howard-Home / claude-main)
- **Status:** PLANNED — not yet executed. Vendor email sent 2026-06-16; awaiting Richard's confirm + maintenance window.
- **Driver:** Vertical (VoIP vendor, Richard Turner <RTurner@vertical.com>) cannot reach the phones from the remote-management desktop, and phone IPs drift. Root cause: when the network was segmented into VLANs, the Vertical remote desktop and the wired phones were left on the original LAN while the wireless phones landed on VLAN 20 — so the desktop has no path to the wireless phones (main-LAN -> VLAN 20 is blocked at pfSense).
## Goal
Consolidate ALL voice gear (Poly WiFi phones + AudioCodes wired phones + Vertical-Remote desktop) onto a dedicated, isolated voice network. Voice reaches the internet; blocked from main LAN / VLAN 20 / PHI. Vertical's pfSense OpenVPN scoped to the voice subnet only.
```
VOICE network: VLAN 30
Subnet/gateway: 10.0.30.0/24 gw 10.0.30.1 (pfSense igc1.30)
DHCP pool: 10.0.30.100 - 10.0.30.250
Reservations: below .100 (out of pool -> safe on both ISC and Kea)
Desktop: 10.0.30.10 (Vertical-Remote, e4:e7:49:52:3a:06) -> set NIC to DHCP
```
## Systems
pfSense `192.168.0.1` does ALL routing + DHCP. UniFi (UOS controller `172.16.3.29`, Cascades site `685f39068e65331c46ef6dd2`) is L2 only here — every UniFi network is `purpose: vlan-only` (no subnets in UniFi). So building VLAN 30 touches BOTH systems.
---
## Confirmed architecture (UOS controller, 2026-06-16)
| Device class | Count | Attach | Currently lands on |
|---|---|---|---|
| Poly phones | 22 active (~29 historical) | **WiFi**, SSID **CSCNet**, APs building-wide | VLAN 20 "Internal" (`10.0.20.x`) |
| AudioCodes phones | 8 | **Wired**, USW-16-PoE **ports 1-8** | "Default" / main LAN (`192.168.2/3.x`) |
| Vertical-Remote desktop | 1 | **Wired**, USW-16-PoE **port 16** | "Default" / main LAN (`192.168.2.180`, static) |
**CSCNet is a shared PPSK SSID** (`wlanconf 685f39078e65331c46ef7ee5`, `private_preshared_keys_enabled:true`, base networkconf = Default, `vlan_enabled:false`). ~230 per-key->network mappings: most keys map to per-room resident VLANs (101-631), a few to Default, and one phone key maps to "Internal"/VLAN 20 (`networkconf 69405ba36db796548c947130`). Historical CSCNet clients: 1,190 (residents' IoT/TVs/phones/laptops + staff + the phones). **=> Do NOT repoint the CSCNet SSID itself** — that would move every resident/staff device. Move the phones at the PPSK level instead.
Networks of interest:
- Default (main LAN): `685f39078e65331c46ef8ac4`, `192.168.0.0/22`
- Internal (VLAN 20): `69405ba36db796548c947130`, `10.0.20.0/24`
- Guest (VLAN 50): `10.0.50.0/24`
- OpenVPN Server: `192.168.8.1/24` (purpose remote-user-vpn) — Vertical comes in here.
---
## PBX recon (CS-SERVER via GuruRMM, 2026-06-16)
Probed from CS-SERVER (`192.168.2.254`, same LAN segment) — read-only.
| Target | TCP open | SIP UDP 5060 | Conclusion |
|---|---|---|---|
| `192.168.2.180` (desktop) | 3389 (RDP) only | no reply | **Not a PBX** — RDP management/jump box |
| `192.168.2.228` (CS-QB, labeled "VoIP server") | 445 (SMB) only | no reply | **Not a live SIP PBX** — behaves like an SMB box despite the label |
**Implication:** no on-prem SIP PBX detected -> phones almost certainly register to a **cloud/hosted PBX** (Vertical). If confirmed, the voice VLAN only needs internet egress and the on-prem PBX pinhole (Part A step 5b) is **NOT needed**. Caveat: external port view only — a non-standard port / known-peer-only / host-firewalled PBX can't be 100% excluded, so Richard's confirm is the authority.
---
## PART A — pfSense (`https://192.168.0.1`)
1. **VLAN interface:** Interfaces -> VLANs -> Add: Parent `igc1`, Tag `30`, Desc `VOICE`.
2. **Assign + IP:** Interfaces -> Assignments -> add `igc1.30` -> Enable, Static `10.0.30.1/24`.
3. **DHCP:** Services -> DHCP Server -> VOICE: enable, range `10.0.30.100-.250`, DNS `10.0.30.1`.
4. **Reservation (desktop):** Static Mappings -> `e4:e7:49:52:3a:06` = `10.0.30.10`, hostname `Vertical-Remote`. (Phones optional — see Appendix; they stay reachable from the desktop on-subnet regardless.)
5. **Firewall (VOICE tab), top-to-bottom:**
- Alias `RFC1918` = `10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16`.
- (a) PASS: VOICE net -> This Firewall (10.0.30.1) ports 53, 123.
- (b) **CONDITIONAL** PASS: VOICE net -> `<on-prem PBX IP>` SIP/RTP/provisioning. **Recon says SKIP (cloud PBX); add only if Richard confirms an on-prem PBX.**
- (c) BLOCK: VOICE net -> `RFC1918`. (isolation)
- (d) PASS: VOICE net -> any. (internet)
6. **OpenVPN — reach desktop on VOICE, scoped to voice only:**
- His `.ovpn` does NOT need re-export (routes are server-pushed; same host/port/cert) — he just reconnects.
- Preferred: VPN -> OpenVPN -> **Client Specific Overrides** for **Richard's CN**: IPv4 Local Network/s = `10.0.30.0/24` only; give him a fixed tunnel IP.
- Firewall -> Rules -> OpenVPN: PASS `<Richard tunnel IP>` -> `10.0.30.0/24`; BLOCK `<Richard tunnel IP>` -> `RFC1918`.
- If the VPN server is shared, use the CSO + per-tunnel-IP rules (do NOT widen the server's global Local Networks). If Vertical-only, may edit the server in place.
## PART B — UniFi (UOS controller)
7. **Network:** Settings -> Networks -> Add: `VOICE`, purpose `VLAN Only`, VLAN `30`.
8. **Wired ports (USW-16-PoE):** set Native Network = VOICE (untagged) on **ports 1-8** (AudioCodes) and **port 16** (desktop). AudioCodes re-DHCP automatically; desktop needs Vertical's NIC change.
9. **Wireless Poly (PPSK):** Settings -> Profiles -> Private Pre-Shared Keys (CSCNet) -> **add a new key -> Network VOICE** (vault the key). Re-point each Poly phone's WiFi to the voice key (by hand / Vertical provisioning). Also fixes the 2 currently mis-keyed phones (one on VLAN 422, one on Default). [Alt zero-touch: remap the existing phone key VLAN 20 -> VOICE, ONLY if that key is confirmed phone-exclusive — ~70 non-phone devices also showed on VLAN 20, so default to the dedicated key.]
- Confirm inter-switch / AP uplinks + the pfSense trunk carry VLAN 30 (default "All" port profile auto-includes it).
---
## Cutover sequence (avoid stranding anything)
1. Build everything with no live impact: pfSense VLAN/DHCP/firewall, OpenVPN CSO+rules, UniFi network, create the voice PPSK.
2. **AudioCodes:** flip USW-16-PoE ports 1-8 -> VOICE. Re-DHCP + re-register (brief blip).
3. **Poly:** re-key to voice PPSK. Roam onto VOICE.
4. **Desktop (coordinated with Vertical — static, no login):**
- Confirm OpenVPN pushes `10.0.30.0/24` to Richard.
- Remote path: Vertical sets NIC -> DHCP FIRST (pulls a temp main-LAN lease, stays reachable) -> confirm reconnect -> THEN flip port 16 -> VOICE -> desktop renews to `10.0.30.10` -> Vertical reconnects via VPN.
- Onsite path (cleaner): set DHCP + flip port together at the keyboard.
5. Hand Richard `10.0.30.10`; confirm VPN reach + phone reach from the desktop.
## Validation
- VOICE DHCP leases show phones on `10.0.30.x`; desktop on `10.0.30.10`.
- From desktop: reach several phones (Poly + AudioCodes).
- Isolation negative test: from VOICE, CANNOT reach CS-SERVER `192.168.2.254` or `10.0.20.x`.
- Phones registered / dial tone on a sample handset.
- Richard: VPN -> `10.0.30.10` -> phone web UI.
## Rollback
Revert UniFi port native VLAN (1-8, 16) + the PPSK key to prior networks; AudioCodes/desktop re-DHCP onto old segments. pfSense VOICE iface/DHCP/rules + OpenVPN CSO can stay inert or be removed. Desktop: Vertical reverts NIC to static `192.168.2.180` if needed.
---
## Open items (pending Richard)
- Confirm phones register to **cloud/hosted PBX** (recon says yes) -> if so, Part A step 5b pinhole is skipped.
- Confirm desktop is **static** (asked in the email) and arrange NIC change or temp access at cutover.
- Get **Richard's VPN certificate CN** for the scoped Client-Specific-Override.
- Confirm pfSense **DHCP backend** (ISC vs Kea) when connected (reservations placed out-of-pool either way).
- Schedule the maintenance window.
## Appendix — device inventory (MACs)
**AudioCodes (wired, USW-16-PoE):**
```
port1 00:90:8f:da:98:05 port5 00:90:8f:e1:3d:90
port2 00:90:8f:e2:40:5e port6 00:90:8f:e1:3d:5e
port3 00:90:8f:e2:d2:a4 port7 00:90:8f:e1:3d:a9
port4 00:90:8f:e1:3d:de port8 00:90:8f:e1:3e:17
```
**Poly (wireless, CSCNet -> voice PPSK):**
```
48:25:67:d0:af:10 48:25:67:64:8a:88 48:25:67:64:95:6b
48:25:67:d0:b4:26 48:25:67:64:93:34 48:25:67:64:8e:ae
48:25:67:64:81:8e 48:25:67:64:93:25 48:25:67:64:92:6b
48:25:67:d0:ae:3e 48:25:67:64:95:62 48:25:67:64:93:d3
48:25:67:d0:b8:ac 48:25:67:64:94:84 48:25:67:64:94:ba
48:25:67:64:8f:14 48:25:67:64:95:74 48:25:67:64:8f:0b
48:25:67:d0:b1:83 48:25:67:64:92:89 48:25:67:64:8f:1d
48:25:67:a3:f8:3b
(22 total — source: Richard's 2026-06-16 scan list)
```
**Desktop:** `e4:e7:49:52:3a:06` (Vertical-Remote) -> reserve `10.0.30.10`.
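Review bot: the `## Validation` list has no negative test for the VPN scoping in step 6, even though that scoping (vendor reaches voice gear only, not the main LAN / VLAN 20 / PHI) is the security driver of the whole change; add a check that from Richard's tunnel IP the `10.0.30.0/24` hosts are reachable but hosts on `192.168.0.0/22`, `10.0.20.0/24` and `192.168.8.0/24` are not, and state explicitly that on the OpenVPN tab the per-tunnel-IP `PASS` / `BLOCK` pair must sit above any existing broader pass rule, since pfSense evaluates rules first-match and the ordering there is not spelled out the way it is for the VOICE tab. Two smaller gaps in Part A: step 3 hands out DNS `10.0.30.1`, so the DNS Resolver and NTP service must actually be listening on the new VOICE interface or rule (a) passes traffic to ports nothing answers on, which is worth a line in the Validation list (resolve a name and sync time from a phone or the desktop); and rule (c) `BLOCK: VOICE net -> RFC1918` also blocks the voice hosts from reaching `10.0.30.1` on anything except the 53/123 opened by rule (a), which is the intended isolation but should be said plainly so a later troubleshooter does not expect the pfSense GUI to be reachable from VOICE. Intra-subnet phone-to-desktop traffic never touches these rules, which the runbook relies on but could also state next to rule (c).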


@@ -0,0 +1,74 @@
## User
- **User:** Howard Enos (howard)
- **Machine:** Howard-Home
- **Role:** tech
## Session Summary
Vertical's VoIP tech (Richard Turner, RTurner@vertical.com) reported two problems at Cascades: phone IP addresses drift after reboots, and he cannot reach any phones from the Vertical remote-management desktop (192.168.2.180) to troubleshoot. The session diagnosed the cause, designed a fix, ran live controller + endpoint recon to validate it, produced a cutover runbook, and drafted/sent a vendor email.
Root cause confirmed from the wiki and the UOS controller: when the Cascades network was segmented into VLANs, the voice gear was left split. The wireless Poly phones (OUI 48:25:67) land on VLAN 20 "Internal" (10.0.20.0/24) via the CSCNet SSID, while the wired AudioCodes phones (OUI 00:90:8f, USW-16-PoE ports 1-8) and the Vertical desktop (USW-16-PoE port 16) stayed on the original Default/main LAN (192.168.0.0/22). pfSense blocks main-LAN -> VLAN 20, so the desktop has no path to the wireless phones.
The agreed fix (Mike's direction, refined with Howard) is a dedicated, isolated voice VLAN (VLAN 30, 10.0.30.0/24) holding all phones plus the Vertical desktop: voice gets internet egress but is firewalled off from VLAN 20 / main LAN / PHI, and Vertical's pfSense OpenVPN is scoped to the voice subnet only. A key constraint surfaced: the desktop is statically addressed and ACG has no login to it, so the NIC change to DHCP must be done by Vertical (or via temp access) at cutover.
Controller recon (uos-mongo.sh) revealed CSCNet is a shared PPSK SSID (~230 per-key->network mappings: resident room VLANs, Default, and one phone key -> VLAN 20; 1,190 historical clients). This means the SSID itself must NOT be repointed; phones move at the PPSK level (dedicated voice key recommended over remapping the existing key, since ~70 non-phone devices also appear on VLAN 20). Endpoint recon via GuruRMM (port + SIP probe from CS-SERVER) showed the desktop is RDP-only (not a PBX) and CS-QB (192.168.2.228, labeled "VoIP server") is SMB-only with no SIP response — strongly indicating the phones register to a cloud/hosted PBX, which means no on-prem firewall pinhole is needed.
Deliverables: a full cutover runbook saved to the client docs, and a vendor email (apology + plan + static-IP question) which Howard sent. Execution is pending Richard's confirmation (cloud PBX, desktop static, VPN cert CN) and a scheduled maintenance window.
## Key Decisions
- Dedicated voice VLAN (VLAN 30) instead of a pfSense firewall exception from 192.168.2.180 -> 10.0.20.0/24. Rationale: puts the desktop on the same L2 as the phones (direct reach, no routing rule), and isolates vendor-accessible voice gear from PHI (HIPAA) in one move. Howard's framing.
- All voice gear consolidated, including the wired AudioCodes — moving the desktop to VLAN 30 while leaving AudioCodes on the main LAN would break the desktop's current reach to them.
- Move the WiFi Poly phones via a NEW dedicated voice PPSK (not by repointing CSCNet, and not by remapping the existing phone key) because CSCNet is shared by residents/staff and ~70 non-phone devices share VLAN 20.
- Desktop set to DHCP with a reservation (10.0.30.10) rather than a new static, since Vertical (not ACG) must make the in-Windows change and DHCP+reservation is simpler for them.
- Phone IP "locking" was deliberately NOT promised to the vendor (Mike's call) — emphasis is "all on one voice network, reachable from the desktop," since the desktop on-subnet can find a phone even if its IP shifts.
- Scope Vertical's VPN via an OpenVPN Client-Specific-Override (push only 10.0.30.0/24) + per-tunnel-IP firewall rules, rather than widening the shared server, so other VPN users are unaffected. His .ovpn needs no re-export (routes are server-pushed).
- Verify PBX location by asking the vendor AND by our own recon, rather than relying on either alone.
## Problems Encountered
- Mike's original "set the desktop to DHCP" step assumed login access; Howard corrected that the desktop is static and ACG has no login. Resolved by making the NIC change a coordinated vendor step (or temp access) and adjusting the email/runbook.
- Initial assumption that the AudioCodes were legacy/out-of-scope was wrong — Richard's follow-up list (00:90:8f MACs) showed they are in scope and must move too. Corrected scope.
- uos-mongo.sh `.forEach(printjson)` chained after a `Type "it" for more` pager emitted a harmless `SyntaxError` tail on large result sets; output was complete and usable, ignored.
- TCP port scan could not see SIP (UDP); added a follow-up UDP SIP OPTIONS probe to close the blind spot. Both desktop and CS-QB returned no SIP reply.
## Configuration Changes
No production changes were made this session (planning + read-only recon only). Files created in the repo:
- `clients/cascades-tucson/docs/network/voice-vlan-cutover.md` — full cutover runbook + recon.
- `clients/cascades-tucson/session-logs/2026-06/2026-06-16-howard-vertical-voice-vlan-plan.md` — this log.
## Credentials & Secrets
- No new credentials created. CSCNet PPSK list (incl. the VLAN-20 phone key) was viewed in the controller config during recon; not exported here. When the voice PPSK is created at cutover, vault it under `clients/cascades-tucson/`. Existing CSCNet wifi entry: `clients/cascades-tucson/wifi-cscnet.sops.yaml`.
- Controller/RMM access used existing vaulted creds: `infrastructure/uos-server-ssh-key`, `infrastructure/gururmm-server.sops.yaml`.
## Infrastructure & Servers
- pfSense `192.168.0.1` (igc1 trunk; routes + ALL DHCP). Native LAN/Default `192.168.0.0/22`; VLAN 20 Internal `10.0.20.0/24` (igc1.20); Guest VLAN 50 `10.0.50.0/24`; OpenVPN Server `192.168.8.0/24`.
- Planned: VLAN 30 VOICE `10.0.30.0/24` gw `10.0.30.1` (igc1.30); DHCP `10.0.30.100-.250`; desktop reservation `10.0.30.10`.
- UOS controller `172.16.3.29`, Cascades site `685f39068e65331c46ef6dd2`. CSCNet wlanconf `685f39078e65331c46ef7ee5`. Networks: Default `685f39078e65331c46ef8ac4`, Internal/VLAN20 `69405ba36db796548c947130`.
- CS-SERVER `192.168.2.254` (GuruRMM agent `c39f1de7-d5b6-45ae-b132-e06977ab1713`, online) — used as the recon vantage point.
- Vertical-Remote desktop `192.168.2.180`, MAC `e4:e7:49:52:3a:06`, USW-16-PoE port 16 — RDP (3389) only; not a PBX.
- CS-QB `192.168.2.228` (cs-qb.cascades.local), MAC `00:15:5d:02:3b:02` — SMB (445) only, no SIP; labeled "VoIP server" but not a live SIP PBX.
- AudioCodes phones (8): USW-16-PoE ports 1-8, OUI 00:90:8f, currently on Default LAN. Poly phones (22): WiFi via CSCNet, OUI 48:25:67, currently VLAN 20. Full MAC inventory in the runbook appendix.
## Commands & Outputs
- `bash .claude/scripts/uos-mongo.sh` — enumerated phones (user collection: is_wired, last_uplink_name/port, wlanconf_id, network), wlanconf (CSCNet PPSK), networkconf (VLAN list). Confirmed Poly=WiFi/CSCNet/VLAN20, AudioCodes=wired USW-16-PoE/Default.
- GuruRMM dispatch to CS-SERVER (cmd 50eac6c8): TCP probe -> 192.168.2.180 OPEN 3389; 192.168.2.228 OPEN 445; ARP confirmed both live.
- GuruRMM dispatch to CS-SERVER (cmd 37522673): UDP SIP OPTIONS -> SIP-NOREPLY from both 192.168.2.180 and 192.168.2.228.
## Pending / Incomplete Tasks
- Awaiting Richard's reply: confirm phones are cloud/hosted PBX (recon says yes); confirm desktop is static + arrange NIC change or temp access; provide his VPN certificate CN for the scoped CSO; agree a maintenance window.
- At execution: build VLAN 30 on pfSense (interface/DHCP/reservations/firewall) + UniFi (network, ports 1-8 + 16 to VOICE, voice PPSK); confirm pfSense DHCP backend (ISC vs Kea); re-key WiFi phones; coordinated desktop move; validate isolation + reachability.
- If Richard reports an on-prem PBX after all, add the Part A step-5b SIP/RTP/provisioning pinhole.
- Note CS-QB "VoIP server" label looks stale (SMB-only) — revisit/clean the topology doc entry.
## Reference Information
- Runbook: `clients/cascades-tucson/docs/network/voice-vlan-cutover.md`
- Vendor: Richard Turner, RTurner@vertical.com (Vertical Communications).
- Wiki article: `wiki/clients/cascades-tucson.md`. Topology/VLAN docs: `clients/cascades-tucson/docs/network/{topology.md,vlans.md}` — the "CSCNet = staff/VLAN 20" note is now incomplete (CSCNet is a shared PPSK SSID); flag for /wiki-compile.
- GuruRMM cmd IDs: 50eac6c8-e125-4bb7-b8fb-6d7f05a53c7f (TCP probe), 37522673-514c-43db-a4fc-ea7e52adfb33 (SIP probe).
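Review bot: the Session Summary paragraph beginning `Controller recon (uos-mongo.sh) revealed` ends with `which means no on-prem firewall pinhole is needed`, which is firmer than the runbook's own caveat that an external port view cannot exclude a non-standard-port, known-peer-only or host-firewalled PBX and that Richard's confirmation is the authority; soften it to match (for example `so no on-prem pinhole is expected, pending Richard's confirmation`) so a reader of the log alone does not skip step 5b on the strength of a negative probe. Under Problems Encountered, the `uos-mongo.sh` SyntaxError from chaining `.forEach(printjson)` after the pager prompt is recorded as ignored; it is a script defect and deserves a follow-up item under Pending / Incomplete Tasks so the next run produces clean output rather than relying on the operator recognising the tail as harmless. Under Commands & Outputs, the two GuruRMM dispatches were active probes (TCP connect and SIP OPTIONS) against production hosts from CS-SERVER; "read-only" is accurate for configuration, but describing the probes as active scans, with the cmd IDs already listed under Reference Information, lets anyone reviewing the desktop's or CS-QB's logs for that window attribute the traffic.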