docs(session): 2026-05-27 — RMM Phase 2 deploy, Autotask integration, Tohono DoIT #32328
- Root log: GuruRMM Phase 2 authz/IDOR deployed (v0.3.31); Autotask creds verified + vaulted; /autotask scaffolded (kept local)
- Client log (new): Tohono O'odham DoIT — Starlink static IP / site-to-site research, ticket #32328
- Memory: Syncro is default PSA, Autotask opt-in (feedback_psa_default_syncro.md)

Note: .claude/commands/autotask.md intentionally left local/uncommitted per Mike.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@@ -0,0 +1,62 @@
# Session Log: 2026-05-27 — Tohono O'odham Nation DoIT
## User
- **User:** Mike Swanson (mike)
- **Machine:** GURU-5070
- **Role:** admin
## Session Summary
Created Syncro ticket **#32328** for Tohono O'odham Nation - Department of Information & Technology (DoIT) — "Request for Starlink Static IP options" — to track a site-to-site VPN design question. The client runs **2× Check Point 1550** appliances, each behind its own **Starlink Roam Unlimited** connection (Starlink in **bypass mode**, so each 1550 pulls the WAN IP directly). They asked about getting a Starlink static IP to enable a site-to-site VPN between field sites and the main office.
Researched the design (web-verified). Findings: Starlink **Roam offers no static IP on any plan** and is **CGNAT by default**; bypass mode removes Starlink's own NAT but still hands the 1550 a **CGNAT `100.64.x.x`** address, not a public IP. The **Check Point 1550 (Gaia Embedded)** supports native IPsec site-to-site but **cannot run Tailscale/ZeroTier** (closed appliance; doing so is unsupported and voids support) and has no built-in overlay/relay for CGNAT traversal.
Mid-session Mike clarified two facts that reframed the design: the field Starlinks are in **bypass mode** (no Starlink NAT), and the **main office is NOT on Starlink — it has public static IP(s)** (office gateway hardware unconfirmed, assumed Check Point). That makes this **not** a dual-CGNAT problem — it's CGNAT field spokes dialing into a **reachable public hub**, which is solvable cleanly.
Posted a **customer-visible, emailed** note (comment `413414183`) to #32328 presenting **two options**: (A) native Check Point IPsec hub-and-spoke — field 1550s initiate IPsec outbound to the office public IP, using existing hardware, no overlay; cleanest if the office gateway is also Check Point; and (B) Tailscale overlay — a subnet-router node behind the office firewall plus a small node (GL.iNet Beryl AX/Flint 2, or pfSense/Linux) at each field site, traversing CGNAT via NAT-traversal + DERP relays. Both avoid the expensive Starlink High Performance / Priority upgrade. Documented the dependency: office internal IT must approve/build the entrypoint, and the office gateway make/model must be confirmed.
## Key Decisions
- **Posted both options rather than committing to one** — Mike's call; lets DoIT's IT weigh the lighter-touch native IPsec path vs. the more flexible Tailscale overlay.
- **Customer-visible + emailed** (not internal) — Mike chose to send the options directly to DoIT (technical audience; primary contact Shannon Ramon).
- **Recommended skipping the Starlink HP/Priority upgrade** — a reachable office hub means a static Starlink IP isn't needed for either option.
- **`do_not_email: true` on ticket creation** but **email on the options comment** — avoided notifying the customer at create time while we formulated the response, then emailed the substantive note once ready.
## Problems Encountered
- **Initial assumption was dual-CGNAT** (both ends behind Starlink), which would have forced an overlay-only (Tailscale/ZeroTier) answer. Mike's clarification that the office has public static IPs reframed it to CGNAT-spoke → public-hub, which also enables a native IPsec hub-and-spoke option. Note rewritten to present both.
## Configuration Changes
- No repo code changes for this client. This session log seeds the new `clients/tohono-oodham-doit/` folder (no prior client folder or wiki article existed).
## Credentials & Secrets
- No new client credentials. Syncro API used Mike's per-user key (already vaulted at `msp-tools/syncro.sops.yaml`).
## Infrastructure & Servers
- **Customer:** Tohono O'odham Nation - Department of Information & Technology (DoIT). Syncro `customer_id 33069069`. Primary contact: Shannon Ramon (shannon.ramon@tonation-nsn.gov). No prepaid block.
- **Field sites (x2):** Check Point 1550 appliance each, behind Starlink **Roam Unlimited**, Starlink in **bypass mode** → 1550 holds the WAN IP directly, but it's **CGNAT `100.64.0.0/10`** (no public/static IP on Roam). Verify on-site: each 1550's WAN IP should read `100.64.x.x`.
- **Main office:** NOT Starlink — **public static IP(s)**. Gateway hardware unconfirmed (assumed Check Point, model TBD). This is the reachable VPN hub.
- **Other Tohono O'odham Syncro accounts (do not confuse):** Legislative Branch (35323240), Farming Authority (33405788), Sif-oidak District (7694718). This work is the **DoIT** account only.
- **Design building blocks:** Tailscale traverses CGNAT via NAT-traversal + DERP relays (443). Candidate field nodes: GL.iNet Beryl AX (GL-MT3000) / Flint 2 (GL-MT6000) with native Tailscale, or pfSense/OPNsense (Tailscale package + subnet routing).
## Commands & Outputs
- Customer lookup: `GET /customers?query=Tohono` → DoIT = id 33069069.
- Ticket create: `POST /tickets` (customer_id 33069069, problem_type "Service Request", priority "2 Normal", user_id 1735, do_not_email true) → `#32328`, id `111209848`, status New.
- Options note: `POST /tickets/111209848/comment` (hidden false, do_not_email false) → comment id `413414183`. Bot alert posted.
## Pending / Incomplete Tasks
- **Ticket #32328 left in status New** — asked Mike whether to set "Waiting on Customer" (pending his answer).
- **Awaiting DoIT internal IT:** approve and build the VPN entrypoint — either configure the office gateway as the IPsec hub (Option A) or stand up/permit the Tailscale node (Option B).
- **Confirm office gateway make/model.**
- **On-site verification:** confirm each field 1550's WAN IP is `100.64.x.x` (CGNAT). If a 1550 shows a real public IP, they may already have a Starlink public-IP add-on, which changes the calculus.
## Reference Information
- Ticket: #32328 (id 111209848) — https://computerguru.syncromsp.com/tickets/111209848 — comment id 413414183.
- Research sources: CheckMates "Tailscale on GAiA" thread; Starlink CGNAT / static-IP explainers (StarlinkInsider, HostiFi); Tailscale NAT-traversal + DERP + site-to-site docs; pfSense/OPNsense Tailscale subnet-router docs.
- Skill used: `/syncro` (`.claude/commands/syncro.md`).
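Review bot: Option A as written in the Session Summary and the Pending task for the IPsec hub omits what the office gateway must be built to accept when the spokes sit behind CGNAT: the field 1550s reach the office from Starlink-translated source addresses rather than the `100.64.x.x` the appliance sees on its WAN, so the hub has to treat them as dynamic-address (unknown-IP) VPN peers, NAT traversal (UDP 4500 in addition to UDP 500) must be enabled and permitted on the office side, and the spokes must always initiate since the office cannot reach them. Suggest adding that as a line under Pending so DoIT's IT builds the hub that way, and likewise recording for Option B that the field nodes need outbound 443 egress to reach the DERP relays the design depends on. Separately, the Infrastructure bullet commits a named contact's email address and Syncro customer IDs into the repo; confirm that is consistent with the client-data handling intended for these session logs, or keep contact details in Syncro and reference only the ticket URL already listed under Reference Information.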