# Step 7: Move Server & Printers to INTERNAL (LAST)

**This is the final network change.** Only after everything is stable on the transitional setup.

---

## 7a — Move printers to INTERNAL

For each printer:

1. Change switch port from native VLAN to VLAN 20 (INTERNAL) in UniFi
2. Set static IP in 10.0.20.x range (or keep LAN IP if reconfiguring server to LAN)
3. Update printer IP in CS-SERVER print server
4. Update pfSense alias `Printer_IPs` with new IPs
5. Test printing from all machines

**Do one printer at a time.** Verify printing works before moving the next one.

---

## 7b — Move CS-SERVER to INTERNAL (or re-address)

Options (decide closer to the time):

### Option A: Change CS-SERVER IP to 10.0.20.254

- Update NIC to 10.0.20.254/24, gateway 10.0.20.1
- Update DNS records (cascades.local zone)
- Update all GPOs referencing \\CS-SERVER (drive maps, printers, folder redirection)
- Update pfSense domain overrides
- Update DHCP DNS settings
- Most disruptive, but cleanest result

### Option B: Dual-home CS-SERVER

- Add a second NIC on INTERNAL (10.0.20.254)
- Keep existing LAN NIC (192.168.2.254)
- Less disruption, but dual-homed DCs can cause issues
- Need to configure DNS binding order correctly

### Option C: Leave as-is

- Server stays on LAN (192.168.2.254) permanently
- Firewall bridging continues to work
- Simplest, no disruption
- Fine if firewall performance is adequate

---

## 7c — Clean up firewall rules

After server/printers move (if choosing Option A or B):

- Remove INTERNAL → LAN bridging rules (no longer needed if everything is on INTERNAL)
- Remove NAS_IP alias rule (if Synology is backup-only and on LAN)
- Simplify to standard default-deny with internet access

If choosing Option C, keep the bridging rules as-is.

---

## Rollback

- Revert printer switch ports to native VLAN
- Revert printer static IPs to LAN addresses
- Update print server ports back to LAN IPs
- Revert CS-SERVER NIC configuration (if changed)
- Restore pfSense aliases
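
Step 7a changes four things per printer (switch port VLAN, static IP, print server port, `Printer_IPs` alias), and a rollback has to undo the same four. The Python check below is an added example, not part of the original runbook: it compares a hand-maintained inventory against the alias and reports anything left inconsistent, including stale alias entries that would keep a firewall rule open for an address that is no longer a printer. The printer names, host addresses and the inventory field names are constructed for illustration.

```python
import ipaddress

# INTERNAL range from step 7a (VLAN 20, 10.0.20.x); /24 matches Option A's mask.
INTERNAL = ipaddress.ip_network("10.0.20.0/24")

def audit_printers(printers, alias_ips, expected_net=INTERNAL, expected_vlan=20):
    """Compare the four places step 7a touches; return (name, problem) tuples."""
    alias = {ipaddress.ip_address(a) for a in alias_ips}
    findings, seen = [], set()
    for p in printers:
        ip = ipaddress.ip_address(p["printer_ip"])
        seen.add(ip)
        if p["switch_vlan"] != expected_vlan:
            findings.append((p["name"], f"switch port on VLAN {p['switch_vlan']}, expected {expected_vlan}"))
        if ip not in expected_net:
            findings.append((p["name"], f"static IP {ip} outside {expected_net}"))
        if ipaddress.ip_address(p["print_server_ip"]) != ip:
            findings.append((p["name"], f"print server port still points at {p['print_server_ip']}"))
        if ip not in alias:
            findings.append((p["name"], f"{ip} missing from Printer_IPs alias"))
    # Alias entries that match no printer keep firewall rules open for an
    # address that is no longer a printer.
    for stale in sorted(alias - seen):
        findings.append(("Printer_IPs", f"stale alias entry {stale}"))
    return findings

# Constructed inventory: names and host addresses are hypothetical.
SAMPLE_PRINTERS = [
    {"name": "PRN-1", "switch_vlan": 20, "printer_ip": "10.0.20.31", "print_server_ip": "10.0.20.31"},
    {"name": "PRN-2", "switch_vlan": 20, "printer_ip": "10.0.20.32", "print_server_ip": "192.168.2.32"},
    {"name": "PRN-3", "switch_vlan": "native", "printer_ip": "192.168.2.33", "print_server_ip": "192.168.2.33"},
]
SAMPLE_ALIAS = ["10.0.20.31", "10.0.20.32", "192.168.2.32", "192.168.2.33"]

if __name__ == "__main__":
    for name, problem in audit_printers(SAMPLE_PRINTERS, SAMPLE_ALIAS):
        print(f"{name}: {problem}")
```

To verify a rollback instead, pass the LAN network as `expected_net` and whatever value the inventory uses for the native VLAN as `expected_vlan`.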