# Dataforth — AOI / XP Optical-Tester VLAN + SMB1 Backup Share

**Date:** 2026-06-01

**Todo:** `37543f7f` (left OPEN during the session, network isolation incomplete; closed at billing once Mike waved off the optional hardening, see Billing)

**Mode:** infra

## User

- **User:** Howard Enos (howard)
- **Machine:** Howard-Home
- **Role:** tech

---

## Objective

Mike's request (relayed via Howard): the **AOI** machine (Automated Optical Inspection — photographs circuit boards for SMT production defects) dumps data to an **external drive on a Windows XP PC**. Isolate that XP PC on a VLAN and give it — and only it — a backup share on **D2TESTNAS**. XP is SMB1-only, so the target must speak SMB1; do **not** enable SMB1 on any modern server (security).

## What got done

### Backup share on D2TESTNAS (192.168.0.9) — COMPLETE

- D2TESTNAS verified to be **Debian 13 (trixie), Samba 4.22.6** (it was a Netgear ReadyNAS, since repurposed; wiki said CachyOS and vault said Netgear — both were stale, both corrected).
- SMB1 already enabled **globally** for the 64 DOS 6.22 stations (`server min protocol = CORE`, `ntlm auth = ntlmv1-permitted`), so the XP needed **no new SMB1 surface** — just a new share.
- Created `/data/aoi-backup` + share `[aoibackup]`:
  - `valid users = admin`, `hosts allow = 192.168.1.175`, `hosts deny = 0.0.0.0/0`, `browseable = no`, `force user = root`, writable. (`force user = root` means every file the XP writes is created as root on the NAS; a dedicated unprivileged owner for `/data/aoi-backup` would be the least-privilege choice.)
  - Samba account `admin` / password matches the XP's local login (set by Howard, per user request).
  - Credentials stored in vault: `clients/dataforth/d2testnas.sops.yaml → credentials.smb.aoi-user` (= `admin`) and `.aoi-password`. (Password is weak — acceptable only because the share is IP-locked + the account is shell-less and NAS-only. Note that `hosts allow` is only as strong as the switch-port/VLAN assignment: any device that obtains 192.168.1.175 on mydata passes it, leaving the password as the only other control. Revisit if the box ever leaves the segment.)
- **Verified:** XP mapped `Z: \\192.168.0.9\aoibackup` successfully (read/write works).

### Lateral-movement hardening on the NAS — COMPLETE

- The NAS's other shares (`test`, `datasheets`, `snapshots`) are wide-open **guest, writable**. The XP can reach the NAS, so it could also have written into the DOS `test` share → potential virus jump to the 64 DOS stations.
- Added `hosts deny = 192.168.1.175` to `test`, `datasheets`, `snapshots`. Blocks **only** the XP; DOS stations (192.168.0.x) unaffected. rsync daemon (873) already excludes the XP (`hosts allow = 192.168.0.0/24 172.16.0.0/12`).
- Net effect on the NAS: the XP can touch **only** `aoibackup`, and **only** the XP can write `aoibackup`. Containment is bidirectional at the NAS layer.

### VLAN — PARTIAL

- Decision changed mid-session: instead of a new isolated VLAN 50, the XP was placed on the **existing VLAN 2 "mydata"** (`192.168.1.0/24`). Howard moved **D2-Breakroom switch port 12** to mydata and rebooted; XP now at **192.168.1.175** (static, DNS = gateway 192.168.1.1).

## Network isolation — Mike's decision (2026-06-01)

Howard asked Mike about adding firewall rules. **Mike:** *"It's part of SMT, so it can see anything in SMT as far as I'm concerned."* → The AOI PC is a full SMT-VLAN citizen; **do NOT restrict it within mydata/SMT.** This also removes the risk of breaking the other SMT devices with VLAN-wide rules.

Observed before the decision: from the XP, `ping 192.168.0.27` (AD1) **succeeded** → mydata has open inter-VLAN routing to the main LAN. Mike's call covers SMT-internal exposure but does **not** explicitly bless the XP reaching the **company core** (192.168.0.0/24 servers) or the **internet**.

**Recommended (optional) hardening — scoped to the XP only, does NOT touch any other SMT device:**

1. ALLOW `192.168.1.175` → `192.168.0.9` TCP 445,139 (the backup path)
2. BLOCK `192.168.1.175` → `192.168.0.0/24` (company servers/workstations) — keeps an EOL XP off the domain controllers while leaving all of SMT open per Mike
3. BLOCK `192.168.1.175` → Internet/WAN (EOL box shouldn't browse)

(DNS still works — pointed at gateway 192.168.1.1, intra-VLAN.) Rule 1 must sit above rule 2 in the UDM rule order, since the NAS is inside 192.168.0.0/24 and a first-match block would swallow the backup path. These are leave-or-take; if Mike wants zero restrictions, skip them.
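Both containment layers, the per-share `hosts allow` / `hosts deny` on D2TESTNAS and the optional XP-scoped firewall rules, can be checked on paper before anything is clicked on the UDM. The script below is an added example, not part of these notes or the runbook: the smb.conf excerpt is constructed from the settings recorded above, the DOS-station and goldstar19 addresses are assumed (the notes do not give them), and the UDM rules are modelled as a first-match list rather than read from the controller.

```python
"""Containment model for the AOI XP (192.168.1.175) against D2TESTNAS (192.168.0.9): an added
illustration, not a tool from the runbook. Samba hosts allow/deny follows the documented
precedence (allow match wins, else a deny match refuses, else permit; a share-level list
overrides [global]); hostname entries, EXCEPT and the loopback case are not modelled."""
import ipaddress
from configparser import ConfigParser

XP, NAS, AD1, GATEWAY = "192.168.1.175", "192.168.0.9", "192.168.0.27", "192.168.1.1"
DOS_STATION = "192.168.0.50"  # assumed address of one DOS 6.22 station
GOLDSTAR = "192.168.1.20"     # assumed address of goldstar19 on mydata

# Constructed from the settings recorded in the notes; not the live smb.conf.
SMB_CONF = """
[global]
server min protocol = CORE
ntlm auth = ntlmv1-permitted
[aoibackup]
path = /data/aoi-backup
valid users = admin
hosts allow = 192.168.1.175
hosts deny = 0.0.0.0/0
force user = root
writable = yes
[test]
path = /data/test
guest ok = yes
hosts deny = 192.168.1.175
"""

def _in_list(ip, entries):
    """True if ip matches any entry: plain IP, CIDR, or Samba's ALL keyword."""
    addr = ipaddress.ip_address(ip)
    return any(e.upper() == "ALL" or addr in ipaddress.ip_network(e, strict=False)
               for e in entries)

def host_allowed(ip, share, cfg):
    """Samba hosts allow / hosts deny decision for one client on one share."""
    def lst(key):  # share-level value if set, else the [global] one, as tokens
        val = cfg.get(share, key, fallback=cfg.get("global", key, fallback=""))
        return val.replace(",", " ").split()
    allow, deny = lst("hosts allow"), lst("hosts deny")
    if not allow and not deny:
        return True
    if not deny:
        return _in_list(ip, allow)      # allow list only: whitelist
    if not allow:
        return not _in_list(ip, deny)   # deny list only: blacklist
    return _in_list(ip, allow) or not _in_list(ip, deny)

def share_access(ip, user, share, cfg):
    """Host check first, then valid users / guest ok (user=None = anonymous)."""
    if not host_allowed(ip, share, cfg):
        return False
    valid = cfg.get(share, "valid users", fallback="").replace(",", " ").split()
    if valid:
        return user in valid
    return cfg.getboolean(share, "guest ok", fallback=False) or user is not None

# (action, src, dst, proto, ports); dst "wan" means any non-private destination.
FW_RULES = [
    ("allow", XP, NAS, "tcp", {445, 139}),         # 1. backup path
    ("block", XP, "192.168.0.0/24", "any", None),  # 2. company LAN
    ("block", XP, "wan", "any", None),             # 3. internet
]

def fw_verdict(src, dst, proto, port, rules=FW_RULES):
    """First matching rule decides; no match = allow (mydata routes freely today)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, rsrc, rdst, rproto, rports in rules:
        if s not in ipaddress.ip_network(rsrc, strict=False):
            continue
        if rdst == "wan":
            if d.is_private:
                continue
        elif d not in ipaddress.ip_network(rdst, strict=False):
            continue
        if (rproto != "any" and rproto != proto) or (rports and port not in rports):
            continue
        return action
    return "allow"

def verify(conf=SMB_CONF, rules=FW_RULES):
    """The checks listed in the notes, plus the rule-ordering trap."""
    cfg = ConfigParser(interpolation=None)
    cfg.read_string(conf)
    swapped = [rules[1], rules[0], rules[2]]  # block-LAN placed above allow-NAS
    return {
        "xp_aoibackup": share_access(XP, "admin", "aoibackup", cfg),            # True
        "xp_test": share_access(XP, None, "test", cfg),                         # False
        "dos_test": share_access(DOS_STATION, None, "test", cfg),               # True
        "dos_aoibackup": share_access(DOS_STATION, "admin", "aoibackup", cfg),  # False
        "xp_smb_to_nas": fw_verdict(XP, NAS, "tcp", 445, rules),                # allow
        "xp_ping_ad1": fw_verdict(XP, AD1, "icmp", None, rules),                # block
        "xp_dns_gw": fw_verdict(XP, GATEWAY, "udp", 53, rules),                 # allow
        "xp_internet": fw_verdict(XP, "1.1.1.1", "tcp", 443, rules),            # block
        "goldstar_to_ad1": fw_verdict(GOLDSTAR, AD1, "tcp", 445, rules),        # allow
        "misordered_smb_to_nas": fw_verdict(XP, NAS, "tcp", 445, swapped),      # block
    }
```

`verify()` returns the matrix the notes claim: the XP reaches only `aoibackup`, a DOS station reaches `test` but not `aoibackup`, ping to AD1 is blocked while SMB to the NAS and DNS to the gateway pass, and goldstar19 is untouched because every rule carries the XP's address as source. The `misordered_smb_to_nas` entry is the caveat worth carrying to the UDM: with the company-LAN block above the NAS allow, the backup path itself is swallowed, so rule order has to be verified along with the `ping` / `net use` checks.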
These rules will NOT affect goldstar19 / DESKTOP-FT0T4MK / My9-PC / the SMT machines, since they target only 192.168.1.175.

## Why scope to the XP, not the VLAN — mydata is the live SMT line

VLAN 2 "mydata" is the **SMT production network**, not a spare. Active devices:

| Switch / Port | Device | MAC | Role |
|---|---|---|---|
| D2-Breakroom 12 | WinXPBE-724667 | …0f:17 | AOI PC (XP) 192.168.1.175 |
| D2-SMT 1 | (unnamed) | 00:90:fb:80:f0:c6 | SMT equipment (industrial) |
| D2-SMT 2 | goldstar19 | …68:9a | PC |
| D2-SMT 3 | (unnamed) | 00:80:79:05:23:f2 | SMT equipment |
| D2-SMT 5 | DESKTOP-FT0T4MK | …b6:ee | Windows desktop (GbE) |
| D2-SMT 7 | (unnamed) | 00:80:79:04:47:e7 | SMT equipment |
| D2-SMT 8 | My9-PC | …75:e0 | PC |
| D2-SMT 4 / SFP+1 / SFP+2 | — | — | empty |

A blanket mydata→LAN block could break the SMT PCs' access to servers (Sage, file shares) and the SMT machines' data flows. Hence: scope firewall rules to `192.168.1.175` only, and discuss broader SMT segmentation with Mike before touching VLAN-wide policy.

## Vault changes

- `clients/dataforth/d2testnas.sops.yaml`:
  - `os` corrected → "Debian 13 (trixie), Samba 4.22.6 — repurposed from Netgear ReadyNAS"
  - added `credentials.smb.aoi-user` = `admin`, `credentials.smb.aoi-password`, `credentials.smb.aoi-share`

## Open / Next

1. **DONE — Mike consulted.** Decision: XP stays open within SMT (no intra-SMT firewall rules).
2. **Optional, Howard/Mike to decide:** apply the 2 protective rules that don't affect SMT — block `192.168.1.175` → `192.168.0.0/24` (except the NAS) and → Internet. If approved, add on UDM with the NAS allow above the LAN block, then verify `ping 192.168.0.27` FAILs while `net use Z: \\192.168.0.9\aoibackup` still WORKs. Mike subsequently waved this off (see Billing); the rules and checks stay here in case it is revisited.
3. Confirm the share deny worked: `net use Q: \\192.168.0.9\test` should be DENIED (the earlier test used T:, which was already mapped — inconclusive).
4. Samba verbose auth logging lowered back to `log level = 1` on D2TESTNAS (done this session).
5. Todo `37543f7f`: core ask (VLAN placement + locked XP-only SMB1 share) COMPLETE. Was left open only pending the optional company-LAN/internet hardening decision; closed once Mike decided (see Billing).

## Billing

- Syncro ticket **#32361** (Dataforth Corp) created + invoiced. 1.0 hr **onsite** (`26118` @ $175) drawn from the prepaid block (40.0 -> **39.0**). Invoice **#67754** = $0.00 (prepaid applied). Customer-visible "Work Performed" note added. https://computerguru.syncromsp.com/tickets/111892822
- Todos `37543f7f` + follow-up `b52cc87e` both **closed** (Mike waved off the optional company-LAN/internet hardening — "it's part of SMT, so it can see anything in SMT").

## Reference

- Runbook: `clients/dataforth/docs/aoi-xp-vlan-backup-runbook.md`
- D2TESTNAS smb.conf backups: `/etc/samba/smb.conf.bak.*` (timestamped, per change)