sync: auto-sync from HOWARD-HOME at 2026-06-17 13:26:13

Author: Howard Enos
Machine: HOWARD-HOME
Timestamp: 2026-06-17 13:26:13
2026-06-17 13:26:21 -07:00
parent ba1f962974
commit 23e2493082
2 changed files with 32 additions and 8 deletions

View File

@@ -2,6 +2,7 @@
- **Created:** 2026-06-16 (Howard-Home / claude-main)
- **Status:** APPROVED TO EXECUTE — Richard confirmed 2026-06-17. **pfSense PART A BUILT + VERIFIED 2026-06-17** (VLAN 30 iface `igc1.30`/opt241 @ `10.0.30.1/24`; DHCP `10.0.30.100-.250`, DNS `8.8.8.8/1.1.1.1`; 4 isolation rules enforced, verified via `pfctl -sr` to match the Guest VLAN exactly — any-proto quick blocks to 192.168.0.0/22 + 10.0.0.0/8 + 172.16.0.0/12, then pass any). **Remaining:** Part B (UniFi VOICE network + voice PPSK), then the live device moves in a maintenance window.
- **PART B BUILT 2026-06-17 (build-only):** UniFi VOICE network created (VLAN Only, VLAN 30, Cascades site). Voice PPSK key DEFINED on the CSCNet SSID -> VOICE network (configured in UniFi only; NOT yet entered on any handset, so no device is on VLAN 30 — pure build). Key vaulted at `clients/cascades-tucson/wifi-voice-ppsk.sops.yaml` (do NOT paste it here). Remaining = the live device moves (USW-16-PoE ports 1-8 + 16 -> VOICE; re-point 22 Poly phones to the voice key) in a maintenance window with Richard.
- **Gotcha caught 2026-06-17:** first GUI build set the rule Protocol to TCP — that leaves UDP (SIP/RTP/DNS) un-blocked to internal (leaks via the floating `pass inet all`). Isolation rules MUST be Protocol=Any. Fixed via the pfSense PHP config API.
## Vendor confirmation (Richard Turner, 2026-06-17) — materially simplifies the plan
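Review bot: The Status line still ends with `**Remaining:** Part B (UniFi VOICE network + voice PPSK), then the live device moves`, while the new PART B line directly below it records Part B as built and narrows the remaining work to the live device moves; update the Status line's Remaining clause (or drop it in favour of the PART B line) so the two lines do not disagree about what is left. The Gotcha entry records the Protocol=TCP mistake and the fix via the PHP config API but not the acceptance check; stating that the `pfctl -sr` comparison already cited on the Status line (any-proto quick blocks matching the Guest VLAN) is the check that closes the gotcha would make the fix verifiable on re-read and gives the Validation section a concrete test to reuse.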
@@ -78,28 +79,45 @@ Probed from CS-SERVER (`192.168.2.254`, same LAN segment) — read-only.
## PART B — UniFi (UOS controller)
7. **Network:** Settings -> Networks -> Add: `VOICE`, purpose `VLAN Only`, VLAN `30`.
8. **Wired ports (USW-16-PoE):** set Native Network = VOICE (untagged) on **ports 1-8** (AudioCodes) and **port 16** (desktop). AudioCodes re-DHCP automatically; desktop needs Vertical's NIC change.
8. **Wired ports (USW-16-PoE):** set Native Network = VOICE (untagged) on **ports 1-8** (AudioCodes) and **port 16** (desktop). **Then bounce each moved port** (PoE Power-Cycle for the AudioCodes; disable/enable for the desktop) — see the CRITICAL note in the Cutover sequence. No NIC change needed (desktop is DHCP).
9. **Wireless Poly (PPSK):** Settings -> Profiles -> Private Pre-Shared Keys (CSCNet) -> **add a new key -> Network VOICE** (vault the key). Re-point each Poly phone's WiFi to the voice key (by hand / Vertical provisioning). Also fixes the 2 currently mis-keyed phones (one on VLAN 422, one on Default). [Alt zero-touch: remap the existing phone key VLAN 20 -> VOICE, ONLY if that key is confirmed phone-exclusive — ~70 non-phone devices also showed on VLAN 20, so default to the dedicated key.]
- Confirm inter-switch / AP uplinks + the pfSense trunk carry VLAN 30 (default "All" port profile auto-includes it).
---
## Cutover sequence (avoid stranding anything)
1. Build everything with no live impact: pfSense VLAN/DHCP/firewall, OpenVPN CSO+rules, UniFi network, create the voice PPSK.
2. **AudioCodes:** flip USW-16-PoE ports 1-8 -> VOICE. Re-DHCP + re-register (brief blip).
3. **Poly:** re-key to voice PPSK. Roam onto VOICE.
4. **Desktop (zero-touch — DHCP, LogMeIn):** flip port 16 -> VOICE. Desktop re-DHCPs to a `10.0.30.x` pool lease. LogMeIn re-homes over internet egress automatically (no NIC change, no static IP, no Vertical action needed). Brief blip only.
5. Confirm with Richard: LogMeIn reconnects to the desktop, and from the desktop he can reach the phones on `10.0.30.x`.
> **CRITICAL — re-VLANing a wired port does NOT force a new IP.** Changing a switch port's
> native VLAN leaves the device's NIC link UP, so the OS keeps its OLD DHCP lease and never
> sends a fresh DISCOVER on the new VLAN (its unicast renewal to the old DHCP server is then
> blocked by the VOICE isolation rules, so it just holds the stale IP until lease expiry).
> A UniFi **client block/unblock does NOT fix this** — that's a MAC filter, not a link bounce.
> **After every wired port move you MUST bounce the link to force re-DHCP** (proven on the
> Vertical desktop 2026-06-17: stuck on `192.168.2.180` until port 16 was bounced -> pulled
> `10.0.30.201`). Methods:
> - **AudioCodes (PoE-powered):** UniFi -> the switch -> port -> **Power Cycle** (cycles PoE,
> reboots the phone, forces fresh DHCP). Cleanest for ports 1-8.
> - **Non-PoE device (the desktop):** toggle the port admin state (disable -> re-enable), or
> on the device `ipconfig /release && /renew`, or reboot it. (Scripted bounce = PUT
> `rest/device/<id>` `port_overrides` with port's `forward:disabled`, then restore — needs
> the `X-CSRF-Token` from login header `x-updated-csrf-token`.)
1. Build everything with no live impact: pfSense VLAN/DHCP/firewall, UniFi network, create the voice PPSK. **[DONE 2026-06-17]**
2. **AudioCodes:** flip USW-16-PoE ports 1-8 -> VOICE, **then Power Cycle each of ports 1-8** so the phones re-DHCP onto `10.0.30.x` + re-register (brief blip).
3. **Poly:** re-key to voice PPSK -> they re-associate (a WiFi re-auth IS a fresh DHCP, no separate bounce needed) and roam onto VOICE.
4. **Desktop (DHCP, LogMeIn):** flip port 16 -> VOICE, **then bounce port 16** (disable/re-enable) so it re-DHCPs to a `10.0.30.x` lease. LogMeIn re-homes over internet egress automatically (no NIC change, no static IP, no Vertical action needed). Brief blip only.
5. **Verify each move on pfSense** (`/var/dhcpd/var/db/dhcpd.leases` + `arp -an | grep igc1.30`) — a device still on its old IP means the bounce didn't take; bounce again.
6. Confirm with Richard: LogMeIn reconnects to the desktop, and from the desktop he can reach the phones on `10.0.30.x`.
## Validation
- VOICE DHCP leases show phones AND the desktop on `10.0.30.x` (all dynamic).
- From desktop: reach several phones (Poly + AudioCodes).
- Isolation negative test: from VOICE, CANNOT reach CS-SERVER `192.168.2.254` or `10.0.20.x`.
- Phones registered / dial tone on a sample handset.
- Richard: VPN -> `10.0.30.10` -> phone web UI.
- Richard: LogMeIn -> desktop -> reach a phone's web UI on `10.0.30.x`.
## Rollback
Revert UniFi port native VLAN (1-8, 16) + the PPSK key to prior networks; AudioCodes/desktop re-DHCP onto old segments. pfSense VOICE iface/DHCP/rules + OpenVPN CSO can stay inert or be removed. Desktop: Vertical reverts NIC to static `192.168.2.180` if needed.
Revert the UniFi port native VLAN (1-8, 16) + the PPSK key to their prior networks, **then bounce the ports** so devices re-DHCP back onto the old segments. pfSense VOICE iface/DHCP/rules can stay inert or be removed. Desktop is DHCP (no NIC revert needed) — it just re-leases on the old VLAN after the bounce.
---
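Review bot: The Validation bullet `Richard: VPN -> 10.0.30.10 -> phone web UI` is now orphaned: the rewritten cutover step 1 drops `OpenVPN CSO+rules` and the rewritten Rollback drops the OpenVPN CSO, so no step in the sequence builds the VPN path that bullet exercises; either restore the OpenVPN step or remove/rewrite the bullet. That bullet is also the only place a fixed `10.0.30.10` appears, which sits outside the `10.0.30.100-.250` DHCP pool recorded in the first hunk while the first Validation bullet expects all leases to be dynamic; if a reservation or static address is intended for that handset, document it. Given the Protocol=TCP gotcha recorded in the first hunk (UDP SIP/RTP/DNS leaking past TCP-only blocks), the isolation negative test should name at least one UDP probe (for example a DNS query from VOICE to CS-SERVER `192.168.2.254`) alongside the TCP reachability check, and the added step 5 could spot-check `pfctl -sr` so a rule regression is caught at cutover rather than after it.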

View File

@@ -17,6 +17,12 @@ Categories (the `[type]` tag): _(none)_ = skill/command execution failure ·
<!-- Append entries below this line -->
2026-06-17 | Howard-Home | wiki-compile/coord | [friction] skill doc Phase 6 shows 'lock release claudetools wiki/<type>/<slug>' but coord.py takes 'lock release <id>'; wasted a round-trip. Capture the lock id from claim output and release by id. [ctx: ref=wiki-compile-skill]
2026-06-17 | Howard-Home | unifi/controller-write | [friction] UniFi OS controller PUT (rest/device port_overrides) returned 403 without CSRF. Fix: login with -D headers, read 'x-updated-csrf-token' (or decode csrfToken from TOKEN cookie JWT), send as X-CSRF-Token on PUT/POST/DELETE
2026-06-17 | Howard-Home | bash/env | [friction] Git-Bash /tmp path mismatch again: msys curl -o /tmp/x.json wrote where Windows python could not read it (FileNotFoundError). Fix: write API JSON to CWD-relative ./.x.json so curl+python share the path [ctx: ref=howard-home known /tmp friction]
2026-06-17 | Howard-Home | pfsense/cascades-voice-vlan | [correction] assumed new RFC1918 alias + DNS-to-firewall:53/123 rules + clone VLAN20 for VOICE isolation; correct is clone the GUEST VLAN (VLAN50/igc1.50, the only actually-isolated net: 3x literal-CIDR quick blocks + pass any) and hand out PUBLIC DNS 8.8.8.8/1.1.1.1 via DHCP. VLAN20 is NOT isolated; config.xml rules were mismapped/not matching live pfctl -sr [ctx: ref=voice-vlan-cutover.md; lesson=read pfctl -sr not just config.xml]
2026-06-17 | GURU-5070 | agy | gemini returned no response (empty after 3 attempts) [ctx: mode=search err=Attempt 1 failed: You have exhausted your capacity on this model. Your quota wil]
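Review bot: The `unifi/controller-write` entry has no `[ctx: ...]` trailer, unlike the other entries in the hunk; add one (for example `ref=voice-vlan-cutover.md`, which already documents the scripted bounce) so the friction log and the plan cross-reference each other. Read together, that entry (`login with -D headers`, decode `csrfToken` from the `TOKEN` cookie JWT) and the `bash/env` entry (`write API JSON to CWD-relative ./.x.json`) mean a controller session cookie and CSRF token can end up in files inside the working tree; the fix text should say where those files are written and that they are excluded from the repo or deleted after the call. The final `GURU-5070 | agy` entry is cut off mid-word (`Your quota wil`); if the log format caps the err field, mark the truncation so a reader does not take it for a copy error.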