From 08fcafa0a40288e22a52e586868931c7fc05d220 Mon Sep 17 00:00:00 2001 From: Howard Enos Date: Tue, 16 Jun 2026 18:09:27 -0700 Subject: [PATCH] sync: auto-sync from HOWARD-HOME at 2026-06-16 18:09:18 Author: Howard Enos Machine: HOWARD-HOME Timestamp: 2026-06-16 18:09:18 --- .../docs/network/voice-vlan-cutover.md | 130 ++++++++++++++++++ ...6-06-16-howard-vertical-voice-vlan-plan.md | 74 ++++++++++ 2 files changed, 204 insertions(+) create mode 100644 clients/cascades-tucson/docs/network/voice-vlan-cutover.md create mode 100644 clients/cascades-tucson/session-logs/2026-06/2026-06-16-howard-vertical-voice-vlan-plan.md diff --git a/clients/cascades-tucson/docs/network/voice-vlan-cutover.md b/clients/cascades-tucson/docs/network/voice-vlan-cutover.md new file mode 100644 index 0000000..cb1dc6e --- /dev/null +++ b/clients/cascades-tucson/docs/network/voice-vlan-cutover.md 
@@ -0,0 +1,130 @@ +# Cascades — Voice VLAN (VLAN 30) Cutover Runbook + Recon + +- **Created:** 2026-06-16 (Howard-Home / claude-main) +- **Status:** PLANNED — not yet executed. Vendor email sent 2026-06-16; awaiting Richard's confirm + maintenance window. +- **Driver:** Vertical (VoIP vendor, Richard Turner ) cannot reach the phones from the remote-management desktop, and phone IPs drift. Root cause: when the network was segmented into VLANs, the Vertical remote desktop and the wired phones were left on the original LAN while the wireless phones landed on VLAN 20 — so the desktop has no path to the wireless phones (main-LAN -> VLAN 20 is blocked at pfSense). + +## Goal +Consolidate ALL voice gear (Poly WiFi phones + AudioCodes wired phones + Vertical-Remote desktop) onto a dedicated, isolated voice network. Voice reaches the internet; blocked from main LAN / VLAN 20 / PHI. Vertical's pfSense OpenVPN scoped to the voice subnet only. + +``` +VOICE network: VLAN 30 +Subnet/gateway: 10.0.30.0/24 gw 10.0.30.1 (pfSense igc1.30) +DHCP pool: 10.0.30.100 - 10.0.30.250 +Reservations: below .100 (out of pool -> safe on both ISC and Kea) +Desktop: 10.0.30.10 (Vertical-Remote, e4:e7:49:52:3a:06) -> set NIC to DHCP +``` + +## Systems +pfSense `192.168.0.1` does ALL routing + DHCP. UniFi (UOS controller `172.16.3.29`, Cascades site `685f39068e65331c46ef6dd2`) is L2 only here — every UniFi network is `purpose: vlan-only` (no subnets in UniFi). So building VLAN 30 touches BOTH systems. 
+ +--- + +## Confirmed architecture (UOS controller, 2026-06-16) + +| Device class | Count | Attach | Currently lands on | +|---|---|---|---| +| Poly phones | 22 active (~29 historical) | **WiFi**, SSID **CSCNet**, APs building-wide | VLAN 20 "Internal" (`10.0.20.x`) | +| AudioCodes phones | 8 | **Wired**, USW-16-PoE **ports 1-8** | "Default" / main LAN (`192.168.2/3.x`) | +| Vertical-Remote desktop | 1 | **Wired**, USW-16-PoE **port 16** | "Default" / main LAN (`192.168.2.180`, static) | + +**CSCNet is a shared PPSK SSID** (`wlanconf 685f39078e65331c46ef7ee5`, `private_preshared_keys_enabled:true`, base networkconf = Default, `vlan_enabled:false`). ~230 per-key->network mappings: most keys map to per-room resident VLANs (101-631), a few to Default, and one phone key maps to "Internal"/VLAN 20 (`networkconf 69405ba36db796548c947130`). Historical CSCNet clients: 1,190 (residents' IoT/TVs/phones/laptops + staff + the phones). **=> Do NOT repoint the CSCNet SSID itself** — that would move every resident/staff device. Move the phones at the PPSK level instead. + +Networks of interest: +- Default (main LAN): `685f39078e65331c46ef8ac4`, `192.168.0.0/22` +- Internal (VLAN 20): `69405ba36db796548c947130`, `10.0.20.0/24` +- Guest (VLAN 50): `10.0.50.0/24` +- OpenVPN Server: `192.168.8.1/24` (purpose remote-user-vpn) — Vertical comes in here. + +--- + +## PBX recon (CS-SERVER via GuruRMM, 2026-06-16) + +Probed from CS-SERVER (`192.168.2.254`, same LAN segment) — read-only. + +| Target | TCP open | SIP UDP 5060 | Conclusion | +|---|---|---|---| +| `192.168.2.180` (desktop) | 3389 (RDP) only | no reply | **Not a PBX** — RDP management/jump box | +| `192.168.2.228` (CS-QB, labeled "VoIP server") | 445 (SMB) only | no reply | **Not a live SIP PBX** — behaves like an SMB box despite the label | + +**Implication:** no on-prem SIP PBX detected -> phones almost certainly register to a **cloud/hosted PBX** (Vertical). 
If confirmed, the voice VLAN only needs internet egress and the on-prem PBX pinhole (Part A step 5b) is **NOT needed**. Caveat: external port view only — a non-standard port / known-peer-only / host-firewalled PBX can't be 100% excluded, so Richard's confirm is the authority. + +--- + +## PART A — pfSense (`https://192.168.0.1`) + +1. **VLAN interface:** Interfaces -> VLANs -> Add: Parent `igc1`, Tag `30`, Desc `VOICE`. +2. **Assign + IP:** Interfaces -> Assignments -> add `igc1.30` -> Enable, Static `10.0.30.1/24`. +3. **DHCP:** Services -> DHCP Server -> VOICE: enable, range `10.0.30.100-.250`, DNS `10.0.30.1`. +4. **Reservation (desktop):** Static Mappings -> `e4:e7:49:52:3a:06` = `10.0.30.10`, hostname `Vertical-Remote`. (Phones optional — see Appendix; they stay reachable from the desktop on-subnet regardless.) +5. **Firewall (VOICE tab), top-to-bottom:** + - Alias `RFC1918` = `10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16`. + - (a) PASS: VOICE net -> This Firewall (10.0.30.1) ports 53, 123. + - (b) **CONDITIONAL** PASS: VOICE net -> `` SIP/RTP/provisioning. **Recon says SKIP (cloud PBX); add only if Richard confirms an on-prem PBX.** + - (c) BLOCK: VOICE net -> `RFC1918`. (isolation) + - (d) PASS: VOICE net -> any. (internet) +6. **OpenVPN — reach desktop on VOICE, scoped to voice only:** + - His `.ovpn` does NOT need re-export (routes are server-pushed; same host/port/cert) — he just reconnects. + - Preferred: VPN -> OpenVPN -> **Client Specific Overrides** for **Richard's CN**: IPv4 Local Network/s = `10.0.30.0/24` only; give him a fixed tunnel IP. + - Firewall -> Rules -> OpenVPN: PASS `` -> `10.0.30.0/24`; BLOCK `` -> `RFC1918`. + - If the VPN server is shared, use the CSO + per-tunnel-IP rules (do NOT widen the server's global Local Networks). If Vertical-only, may edit the server in place. + +## PART B — UniFi (UOS controller) + +7. **Network:** Settings -> Networks -> Add: `VOICE`, purpose `VLAN Only`, VLAN `30`. +8. 
**Wired ports (USW-16-PoE):** set Native Network = VOICE (untagged) on **ports 1-8** (AudioCodes) and **port 16** (desktop). AudioCodes re-DHCP automatically; desktop needs Vertical's NIC change. +9. **Wireless Poly (PPSK):** Settings -> Profiles -> Private Pre-Shared Keys (CSCNet) -> **add a new key -> Network VOICE** (vault the key). Re-point each Poly phone's WiFi to the voice key (by hand / Vertical provisioning). Also fixes the 2 currently mis-keyed phones (one on VLAN 422, one on Default). [Alt zero-touch: remap the existing phone key VLAN 20 -> VOICE, ONLY if that key is confirmed phone-exclusive — ~70 non-phone devices also showed on VLAN 20, so default to the dedicated key.] + - Confirm inter-switch / AP uplinks + the pfSense trunk carry VLAN 30 (default "All" port profile auto-includes it). + +--- + +## Cutover sequence (avoid stranding anything) +1. Build everything with no live impact: pfSense VLAN/DHCP/firewall, OpenVPN CSO+rules, UniFi network, create the voice PPSK. +2. **AudioCodes:** flip USW-16-PoE ports 1-8 -> VOICE. Re-DHCP + re-register (brief blip). +3. **Poly:** re-key to voice PPSK. Roam onto VOICE. +4. **Desktop (coordinated with Vertical — static, no login):** + - Confirm OpenVPN pushes `10.0.30.0/24` to Richard. + - Remote path: Vertical sets NIC -> DHCP FIRST (pulls a temp main-LAN lease, stays reachable) -> confirm reconnect -> THEN flip port 16 -> VOICE -> desktop renews to `10.0.30.10` -> Vertical reconnects via VPN. + - Onsite path (cleaner): set DHCP + flip port together at the keyboard. +5. Hand Richard `10.0.30.10`; confirm VPN reach + phone reach from the desktop. + +## Validation +- VOICE DHCP leases show phones on `10.0.30.x`; desktop on `10.0.30.10`. +- From desktop: reach several phones (Poly + AudioCodes). +- Isolation negative test: from VOICE, CANNOT reach CS-SERVER `192.168.2.254` or `10.0.20.x`. +- Phones registered / dial tone on a sample handset. +- Richard: VPN -> `10.0.30.10` -> phone web UI. 
+ +## Rollback +Revert UniFi port native VLAN (1-8, 16) + the PPSK key to prior networks; AudioCodes/desktop re-DHCP onto old segments. pfSense VOICE iface/DHCP/rules + OpenVPN CSO can stay inert or be removed. Desktop: Vertical reverts NIC to static `192.168.2.180` if needed. + +--- + +## Open items (pending Richard) +- Confirm phones register to **cloud/hosted PBX** (recon says yes) -> if so, Part A step 5b pinhole is skipped. +- Confirm desktop is **static** (asked in the email) and arrange NIC change or temp access at cutover. +- Get **Richard's VPN certificate CN** for the scoped Client-Specific-Override. +- Confirm pfSense **DHCP backend** (ISC vs Kea) when connected (reservations placed out-of-pool either way). +- Schedule the maintenance window. + +## Appendix — device inventory (MACs) +**AudioCodes (wired, USW-16-PoE):** +``` +port1 00:90:8f:da:98:05 port5 00:90:8f:e1:3d:90 +port2 00:90:8f:e2:40:5e port6 00:90:8f:e1:3d:5e +port3 00:90:8f:e2:d2:a4 port7 00:90:8f:e1:3d:a9 +port4 00:90:8f:e1:3d:de port8 00:90:8f:e1:3e:17 +``` +**Poly (wireless, CSCNet -> voice PPSK):** +``` +48:25:67:d0:af:10 48:25:67:64:8a:88 48:25:67:64:95:6b +48:25:67:d0:b4:26 48:25:67:64:93:34 48:25:67:64:8e:ae +48:25:67:64:81:8e 48:25:67:64:93:25 48:25:67:64:92:6b +48:25:67:d0:ae:3e 48:25:67:64:95:62 48:25:67:64:93:d3 +48:25:67:d0:b8:ac 48:25:67:64:94:84 48:25:67:64:94:ba +48:25:67:64:8f:14 48:25:67:64:95:74 48:25:67:64:8f:0b +48:25:67:d0:b1:83 48:25:67:64:92:89 48:25:67:64:8f:1d +48:25:67:a3:f8:3b +(22 total — source: Richard's 2026-06-16 scan list) +``` +**Desktop:** `e4:e7:49:52:3a:06` (Vertical-Remote) -> reserve `10.0.30.10`. diff --git a/clients/cascades-tucson/session-logs/2026-06/2026-06-16-howard-vertical-voice-vlan-plan.md b/clients/cascades-tucson/session-logs/2026-06/2026-06-16-howard-vertical-voice-vlan-plan.md new file mode 100644 index 0000000..eb14d56 --- /dev/null +++ b/clients/cascades-tucson/session-logs/2026-06/2026-06-16-howard-vertical-voice-vlan-plan.md 
@@ -0,0 +1,74 @@ +## User +- **User:** Howard Enos (howard) +- **Machine:** Howard-Home +- **Role:** tech + +## Session Summary + +Vertical's VoIP tech (Richard Turner, RTurner@vertical.com) reported two problems at Cascades: phone IP addresses drift after reboots, and he cannot reach any phones from the Vertical remote-management desktop (192.168.2.180) to troubleshoot. The session diagnosed the cause, designed a fix, ran live controller + endpoint recon to validate it, produced a cutover runbook, and drafted/sent a vendor email. + +Root cause confirmed from the wiki and the UOS controller: when the Cascades network was segmented into VLANs, the voice gear was left split. The wireless Poly phones (OUI 48:25:67) land on VLAN 20 "Internal" (10.0.20.0/24) via the CSCNet SSID, while the wired AudioCodes phones (OUI 00:90:8f, USW-16-PoE ports 1-8) and the Vertical desktop (USW-16-PoE port 16) stayed on the original Default/main LAN (192.168.0.0/22). pfSense blocks main-LAN -> VLAN 20, so the desktop has no path to the wireless phones. + +The agreed fix (Mike's direction, refined with Howard) is a dedicated, isolated voice VLAN (VLAN 30, 10.0.30.0/24) holding all phones plus the Vertical desktop: voice gets internet egress but is firewalled off from VLAN 20 / main LAN / PHI, and Vertical's pfSense OpenVPN is scoped to the voice subnet only. A key constraint surfaced: the desktop is statically addressed and ACG has no login to it, so the NIC change to DHCP must be done by Vertical (or via temp access) at cutover. + +Controller recon (uos-mongo.sh) revealed CSCNet is a shared PPSK SSID (~230 per-key->network mappings: resident room VLANs, Default, and one phone key -> VLAN 20; 1,190 historical clients). This means the SSID itself must NOT be repointed; phones move at the PPSK level (dedicated voice key recommended over remapping the existing key, since ~70 non-phone devices also appear on VLAN 20). 
Endpoint recon via GuruRMM (port + SIP probe from CS-SERVER) showed the desktop is RDP-only (not a PBX) and CS-QB (192.168.2.228, labeled "VoIP server") is SMB-only with no SIP response — strongly indicating the phones register to a cloud/hosted PBX, which means no on-prem firewall pinhole is needed. + +Deliverables: a full cutover runbook saved to the client docs, and a vendor email (apology + plan + static-IP question) which Howard sent. Execution is pending Richard's confirmation (cloud PBX, desktop static, VPN cert CN) and a scheduled maintenance window. + +## Key Decisions + +- Dedicated voice VLAN (VLAN 30) instead of a pfSense firewall exception from 192.168.2.180 -> 10.0.20.0/24. Rationale: puts the desktop on the same L2 as the phones (direct reach, no routing rule), and isolates vendor-accessible voice gear from PHI (HIPAA) in one move. Howard's framing. +- All voice gear consolidated, including the wired AudioCodes — moving the desktop to VLAN 30 while leaving AudioCodes on the main LAN would break the desktop's current reach to them. +- Move the WiFi Poly phones via a NEW dedicated voice PPSK (not by repointing CSCNet, and not by remapping the existing phone key) because CSCNet is shared by residents/staff and ~70 non-phone devices share VLAN 20. +- Desktop set to DHCP with a reservation (10.0.30.10) rather than a new static, since Vertical (not ACG) must make the in-Windows change and DHCP+reservation is simpler for them. +- Phone IP "locking" was deliberately NOT promised to the vendor (Mike's call) — emphasis is "all on one voice network, reachable from the desktop," since the desktop on-subnet can find a phone even if its IP shifts. +- Scope Vertical's VPN via an OpenVPN Client-Specific-Override (push only 10.0.30.0/24) + per-tunnel-IP firewall rules, rather than widening the shared server, so other VPN users are unaffected. His .ovpn needs no re-export (routes are server-pushed). 
+- Verify PBX location by asking the vendor AND by our own recon, rather than relying on either alone. + +## Problems Encountered + +- Mike's original "set the desktop to DHCP" step assumed login access; Howard corrected that the desktop is static and ACG has no login. Resolved by making the NIC change a coordinated vendor step (or temp access) and adjusting the email/runbook. +- Initial assumption that the AudioCodes were legacy/out-of-scope was wrong — Richard's follow-up list (00:90:8f MACs) showed they are in scope and must move too. Corrected scope. +- uos-mongo.sh `.forEach(printjson)` chained after a `Type "it" for more` pager emitted a harmless `SyntaxError` tail on large result sets; output was complete and usable, ignored. +- TCP port scan could not see SIP (UDP); added a follow-up UDP SIP OPTIONS probe to close the blind spot. Both desktop and CS-QB returned no SIP reply. + +## Configuration Changes + +No production changes were made this session (planning + read-only recon only). Files created in the repo: +- `clients/cascades-tucson/docs/network/voice-vlan-cutover.md` — full cutover runbook + recon. +- `clients/cascades-tucson/session-logs/2026-06/2026-06-16-howard-vertical-voice-vlan-plan.md` — this log. + +## Credentials & Secrets + +- No new credentials created. CSCNet PPSK list (incl. the VLAN-20 phone key) was viewed in the controller config during recon; not exported here. When the voice PPSK is created at cutover, vault it under `clients/cascades-tucson/`. Existing CSCNet wifi entry: `clients/cascades-tucson/wifi-cscnet.sops.yaml`. +- Controller/RMM access used existing vaulted creds: `infrastructure/uos-server-ssh-key`, `infrastructure/gururmm-server.sops.yaml`. + +## Infrastructure & Servers + +- pfSense `192.168.0.1` (igc1 trunk; routes + ALL DHCP). Native LAN/Default `192.168.0.0/22`; VLAN 20 Internal `10.0.20.0/24` (igc1.20); Guest VLAN 50 `10.0.50.0/24`; OpenVPN Server `192.168.8.0/24`. 
+- Planned: VLAN 30 VOICE `10.0.30.0/24` gw `10.0.30.1` (igc1.30); DHCP `10.0.30.100-.250`; desktop reservation `10.0.30.10`. +- UOS controller `172.16.3.29`, Cascades site `685f39068e65331c46ef6dd2`. CSCNet wlanconf `685f39078e65331c46ef7ee5`. Networks: Default `685f39078e65331c46ef8ac4`, Internal/VLAN20 `69405ba36db796548c947130`. +- CS-SERVER `192.168.2.254` (GuruRMM agent `c39f1de7-d5b6-45ae-b132-e06977ab1713`, online) — used as the recon vantage point. +- Vertical-Remote desktop `192.168.2.180`, MAC `e4:e7:49:52:3a:06`, USW-16-PoE port 16 — RDP (3389) only; not a PBX. +- CS-QB `192.168.2.228` (cs-qb.cascades.local), MAC `00:15:5d:02:3b:02` — SMB (445) only, no SIP; labeled "VoIP server" but not a live SIP PBX. +- AudioCodes phones (8): USW-16-PoE ports 1-8, OUI 00:90:8f, currently on Default LAN. Poly phones (22): WiFi via CSCNet, OUI 48:25:67, currently VLAN 20. Full MAC inventory in the runbook appendix. + +## Commands & Outputs + +- `bash .claude/scripts/uos-mongo.sh` — enumerated phones (user collection: is_wired, last_uplink_name/port, wlanconf_id, network), wlanconf (CSCNet PPSK), networkconf (VLAN list). Confirmed Poly=WiFi/CSCNet/VLAN20, AudioCodes=wired USW-16-PoE/Default. +- GuruRMM dispatch to CS-SERVER (cmd 50eac6c8): TCP probe -> 192.168.2.180 OPEN 3389; 192.168.2.228 OPEN 445; ARP confirmed both live. +- GuruRMM dispatch to CS-SERVER (cmd 37522673): UDP SIP OPTIONS -> SIP-NOREPLY from both 192.168.2.180 and 192.168.2.228. + +## Pending / Incomplete Tasks + +- Awaiting Richard's reply: confirm phones are cloud/hosted PBX (recon says yes); confirm desktop is static + arrange NIC change or temp access; provide his VPN certificate CN for the scoped CSO; agree a maintenance window. +- At execution: build VLAN 30 on pfSense (interface/DHCP/reservations/firewall) + UniFi (network, ports 1-8 + 16 to VOICE, voice PPSK); confirm pfSense DHCP backend (ISC vs Kea); re-key WiFi phones; coordinated desktop move; validate isolation + reachability. 
+- If Richard reports an on-prem PBX after all, add the Part A step-5b SIP/RTP/provisioning pinhole. +- Note CS-QB "VoIP server" label looks stale (SMB-only) — revisit/clean the topology doc entry. + +## Reference Information + +- Runbook: `clients/cascades-tucson/docs/network/voice-vlan-cutover.md` +- Vendor: Richard Turner, RTurner@vertical.com (Vertical Communications). +- Wiki article: `wiki/clients/cascades-tucson.md`. Topology/VLAN docs: `clients/cascades-tucson/docs/network/{topology.md,vlans.md}` — the "CSCNet = staff/VLAN 20" note is now incomplete (CSCNet is a shared PPSK SSID); flag for /wiki-compile. +- GuruRMM cmd IDs: 50eac6c8-e125-4bb7-b8fb-6d7f05a53c7f (TCP probe), 37522673-514c-43db-a4fc-ea7e52adfb33 (SIP probe).
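Review bot: In the runbook hunk (`voice-vlan-cutover.md`), the firewall rules in Part A steps 5b and 6 have empty backtick placeholders where the source or destination should be: `(b) CONDITIONAL PASS: VOICE net -> `` SIP/RTP/provisioning`, `PASS `` -> 10.0.30.0/24; BLOCK `` -> RFC1918`, and the Driver line `(VoIP vendor, Richard Turner )` has lost its contact value; whoever executes this will have to guess what goes there, so replace each with a named placeholder (e.g. the on-prem PBX alias in 5b, and Richard's fixed tunnel IP from the Client Specific Override in step 6) that matches the open item "Get Richard's VPN certificate CN". Related: the Validation section only tests isolation from the VOICE side (VOICE cannot reach CS-SERVER `192.168.2.254` or `10.0.20.x`); since step 6 adds a `BLOCK -> RFC1918` rule on the OpenVPN tab specifically so the vendor tunnel is scoped to voice, add the matching negative test from Richard's tunnel IP (cannot reach `192.168.2.254` / `10.0.20.x`, can reach `10.0.30.10`) so that rule's ordering and source match are actually exercised at cutover.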
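Review bot: In the session-log hunk (`2026-06-16-howard-vertical-voice-vlan-plan.md`), the Session Summary states the PBX conclusion more firmly than the runbook it describes: "strongly indicating the phones register to a cloud/hosted PBX, which means no on-prem firewall pinhole is needed", whereas the runbook's own caveat says an external port view cannot exclude a non-standard-port, known-peer-only or host-firewalled PBX and that Richard's confirmation is the authority. Suggest the log carry the same qualifier (e.g. "pinhole not needed if Richard confirms cloud PBX") so a later reader of the log does not treat the recon as settled. Minor consistency point in the same hunk: Infrastructure & Servers gives the OpenVPN server network as `192.168.8.0/24` while the runbook's Networks of interest lists it as `192.168.8.1/24`; pick one notation (subnet vs. server address) in both files.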