sync: auto-sync from HOWARD-HOME at 2026-06-17 12:34:44
Author: Howard Enos Machine: HOWARD-HOME Timestamp: 2026-06-17 12:34:44
@@ -119,6 +119,7 @@
- [Howard-Home LAN shadow (RESOLVED)](howard-home-lan-shadow.md) — Howard-Home renumbered 2026-06-16 to **10.137.42.0/24** (gw 10.137.42.1, UniFi — NOT pfSense), off the old 192.168.0.0/24 that shadowed Cascades pfSense .0.x over the VPN. Cascades .0.x should now route via the tunnel; this machine is 10.137.42.x now (not 192.168.0.x).
- [Cascades](project_cascades.md) — Active state: Syncro ticket #110680053 + plan file (machine-specific path on Howard's box), admin accounts (sysadmin@=Howard, admin@=Mike — daily-driver, NOT break-glass), Phase-B caregiver CA pilot (SG-Caregivers-Pilot, group-scoped never tenant-wide), prepaid block ~37.5h (rate TBD), pilot cleanup checklist.
- [Cascades history](project_cascades_history.md) — fdeploy 502/ACL root cause (Flags=1211→187 fix), 2026-04-29 CA-rescoping decision (Howard pulled the brakes on tenant-wide), 2026-05-14 per-user-security-group decision rationale.
- [Cascades isolated-VLAN pattern](project_cascades_isolated_vlan_pattern.md) — pfSense: the GUEST VLAN (VLAN50/igc1.50) is the isolation template (4 any-proto quick rules: block 192.168.0.0/22 + 10.0.0.0/8 + 172.16.0.0/12, then pass any; public DNS via DHCP). VLAN20 is NOT isolated. Verify with `pfctl -sr`, not config.xml. Protocol MUST be Any (TCP-only leaks UDP). VOICE VLAN30 built to this 2026-06-17.
- [Cascades KPI dashboard (parked)](project_cascades_kpi_dashboard.md) — Ashley Jensen wants one dashboard across their reporting SaaS (ALIS/QuickBooks/Bill.com/Relias/You've Got Leads/TELS/Focus HR/Helpany/POS). Power BI Gateway is the WRONG frame (on-prem only). Recommended Tier1→Tier2: scheduled exports → SharePoint → Power BI Pro, automate API-capable systems (Bill.com/QBO) via Power Automate later. Full notes: `clients/cascades-tucson/docs/proposals/kpi-dashboard.md`. Next: draft client one-pager.
- [Sync script bug — untracked files (RESOLVED)](project_sync_script_bug.md) — FIXED 2026-05-21: sync.sh now uses `git status --porcelain` for change detection (repo + vault).
- [MasterBooter Side Project](project_masterbooter.md) — Howard's Rust+Slint Windows deployment toolkit at C:\MasterBooter, separate from client work. Do not log to clients/.
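Review bot: the new "Cascades isolated-VLAN pattern" index entry summarises the rule set but drops the reason the memory file gives for "public DNS via DHCP" (the file states the 10.0.0.0/8 block would kill firewall DNS), so someone working from the index alone could "fix" DHCP to hand out the firewall as resolver and silently break name resolution on the VLAN. Suggest either adding that one clause in the parenthetical, e.g. "public DNS via DHCP (firewall DNS is cut off by the 10/8 block)", or trimming the entry to a pointer so the two copies of the rule list cannot drift apart.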
16
.claude/memory/project_cascades_isolated_vlan_pattern.md
Normal file
@@ -0,0 +1,16 @@
---
name: project_cascades_isolated_vlan_pattern
description: Cascades pfSense — the only isolated-VLAN template is the GUEST VLAN (VLAN50/igc1.50); VLAN20 is NOT isolated; verify with pfctl -sr not config.xml
metadata:
type: project
---
On the Cascades pfSense (`192.168.0.1`, Plus 25.07), the **template for an isolated VLAN is the GUEST VLAN (VLAN 50 / `igc1.50`)** — four `quick`, **Protocol=Any** interface rules: block -> `192.168.0.0/22`, block -> `10.0.0.0/8`, block -> `172.16.0.0/12`, then pass -> `any`; DHCP hands out **public DNS `8.8.8.8, 1.1.1.1`** (DNS resolves over the internet egress, NOT to the firewall — the 10.0.0.0/8 block would kill firewall DNS). No `RFC1918` alias exists; isolation uses literal CIDRs.
**VLAN 20 (Internal / `igc1.20`) is NOT isolated** — its only user rule is `opt238net -> lan`; all other traffic (incl. to internal) rides a floating `pass inet all` catch-all. Do not use VLAN 20 as an isolation template.
**Two traps, both burned time 2026-06-17:**
1. **config.xml lies** — it showed RFC1918 block rules on a friendly "opt239" that are NOT in the enforced ruleset (friendly-name/macro offset + inactive rules). **Always verify against the live enforced ruleset: `pfctl -sr | grep igc1.<vlan>`**, never trust the config-file rule dump alone.
2. **Protocol=Any is mandatory** on the block rules. A GUI build that sets Protocol=TCP leaves UDP (SIP/RTP/DNS) un-blocked to internal — it leaks via the floating `pass inet all`. pf prints port 53 as `domain`, not `53`.
**VOICE VLAN 30 (`igc1.30`/opt241, `10.0.30.0/24`)** was built 2026-06-17 to this exact pattern (cloud-PBX phones + Vertical LogMeIn desktop, HIPAA isolation). Scripted changes go via the pfSense PHP config API (`require config.inc; write_config(); filter_configure(); services_dhcpd_configure()`) — supported path, not config.xml surgery. Full runbook: `clients/cascades-tucson/docs/network/voice-vlan-cutover.md`. See [[howard-home-lan-shadow]] for VPN reach.
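Review bot: the block set in the first paragraph denies 192.168.0.0/22, 10.0.0.0/8 and 172.16.0.0/12, so only the first four /24s of 192.168.0.0/16 are covered; a guest host can still reach any 192.168.4.0 to 192.168.255.0 network pfSense routes, including anything reachable over the VPN the last paragraph points at, because the fourth rule is `pass -> any`. If that is deliberate because no such networks exist at Cascades, state it next to "No `RFC1918` alias exists"; otherwise widen the rule to 192.168.0.0/16 and confirm with the `pfctl -sr | grep igc1.50` check the second trap prescribes. Minor: the pfctl command in trap 1 uses the placeholder `igc1.<vlan>`, so give the concrete VOICE and GUEST forms in the last paragraph to make the runbook copy-pasteable.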