From 40ff8accd3d053854e2efed4b3f3faa7388fec98 Mon Sep 17 00:00:00 2001 From: Howard Enos Date: Wed, 17 Jun 2026 13:53:49 -0700 Subject: [PATCH] sync: auto-sync from HOWARD-HOME at 2026-06-17 13:53:40 Author: Howard Enos Machine: HOWARD-HOME Timestamp: 2026-06-17 13:53:40 --- .../2026-06-17-howard-voice-vlan30-build.md | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 clients/cascades-tucson/session-logs/2026-06/2026-06-17-howard-voice-vlan30-build.md diff --git a/clients/cascades-tucson/session-logs/2026-06/2026-06-17-howard-voice-vlan30-build.md b/clients/cascades-tucson/session-logs/2026-06/2026-06-17-howard-voice-vlan30-build.md new file mode 100644 index 00000000..29c246ad --- /dev/null +++ b/clients/cascades-tucson/session-logs/2026-06/2026-06-17-howard-voice-vlan30-build.md 
@@ -0,0 +1,68 @@ +# Cascades — VOICE VLAN 30 build + desktop cutover (Part A/B) + +- **Date:** 2026-06-17 +- **Machine:** Howard-Home +- **Client:** Cascades of Tucson +- **Runbook:** `clients/cascades-tucson/docs/network/voice-vlan-cutover.md` + +## User +- **User:** Howard Enos (howard) +- **Machine:** Howard-Home +- **Role:** tech + +## Context +Richard Turner (Vertical, VoIP vendor) replied "we are good to start" on the voice-VLAN +consolidation. Goal: move all voice gear (8 AudioCodes wired, 22 Poly WiFi, Vertical-Remote +desktop) onto a dedicated, isolated VLAN 30 — internet/cloud-PBX reachable, blocked from +PHI/LAN/VLAN20/mgmt (HIPAA). Session = build the VLAN + move the first device. + +## Vendor confirmations (changed the plan) +- **Desktop = DHCP** (not static as recon assumed). Verified on pfSense (active lease, no static + mapping; `192.168.2.180` is inside the main pool). => zero-touch desktop cutover. +- **Remote access = LogMeIn, not the pfSense OpenVPN.** => dropped the entire OpenVPN + Client-Specific-Override piece; desktop only needs internet egress (LogMeIn is outbound). +- **DHCP backend = ISC dhcpd** (Kea dormant). + +## What was built (verified) +**pfSense Part A (igc1.30 / opt241, 10.0.30.0/24):** +- VLAN 30 iface @ `10.0.30.1/24`; DHCP `10.0.30.100-.250`, DNS `8.8.8.8/1.1.1.1` (public). +- Isolation rules = **clone of the GUEST VLAN** (the only actually-isolated net), all + Protocol=Any + quick: block -> `192.168.0.0/22`, block -> `10.0.0.0/8`, block -> + `172.16.0.0/12`, then pass -> any. Verified via `pfctl -sr` (matches igc1.50 exactly). +- The 4 rules were first built in the GUI as Protocol=TCP (leaks UDP/SIP/RTP/DNS); fixed to + Any via the pfSense PHP config API (`write_config` + `filter_configure` + dry-run first). + +**UniFi Part B (Cascades site va6iba3v):** +- VOICE network created (VLAN Only, VLAN 30, id `...d161e6`). +- Voice PPSK key on CSCNet -> VOICE. 
Key `V0!c38863171` **vaulted** at + `clients/cascades-tucson/wifi-voice-ppsk.sops.yaml` (encrypted, pushed). + +## First device moved (Vertical-Remote desktop) +- Howard set USW-16-PoE **port 16** native = VOICE; UniFi showed client on vlan=30, but the + desktop kept `192.168.2.180`. Root cause: re-VLANing a wired port doesn't bounce the NIC + link, so Windows held its old lease (renewal unicast to old DHCP server blocked by VOICE + rules). A UniFi client block/unblock is a MAC filter, not a link bounce — no effect. +- **Fix:** bounced port 16 via controller API (PUT `rest/device/` port_overrides + `forward:disabled` then restore; needs `X-CSRF-Token` from login header + `x-updated-csrf-token`). Ports 1-8 untouched. Desktop re-DHCP'd to **`10.0.30.201`**, + confirmed in `dhcpd.leases` + ARP on igc1.30. DONE + isolated. + +## Key learnings (also in errorlog + memory) +- **Verify pfSense with `pfctl -sr`, not config.xml** — config.xml had mismapped/inactive + rules; VLAN 20 is NOT isolated (only opt238net->lan + floating `pass inet all`). +- **Isolated-VLAN template = GUEST VLAN (VLAN50/igc1.50).** Memory: + `project_cascades_isolated_vlan_pattern.md`. +- **Re-VLAN a wired port => MUST bounce the link to force re-DHCP** (PoE power-cycle for + PoE phones; disable/enable or release/renew for non-PoE). Now in the runbook. +- UniFi-OS controller writes need a CSRF token; Git-Bash `/tmp` path mismatch (write API + JSON to CWD-relative files). + +## Status / next +- **VOICE VLAN fully built + verified; desktop live on 10.0.30.201.** Pure build otherwise — + no phones moved yet. +- **Howard will move the AudioCodes (ports 1-8) + Poly phones later tonight.** Per the runbook: + flip the port -> **PoE Power-Cycle each of ports 1-8** so the AudioCodes re-DHCP; Poly re-key + to the voice PPSK (a WiFi re-auth is itself a fresh DHCP). Verify each on pfSense + (`dhcpd.leases` + `arp -an | grep igc1.30`). 
+- Cloud-PBX assumption still unconfirmed (low risk; add Part A 5b pinhole only if a phone fails + to register). Schedule remains flexible (Richard available).
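Review bot: the `Voice PPSK key on CSCNet -> VOICE` line in this hunk records the PPSK value itself in plaintext, in the same sentence that says the key is vaulted in `clients/cascades-tucson/wifi-voice-ppsk.sops.yaml`; committing and pushing the session log puts the secret into git history in the clear and makes the sops vault pointless. Suggest replacing the literal with a pointer only, e.g. `- Voice PPSK key on CSCNet -> VOICE. Key vaulted at clients/cascades-tucson/wifi-voice-ppsk.sops.yaml (encrypted, pushed).`, rotating the VOICE PPSK on the UniFi network since this value has already been pushed, and purging it from history if the repo is shared. Secondary, same hunk: the isolation rules block `10.0.0.0/8` with quick before the pass rule, and the VOICE subnet `10.0.30.0/24` and its gateway `10.0.30.1` sit inside that range; the log should state that this is intentional (DHCP is covered by pfSense's automatic interface rules and DNS is pointed at public resolvers) so the next reader does not treat it as a misconfiguration when a phone needs the gateway for anything else.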