sync: auto-sync from HOWARD-HOME at 2026-06-17 12:34:44
Author: Howard Enos Machine: HOWARD-HOME Timestamp: 2026-06-17 12:34:44
@@ -119,6 +119,7 @@
- [Howard-Home LAN shadow (RESOLVED)](howard-home-lan-shadow.md) — Howard-Home renumbered 2026-06-16 to **10.137.42.0/24** (gw 10.137.42.1, UniFi — NOT pfSense), off the old 192.168.0.0/24 that shadowed Cascades pfSense .0.x over the VPN. Cascades .0.x should now route via the tunnel; this machine is 10.137.42.x now (not 192.168.0.x).
- [Cascades](project_cascades.md) — Active state: Syncro ticket #110680053 + plan file (machine-specific path on Howard's box), admin accounts (sysadmin@=Howard, admin@=Mike — daily-driver, NOT break-glass), Phase-B caregiver CA pilot (SG-Caregivers-Pilot, group-scoped never tenant-wide), prepaid block ~37.5h (rate TBD), pilot cleanup checklist.
- [Cascades history](project_cascades_history.md) — fdeploy 502/ACL root cause (Flags=1211→187 fix), 2026-04-29 CA-rescoping decision (Howard pulled the brakes on tenant-wide), 2026-05-14 per-user-security-group decision rationale.
- [Cascades isolated-VLAN pattern](project_cascades_isolated_vlan_pattern.md) — pfSense: the GUEST VLAN (VLAN50/igc1.50) is the isolation template (4 any-proto quick rules: block 192.168.0.0/22 + 10.0.0.0/8 + 172.16.0.0/12, then pass any; public DNS via DHCP). VLAN20 is NOT isolated. Verify with `pfctl -sr`, not config.xml. Protocol MUST be Any (TCP-only leaks UDP). VOICE VLAN30 built to this 2026-06-17.
- [Cascades KPI dashboard (parked)](project_cascades_kpi_dashboard.md) — Ashley Jensen wants one dashboard across their reporting SaaS (ALIS/QuickBooks/Bill.com/Relias/You've Got Leads/TELS/Focus HR/Helpany/POS). Power BI Gateway is the WRONG frame (on-prem only). Recommended Tier1→Tier2: scheduled exports → SharePoint → Power BI Pro, automate API-capable systems (Bill.com/QBO) via Power Automate later. Full notes: `clients/cascades-tucson/docs/proposals/kpi-dashboard.md`. Next: draft client one-pager.
- [Sync script bug — untracked files (RESOLVED)](project_sync_script_bug.md) — FIXED 2026-05-21: sync.sh now uses `git status --porcelain` for change detection (repo + vault).
- [MasterBooter Side Project](project_masterbooter.md) — Howard's Rust+Slint Windows deployment toolkit at C:\MasterBooter, separate from client work. Do not log to clients/.
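Review bot: the Howard-Home LAN shadow entry is tagged RESOLVED, yet the same line still hedges that Cascades .0.x "should now route via the tunnel". Either record the check that proved it (a traceroute from a 10.137.42.x host to the Cascades pfSense at 192.168.0.1 showing the VPN hop rather than the local gateway) or keep the tag off until that is confirmed; the renumbering fixes the overlap, but the entry is what the next session will trust.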
16
.claude/memory/project_cascades_isolated_vlan_pattern.md
Normal file
@@ -0,0 +1,16 @@
---
name: project_cascades_isolated_vlan_pattern
description: Cascades pfSense — the only isolated-VLAN template is the GUEST VLAN (VLAN50/igc1.50); VLAN20 is NOT isolated; verify with pfctl -sr not config.xml
metadata:
type: project
---
On the Cascades pfSense (`192.168.0.1`, Plus 25.07), the **template for an isolated VLAN is the GUEST VLAN (VLAN 50 / `igc1.50`)** — four `quick`, **Protocol=Any** interface rules: block -> `192.168.0.0/22`, block -> `10.0.0.0/8`, block -> `172.16.0.0/12`, then pass -> `any`; DHCP hands out **public DNS `8.8.8.8, 1.1.1.1`** (DNS resolves over the internet egress, NOT to the firewall — the 10.0.0.0/8 block would kill firewall DNS). No `RFC1918` alias exists; isolation uses literal CIDRs.
**VLAN 20 (Internal / `igc1.20`) is NOT isolated** — its only user rule is `opt238net -> lan`; all other traffic (incl. to internal) rides a floating `pass inet all` catch-all. Do not use VLAN 20 as an isolation template.
**Two traps, both burned time 2026-06-17:**
1. **config.xml lies** — it showed RFC1918 block rules on a friendly "opt239" that are NOT in the enforced ruleset (friendly-name/macro offset + inactive rules). **Always verify against the live enforced ruleset: `pfctl -sr | grep igc1.<vlan>`**, never trust the config-file rule dump alone.
2. **Protocol=Any is mandatory** on the block rules. A GUI build that sets Protocol=TCP leaves UDP (SIP/RTP/DNS) un-blocked to internal — it leaks via the floating `pass inet all`. pf prints port 53 as `domain`, not `53`.
**VOICE VLAN 30 (`igc1.30`/opt241, `10.0.30.0/24`)** was built 2026-06-17 to this exact pattern (cloud-PBX phones + Vertical LogMeIn desktop, HIPAA isolation). Scripted changes go via the pfSense PHP config API (`require config.inc; write_config(); filter_configure(); services_dhcpd_configure()`) — supported path, not config.xml surgery. Full runbook: `clients/cascades-tucson/docs/network/voice-vlan-cutover.md`. See [[howard-home-lan-shadow]] for VPN reach.
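Review bot: the VLAN 20 paragraph and trap 2 both rest on the quick interface blocks winning over the floating `pass inet all` catch-all, and that is only true while the floating rule is not itself `quick`; pfSense loads floating rules ahead of interface rules, so a `quick` floating pass would short-circuit every interface block on every VLAN, Guest included. State that condition in the memory file and make it part of the verification, e.g. `pfctl -sr | grep 'pass inet all'` with the note that the printed line must not carry `quick`. Second point on the scripted path: `filter_configure()` hands the reload to check_reload_status asynchronously, so a script that calls it and then immediately runs `pfctl -sr` can read the previous ruleset and "verify" a change that is not loaded yet; call `filter_configure_sync()` instead, or re-check after the reload has completed.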
@@ -1,7 +1,8 @@
# Cascades — Voice VLAN (VLAN 30) Cutover Runbook + Recon
- **Created:** 2026-06-16 (Howard-Home / claude-main)
- **Status:** APPROVED TO EXECUTE — Richard confirmed 2026-06-17 (go for VLAN build + device moves). Maintenance window still to be set for the live port flips.
- **Status:** APPROVED TO EXECUTE — Richard confirmed 2026-06-17. **pfSense PART A BUILT + VERIFIED 2026-06-17** (VLAN 30 iface `igc1.30`/opt241 @ `10.0.30.1/24`; DHCP `10.0.30.100-.250`, DNS `8.8.8.8/1.1.1.1`; 4 isolation rules enforced, verified via `pfctl -sr` to match the Guest VLAN exactly — any-proto quick blocks to 192.168.0.0/22 + 10.0.0.0/8 + 172.16.0.0/12, then pass any). **Remaining:** Part B (UniFi VOICE network + voice PPSK), then the live device moves in a maintenance window.
- **Gotcha caught 2026-06-17:** first GUI build set the rule Protocol to TCP — that leaves UDP (SIP/RTP/DNS) un-blocked to internal (leaks via the floating `pass inet all`). Isolation rules MUST be Protocol=Any. Fixed via the pfSense PHP config API.
## Vendor confirmation (Richard Turner, 2026-06-17) — materially simplifies the plan
Richard replied "we are good to start." Two confirmations change the runbook:
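Review bot: the new status line says the four VOICE rules were "verified via `pfctl -sr` to match the Guest VLAN exactly", but the runbook keeps no evidence of that check. Since the correction this commit records is that config.xml misled the build, paste the `pfctl -sr` lines for `igc1.30` next to the `igc1.50` lines into the runbook (or a dated verification note alongside it) so the next person can compare them rather than trust the sentence. The gotcha line would also be more useful if it said what the wrong rules looked like in the live ruleset (`proto tcp` on the three block lines) so the same check can be repeated after any future GUI edit.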
@@ -18,8 +19,9 @@ Consolidate ALL voice gear (Poly WiFi phones + AudioCodes wired phones + Vertica
VOICE network: VLAN 30
Subnet/gateway: 10.0.30.0/24 gw 10.0.30.1 (pfSense igc1.30)
DHCP pool: 10.0.30.100 - 10.0.30.250
Reservations: below .100 (out of pool -> safe on both ISC and Kea)
Desktop: 10.0.30.10 (Vertical-Remote, e4:e7:49:52:3a:06) -> set NIC to DHCP
Reservations: NONE (2026-06-17 — Howard: desktop needs no static IP to connect; it's
a normal DHCP client like the phones; LogMeIn is name/agent-based)
Desktop: dynamic lease from the pool (Vertical-Remote, e4:e7:49:52:3a:06)
```
## Systems
@@ -62,14 +64,15 @@ Probed from CS-SERVER (`192.168.2.254`, same LAN segment) — read-only.
1. **VLAN interface:** Interfaces -> VLANs -> Add: Parent `igc1`, Tag `30`, Desc `VOICE`.
2. **Assign + IP:** Interfaces -> Assignments -> add `igc1.30` -> Enable, Static `10.0.30.1/24`.
3. **DHCP:** Services -> DHCP Server -> VOICE: enable, range `10.0.30.100-.250`, DNS `10.0.30.1`.
4. **Reservation (desktop):** Static Mappings -> `e4:e7:49:52:3a:06` = `10.0.30.10`, hostname `Vertical-Remote`. (Phones optional — see Appendix; they stay reachable from the desktop on-subnet regardless.)
5. **Firewall (VOICE tab), top-to-bottom:**
- Alias `RFC1918` = `10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16`.
- (a) PASS: VOICE net -> This Firewall (10.0.30.1) ports 53, 123.
- (b) **CONDITIONAL** PASS: VOICE net -> `<on-prem PBX IP>` SIP/RTP/provisioning. **Recon says SKIP (cloud PBX); add only if Richard confirms an on-prem PBX.**
- (c) BLOCK: VOICE net -> `RFC1918`. (isolation)
- (d) PASS: VOICE net -> any. (internet)
3. **DHCP:** Services -> DHCP Server -> VOICE: enable, range `10.0.30.100-.250`, **DNS `8.8.8.8, 1.1.1.1`** (PUBLIC resolvers — must NOT be `10.0.30.1`; the isolation rules below block the firewall IP, and this matches how the Guest VLAN already resolves DNS).
4. **Reservation: SKIP (2026-06-17).** Desktop needs no static IP to connect (LogMeIn is name/agent-based) — it takes a normal pool lease like the phones, and reaches all phones on-subnet regardless. No static mappings needed for anything.
5. **Firewall (VOICE tab) — CLONE THE GUEST VLAN (VLAN 50 / igc1.50), verified 2026-06-17 as the only properly-isolated template.** Four interface rules, top-to-bottom (GUI interface rules are `quick` -> first match wins, so blocks bite before the internet pass). **No RFC1918 alias** — use literal CIDRs, matching the Guest convention:
- (1) BLOCK: VOICE subnets -> `192.168.0.0/22` (Block VOICE to LAN)
- (2) BLOCK: VOICE subnets -> `10.0.0.0/8` (Block VOICE to private 10.x — includes own subnet, but intra-subnet is L2-switched so desktop<->phones still work)
- (3) BLOCK: VOICE subnets -> `172.16.0.0/12` (Block VOICE to ACG mgmt)
- (4) PASS: VOICE subnets -> `any` (internet egress — cloud PBX + LogMeIn + public DNS)
- **No DNS/NTP-to-firewall rule** (would be blocked by rule 2 and isn't needed — DNS is public via DHCP). **No on-prem PBX pinhole** (cloud PBX). **DO NOT add VOICE to the `All_Networks` interface group** (Guest isn't in it; isolation depends on staying out).
- Corrects the earlier draft (DNS-to-firewall + RFC1918 alias) and the earlier wrong idea of cloning VLAN 20 — VLAN 20 is NOT isolated (only rule = opt238net->lan; everything else rides a floating `pass inet all`).
6. ~~**OpenVPN — reach desktop on VOICE, scoped to voice only**~~ — **NOT NEEDED (2026-06-17).** Vertical uses **LogMeIn** (outbound agent), not the pfSense OpenVPN, to reach the desktop. The desktop's internet egress on VOICE (rule (d)) is all LogMeIn requires. No CSO, no cert CN, no OpenVPN firewall rules for Vertical. (Howard's own OpenVPN access is unaffected.)
## PART B — UniFi (UOS controller)
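Review bot: rule (1) blocks only `192.168.0.0/22` (192.168.0.0 through 192.168.3.255), whereas the draft it replaces used an `RFC1918` alias covering `192.168.0.0/16`. Matching the Guest convention is a fine reason, but the runbook should say why the narrower range is sufficient, namely that nothing on the Cascades side lives in 192.168.4.0 or above and no such VLAN is planned; otherwise a later 192.168.x subnet becomes reachable from VOICE without anyone revisiting these rules. One more sentence worth adding under step 5: these four rules filter traffic entering `igc1.30` only, so they stop VOICE reaching the other networks but say nothing about LAN or VLAN 20 reaching the phones and the desktop; with the floating `pass inet all` present, that direction stays open unless the other interfaces' own rules close it, which matters for a VLAN built for HIPAA isolation.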
@@ -85,11 +88,11 @@ Probed from CS-SERVER (`192.168.2.254`, same LAN segment) — read-only.
1. Build everything with no live impact: pfSense VLAN/DHCP/firewall, OpenVPN CSO+rules, UniFi network, create the voice PPSK.
2. **AudioCodes:** flip USW-16-PoE ports 1-8 -> VOICE. Re-DHCP + re-register (brief blip).
3. **Poly:** re-key to voice PPSK. Roam onto VOICE.
4. **Desktop (zero-touch — DHCP, LogMeIn):** flip port 16 -> VOICE. Desktop re-DHCPs to `10.0.30.10` (its reservation). LogMeIn re-homes over internet egress automatically (no NIC change, no Vertical action needed). Brief blip only.
4. **Desktop (zero-touch — DHCP, LogMeIn):** flip port 16 -> VOICE. Desktop re-DHCPs to a `10.0.30.x` pool lease. LogMeIn re-homes over internet egress automatically (no NIC change, no static IP, no Vertical action needed). Brief blip only.
5. Confirm with Richard: LogMeIn reconnects to the desktop, and from the desktop he can reach the phones on `10.0.30.x`.
## Validation
- VOICE DHCP leases show phones on `10.0.30.x`; desktop on `10.0.30.10`.
- VOICE DHCP leases show phones AND the desktop on `10.0.30.x` (all dynamic).
- From desktop: reach several phones (Poly + AudioCodes).
- Isolation negative test: from VOICE, CANNOT reach CS-SERVER `192.168.2.254` or `10.0.20.x`.
- Phones registered / dial tone on a sample handset.
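Review bot: step 1 of the cutover still lists "OpenVPN CSO+rules" among the no-impact build items, but step 6 of PART A is struck through in this same commit as NOT NEEDED because Vertical reaches the desktop over LogMeIn; drop it from step 1 so the two sections agree. The isolation negative test should also cover UDP and the firewall's own VOICE address, given that the gotcha recorded in this commit was TCP-only block rules leaking UDP: from a VOICE host, a DNS query to `10.0.30.1` and to `192.168.0.1` must fail, alongside the existing reachability checks against `192.168.2.254` and `10.0.20.x`.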
@@ -17,6 +17,8 @@ Categories (the `[type]` tag): _(none)_ = skill/command execution failure ·
<!-- Append entries below this line -->
2026-06-17 | Howard-Home | pfsense/cascades-voice-vlan | [correction] assumed new RFC1918 alias + DNS-to-firewall:53/123 rules + clone VLAN20 for VOICE isolation; correct is clone the GUEST VLAN (VLAN50/igc1.50, the only actually-isolated net: 3x literal-CIDR quick blocks + pass any) and hand out PUBLIC DNS 8.8.8.8/1.1.1.1 via DHCP. VLAN20 is NOT isolated; config.xml rules were mismapped/not matching live pfctl -sr [ctx: ref=voice-vlan-cutover.md; lesson=read pfctl -sr not just config.xml]
2026-06-17 | GURU-5070 | agy | gemini returned no response (empty after 3 attempts) [ctx: mode=search err=Attempt 1 failed: You have exhausted your capacity on this model. Your quota wil]
2026-06-17 | GURU-5070 | agy | gemini auth/login failure [ctx: mode=search]