claudetools/clients/cascades-tucson/docs/network/wifi.md
Howard Enos 5c77b88654 sync: auto-sync from HOWARD-HOME at 2026-06-24 11:50:01

# WiFi Configuration (UniFi)

## SSIDs (3)

| SSID | Network Assignment | AP Group | Bands | Security | Purpose |
|------|--------------------|----------|-------|----------|---------|
| CSCNet | 238 Networks (per-room VLANs) | All APs | 2.4 + 5 GHz | WPA2 | Primary SSID — residents + staff. VLAN assignment handled at UniFi controller level (per-AP network mapping), NOT via RADIUS/NPS. NPS on CS-SERVER has only default deny policies, no RADIUS clients, and no VLAN attributes configured. |
| CSC ENT | Native Network (Default LAN, 192.168.0.0/22) | All APs | 2.4 + 5 GHz | WPA2 | Legacy staff WiFi + the WPA2 island for WPA2-only devices (Helpany "Paul" sensors, key Ftfd85710#). PLANNED (2026-06-24): repurpose as the 5 GHz-only WPA2 PPSK device island — phones -> VLAN 30, Helpany -> VLAN 40. Do NOT delete (would orphan the Pauls). See csc-ent-device-island-plan.md. |
| Guest | Guest (VLAN 50, 10.0.50.0/24) | All APs | 2.4 + 5 GHz | WPA2 | Guest WiFi — isolated from all internal networks (moved from Default LAN 2026-03-06) |

## UniFi Network Definitions

### Infrastructure Networks

| Network Name | VLAN ID | Gateway | Subnet | Notes |
|--------------|---------|---------|--------|-------|
| Default | 1 (native) | Third-party (pfSense) | 192.168.0.0/22 | Main LAN — servers, infra, APs |
| Guest | 50 | Third-party (pfSense) | 10.0.50.0/24 | Guest WiFi isolation (added 2026-03-06) |
| CSC Internal Network | 10 | Third-party (pfSense) | - | Mismatch: pfSense has INTERNAL on VLAN 20, not 10 |
| Internal | 20 | Third-party (pfSense) | - | Staff VLAN (10.0.20.0/24) — matches pfSense |
| 999 - Test | 999 | Third-party (pfSense) | - | GuruTestNet |

### Room VLANs (238 total)

All room VLANs are defined in UniFi as "Third-party Gateway" networks. VLAN IDs match room numbers.

- Floor 1 (44): 101-149 (missing: 113, 114, 139, 141)
- Floor 2 (46): 201-249 (missing: 213, 214, 239)
- Floor 3 (48): 301-350 (missing: 313, 314)
- Floor 4 (47): 401-449 (missing: 413, 414)
- Floor 5 — MemCare (21): 501-522 (missing: 513)
- Floor 6 — MemCare (29): 603-631

## Issues

### 1. Guest WiFi on Native LAN — NO ISOLATION (High) FIXED 2026-03-06

Guest SSID moved to VLAN 50 (10.0.50.0/24) with internet-only firewall rules. All RFC1918 ranges blocked. DHCP scope: 10.0.50.50 to 10.0.50.239 (190 addresses). Needs onsite testing to verify isolation.

### 2. CSC Internal Network VLAN Mismatch (Medium)

UniFi defines "CSC Internal Network" as VLAN 10, but pfSense has the INTERNAL interface on VLAN 20 (igc1.20, 10.0.20.0/24). UniFi also has "Internal" on VLAN 20 (correct). The VLAN 10 network may be unused/orphaned, or it could cause tagging issues if any port or SSID references it.

Fix: Verify if VLAN 10 is used anywhere. If not, delete "CSC Internal Network" from UniFi to avoid confusion.

### 3. All SSIDs Use WPA2 Only (Low)

WPA3 is not enabled on any SSID. WPA2 is acceptable, but WPA3-transitional mode would improve security for newer devices while maintaining compatibility with WPA2-only clients.

### 4. Kitchen iPads Not Restricted (Medium — Security)

9 kitchen iPads are on INTERNAL VLAN (10.0.20.x) with full access to staff resources. They are food-service only (NOT medical) — used for taking orders and printing to kitchen thermal receipt printers. They should be restricted to kitchen printer access only to prevent lateral movement into PHI networks if a device is compromised.

Fix: Create firewall rules restricting kitchen iPad MACs to kitchen thermal printer IPs only. Block access to staff VLAN, servers, and Synology. Allow internet for app updates. See security/hipaa.md.

### 5. No Band Steering or Separate SSIDs (Low) — being addressed

Band steering (no2ghz_oui) is in fact ON on CSCNet/CSC ENT/Guest, but it does not reliably hold the Poly voice OUI (48:25:67) or the Helpany sensors on 5 GHz; they land on the congested 2.4 GHz band. Fix in progress (2026-06-24): rather than rely on steering, give the voice + sensor devices a dedicated 5 GHz-only WPA2 SSID by repurposing CSC ENT (PPSK -> VLAN 30 phones / VLAN 40 Helpany). Full plan: csc-ent-device-island-plan.md.

## Migration Plan — WiFi Changes (Phase 1.1)

### Guest SSID → VLAN 50

The Guest SSID will be reassigned from the Default (native LAN) network to a new Guest network on VLAN 50 (10.0.50.0/24). This isolates guest traffic from all internal resources.

UniFi changes:

  1. Create "Guest" network: VLAN 50, third-party gateway
  2. Change Guest SSID network assignment: Default → Guest (VLAN 50)

Note: Guest WiFi will briefly disconnect during SSID reassignment.

### Delete CSC Internal Network (VLAN 10)

After verifying VLAN 10 is not referenced by any port profile or SSID, delete "CSC Internal Network" from UniFi to avoid confusion with the correct "Internal" network on VLAN 20.
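The VLAN 10 check in Issue 2 and the deletion step above can be scripted. The following is an added example, not part of the site's own tooling: it compares the UniFi infrastructure networks from the table above with a pfSense interface list and reports VLANs that have no gateway interface or a disagreeing subnet, then lists which SSIDs or port profiles still reference a network before it is deleted. Only INTERNAL (igc1.20) is documented on this page; the pfSense LAN and GUEST rows and the `port_profiles` input are assumptions.

```python
"""Added example (not the site's own tooling): cross-check the UniFi third-party
gateway networks from the table above against pfSense VLAN interfaces, and list
what still references a network before it is deleted."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Net:
    name: str
    vlan: int
    subnet: Optional[str] = None  # None where the UniFi table shows "-"

# UniFi infrastructure networks as documented (room VLANs omitted).
UNIFI = [
    Net("Default", 1, "192.168.0.0/22"),
    Net("Guest", 50, "10.0.50.0/24"),
    Net("CSC Internal Network", 10),
    Net("Internal", 20),
    Net("999 - Test", 999),
]
# pfSense side. Only INTERNAL (igc1.20) is documented on this page; LAN and
# GUEST are ASSUMED placeholders so the comparison has something to match.
PFSENSE = [
    Net("LAN", 1, "192.168.0.0/22"),
    Net("GUEST", 50, "10.0.50.0/24"),
    Net("INTERNAL", 20, "10.0.20.0/24"),
]
# SSID -> network assignment from the SSID table above.
SSID_NETWORK = {"CSCNet": "room VLANs", "CSC ENT": "Default", "Guest": "Guest"}

def audit(unifi, pfsense):
    """UniFi network name -> problem. A VLAN with no pfSense interface is orphaned
    or mistagged; a shared VLAN whose subnets disagree is a configuration mismatch."""
    by_vlan = {n.vlan: n for n in pfsense}
    findings = {}
    for net in unifi:
        peer = by_vlan.get(net.vlan)
        if peer is None:
            findings[net.name] = f"VLAN {net.vlan}: no pfSense interface"
        elif net.subnet and peer.subnet and (
                ipaddress.ip_network(net.subnet) != ipaddress.ip_network(peer.subnet)):
            findings[net.name] = f"VLAN {net.vlan}: {net.subnet} vs pfSense {peer.subnet}"
    return findings

def references(network, ssid_map=SSID_NETWORK, port_profiles=()):
    """SSIDs and (assumed) (profile, network) port-profile pairs still pointing at
    a network. An empty list means the network can be deleted without side effects."""
    return sorted([s for s, n in ssid_map.items() if n == network]
                  + [p for p, n in port_profiles if n == network])
```

With the documented data, `audit` flags "CSC Internal Network" (VLAN 10) and "999 - Test" as having no pfSense interface, and `references("CSC Internal Network")` is empty, which is the precondition for deleting it.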

See migration/phase1-network.md for full steps.