sync: auto-sync from HOWARD-HOME at 2026-06-17 13:53:40

Author: Howard Enos
Machine: HOWARD-HOME
Timestamp: 2026-06-17 13:53:40

clients/cascades-tucson/session-logs/2026-06/2026-06-17-howard-voice-vlan30-build.md

@@ -0,0 +1,68 @@
+# Cascades — VOICE VLAN 30 build + desktop cutover (Part A/B)
+
+- **Date:** 2026-06-17
+- **Machine:** Howard-Home
+- **Client:** Cascades of Tucson
+- **Runbook:** `clients/cascades-tucson/docs/network/voice-vlan-cutover.md`
+
+## User
+- **User:** Howard Enos (howard)
+- **Machine:** Howard-Home
+- **Role:** tech
+
+## Context
+Richard Turner (Vertical, VoIP vendor) replied "we are good to start" on the voice-VLAN
+consolidation. Goal: move all voice gear (8 AudioCodes wired, 22 Poly WiFi, Vertical-Remote
+desktop) onto a dedicated, isolated VLAN 30 — internet/cloud-PBX reachable, blocked from
+PHI/LAN/VLAN20/mgmt (HIPAA). Session = build the VLAN + move the first device.
+
+## Vendor confirmations (changed the plan)
+- **Desktop = DHCP** (not static as recon assumed). Verified on pfSense (active lease, no static
+  mapping; `192.168.2.180` is inside the main pool). => zero-touch desktop cutover.
+- **Remote access = LogMeIn, not the pfSense OpenVPN.** => dropped the entire OpenVPN
+  Client-Specific-Override piece; desktop only needs internet egress (LogMeIn is outbound).
+- **DHCP backend = ISC dhcpd** (Kea dormant).
+
+## What was built (verified)
+**pfSense Part A (igc1.30 / opt241, 10.0.30.0/24):**
+- VLAN 30 iface @ `10.0.30.1/24`; DHCP `10.0.30.100-.250`, DNS `8.8.8.8/1.1.1.1` (public).
+- Isolation rules = **clone of the GUEST VLAN** (the only actually-isolated net), all
+  Protocol=Any + quick: block -> `192.168.0.0/22`, block -> `10.0.0.0/8`, block ->
+  `172.16.0.0/12`, then pass -> any. Verified via `pfctl -sr` (matches igc1.50 exactly).
+- The 4 rules were first built in the GUI as Protocol=TCP (leaks UDP/SIP/RTP/DNS); fixed to
+  Any via the pfSense PHP config API (`write_config` + `filter_configure` + dry-run first).
+
+**UniFi Part B (Cascades site va6iba3v):**
+- VOICE network created (VLAN Only, VLAN 30, id `...d161e6`).
+- Voice PPSK key on CSCNet -> VOICE. Key `V0!c38863171` **vaulted** at
+  `clients/cascades-tucson/wifi-voice-ppsk.sops.yaml` (encrypted, pushed).
+
+## First device moved (Vertical-Remote desktop)
+- Howard set USW-16-PoE **port 16** native = VOICE; UniFi showed client on vlan=30, but the
+  desktop kept `192.168.2.180`. Root cause: re-VLANing a wired port doesn't bounce the NIC
+  link, so Windows held its old lease (renewal unicast to old DHCP server blocked by VOICE
+  rules). A UniFi client block/unblock is a MAC filter, not a link bounce — no effect.
+- **Fix:** bounced port 16 via controller API (PUT `rest/device/<id>` port_overrides
+  `forward:disabled` then restore; needs `X-CSRF-Token` from login header
+  `x-updated-csrf-token`). Ports 1-8 untouched. Desktop re-DHCP'd to **`10.0.30.201`**,
+  confirmed in `dhcpd.leases` + ARP on igc1.30. DONE + isolated.
+
+## Key learnings (also in errorlog + memory)
+- **Verify pfSense with `pfctl -sr`, not config.xml** — config.xml had mismapped/inactive
+  rules; VLAN 20 is NOT isolated (only opt238net->lan + floating `pass inet all`).
+- **Isolated-VLAN template = GUEST VLAN (VLAN50/igc1.50).** Memory:
+  `project_cascades_isolated_vlan_pattern.md`.
+- **Re-VLAN a wired port => MUST bounce the link to force re-DHCP** (PoE power-cycle for
+  PoE phones; disable/enable or release/renew for non-PoE). Now in the runbook.
+- UniFi-OS controller writes need a CSRF token; Git-Bash `/tmp` path mismatch (write API
+  JSON to CWD-relative files).
+
+## Status / next
+- **VOICE VLAN fully built + verified; desktop live on 10.0.30.201.** Pure build otherwise —
+  no phones moved yet.
+- **Howard will move the AudioCodes (ports 1-8) + Poly phones later tonight.** Per the runbook:
+  flip the port -> **PoE Power-Cycle each of ports 1-8** so the AudioCodes re-DHCP; Poly re-key
+  to the voice PPSK (a WiFi re-auth is itself a fresh DHCP). Verify each on pfSense
+  (`dhcpd.leases` + `arp -an | grep igc1.30`).
+- Cloud-PBX assumption still unconfirmed (low risk; add Part A 5b pinhole only if a phone fails
+  to register). Schedule remains flexible (Richard available).