sync: auto-sync from HOWARD-HOME at 2026-06-30 10:37:25
Author: Howard Enos Machine: HOWARD-HOME Timestamp: 2026-06-30 10:37:25
@@ -153,6 +153,7 @@
|
||||
- [Cascades](project_cascades.md) — Active state: Syncro ticket #110680053 + plan file (machine-specific path on Howard's box), admin accounts (sysadmin@=Howard, admin@=Mike — daily-driver, NOT break-glass), Phase-B caregiver CA pilot (SG-Caregivers-Pilot, group-scoped never tenant-wide), prepaid block ~37.5h (rate TBD), pilot cleanup checklist.
|
||||
- [Cascades history](project_cascades_history.md) — fdeploy 502/ACL root cause (Flags=1211→187 fix), 2026-04-29 CA-rescoping decision (Howard pulled the brakes on tenant-wide), 2026-05-14 per-user-security-group decision rationale.
|
||||
- [Cascades isolated-VLAN pattern](project_cascades_isolated_vlan_pattern.md) — pfSense: the GUEST VLAN (VLAN50/igc1.50) is the isolation template (4 any-proto quick rules: block 192.168.0.0/22 + 10.0.0.0/8 + 172.16.0.0/12, then pass any; public DNS via DHCP). VLAN20 is NOT isolated. Verify with `pfctl -sr`, not config.xml. Protocol MUST be Any (TCP-only leaks UDP). VOICE VLAN30 built to this 2026-06-17.
|
||||
- [Cascades VLAN20 migration + routing](project_cascades_vlan20_migration_routing.md) — Staff machines/printers moving to VLAN20 (10.0.20.0/24). CS-SERVER couldn't reach VLAN20 printers because the LAN "allow LAN to any" rule policy-routes via WAN_Group → add a top LAN pass rule (src CS-SERVER 192.168.2.248, dst 10.0.20.0/24, gw=default) to bypass. pfSense SSH from VPN is blocked (do firewall in GUI). Printer client-map via GPO or SYSTEM `printui /ga` to dodge the 0x800702e4 PrintNightmare prompt; build UNC with [char]92.
|
||||
- [Cascades KPI dashboard (parked)](project_cascades_kpi_dashboard.md) — Ashley Jensen wants one dashboard across their reporting SaaS (ALIS/QuickBooks/Bill.com/Relias/You've Got Leads/TELS/Focus HR/Helpany/POS). Power BI Gateway is the WRONG frame (on-prem only). Recommended Tier1→Tier2: scheduled exports → SharePoint → Power BI Pro, automate API-capable systems (Bill.com/QBO) via Power Automate later. Full notes: `clients/cascades-tucson/docs/proposals/kpi-dashboard.md`. Next: draft client one-pager.
|
||||
- [Sync script bug — untracked files (RESOLVED)](project_sync_script_bug.md) — FIXED 2026-05-21: sync.sh now uses `git status --porcelain` for change detection (repo + vault).
|
||||
- [MasterBooter Side Project](project_masterbooter.md) — Howard's Rust+Slint Windows deployment toolkit at C:\MasterBooter, separate from client work. Do not log to clients/.
|
||||
|
||||
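Review bot: the new index line (`- [Cascades VLAN20 migration + routing]`) tells the reader to client-map printers "via GPO or SYSTEM `printui /ga`", but the memory file added in this same commit records that the `/ga` per-machine path silently fails at logon (PrintService event 513, 0xBCB) and that the Point-and-Print policy is "the REAL promptless fix". Since the index is what gets read first, update the summary to point at the Point-and-Print computer GPO route (`RestrictDriverInstallationToAdministrators` plus the `PointAndPrint` `ServerList=CS-SERVER` scoping) and drop or qualify `/ga`. It is also worth saying in the summary that the top LAN pass rule is scoped to src 192.168.2.248 only, since that scoping is what keeps the fix from widening the resident/GUEST isolation described in the preceding isolated-VLAN entry.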
73
.claude/memory/project_cascades_vlan20_migration_routing.md
Normal file
@@ -0,0 +1,73 @@
|
||||
---
|
||||
name: project_cascades_vlan20_migration_routing
|
||||
description: Cascades CSC ENT->VLAN20 migration — pfSense WAN_Group policy-route breaks LAN<->VLAN20; fix + printer-migration mechanics
|
||||
metadata:
|
||||
type: project
|
||||
---
|
||||
|
||||
Cascades is migrating staff machines + printers off the flat old LAN (192.168.0.0/22,
|
||||
"CSC ENT") onto the isolated **Staff VLAN 20 (10.0.20.0/24, gw 10.0.20.1)** ("CSCNET").
|
||||
Printers are being re-IP'd to 10.0.20.x (static) and re-shared on the CS-SERVER print
|
||||
server. Key operational facts learned 2026-06-30 (Howard, front-desk ET-5800 + Life
|
||||
Enrichment Canon MF741CDW):
|
||||
|
||||
**pfSense gotcha (the big one):** CS-SERVER (on the old LAN) could not reach ANY VLAN 20
|
||||
printer (.221/.220/.94/.78:9100) even though it pinged the VLAN20 gateway 10.0.20.1. Root
|
||||
cause was NOT a block — the LAN "Default allow LAN to any" rule has **Gateway = WAN_Group**
|
||||
(dual-WAN policy routing), so LAN->internal-VLAN traffic gets shoved out the WAN and dies.
|
||||
**Fix = a pass rule at the TOP of the LAN interface** (Firewall/Rules/LAN), Source =
|
||||
CS-SERVER 192.168.2.248, Dest = 10.0.20.0/24, protocol any, **Gateway = default** (do NOT
|
||||
set WAN). This bypasses the policy route so internal traffic routes normally. Scoped to the
|
||||
server's source IP => residents (own /28 VLANs) + guests (VLAN 50) can't match it (rule is
|
||||
on the LAN interface, sourced from the server only). This also un-broke the already-migrated
|
||||
Business Office/Life Enrichment/MC Reception shares. VLAN20->server (SMB) was already fine.
|
||||
|
||||
**pfSense SSH from the VPN is BLOCKED** (tcp/22 dropped; GUI 443 open). The `unifi-wifi`
|
||||
skill's `pfsense-ssh.sh` therefore returns empty (it sends ssh stderr to /dev/null). Did the
|
||||
rule via the GUI instead. To use the skill remotely later, add an OpenVPN-side allow for 22.
|
||||
|
||||
**Printer migration mechanics:**
|
||||
- CS-SERVER side: repoint the share's port to TCP_10.0.20.<x>:9100 (Set-Printer -PortName),
|
||||
drop the old 192.168.2.x port; keep the same ShareName so client mappings survive.
|
||||
- Client side: mapping `\\CS-SERVER\<share>` as a standard domain user triggers a
|
||||
PrintNightmare elevation prompt (HRESULT 0x800702e4) EVEN when the driver is already local
|
||||
— see [[feedback_rmm_printer_elevation]] / errorlog. Promptless options: GPO printer
|
||||
deployment (they already do this for caregivers — the scalable answer), or push as SYSTEM
|
||||
via `rundll32 printui.dll,PrintUIEntry /ga /n"\\CS-SERVER\<share>"` (per-machine, appears
|
||||
at the user's NEXT logon), or set Point-and-Print "Approved server = CS-SERVER" so user-
|
||||
context maps are promptless+immediate.
|
||||
- Old room-named shares (e.g. `1F-132-RecRoom-Canon`) were renamed on the server during
|
||||
migration, leaving ORPHANED per-user client mappings; a spooler restart auto-drops them.
|
||||
- Build UNC paths in RMM PowerShell with `[char]92`, not literal `\\` (jq/agent pipeline
|
||||
mangles literal backslashes — [[feedback_windows_quote_stripping]]).
|
||||
|
||||
**Point-and-Print is the REAL promptless fix (proven 2026-06-30 on the LE machines).** The
|
||||
0x800702e4 prompt AND the `/ga` per-machine path silently failing at logon (PrintService
|
||||
event 513, error 0xBCB) are BOTH the same default `RestrictDriverInstallationToAdministrators`
|
||||
(ON when unset) blocking the standard user from pulling the driver. We're domain admin, but
|
||||
the *end user* isn't — so apply admin rights via the Point-and-Print policy:
|
||||
`HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers` `RestrictDriverInstallationToAdministrators=0`
|
||||
+ subkey `PointAndPrint` `Restricted=1,TrustedServers=1,ServerList=CS-SERVER,InForest=0,`
|
||||
`NoWarningNoElevationOnInstall=1,UpdatePromptSettings=2` (scopes silent install to CS-SERVER
|
||||
only). After that, `WScript.Network.AddWindowsPrinterConnection` in the user session is
|
||||
promptless+immediate. **Correct durable fix = put this in a computer GPO fleet-wide** (the
|
||||
caregiver machines already have it; that's why their printer GPO works), then deploy printers
|
||||
via GPO. Existing GPOs: `CSC - Life Enrichment Printers`, `CSC - Printer Deployment`,
|
||||
`CSC - Caregiver Workstation`, `CSC - Reception Workstation Policy` (the LE one likely still
|
||||
pushes the OLD share name — repoint it to the new share).
|
||||
|
||||
**Driver/PDL trap — Canon MF741/743 = UFR II ONLY (not PCL).** The rebuilt `LifeEnrichment`
|
||||
share was created with **Canon Generic Plus PCL6**; the MF741 can't parse PCL → spools OK,
|
||||
nothing prints, panel shows **Error #822** (unsupported/corrupt data). Fix = use the **UFR II**
|
||||
driver (`Canon Generic Plus UFR II V250`, INF cnlb0ma64.inf). CS-SERVER only had PCL6/PS3/XPS
|
||||
staged; pulled UFR II from a client's DriverStore (`C:\Windows\System32\DriverStore\
|
||||
FileRepository\cnlb0ma64.inf_amd64_*`) using the vaulted `cs-server` `sysadmin` domain-admin
|
||||
cred. **Transfer direction matters:** CS-SERVER (192.168.2.x) CANNOT reach a client's C$
|
||||
(client host-firewall scopes File/Print sharing to LocalSubnet, and CS-SERVER is off-subnet)
|
||||
-> have the CLIENT push to `\\CS-SERVER\C$` instead (client->server SMB works). Then
|
||||
`pnputil /add-driver <inf> /install`, `Add-PrinterDriver -Name "<exact INF model name>"`,
|
||||
`Set-Printer -DriverName`. Get the exact driver name from the INF's quoted strings, not a guess.
|
||||
When the server driver changes, refresh each client connection (Remove+AddWindowsPrinterConnection)
|
||||
so it drops the stale cached PCL6 driver.
|
||||
|
||||
Related: wiki clients/cascades-tucson (network/VLANs), [[project-cascades-migration-plan]].
|
||||
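Review bot: the Point-and-Print paragraph (`HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers` with `RestrictDriverInstallationToAdministrators=0`) describes the change as applying "admin rights via the Point-and-Print policy", which reads backwards: setting that value to 0 removes the administrator requirement for Point-and-Print driver installs on the workstation (it is the default-on PrintNightmare mitigation the same paragraph names), and it removes it for every print server unless the `PointAndPrint` subkey also carries `Restricted=1,TrustedServers=1,ServerList=CS-SERVER`. State that dependency explicitly and make the fleet-wide computer GPO push all of the listed values as one unit; a GPO that lands only the first value opens non-admin driver install from any print server, while one that lands only the `PointAndPrint` values keeps the 0x800702e4 prompt. With `NoWarningNoElevationOnInstall=1` and `UpdatePromptSettings=2`, driver updates from CS-SERVER also install silently, so the driver-staging step on the server (`pnputil /add-driver` and `Add-PrinterDriver` run with the vaulted `sysadmin` domain-admin cred) is now the control point for what lands on every workstation; the file should say so next to the UFR II staging notes. Minor: the top LAN pass rule should be confirmed with `pfctl -sr` as the isolated-VLAN pattern entry in this repo prescribes, and the rule description used in Firewall/Rules/LAN should be recorded so the next person can find and audit it.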