claudetools/clients/cascades-tucson/docs/network/firewall.md
Howard Enos 8d975c1b44 import: ingested 160 files from C:\Users\howar\Clients
Howard's personal MSP client documentation folder imported into shared
ClaudeTools repo via /import command. Scope:

Clients (structured MSP docs under clients/<name>/docs/):
- anaise       (NEW)  - 13 files
- cascades-tucson     - 47 files merged (existing had only reports/)
- dataforth           - 18 files merged (alongside incident reports)
- instrumental-music-center - 14 files merged
- khalsa       (NEW)  - 22 files, multi-site (camden, river)
- kittle       (NEW)  - 16 files incl. fix-pdf-preview, gpo-intranet-zone
- lens-auto-brokerage (NEW) - 3 files (name matches SOPS vault)
- _client_template    - 13-file scaffold for new clients

MSP tooling (projects/msp-tools/):
- msp-audit-scripts/ - server_audit.ps1, workstation_audit.ps1, README
- utilities/         - clean_printer_ports, win11_upgrade,
                       screenconnect-toolbox-commands

Credential handling:
- Extracted 1 inline password (Anaise DESKTOP-O8GF4SD / david)
  to SOPS vault: clients/anaise/desktop-o8gf4sd.sops.yaml
- Redacted overview.md with vault reference pattern
- Scanned all 160 files for keys/tokens/connection strings -
  no other credentials found

Skipped:
- Cascades/.claude/settings.local.json (per-machine config)
- Source-root CLAUDE.md (personal, claudetools has its own)
- scripts/server_audit.ps1 and workstation_audit.ps1 at source root
  (identical duplicates of msp-audit-scripts versions)

Memory updates:
- reference_client_docs_structure.md (layout, conventions, active list)
- reference_msp_audit_scripts.md (locations, ScreenConnect 80-char rule)

Session log: session-logs/2026-04-16-howard-client-docs-import.md

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-16 19:43:58 -07:00


Firewall Configuration

Device Info

  • Vendor/Model: Netgate pfSense
  • Firmware Version: 24.0
  • Hostname: pfsense.cascades.local
  • Management IP: 192.168.0.1 (LAN), 184.191.143.62 (WAN)
  • Management URL: https://192.168.0.1
  • HA Pair: No
  • SSH: Enabled
  • Timezone: America/Phoenix
  • System DNS: 8.8.8.8, 1.1.1.1
  • Crypto Hardware: AES-NI + Cryptodev
  • NIC Driver: igc (Intel i225/i226 series)

Physical Interfaces

| Interface | pfSense name | Zone/Name | IP Address | Subnet | Notes |
|---|---|---|---|---|---|
| igc0 | WAN | WAN | 184.191.143.62 | /30 | Primary Internet (static) |
| igc1 | LAN | LAN | 192.168.0.1 | /22 | Management / main LAN |
| igc1.20 | opt238 | INTERNAL | 10.0.20.1 | /24 | Infrastructure VLAN 20 |
| igc1.50 | GUEST | GUEST | 10.0.50.1 | /24 | Guest WiFi VLAN (added 2026-03-06) |
| igc1.999 | opt1 | 999GuruTestNet | 10.0.99.1 | /28 | Test/lab network |
| igc3 | opt240 | WANCOAX | DHCP | -- | Secondary WAN (coax backup) |

Gateways

| Name | Interface | Address | Protocol | Notes |
|---|---|---|---|---|
| WANGW | wan | 184.191.143.61 | IPv4 | DEFAULT GATEWAY |
| WANCOAX_DHCP | opt240 | dynamic | IPv4 | Backup WAN, monitor 8.8.8.8 |

Gateway Group: WAN_Group

  • Members: WAN_DHCP (Tier 1) + WANCOAX_DHCP (Tier 1). The static WAN gateway above is named WANGW, not WAN_DHCP; confirm the member name on the device.
  • Mode: both members sit on the same tier, which pfSense treats as load balancing across both WANs, not failover. If the coax link is meant as backup only, WANCOAX_DHCP belongs on a lower-priority tier (Tier 2).
  • Trigger level: Packet Loss or High Latency (recorded as "Download loss + latency")

Room VLAN Scheme

Each room gets its own VLAN and /28 subnet. The VLAN ID is the room number, and the subnet is 10.[floor].[room number within the floor].0/28 with the gateway at .1. Room 218, for example, is VLAN 218 on igc1.218, subnet 10.2.18.0/28, gateway 10.2.18.1.

Floor 1 (VLANs 101-149)

| Room | VLAN interface | Subnet | Gateway |
|---|---|---|---|
| 101 | igc1.101 | 10.1.1.0/28 | 10.1.1.1 |
| 102 | igc1.102 | 10.1.2.0/28 | 10.1.2.1 |
| 103 | igc1.103 | 10.1.3.0/28 | 10.1.3.1 |
| 104 | igc1.104 | 10.1.4.0/28 | 10.1.4.1 |
| 105 | igc1.105 | 10.1.5.0/28 | 10.1.5.1 |
| 106 | igc1.106 | 10.1.6.0/28 | 10.1.6.1 |
| 107 | igc1.107 | 10.1.7.0/28 | 10.1.7.1 |
| 108 | igc1.108 | 10.1.8.0/28 | 10.1.8.1 |
| 109 | igc1.109 | 10.1.9.0/28 | 10.1.9.1 |
| 110 | igc1.110 | 10.1.10.0/28 | 10.1.10.1 |
| 111 | igc1.111 | 10.1.11.0/28 | 10.1.11.1 |
| 112 | igc1.112 | 10.1.12.0/28 | 10.1.12.1 |
| 115 | igc1.115 | 10.1.15.0/28 | 10.1.15.1 |
| 116 | igc1.116 | 10.1.16.0/28 | 10.1.16.1 |
| 117 | igc1.117 | 10.1.17.0/28 | 10.1.17.1 |
| 118 | igc1.118 | 10.1.18.0/28 | 10.1.18.1 |
| 119 | igc1.119 | 10.1.19.0/28 | 10.1.19.1 |
| 120 | igc1.120 | 10.1.20.0/28 | 10.1.20.1 |
| 121 | igc1.121 | 10.1.21.0/28 | 10.1.21.1 |
| 122 | igc1.122 | 10.1.22.0/28 | 10.1.22.1 |
| 123 | igc1.123 | 10.1.23.0/28 | 10.1.23.1 |
| 124 | igc1.124 | 10.1.24.0/28 | 10.1.24.1 |
| 125 | igc1.125 | 10.1.25.0/28 | 10.1.25.1 |
| 126 | igc1.126 | 10.1.26.0/28 | 10.1.26.1 |
| 127 | igc1.127 | 10.1.27.0/28 | 10.1.27.1 |
| 128 | igc1.128 | 10.1.28.0/28 | 10.1.28.1 |
| 129 | igc1.129 | 10.1.29.0/28 | 10.1.29.1 |
| 130 | igc1.130 | 10.1.30.0/28 | 10.1.30.1 |
| 131 | igc1.131 | 10.1.31.0/28 | 10.1.31.1 |
| 132 | igc1.132 | 10.1.32.0/28 | 10.1.32.1 |
| 133 | igc1.133 | 10.1.33.0/28 | 10.1.33.1 |
| 134 | igc1.134 | 10.1.34.0/28 | 10.1.34.1 |
| 135 | igc1.135 | 10.1.35.0/28 | 10.1.35.1 |
| 136 | igc1.136 | 10.1.36.0/28 | 10.1.36.1 |
| 137 | igc1.137 | 10.1.37.0/28 | 10.1.37.1 |
| 138 | igc1.138 | 10.1.38.0/28 | 10.1.38.1 |
| 140 | igc1.140 | 10.1.40.0/28 | 10.1.40.1 |
| 142 | igc1.142 | 10.1.42.0/28 | 10.1.42.1 |
| 143 | igc1.143 | 10.1.43.0/28 | 10.1.43.1 |
| 144 | igc1.144 | 10.1.44.0/28 | 10.1.44.1 |
| 145 | igc1.145 | 10.1.45.0/28 | 10.1.45.1 |
| 146 | igc1.146 | 10.1.46.0/28 | 10.1.46.1 |
| 147 | igc1.147 | 10.1.47.0/28 | 10.1.47.1 |
| 148 | igc1.148 | 10.1.48.0/28 | 10.1.48.1 |
| 149 | igc1.149 | 10.1.49.0/28 | 10.1.49.1 |

Missing rooms on Floor 1: 113, 114, 139, 141

Floor 2 (VLANs 201-249)

  • Pattern: 10.2.[room].0/28
  • Rooms: 201-212, 215-238, 240-249
  • Missing: 213, 214, 239

Floor 3 (VLANs 301-350)

  • Pattern: 10.3.[room].0/28
  • Rooms: 301-312, 315-350
  • Missing: 313, 314
  • Note: a Room339 interface exists but may NOT be enabled (see Notes)

Floor 4 (VLANs 401-449)

  • Pattern: 10.4.[room].0/28
  • Rooms: 401-412, 415-449
  • Missing: 413, 414

Floor 5 (VLANs 501-522)

  • Pattern: 10.5.[room].0/28
  • Rooms: 501-512, 514-522
  • Missing: 513

Floor 6 (VLANs 603-631)

  • Pattern: 10.6.[room].0/28
  • Rooms: 603-631
  • Missing: 601, 602
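An added example (not part of the client documentation, and not pfSense's own tooling) that turns the room scheme above into a check: it derives the expected VLAN interface, /28 and usable DHCP pool for a room from its number, then audits a pfSense config.xml export against that, catching the two kinds of drift recorded in the Notes at the end of this page (an interface without its enable tag, and a DHCP range end outside the /28). The config.xml layout it reads (per-interface `<if>`, `<descr>`, `<enable>`, `<ipaddr>`, `<subnet>` elements, and `<dhcpd>` scopes keyed by the same optN name with `<range><from>`/`<to>`) is how pfSense stores these settings as far as I know; the sample config, its optN numbers and the wrong Room218 range end are constructed for illustration, not taken from the device.

```python
"""Audit pfSense room interfaces and DHCP scopes against the 10.[floor].[room].0/28 scheme."""
import ipaddress
import re
import xml.etree.ElementTree as ET

ROOM_RE = re.compile(r"^Room(\d{3})$")


def expected_room(room: int) -> dict:
    """What the scheme implies for a room: VLAN id = room number on igc1,
    subnet 10.<floor>.<room within floor>.0/28, gateway .1, DHCP pool .2-.14."""
    floor, idx = divmod(room, 100)
    net = ipaddress.ip_network(f"10.{floor}.{idx}.0/28")
    hosts = list(net.hosts())   # .1 through .14
    return {
        "if": f"igc1.{room}",
        "net": net,
        "gateway": hosts[0],
        "dhcp_from": hosts[1],
        "dhcp_to": hosts[-1],   # .14, the value the Room218 fix set the range end to
    }


def audit_config(xml_text: str) -> list:
    """One finding per deviation from the scheme; an empty list means every room matches."""
    root = ET.fromstring(xml_text)
    dhcpd = root.find("dhcpd")
    findings = []
    for iface in root.find("interfaces"):
        match = ROOM_RE.match(iface.findtext("descr", ""))
        if not match:
            continue                      # WAN, LAN, INTERNAL, GUEST etc. are not rooms
        room = int(match.group(1))
        want = expected_room(room)
        tag = f"Room{room}"
        if iface.find("enable") is None:  # pfSense marks an enabled interface with an empty <enable/>
            findings.append(f"{tag}: interface {iface.tag} has no <enable> tag, VLAN is not active")
        if iface.findtext("if") != want["if"]:
            findings.append(f"{tag}: bound to {iface.findtext('if')}, expected {want['if']}")
        got = ipaddress.ip_interface(f"{iface.findtext('ipaddr')}/{iface.findtext('subnet')}")
        if got.network != want["net"] or got.ip != want["gateway"]:
            findings.append(f"{tag}: address {got} does not match expected {want['gateway']}/28")
        scope = dhcpd.find(iface.tag) if dhcpd is not None else None
        if scope is None or scope.find("enable") is None:
            findings.append(f"{tag}: no enabled DHCP scope for {iface.tag}")
            continue
        lo = ipaddress.ip_address(scope.findtext("range/from"))
        hi = ipaddress.ip_address(scope.findtext("range/to"))
        if not (want["dhcp_from"] <= lo <= hi <= want["dhcp_to"]):
            findings.append(
                f"{tag}: DHCP range {lo}-{hi} is outside the usable pool "
                f"{want['dhcp_from']}-{want['dhcp_to']}"
            )
    return findings


# Constructed config.xml excerpt (optN numbers invented; Room218's range end deliberately wrong).
SAMPLE_CONFIG = """<pfsense>
  <interfaces>
    <opt2><if>igc1.101</if><descr>Room101</descr><enable></enable><ipaddr>10.1.1.1</ipaddr><subnet>28</subnet></opt2>
    <opt118><if>igc1.218</if><descr>Room218</descr><enable></enable><ipaddr>10.2.18.1</ipaddr><subnet>28</subnet></opt118>
    <opt187><if>igc1.339</if><descr>Room339</descr><ipaddr>10.3.39.1</ipaddr><subnet>28</subnet></opt187>
  </interfaces>
  <dhcpd>
    <opt2><enable></enable><range><from>10.1.1.2</from><to>10.1.1.14</to></range></opt2>
    <opt118><enable></enable><range><from>10.2.18.2</from><to>10.2.18.30</to></range></opt118>
    <opt187><enable></enable><range><from>10.3.39.2</from><to>10.3.39.14</to></range></opt187>
  </dhcpd>
</pfsense>
"""

if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print(finding)
```

Run it against a real export (Diagnostics > Backup & Restore, or /conf/config.xml over SSH) by passing the file contents to `audit_config`; it only reads the file, so it is safe to run against the live config.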

Firewall Rules

Floating Rules (apply to all/multiple interfaces)

| # | Action | Interface | Protocol | Source | Destination | Description |
|---|---|---|---|---|---|---|
| 1 | PASS | openvpn | IPv4 | any | any | OpenVPN pass-all |
| 2 | PASS | any | ICMP | any | any | Allow all ICMP |
| 3 | PASS | All_Networks | TCP/UDP | any | any:53 | All Networks DNS Allow |
| 4 | PASS | any | IPv4 | any | any | Allow all IPv4 (permissive) |
| 5 | BLOCK | wan | IPv4+IPv6 | NOT lanip | (self) | Block external access to firewall |

Evaluation order matters for these. pfSense processes floating rules before interface-group and interface rules, but a floating rule only decides a packet at that point if Quick is set; without Quick it is a last-match rule that any matching interface rule (interface-tab rules are always quick) overrides. Whether Quick is set on #1-#5 is not recorded here. If #4 is Quick it passes every IPv4 packet on every interface, including WAN, before #5 and before any interface ruleset below is consulted, so check the Quick flag on the device before relying on any interface rule in this document.

WAN Rules

| # | Action | Protocol | Source | Destination | Port | Description |
|---|---|---|---|---|---|---|
| 1 | PASS | UDP | any | wanip | 1194 | OpenVPN IT Staff |
| 2 | BLOCK | IPv4 | NOT All_Networks | (self) | any | Block ext access to FW |

LAN Rules

| # | Action | Protocol | Source | Destination | Gateway | Description |
|---|---|---|---|---|---|---|
| 1 | PASS | IPv4 | INTERNAL net | LAN net | WAN_Group | INTERNAL to LAN via WAN_Group |
| 2 | PASS | IPv4 | LAN net | any | WAN_Group | Default LAN to any |
| 3 | PASS | IPv6 | LAN net | any | -- | Default LAN IPv6 to any |

INTERNAL (VLAN 20) Rules

| # | Action | Protocol | Source | Destination | Description |
|---|---|---|---|---|---|
| 1 | PASS | IPv4 | INTERNAL net | LAN net | INTERNAL to LAN access |

INTERNAL has no pass-to-any rule of its own; its internet access today comes entirely from floating rule #4.

GUEST (VLAN 50) Rules — ADDED 2026-03-06

| # | Action | Protocol | Source | Destination | Description |
|---|---|---|---|---|---|
| 1 | BLOCK | IPv4 | GUEST subnet | 192.168.0.0/22 | Block Guest to LAN |
| 2 | BLOCK | IPv4 | GUEST subnet | 10.0.0.0/8 | Block Guest to private 10.x |
| 3 | BLOCK | IPv4 | GUEST subnet | 172.16.0.0/12 | Block Guest to private 172.x |
| 4 | PASS | IPv4 | GUEST subnet | any | Guest internet access |

Two things to check in this set. Rule 1 covers only the LAN /22, so the rest of 192.168.0.0/16, including the OpenVPN tunnel network 192.168.10.0/28, is not blocked and falls through to rule 4; blocking 192.168.0.0/16 (or the built-in private-networks alias) closes that. Rule 2 also matches the guest gateway itself, since 10.0.50.1 is inside 10.0.0.0/8, so if the guest DHCP scope hands out 10.0.50.1 as DNS, resolution depends on an earlier rule passing it (floating rule #3, if GUEST is a member of All_Networks and the rule is Quick, or floating #4). Test DNS from a guest client again once floating #4 is replaced.

Room130 Rules

| # | Action | Protocol | Notes |
|---|---|---|---|
| 1 | PASS | TCP | DISABLED |

NAT

  • Port Forwards: None
  • Outbound NAT: Automatic mode (480 auto-generated rules covering all subnets)

VPN - OpenVPN Server

| Setting | Value |
|---|---|
| Description | IT Staff |
| Mode | TLS + User Auth (server_tls_user) |
| Auth Backend | Local Database |
| Protocol | UDP4 |
| Listen Port | 1194 |
| Interface | WAN |
| Tunnel Network | 192.168.10.0/28 |
| Pushed Local Network | 192.168.0.0/22 |
| Pushed DNS Server | 192.168.0.1 |
| CA | CascadesVPN 25 |
| Ciphers | AES-256-GCM, AES-128-GCM, CHACHA20-POLY1305 |
| DH Length | 2048 |
| Digest | SHA256 |
| Topology | Subnet |
| Client-to-Client | Yes |
| Compression | Not allowed |
| Keepalive | 10s / 60s timeout |
| Inactive Timeout | 300s |

The tunnel network is a /28 in subnet topology: the server takes .1, which leaves room for at most 13 concurrently connected clients. Floating rule #1 passes everything arriving on the openvpn interface and client-to-client is on, so any authenticated IT-staff user can reach every internal network (not just the pushed 192.168.0.0/22) and every other connected VPN client. If that is wider than intended, replace the pass-all with rules scoped to the networks staff actually need and turn client-to-client off.

Interface Groups

| Group Name | Members | Purpose |
|---|---|---|
| ResidentsGroup | All room interfaces (opt2-opt237) | All resident room VLANs |
| All_Networks | LAN + opt1-opt238 | Every internal interface |
| Wan_Group_Inter | wan + opt240 | Both WAN interfaces |

pfSense Users

| Username | Role | Group |
|---|---|---|
| admin | System Admin | admins |
| Howard | User | admins |
| sysadmin | User | admins |
| rturner | User | -- |

Migration Plan — Firewall Changes (Phase 1.3)

See migration/phase1-network.md for full runbook.

Aliases Created (on pfSense as of 2026-03-09)

| Alias | Type | Members | Status |
|---|---|---|---|
| Server_IPs | Host(s) | 192.168.2.254 | CREATED |
| NAS_IP | Host(s) | 192.168.0.120 | CREATED |

Deleted (not needed): Printer_IPs, AD_Ports, Print_Ports — printers moving to INTERNAL VLAN (same subnet as PCs, no firewall rules needed between them). RFC1918 not created — using built-in _private4_ alias instead.

Migration Approach (revised 2026-03-09)

Instead of building scoped INTERNAL→LAN rules for a transitional state, the plan is:

  1. Move staff PCs to CSCNet WiFi (INTERNAL VLAN 20, 10.0.20.x)
  2. Move printer switch ports to VLAN 20 — printers get new 10.0.20.x IPs
  3. During migration, old permissive rules keep both networks talking freely
  4. After all devices migrated: create scoped INTERNAL → server-only rules, then lock down

Post-Migration INTERNAL Rules (to create after all devices on VLAN 20)

| # | Action | Protocol | Source | Destination | Dest Port | Description |
|---|---|---|---|---|---|---|
| 1 | PASS | TCP/UDP | INTERNAL net | Server_IPs | 53,88,135,389,445,464,636,3268,3269,5985,9389 | AD/DNS/SMB to DC |
| 2 | PASS | TCP | INTERNAL net | Server_IPs | 3389 | RDP to server |
| 3 | PASS | TCP | INTERNAL net | NAS_IP | 445,5000,5001 | Synology access |
| 4 | PASS | ICMP | INTERNAL net | LAN net | any | Ping diagnostics |
| 5 | BLOCK | IPv4 | INTERNAL net | private4 | any | Block other private (LOG) |
| 6 | PASS | IPv4 | INTERNAL net | any | any | Internet access |

Before creating rule 1 as listed, note that TCP 135 is only the RPC endpoint mapper: a domain-joined client then connects to a dynamically assigned port on the DC (TCP 49152-65535 by default on Windows Server 2008 and later) for RPC-based operations such as group policy and Netlogon, so rule 1 alone will break parts of domain membership. Either add that dynamic range to rule 1 or pin the DC's RPC port range and allow the pinned range. NTP (UDP 123) to the DC is also missing and is needed for Kerberos clock sync. Rule 5 must stay above rule 6: pfSense interface rules are first-match, so swapping them would pass everything.

New GUEST VLAN Rules (Phase 1.1)

| # | Action | Source | Destination | Description |
|---|---|---|---|---|
| 1 | BLOCK | GUEST net | 192.168.0.0/22 | Block Guest to LAN |
| 2 | BLOCK | GUEST net | 10.0.0.0/8 | Block Guest to private |
| 3 | BLOCK | GUEST net | 172.16.0.0/12 | Block Guest to private |
| 4 | PASS | GUEST net | any | Guest internet |

Floating Rule #4 Change

Replace "PASS any/any on ANY interface" with:

  • PASS | ResidentsGroup | IPv4 | any → ! private4 | "Rooms internet only"

Sequencing: INTERNAL and the test network currently reach the internet only because floating rule #4 passes everything (GUEST has its own pass rule). INTERNAL does not get one until the post-migration rules above are created, so create at least the "Internet access" rule on INTERNAL before disabling #4, or INTERNAL loses internet. Room DHCP keeps working because pfSense adds its own DHCP server rules, but "! private4" excludes the room gateway at 10.x, so room DNS to the gateway is passed only by floating rule #3 (rooms are members of All_Networks); keep #3 in place.

Rollback: Re-enable old floating rule #4 (disable first, don't delete).
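An added example, not from the client documentation or from pfSense, that models the first-match semantics of pfSense interface rules and runs the GUEST ruleset, the post-migration INTERNAL ruleset and the proposed room rule above through it. It assumes the built-in private-networks alias covers exactly the three RFC 1918 blocks, ignores floating and automatic rules, and uses constructed client addresses. The checks at the bottom are the ones I would want answered before cutover: that guests cannot reach the NAS, that the 192.168.0.0/22 block misses the 192.168.10.0/28 VPN tunnel network, that a guest's own gateway at 10.0.50.1 is caught by the 10.0.0.0/8 block, and that an AD client's RPC follow-up connection on a dynamic port is dropped by the post-migration INTERNAL rules.

```python
"""First-match walk-through of the GUEST, post-migration INTERNAL and room rulesets documented above."""
import ipaddress
from dataclasses import dataclass

# RFC 1918 space, standing in for pfSense's built-in private-network alias
# (assumption: that alias covers exactly these three blocks).
PRIVATE4 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SERVER_IPS = "192.168.2.254/32"   # Server_IPs alias
NAS_IP = "192.168.0.120/32"       # NAS_IP alias
LAN_NET = "192.168.0.0/22"
ANY = "0.0.0.0/0"


@dataclass
class Rule:
    action: str        # "pass" or "block"
    proto: str         # "any", "tcp", "udp", "tcp/udp" or "icmp"
    src: str           # source network in CIDR form
    dst: str           # CIDR, "any", "private4" or "!private4"
    ports: tuple = ()  # destination ports; empty means any port
    descr: str = ""


def _dst_ok(rule_dst, ip):
    if rule_dst == "any":
        return True
    if rule_dst in ("private4", "!private4"):
        is_private = any(ip in net for net in PRIVATE4)
        return is_private if rule_dst == "private4" else not is_private
    return ip in ipaddress.ip_network(rule_dst)


def _proto_ok(rule_proto, proto):
    if rule_proto == "any":
        return True
    if rule_proto == "tcp/udp":
        return proto in ("tcp", "udp")
    return rule_proto == proto


def evaluate(rules, src, dst, proto="tcp", port=None):
    """pfSense interface rules are first-match; falling off the end is the interface's
    implicit default deny.  Floating rules and the automatic DHCP/anti-lockout rules are
    deliberately not modelled, so the result is what the interface ruleset alone decides."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if s not in ipaddress.ip_network(rule.src):
            continue
        if not _dst_ok(rule.dst, d) or not _proto_ok(rule.proto, proto):
            continue
        if rule.ports and port not in rule.ports:
            continue
        return rule.action, rule.descr
    return "block", "implicit default deny"


GUEST_RULES = [
    Rule("block", "any", "10.0.50.0/24", LAN_NET, descr="Block Guest to LAN"),
    Rule("block", "any", "10.0.50.0/24", "10.0.0.0/8", descr="Block Guest to private 10.x"),
    Rule("block", "any", "10.0.50.0/24", "172.16.0.0/12", descr="Block Guest to private 172.x"),
    Rule("pass", "any", "10.0.50.0/24", "any", descr="Guest internet access"),
]

AD_PORTS = (53, 88, 135, 389, 445, 464, 636, 3268, 3269, 5985, 9389)
INTERNAL_POST_MIGRATION = [
    Rule("pass", "tcp/udp", "10.0.20.0/24", SERVER_IPS, AD_PORTS, "AD/DNS/SMB to DC"),
    Rule("pass", "tcp", "10.0.20.0/24", SERVER_IPS, (3389,), "RDP to server"),
    Rule("pass", "tcp", "10.0.20.0/24", NAS_IP, (445, 5000, 5001), "Synology access"),
    Rule("pass", "icmp", "10.0.20.0/24", LAN_NET, descr="Ping diagnostics"),
    Rule("block", "any", "10.0.20.0/24", "private4", descr="Block other private (LOG)"),
    Rule("pass", "any", "10.0.20.0/24", "any", descr="Internet access"),
]

# The proposed replacement for floating rule #4, seen from a single room VLAN.
ROOM_RULES = [Rule("pass", "any", ANY, "!private4", descr="Rooms internet only")]

if __name__ == "__main__":
    # Constructed hosts: a guest client, a staff PC on INTERNAL, a device in room 101.
    checks = [
        (GUEST_RULES, "10.0.50.23", "192.168.0.120", "tcp", 445),               # guest -> NAS
        (GUEST_RULES, "10.0.50.23", "192.168.10.5", "tcp", 22),                 # guest -> VPN client
        (GUEST_RULES, "10.0.50.23", "10.0.50.1", "udp", 53),                    # guest -> own gateway DNS
        (INTERNAL_POST_MIGRATION, "10.0.20.15", "192.168.2.254", "tcp", 389),   # LDAP to DC
        (INTERNAL_POST_MIGRATION, "10.0.20.15", "192.168.2.254", "tcp", 49152), # RPC dynamic port
        (ROOM_RULES, "10.1.1.5", "10.1.2.5", "tcp", 445),                       # room 101 -> room 102
    ]
    for rules, src, dst, proto, port in checks:
        print(f"{src} -> {dst} {proto}/{port}: {evaluate(rules, src, dst, proto, port)}")
```

Extend the rule lists as the live rulesets change and re-run the checks; the point is to have the intended allow/deny matrix written down and testable before it is typed into the GUI, not to replace `pfctl -sr` on the box.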

Kitchen iPad Isolation (Phase 1.1b — after thermal printer inventory)

Kitchen iPads (9 units) are food-service only — NOT medical. Restrict to kitchen thermal printers only to prevent lateral movement into PHI networks.

| # | Action | Source | Dest | Description |
|---|---|---|---|---|
| 1 | BLOCK | Kitchen_iPads | Server_IPs | Block kitchen to servers |
| 2 | BLOCK | Kitchen_iPads | NAS_IP | Block kitchen to NAS |
| 3 | PASS | Kitchen_iPads | Kitchen_Printers | Allow kitchen to thermal printers |
| 4 | PASS | Kitchen_iPads | any (80,443) | Allow internet for app updates |

Rule 4 with destination "any" also passes 80/443 to every private host that rules 1 and 2 do not name (printer web UIs, devices on other VLANs); use "! private4" as its destination so it is internet-only, leaving rule 3 as the only path to anything internal.

Blocked on: Kitchen thermal printer inventory (need IPs/MACs from onsite visit). The MAC addresses of all 9 iPads are needed as well, but for DHCP static mappings rather than for the alias: pfSense firewall aliases hold IPs, networks and ports, not MAC addresses, so each iPad gets a fixed IP via a static mapping and those IPs populate Kitchen_iPads. A static mapping is a convenience, not an identity control; a device that spoofs an iPad's MAC gets the same IP and the same rules.

CSC ENT → CSCNet Migration (LAN → INTERNAL coexistence)

Many staff machines are still on CSC ENT (native LAN, 192.168.0.0/22). During migration, devices on LAN must be able to reach devices on INTERNAL (10.0.20.0/24) by name and IP, and vice versa. INTERNAL→LAN is passed by rule 1 on the INTERNAL interface. LAN→INTERNAL still needs to be verified: LAN rule 2 ("Default LAN to any") has gateway WAN_Group set, so it is a policy-routing rule, and pfSense only exempts directly connected networks such as 10.0.20.0/24 from policy routing through its automatic negate rules, which exist as long as "Disable Negate rules" (System > Advanced > Firewall & NAT) is left unchecked. Confirm that setting, then test from a LAN host (ping and a name lookup of a 10.0.20.x device). Once all devices are migrated to CSCNet/INTERNAL, the CSC ENT SSID can be removed.

Quick Fixes

  • Delete the disabled Room 130 rule (dead configuration)
  • Delete "INTERNAL net to LAN net PASS" from the LAN rules: traffic from INTERNAL enters the firewall on the INTERNAL interface, so a rule on the LAN interface with that source never matches; the working INTERNAL→LAN pass is rule 1 on INTERNAL

Notes

  • This is a large multi-tenant residential property (6 floors, ~236 rooms)
  • Each room is isolated on its own /28 VLAN (16 addresses, 14 usable; .1 is the gateway, leaving .2-.14 for devices)
  • Floating rule #4 passes ALL IPv4 on any interface - very permissive (to be replaced)
  • No port forwards configured
  • No IPsec VPN
  • No static routes
  • RFC1918 alias was NOT created (documented in error). Using built-in _private4_ alias instead.
  • Server_IPs and NAS_IP aliases created 2026-03-09. Printer_IPs, AD_Ports, Print_Ports created then deleted — not needed since printers are moving to INTERNAL VLAN.
  • Room339 may not be enabled (missing enable tag)
  • Room218 DHCP scope misconfigured FIXED 2026-03-07 — range end changed to 10.2.18.14