From e3bb7d3f95829452fb615e1da435c2ecd057c419 Mon Sep 17 00:00:00 2001 From: Howard Enos Date: Tue, 16 Jun 2026 14:11:33 -0700 Subject: [PATCH] =?UTF-8?q?unifi-wifi:=20pfSense=20compat=20layer=20ON=20H?= =?UTF-8?q?OLD=20=E2=80=94=20Cascades=20pfSense=20too=20old=20for=20RESTAP?= =?UTF-8?q?I=20pkg,=20needs=20upgrade=20first?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-Authored-By: Claude Opus 4.8 (1M context) --- .claude/skills/unifi-wifi/SKILL.md | 4 +++- .../skills/unifi-wifi/references/ROADMAP.md | 22 ++++++++++++++----- 2 files changed, 19 insertions(+), 7 deletions(-) diff --git a/.claude/skills/unifi-wifi/SKILL.md b/.claude/skills/unifi-wifi/SKILL.md index 3205ce1..5d0f60c 100644 --- a/.claude/skills/unifi-wifi/SKILL.md +++ b/.claude/skills/unifi-wifi/SKILL.md @@ -43,7 +43,9 @@ path is Cascades — override with the script's vault-path arg per client. to ride out transient VPN flaps without wasting a sweep. - **[WIP] Client DHCP/DNS policy, deeper VPN (server) config, adoption *remediation* depth** — port-forward + WAN firewall is now covered (gw-control); remaining gateway config (VPN server stand-up, DHCP/DNS) is future. -- **[SCAFFOLDED] pfSense gateway compatibility layer** — `scripts/pfsense-backend.sh` (REST API pkg backend). +- **[SCAFFOLDED — ON HOLD] pfSense gateway compatibility layer** — `scripts/pfsense-backend.sh` (REST API pkg backend). + ON HOLD (Howard 2026-06-16): the RESTAPI package needs a newer pfSense than Cascades runs — **blocked on a + pfSense upgrade** before any live use. Code is complete; see ROADMAP §E "BLOCKER / Resume trigger". `gw-audit.sh`/`gw-control.sh` now **auto-dispatch** to it when a site has no UniFi gateway (num_gw=0) AND a pfSense API cred is vaulted at `clients//pfsense-api` (or pass `--pfsense ` when the UOS site name differs from the client slug) — the SAME verbs (`gw-audit`, `pf-list/disable/enable/set-ports`, 
diff --git a/.claude/skills/unifi-wifi/references/ROADMAP.md b/.claude/skills/unifi-wifi/references/ROADMAP.md index be78dce..4ae90f6 100644 --- a/.claude/skills/unifi-wifi/references/ROADMAP.md +++ b/.claude/skills/unifi-wifi/references/ROADMAP.md 
@@ -119,12 +119,22 @@ exists for at least two sites; per-client pfSense cred vaulting mirrors the AP-S collectors). DONE: writes are `--apply`-gated and save a per-object rollback to `.claude/tmp/`, and pfSense `firewall/apply` is called after each change. config.xml backup-first is the SSH-fallback's job. -**STATUS: SCAFFOLDED — live validation pending.** Build complete (backend + dispatch + setup helper); -the BLOCKED/setup/no-cred-hint paths are tested. The live REST calls (audit/pf-*/fw-*/block-ips) need a -reachable pfSense with the API pkg installed + a key vaulted; REST endpoint paths follow the v2 schema and -must be verified against the installed API version on first live run. Cascades + ACG office have pfSense -web creds vaulted (`clients/cascades-tucson/pfsense-firewall`, `infrastructure/pfsense-firewall`) — still -need the API key added at `clients//pfsense-api`. +**STATUS: SCAFFOLDED — ON HOLD (blocked on pfSense upgrade).** Build complete (backend + dispatch + +setup helper); the BLOCKED/setup/no-cred-hint paths are tested. The live REST calls +(audit/pf-*/fw-*/block-ips) need a reachable pfSense with the API pkg installed + a key vaulted; REST +endpoint paths follow the v2 schema and must be verified against the installed API version on first live run. + +**[BLOCKER — Howard 2026-06-16]** `pfSense-pkg-RESTAPI` is third-party and the **Cascades pfSense is too +old to install it**. PREREQUISITE: **upgrade the Cascades pfSense** (firmware) before the package will +install. Work is ON HOLD until that upgrade is done. After the upgrade: install RESTAPI → mint a read-only +key (write-capable for control) → `pfsense-backend.sh clients/cascades-tucson/pfsense-api setup` → +vault url+apikey at `clients/cascades-tucson/pfsense-api` → first live `gw-audit cascades` to verify +v2 endpoints. (Also blocked from Howard-Home by the `.0.0/24` home-LAN shadow over pfSense `192.168.0.1` — +run the first live validation from/through the Cascades network.) 
ACG office pfSense (`infrastructure/ +pfsense-firewall`) may be a newer box usable as the first live test once it has the pkg + a vaulted key. + +**Resume trigger:** Cascades (or another client) pfSense upgraded + RESTAPI installable. The code is done; +resuming = the setup/vault steps above + endpoint verification, no further build expected unless v2 paths differ. - [ ] **Site→gateway map:** record per-site gateway type + access (UOS site_id ↔ pfSense host/cred) so the driver auto-selects. Could live alongside `sites.sh` output. - [ ] **VPN convergence:** the "Deeper VPN — gateway-hosted VPN server" item (C) is *easier and better* on
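Review bot: In the SKILL.md hunk, the new ON HOLD sentence says the pfSense backend is blocked "before any live use", yet the unchanged text immediately after it still says `gw-audit.sh`/`gw-control.sh` auto-dispatch to `scripts/pfsense-backend.sh` whenever a site has num_gw=0 and a `pfsense-api` cred is vaulted, and nothing in the hold gates that dispatch. Until the v2 endpoint paths have been verified against a live install, either state explicitly that no `pfsense-api` cred may be vaulted for any client yet, or add a disable switch so that a vaulted key cannot route `pf-*`/`fw-*` writes into an unvalidated backend. Also check the cross-reference "see ROADMAP §E 'BLOCKER / Resume trigger'": the ROADMAP hunk in this same patch adds a bolded `[BLOCKER — Howard 2026-06-16]` paragraph and a `Resume trigger:` line, but no "§E" label is visible there, so a reader following the pointer may not find it.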
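Review bot: In the ROADMAP hunk, the post-upgrade steps say "mint a read-only key (write-capable for control)" and then vault a single url+apikey at `clients/cascades-tucson/pfsense-api`; one key cannot be both, and because the backend is auto-dispatched from that one vault entry, the `--apply`-gated control verbs (`pf-*`/`fw-*`/`block-ips`) will run under whatever scope that single key carries. Spell out the split: a read-only key for `gw-audit`, and, only if control is wanted, a separate write-capable key in its own vault entry, so audit sweeps never hold write scope. Two documentation gaps in the same paragraph: the blocker says the Cascades pfSense is "too old" for `pfSense-pkg-RESTAPI` but records neither the version Cascades runs nor the minimum version the package requires, so the resume trigger "pfSense upgraded + RESTAPI installable" cannot be checked without re-trying the install; and "upgrade the Cascades pfSense (firmware)" describes a pfSense OS/package upgrade, so "firmware" is the wrong word. Since the package is third-party and is installed on the firewall itself, also record which RESTAPI release the v2 endpoint paths were written against, since the hunk already requires them to be "verified against the installed API version on first live run". Minor: the home-LAN prefix in "`.0.0/24` home-LAN shadow" is truncated and should be written out in full.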