claudetools/clients/cascades-tucson/docs/network/firewall.md
Howard Enos 8d975c1b44 import: ingested 160 files from C:\Users\howar\Clients
Howard's personal MSP client documentation folder imported into shared
ClaudeTools repo via /import command. Scope:

Clients (structured MSP docs under clients/<name>/docs/):
- anaise       (NEW)  - 13 files
- cascades-tucson     - 47 files merged (existing had only reports/)
- dataforth           - 18 files merged (alongside incident reports)
- instrumental-music-center - 14 files merged
- khalsa       (NEW)  - 22 files, multi-site (camden, river)
- kittle       (NEW)  - 16 files incl. fix-pdf-preview, gpo-intranet-zone
- lens-auto-brokerage (NEW) - 3 files (name matches SOPS vault)
- _client_template    - 13-file scaffold for new clients

MSP tooling (projects/msp-tools/):
- msp-audit-scripts/ - server_audit.ps1, workstation_audit.ps1, README
- utilities/         - clean_printer_ports, win11_upgrade,
                       screenconnect-toolbox-commands

Credential handling:
- Extracted 1 inline password (Anaise DESKTOP-O8GF4SD / david)
  to SOPS vault: clients/anaise/desktop-o8gf4sd.sops.yaml
- Redacted overview.md with vault reference pattern
- Scanned all 160 files for keys/tokens/connection strings -
  no other credentials found

Skipped:
- Cascades/.claude/settings.local.json (per-machine config)
- Source-root CLAUDE.md (personal, claudetools has its own)
- scripts/server_audit.ps1 and workstation_audit.ps1 at source root
  (identical duplicates of msp-audit-scripts versions)

Memory updates:
- reference_client_docs_structure.md (layout, conventions, active list)
- reference_msp_audit_scripts.md (locations, ScreenConnect 80-char rule)

Session log: session-logs/2026-04-16-howard-client-docs-import.md

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-16 19:43:58 -07:00


# Firewall Configuration
## Device Info
- Vendor/Model: Netgate pfSense
- Firmware Version: 24.0
- Hostname: pfsense.cascades.local
- Management IP: 192.168.0.1 (LAN), 184.191.143.62 (WAN)
- Management URL: https://192.168.0.1
- HA Pair: No
- SSH: Enabled
- Timezone: America/Phoenix
- System DNS: 8.8.8.8, 1.1.1.1
- Crypto Hardware: AES-NI + Cryptodev
- NIC Driver: igc (Intel i225/i226 series)
## Physical Interfaces
| NIC | pfSense Interface | Name | IP Address | Subnet | Notes |
|-----------|--------|----------------|--------------------|--------|--------------------------------|
| igc0 | WAN | WAN | 184.191.143.62 | /30 | Primary Internet (static) |
| igc1 | LAN | LAN | 192.168.0.1 | /22 | Management / main LAN |
| igc1.20 | opt238 | INTERNAL | 10.0.20.1 | /24 | Infrastructure VLAN 20 |
| igc1.50 | GUEST | GUEST | 10.0.50.1 | /24 | Guest WiFi VLAN (added 2026-03-06) |
| igc1.999 | opt1 | 999GuruTestNet | 10.0.99.1 | /28 | Test/lab network |
| igc3 | opt240 | WANCOAX | DHCP | -- | Secondary WAN (coax backup) |
## Gateways
| Name | Interface | Address | Protocol | Notes |
|--------------|-----------|-----------------|----------|---------------------------|
| WANGW | wan | 184.191.143.61 | IPv4 | **DEFAULT GATEWAY** |
| WANCOAX_DHCP | opt240 | dynamic | IPv4 | Backup WAN, monitor 8.8.8.8 |
## Gateway Group: WAN_Group
- Members: WAN_DHCP (Tier 1) + WANCOAX_DHCP (Tier 1)
- Mode: Load-balance / failover
- Trigger: Download loss + latency
## Room VLAN Scheme
Each room gets its own VLAN and /28 subnet. Pattern: `10.[floor].[room].0/28` with the gateway at `.1`, where `[room]` is the room number with the floor digit stripped (room 101 → `10.1.1.0/28`, room 149 → `10.1.49.0/28`). The VLAN ID and interface name use the full room number (room 101 → VLAN 101 on `igc1.101`).
### Floor 1 (VLANs 101-149)
| Room | VLAN | Subnet | Gateway |
|------|----------|--------------------|---------------|
| 101 | igc1.101 | 10.1.1.0/28 | 10.1.1.1 |
| 102 | igc1.102 | 10.1.2.0/28 | 10.1.2.1 |
| 103 | igc1.103 | 10.1.3.0/28 | 10.1.3.1 |
| 104 | igc1.104 | 10.1.4.0/28 | 10.1.4.1 |
| 105 | igc1.105 | 10.1.5.0/28 | 10.1.5.1 |
| 106 | igc1.106 | 10.1.6.0/28 | 10.1.6.1 |
| 107 | igc1.107 | 10.1.7.0/28 | 10.1.7.1 |
| 108 | igc1.108 | 10.1.8.0/28 | 10.1.8.1 |
| 109 | igc1.109 | 10.1.9.0/28 | 10.1.9.1 |
| 110 | igc1.110 | 10.1.10.0/28 | 10.1.10.1 |
| 111 | igc1.111 | 10.1.11.0/28 | 10.1.11.1 |
| 112 | igc1.112 | 10.1.12.0/28 | 10.1.12.1 |
| 115 | igc1.115 | 10.1.15.0/28 | 10.1.15.1 |
| 116 | igc1.116 | 10.1.16.0/28 | 10.1.16.1 |
| 117 | igc1.117 | 10.1.17.0/28 | 10.1.17.1 |
| 118 | igc1.118 | 10.1.18.0/28 | 10.1.18.1 |
| 119 | igc1.119 | 10.1.19.0/28 | 10.1.19.1 |
| 120 | igc1.120 | 10.1.20.0/28 | 10.1.20.1 |
| 121 | igc1.121 | 10.1.21.0/28 | 10.1.21.1 |
| 122 | igc1.122 | 10.1.22.0/28 | 10.1.22.1 |
| 123 | igc1.123 | 10.1.23.0/28 | 10.1.23.1 |
| 124 | igc1.124 | 10.1.24.0/28 | 10.1.24.1 |
| 125 | igc1.125 | 10.1.25.0/28 | 10.1.25.1 |
| 126 | igc1.126 | 10.1.26.0/28 | 10.1.26.1 |
| 127 | igc1.127 | 10.1.27.0/28 | 10.1.27.1 |
| 128 | igc1.128 | 10.1.28.0/28 | 10.1.28.1 |
| 129 | igc1.129 | 10.1.29.0/28 | 10.1.29.1 |
| 130 | igc1.130 | 10.1.30.0/28 | 10.1.30.1 |
| 131 | igc1.131 | 10.1.31.0/28 | 10.1.31.1 |
| 132 | igc1.132 | 10.1.32.0/28 | 10.1.32.1 |
| 133 | igc1.133 | 10.1.33.0/28 | 10.1.33.1 |
| 134 | igc1.134 | 10.1.34.0/28 | 10.1.34.1 |
| 135 | igc1.135 | 10.1.35.0/28 | 10.1.35.1 |
| 136 | igc1.136 | 10.1.36.0/28 | 10.1.36.1 |
| 137 | igc1.137 | 10.1.37.0/28 | 10.1.37.1 |
| 138 | igc1.138 | 10.1.38.0/28 | 10.1.38.1 |
| 140 | igc1.140 | 10.1.40.0/28 | 10.1.40.1 |
| 142 | igc1.142 | 10.1.42.0/28 | 10.1.42.1 |
| 143 | igc1.143 | 10.1.43.0/28 | 10.1.43.1 |
| 144 | igc1.144 | 10.1.44.0/28 | 10.1.44.1 |
| 145 | igc1.145 | 10.1.45.0/28 | 10.1.45.1 |
| 146 | igc1.146 | 10.1.46.0/28 | 10.1.46.1 |
| 147 | igc1.147 | 10.1.47.0/28 | 10.1.47.1 |
| 148 | igc1.148 | 10.1.48.0/28 | 10.1.48.1 |
| 149 | igc1.149 | 10.1.49.0/28 | 10.1.49.1 |
Missing rooms on Floor 1: 113, 114, 139, 141
### Floor 2 (VLANs 201-249)
Same pattern: `10.2.[room].0/28`
Rooms: 201-212, 215-238, 240-249
Missing: 213, 214, 239
### Floor 3 (VLANs 301-350)
Pattern: `10.3.[room].0/28`
Rooms: 301-312, 315-350
Missing: 313, 314
Note: Room339 interface exists but may NOT be enabled
### Floor 4 (VLANs 401-449)
Pattern: `10.4.[room].0/28`
Rooms: 401-412, 415-449
Missing: 413, 414
### Floor 5 (VLANs 501-522)
Pattern: `10.5.[room].0/28`
Rooms: 501-512, 514-522
Missing: 513
### Floor 6 (VLANs 603-631)
Pattern: `10.6.[room].0/28`
Rooms: 603-631
Missing: 601, 602
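The room addressing scheme above, as an added example (not the client's or the project's own tooling): a planner that derives each room's VLAN, /28 subnet, gateway and DHCP bounds from the room number, checks every room network against the other networks documented on this page for overlaps, and validates a DHCP scope the way the Room218 fix required. The room lists are transcribed from this page; the DHCP range starting at `.2` is an assumption, while the range end at `.14` matches the documented fix.

```python
"""Room VLAN/subnet planner for the 10.[floor].[room].0/28 scheme on this page.
Added example, not the client's or project's own tooling."""
from ipaddress import IPv4Address, IPv4Network

# Rooms per floor, transcribed from the page (Floor 1 from its table, floors
# 2-6 from the "Rooms:" ranges). Missing rooms are simply absent.
FLOOR_ROOMS = {
    1: "101-112, 115-138, 140, 142-149",
    2: "201-212, 215-238, 240-249",
    3: "301-312, 315-350",
    4: "401-412, 415-449",
    5: "501-512, 514-522",
    6: "603-631",
}

# Non-room networks from the interface and VPN tables, used for overlap checks.
OTHER_NETWORKS = {
    "LAN": IPv4Network("192.168.0.0/22"),
    "INTERNAL": IPv4Network("10.0.20.0/24"),
    "GUEST": IPv4Network("10.0.50.0/24"),
    "999GuruTestNet": IPv4Network("10.0.99.0/28"),
    "OpenVPN tunnel": IPv4Network("192.168.10.0/28"),
}


def expand_ranges(spec):
    """Turn '201-212, 215-238, 240-249' into a flat list of room numbers."""
    rooms = []
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-"))
            rooms.extend(range(lo, hi + 1))
        else:
            rooms.append(int(part))
    return rooms


def room_plan(room):
    """Derive VLAN, subnet, gateway and DHCP bounds for one room.
    The third octet is the room number with the floor digit stripped
    (218 -> 18). DHCP start at .2 is an assumption; end at .14 matches the
    Room218 fix and is the last host address of a /28."""
    floor, index = divmod(room, 100)
    net = IPv4Network(f"10.{floor}.{index}.0/28")
    hosts = list(net.hosts())  # .1 .. .14 for a /28
    return {
        "room": room,
        "vlan": room,
        "interface": f"igc1.{room}",
        "subnet": net,
        "gateway": hosts[0],
        "dhcp_start": hosts[1],
        "dhcp_end": hosts[-1],
        "host_addresses": len(hosts),  # 14, as the page states
    }


def build_plan():
    """Plan for every documented room, floor by floor."""
    return [room_plan(r) for f in sorted(FLOOR_ROOMS)
            for r in expand_ranges(FLOOR_ROOMS[f])]


def find_overlaps(plan):
    """Return (name_a, name_b) pairs whose networks overlap; empty means clean."""
    nets = [(p["interface"], p["subnet"]) for p in plan] + list(OTHER_NETWORKS.items())
    return [(a, b) for i, (a, na) in enumerate(nets)
            for b, nb in nets[i + 1:] if na.overlaps(nb)]


def validate_dhcp_scope(room, range_start, range_end):
    """True only if the scope sits inside the room's /28, skips the gateway,
    and ends no later than the last host address (the Room218 defect was a
    range end that fell outside the /28)."""
    p = room_plan(room)
    start, end = IPv4Address(range_start), IPv4Address(range_end)
    return (start in p["subnet"] and end in p["subnet"]
            and start > p["gateway"] and end <= p["dhcp_end"] and start <= end)


if __name__ == "__main__":
    plan = build_plan()
    print(f"{len(plan)} rooms planned, overlaps: {find_overlaps(plan)}")
    for p in plan[:3]:
        print(p["interface"], p["subnet"], p["gateway"], p["dhcp_start"], p["dhcp_end"])
```

Running it yields 236 room networks, which matches the "~236 rooms" figure in the Notes, and no overlaps with LAN, INTERNAL, GUEST, the test net or the VPN tunnel range.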
## Firewall Rules
### Floating Rules (apply to all/multiple interfaces)
| # | Action | Interface | Protocol | Source | Destination | Description |
|---|--------|----------------|-----------|---------------|-------------|----------------------------------|
| 1 | PASS | openvpn | IPv4 | any | any | OpenVPN pass-all |
| 2 | PASS | any | ICMP | any | any | Allow all ICMP |
| 3 | PASS | All_Networks | TCP/UDP | any | any:53 | All Networks DNS Allow |
| 4 | PASS | any | IPv4 | any | any | Allow all IPv4 (permissive) |
| 5 | BLOCK | wan | IPv4+IPv6 | NOT lanip | (self) | Block external access to firewall|
### WAN Rules
| # | Action | Protocol | Source | Destination | Port | Description |
|---|--------|----------|-----------------|-------------|------|--------------------------|
| 1 | PASS | UDP | any | wanip | 1194 | OpenVPN IT Staff |
| 2 | BLOCK | IPv4 | NOT All_Networks| (self) | any | Block ext access to FW |
### LAN Rules
| # | Action | Protocol | Source | Destination | Gateway | Description |
|---|--------|----------|-------------|-------------|-----------|--------------------------|
| 1 | PASS | IPv4 | INTERNAL net| LAN net | WAN_Group | INTERNAL to LAN via WAN_Group |
| 2 | PASS | IPv4 | LAN net | any | WAN_Group | Default LAN to any |
| 3 | PASS | IPv6 | LAN net | any | -- | Default LAN IPv6 to any |
### INTERNAL (VLAN 20) Rules
| # | Action | Protocol | Source | Destination | Description |
|---|--------|----------|---------------|-------------|--------------------------|
| 1 | PASS | IPv4 | INTERNAL net | LAN net | INTERNAL to LAN access |
### GUEST (VLAN 50) Rules — ADDED 2026-03-06
| # | Action | Protocol | Source | Destination | Description |
|---|--------|----------|--------|-------------|-------------|
| 1 | BLOCK | IPv4 | GUEST subnet | 192.168.0.0/22 | Block Guest to LAN |
| 2 | BLOCK | IPv4 | GUEST subnet | 10.0.0.0/8 | Block Guest to private 10.x |
| 3 | BLOCK | IPv4 | GUEST subnet | 172.16.0.0/12 | Block Guest to private 172.x |
| 4 | PASS | IPv4 | GUEST subnet | any | Guest internet access |
### Room130 Rules
| # | Action | Protocol | Notes |
|---|----------|----------|--------------------|
| 1 | PASS | TCP | **DISABLED** |
## NAT
- Port Forwards: None
- Outbound NAT: Automatic mode (480 auto-generated rules covering all subnets)
## VPN - OpenVPN Server
| Setting | Value |
|----------------------|------------------------------------|
| Description | IT Staff |
| Mode | TLS + User Auth (server_tls_user) |
| Auth Backend | Local Database |
| Protocol | UDP4 |
| Listen Port | 1194 |
| Interface | WAN |
| Tunnel Network | 192.168.10.0/28 |
| Pushed Local Network | 192.168.0.0/22 |
| Pushed DNS Server | 192.168.0.1 |
| CA | CascadesVPN 25 |
| Ciphers | AES-256-GCM, AES-128-GCM, CHACHA20-POLY1305 |
| DH Length | 2048 |
| Digest | SHA256 |
| Topology | Subnet |
| Client-to-Client | Yes |
| Compression | Not allowed |
| Keepalive | 10s / 60s timeout |
| Inactive Timeout | 300s |
## Interface Groups
| Group Name | Members | Purpose |
|-------------------|-----------------------------------------|----------------------------|
| ResidentsGroup | All room interfaces (opt2-opt237) | All resident room VLANs |
| All_Networks | LAN + opt1-opt238 | Every internal interface |
| Wan_Group_Inter | wan + opt240 | Both WAN interfaces |
## pfSense Users
| Username | Role | Group |
|-----------|---------|--------|
| admin | System Admin | admins |
| Howard | User | admins |
| sysadmin | User | admins |
| rturner | User | -- |
## Migration Plan — Firewall Changes (Phase 1.3)
See `migration/phase1-network.md` for full runbook.
### Aliases Created (on pfSense as of 2026-03-09)
| Alias | Type | Members | Status |
|-------|------|---------|--------|
| `Server_IPs` | Host(s) | 192.168.2.254 | **CREATED** |
| `NAS_IP` | Host(s) | 192.168.0.120 | **CREATED** |
**Deleted (not needed):** `Printer_IPs`, `AD_Ports`, `Print_Ports` — printers moving to INTERNAL VLAN (same subnet as PCs, no firewall rules needed between them). `RFC1918` not created — using built-in `_private4_` alias instead.
### Migration Approach (revised 2026-03-09)
Instead of building scoped INTERNAL→LAN rules for a transitional state, the plan is:
1. Move staff PCs to CSCNet WiFi (INTERNAL VLAN 20, 10.0.20.x)
2. Move printer switch ports to VLAN 20 — printers get new 10.0.20.x IPs
3. During migration, old permissive rules keep both networks talking freely
4. After all devices migrated: create scoped INTERNAL → server-only rules, then lock down
### Post-Migration INTERNAL Rules (to create after all devices on VLAN 20)
| # | Action | Protocol | Source | Destination | Dest Port | Description |
|---|--------|----------|--------|-------------|-----------|-------------|
| 1 | PASS | TCP/UDP | INTERNAL net | Server_IPs | 53,88,135,389,445,464,636,3268,3269,5985,9389 | AD/DNS/SMB to DC |
| 2 | PASS | TCP | INTERNAL net | Server_IPs | 3389 | RDP to server |
| 3 | PASS | TCP | INTERNAL net | NAS_IP | 445,5000,5001 | Synology access |
| 4 | PASS | ICMP | INTERNAL net | LAN net | any | Ping diagnostics |
| 5 | BLOCK | IPv4 | INTERNAL net | _private4_ | any | Block other private (LOG) |
| 6 | PASS | IPv4 | INTERNAL net | any | any | Internet access |
### New GUEST VLAN Rules (Phase 1.1)
| # | Action | Source | Destination | Description |
|---|--------|--------|-------------|-------------|
| 1 | BLOCK | GUEST net | 192.168.0.0/22 | Block Guest to LAN |
| 2 | BLOCK | GUEST net | 10.0.0.0/8 | Block Guest to private |
| 3 | BLOCK | GUEST net | 172.16.0.0/12 | Block Guest to private |
| 4 | PASS | GUEST net | any | Guest internet |
### Floating Rule #4 Change
Replace "PASS any/any on ANY interface" with:
- PASS | ResidentsGroup | IPv4 | any → ! _private4_ | "Rooms internet only"
**Rollback:** Re-enable old floating rule #4 (disable first, don't delete).
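To check what the documented GUEST rules, the planned post-migration INTERNAL rules and the floating rule #4 replacement actually permit before they go onto the box, here is an added first-match rule evaluator (example code, not the client's or pfSense's own). It models interface-tab semantics only (first match wins, implicit default deny), treats `_private4_` as the three RFC1918 blocks, and represents ResidentsGroup as source `any` because the planned rule is scoped by interface rather than by address; all three are assumptions.

```python
"""First-match evaluator for the pfSense interface-tab rule sets on this page.
Added example, not the client's or project's own tooling. Simplifications:
rules match first-match top to bottom (pfSense interface rules are "quick"
by default); floating-rule ordering and state tracking are not modelled."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Networks and aliases transcribed from the page. `_private4_` is modelled as
# the three RFC1918 blocks (assumption about the built-in alias).
ALIASES = {
    "any": [ip_network("0.0.0.0/0")],
    "GUEST subnet": [ip_network("10.0.50.0/24")],
    "INTERNAL net": [ip_network("10.0.20.0/24")],
    "LAN net": [ip_network("192.168.0.0/22")],
    "Server_IPs": [ip_network("192.168.2.254/32")],
    "NAS_IP": [ip_network("192.168.0.120/32")],
    "_private4_": [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                   ip_network("192.168.0.0/16")],
}


@dataclass(frozen=True)
class Rule:
    action: str                      # "PASS" or "BLOCK"
    proto: str                       # "IPv4", "ICMP", "TCP", "UDP" or "TCP/UDP"
    src: str                         # alias name or CIDR
    dst: str                         # alias name or CIDR; leading "!" negates
    ports: frozenset = frozenset()   # empty = any destination port
    desc: str = ""


def _expand(spec):
    name = spec.lstrip("! ")
    return ALIASES.get(name) or [ip_network(name, strict=False)]


def _addr_match(spec, addr):
    hit = any(addr in net for net in _expand(spec))
    return hit != spec.startswith("!")


def _proto_match(spec, proto):
    return spec == "IPv4" or proto in spec.split("/")


def evaluate(rules, src, dst, proto="TCP", port=None):
    """Return (action, rule) for the first matching rule; ("BLOCK", None)
    is pfSense's implicit default deny when nothing matches."""
    s, d = ip_address(src), ip_address(dst)
    for rule in rules:
        if (_proto_match(rule.proto, proto) and _addr_match(rule.src, s)
                and _addr_match(rule.dst, d)
                and (not rule.ports or port in rule.ports)):
            return rule.action, rule
    return "BLOCK", None


# GUEST (VLAN 50) tab as documented on this page.
GUEST_RULES = [
    Rule("BLOCK", "IPv4", "GUEST subnet", "192.168.0.0/22", desc="Block Guest to LAN"),
    Rule("BLOCK", "IPv4", "GUEST subnet", "10.0.0.0/8", desc="Block Guest to private 10.x"),
    Rule("BLOCK", "IPv4", "GUEST subnet", "172.16.0.0/12", desc="Block Guest to private 172.x"),
    Rule("PASS", "IPv4", "GUEST subnet", "any", desc="Guest internet access"),
]

# Planned post-migration INTERNAL tab (rule 5 is the logged block).
AD_PORTS = frozenset({53, 88, 135, 389, 445, 464, 636, 3268, 3269, 5985, 9389})
POST_MIGRATION_INTERNAL = [
    Rule("PASS", "TCP/UDP", "INTERNAL net", "Server_IPs", AD_PORTS, "AD/DNS/SMB to DC"),
    Rule("PASS", "TCP", "INTERNAL net", "Server_IPs", frozenset({3389}), "RDP to server"),
    Rule("PASS", "TCP", "INTERNAL net", "NAS_IP", frozenset({445, 5000, 5001}), "Synology access"),
    Rule("PASS", "ICMP", "INTERNAL net", "LAN net", desc="Ping diagnostics"),
    Rule("BLOCK", "IPv4", "INTERNAL net", "_private4_", desc="Block other private (LOG)"),
    Rule("PASS", "IPv4", "INTERNAL net", "any", desc="Internet access"),
]

# Floating rule #4 today versus its planned replacement on ResidentsGroup.
OLD_FLOATING_4 = [Rule("PASS", "IPv4", "any", "any", desc="Allow all IPv4 (permissive)")]
NEW_ROOMS_RULE = [Rule("PASS", "IPv4", "any", "! _private4_", desc="Rooms internet only")]


if __name__ == "__main__":
    # Constructed sample flows: a guest client, a staff PC on VLAN 20, two rooms.
    for rules, src, dst, proto, port in [
        (GUEST_RULES, "10.0.50.23", "192.168.0.120", "TCP", 445),
        (GUEST_RULES, "10.0.50.23", "192.168.10.5", "TCP", 445),
        (POST_MIGRATION_INTERNAL, "10.0.20.40", "192.168.0.50", "TCP", 445),
        (OLD_FLOATING_4, "10.1.1.5", "10.1.2.5", "TCP", 445),
        (NEW_ROOMS_RULE, "10.1.1.5", "10.1.2.5", "TCP", 445),
    ]:
        action, rule = evaluate(rules, src, dst, proto, port)
        print(f"{src} -> {dst}:{port}/{proto}: {action} ({rule.desc if rule else 'default deny'})")
```

Two results are worth noting. Room-to-room traffic passes under the current floating rule #4 and is dropped by the planned "Rooms internet only" rule, which is the isolation the Notes describe. The GUEST tab's block list covers 192.168.0.0/22, 10.0.0.0/8 and 172.16.0.0/12, so guest traffic to the OpenVPN tunnel network 192.168.10.0/28 falls through to the pass rule; the `_private4_`-based approach used in the INTERNAL design covers that range as well.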
### Kitchen iPad Isolation (Phase 1.1b — after thermal printer inventory)
Kitchen iPads (9 units) are food-service only — NOT medical. Restrict to kitchen thermal printers only to prevent lateral movement into PHI networks.
| # | Action | Source | Dest | Description |
|---|--------|--------|------|-------------|
| 1 | BLOCK | Kitchen_iPads | Server_IPs | Block kitchen to servers |
| 2 | BLOCK | Kitchen_iPads | NAS_IP | Block kitchen to NAS |
| 3 | PASS | Kitchen_iPads | Kitchen_Printers | Allow kitchen to thermal printers |
| 4 | PASS | Kitchen_iPads | any (80,443) | Allow internet for app updates |
**Blocked on:** Kitchen thermal printer inventory (need IPs/MACs from onsite visit). Kitchen_iPads alias needs MAC addresses of all 9 iPads.
### CSC ENT → CSCNet Migration (LAN → INTERNAL coexistence)
Many staff machines are still on CSC ENT (native LAN, 192.168.0.0/22). During migration, devices on LAN must be able to reach devices on INTERNAL (10.0.20.0/24) by name and IP, and vice versa. The existing LAN rule "INTERNAL to LAN" handles INTERNAL→LAN. Need to verify LAN→INTERNAL routing works (LAN devices reaching 10.0.20.x). Once all devices are migrated to CSCNet/INTERNAL, CSC ENT SSID can be removed.
### Quick Fixes
- Delete Room 130 disabled rule
- Delete "INTERNAL net to LAN net PASS" from LAN rules
## Notes
- This is a large multi-tenant residential property (6 floors, ~236 rooms)
- Each room is isolated on its own /28 VLAN (14 usable IPs per room)
- Floating rule #4 passes ALL IPv4 on any interface - very permissive (to be replaced)
- No port forwards configured
- No IPsec VPN
- No static routes
- `RFC1918` alias was NOT created (documented in error). Using built-in `_private4_` alias instead.
- `Server_IPs` and `NAS_IP` aliases created 2026-03-09. `Printer_IPs`, `AD_Ports`, `Print_Ports` created then deleted — not needed since printers are moving to INTERNAL VLAN.
- Room339 may not be enabled (missing enable tag)
- ~~Room218 DHCP scope misconfigured~~ **FIXED 2026-03-07** — range end changed to 10.2.18.14