sync: auto-sync from HOWARD-HOME at 2026-06-17 12:34:44

Author: Howard Enos
Machine: HOWARD-HOME
Timestamp: 2026-06-17 12:34:44
2026-06-17 12:34:53 -07:00
parent 05d5ed83ac
commit cabbc0eb6e
4 changed files with 35 additions and 13 deletions


@@ -1,7 +1,8 @@
# Cascades — Voice VLAN (VLAN 30) Cutover Runbook + Recon
- **Created:** 2026-06-16 (Howard-Home / claude-main)
- **Status:** APPROVED TO EXECUTE — Richard confirmed 2026-06-17 (go for VLAN build + device moves). Maintenance window still to be set for the live port flips.
- **Status:** APPROVED TO EXECUTE — Richard confirmed 2026-06-17. **pfSense PART A BUILT + VERIFIED 2026-06-17** (VLAN 30 iface `igc1.30`/opt241 @ `10.0.30.1/24`; DHCP `10.0.30.100-.250`, DNS `8.8.8.8/1.1.1.1`; 4 isolation rules enforced, verified via `pfctl -sr` to match the Guest VLAN exactly — any-proto quick blocks to 192.168.0.0/22 + 10.0.0.0/8 + 172.16.0.0/12, then pass any). **Remaining:** Part B (UniFi VOICE network + voice PPSK), then the live device moves in a maintenance window.
- **Gotcha caught 2026-06-17:** first GUI build set the rule Protocol to TCP — that leaves UDP (SIP/RTP/DNS) un-blocked to internal (leaks via the floating `pass inet all`). Isolation rules MUST be Protocol=Any. Fixed via the pfSense PHP config API.
## Vendor confirmation (Richard Turner, 2026-06-17) — materially simplifies the plan
Richard replied "we are good to start." Two confirmations change the runbook:
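Review bot: the Gotcha line (Protocol=Any) records the fix but not how to re-check it; because the correction went in through the pfSense PHP config API rather than the GUI, a later GUI save of those rules can quietly reset Protocol to TCP and reopen the UDP (SIP/RTP/DNS) leak to internal. Suggest pasting the four VOICE rule lines from `pfctl -sr` into this section next to the Guest VLAN's, so the next edit can diff against them instead of relying on "verified to match".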
@@ -18,8 +19,9 @@ Consolidate ALL voice gear (Poly WiFi phones + AudioCodes wired phones + Vertica
VOICE network: VLAN 30
Subnet/gateway: 10.0.30.0/24 gw 10.0.30.1 (pfSense igc1.30)
DHCP pool: 10.0.30.100 - 10.0.30.250
Reservations: below .100 (out of pool -> safe on both ISC and Kea)
Desktop: 10.0.30.10 (Vertical-Remote, e4:e7:49:52:3a:06) -> set NIC to DHCP
Reservations: NONE (2026-06-17 — Howard: desktop needs no static IP to connect; it's
a normal DHCP client like the phones; LogMeIn is name/agent-based)
Desktop: dynamic lease from the pool (Vertical-Remote, e4:e7:49:52:3a:06)
```
## Systems
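Review bot: dropping the `Reservations: below .100` line also drops the only stated reason the pool starts at `.100` (out-of-pool reservations are safe on both ISC and Kea). Now that no reservations are planned, either keep a one-line note that `.2-.99` is deliberately held back for future static mappings, or widen the pool, so a later editor does not have to guess. Minor: the new `Reservations: NONE (...)` entry is wrapped mid-sentence across two lines inside the fenced block; keep it on one line like the other entries.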
@@ -62,14 +64,15 @@ Probed from CS-SERVER (`192.168.2.254`, same LAN segment) — read-only.
1. **VLAN interface:** Interfaces -> VLANs -> Add: Parent `igc1`, Tag `30`, Desc `VOICE`.
2. **Assign + IP:** Interfaces -> Assignments -> add `igc1.30` -> Enable, Static `10.0.30.1/24`.
3. **DHCP:** Services -> DHCP Server -> VOICE: enable, range `10.0.30.100-.250`, DNS `10.0.30.1`.
4. **Reservation (desktop):** Static Mappings -> `e4:e7:49:52:3a:06` = `10.0.30.10`, hostname `Vertical-Remote`. (Phones optional — see Appendix; they stay reachable from the desktop on-subnet regardless.)
5. **Firewall (VOICE tab), top-to-bottom:**
- Alias `RFC1918` = `10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16`.
- (a) PASS: VOICE net -> This Firewall (10.0.30.1) ports 53, 123.
- (b) **CONDITIONAL** PASS: VOICE net -> `<on-prem PBX IP>` SIP/RTP/provisioning. **Recon says SKIP (cloud PBX); add only if Richard confirms an on-prem PBX.**
- (c) BLOCK: VOICE net -> `RFC1918`. (isolation)
- (d) PASS: VOICE net -> any. (internet)
3. **DHCP:** Services -> DHCP Server -> VOICE: enable, range `10.0.30.100-.250`, **DNS `8.8.8.8, 1.1.1.1`** (PUBLIC resolvers — must NOT be `10.0.30.1`; the isolation rules below block the firewall IP, and this matches how the Guest VLAN already resolves DNS).
4. **Reservation: SKIP (2026-06-17).** Desktop needs no static IP to connect (LogMeIn is name/agent-based) — it takes a normal pool lease like the phones, and reaches all phones on-subnet regardless. No static mappings needed for anything.
5. **Firewall (VOICE tab) — CLONE THE GUEST VLAN (VLAN 50 / igc1.50), verified 2026-06-17 as the only properly-isolated template.** Four interface rules, top-to-bottom (GUI interface rules are `quick` -> first match wins, so blocks bite before the internet pass). **No RFC1918 alias** — use literal CIDRs, matching the Guest convention:
- (1) BLOCK: VOICE subnets -> `192.168.0.0/22` (Block VOICE to LAN)
- (2) BLOCK: VOICE subnets -> `10.0.0.0/8` (Block VOICE to private 10.x — includes own subnet, but intra-subnet is L2-switched so desktop<->phones still work)
- (3) BLOCK: VOICE subnets -> `172.16.0.0/12` (Block VOICE to ACG mgmt)
- (4) PASS: VOICE subnets -> `any` (internet egress — cloud PBX + LogMeIn + public DNS)
- **No DNS/NTP-to-firewall rule** (would be blocked by rule 2 and isn't needed — DNS is public via DHCP). **No on-prem PBX pinhole** (cloud PBX). **DO NOT add VOICE to the `All_Networks` interface group** (Guest isn't in it; isolation depends on staying out).
- Corrects the earlier draft (DNS-to-firewall + RFC1918 alias) and the earlier wrong idea of cloning VLAN 20 — VLAN 20 is NOT isolated (only rule = opt238net->lan; everything else rides a floating `pass inet all`).
6. ~~**OpenVPN — reach desktop on VOICE, scoped to voice only**~~**NOT NEEDED (2026-06-17).** Vertical uses **LogMeIn** (outbound agent), not the pfSense OpenVPN, to reach the desktop. The desktop's internet egress on VOICE (rule (d)) is all LogMeIn requires. No CSO, no cert CN, no OpenVPN firewall rules for Vertical. (Howard's own OpenVPN access is unaffected.)
## PART B — UniFi (UOS controller)
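Review bot: step 6 still points at `rule (d)` for the desktop's internet egress, but the rewritten step 5 relabels the rules (1)-(4), so this should read `rule (4)`. One extra check for the new rule (2) (block to `10.0.0.0/8`): a DHCP renewal is a unicast to `10.0.30.1`, which that rule would otherwise catch; pfSense's auto-generated DHCP-server pass rules should sit ahead of the interface rules, but confirm it in the `pfctl -sr` output so unicast renewals are not dropped (clients would fall back to broadcast rebinding, but the drops would show up as noise in the firewall log).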
@@ -85,11 +88,11 @@ Probed from CS-SERVER (`192.168.2.254`, same LAN segment) — read-only.
1. Build everything with no live impact: pfSense VLAN/DHCP/firewall, OpenVPN CSO+rules, UniFi network, create the voice PPSK.
2. **AudioCodes:** flip USW-16-PoE ports 1-8 -> VOICE. Re-DHCP + re-register (brief blip).
3. **Poly:** re-key to voice PPSK. Roam onto VOICE.
4. **Desktop (zero-touch — DHCP, LogMeIn):** flip port 16 -> VOICE. Desktop re-DHCPs to `10.0.30.10` (its reservation). LogMeIn re-homes over internet egress automatically (no NIC change, no Vertical action needed). Brief blip only.
4. **Desktop (zero-touch — DHCP, LogMeIn):** flip port 16 -> VOICE. Desktop re-DHCPs to a `10.0.30.x` pool lease. LogMeIn re-homes over internet egress automatically (no NIC change, no static IP, no Vertical action needed). Brief blip only.
5. Confirm with Richard: LogMeIn reconnects to the desktop, and from the desktop he can reach the phones on `10.0.30.x`.
## Validation
- VOICE DHCP leases show phones on `10.0.30.x`; desktop on `10.0.30.10`.
- VOICE DHCP leases show phones AND the desktop on `10.0.30.x` (all dynamic).
- From desktop: reach several phones (Poly + AudioCodes).
- Isolation negative test: from VOICE, CANNOT reach CS-SERVER `192.168.2.254` or `10.0.20.x`.
- Phones registered / dial tone on a sample handset.
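Review bot: step 1 of the cutover order still lists `OpenVPN CSO+rules` in the no-live-impact build, which contradicts Part A step 6 (OpenVPN NOT NEEDED as of 2026-06-17); drop it from step 1. In Validation, the isolation negative test probes `192.168.2.254` and `10.0.20.x` but nothing in `172.16.0.0/12`, so rule (3) (VOICE -> ACG mgmt) goes untested; add one probe to a mgmt address, and a positive check that a handset resolves names via `8.8.8.8`/`1.1.1.1`, since DNS no longer goes through the firewall.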