claudetools/wiki/clients/tohono-oodham-doit.md

type, name, display_name, last_compiled, compiled_by, sources, backlinks

type	name	display_name	last_compiled	compiled_by	sources	backlinks
client	tohono-oodham-doit	Tohono O'odham Nation - Department of Information & Technology (DoIT)	2026-06-12	GURU-5070/claude-main	clients/tohono-oodham-doit/session-logs/2026-05-27-session.md syncro:33069069	clients/sif-oidak

Tohono O'odham Nation - Department of Information & Technology (DoIT)

Profile

• Contract type: Break-fix with recurring Starlink service reseller billing (monthly internet + per-incident labor)
• Key contacts:
  • Shannon Ramon — shannon.ramon@tonation-nsn.gov, 520-471-3072 (primary)
  • Brandon Capeheart (I&T System Administrator) — brandon.capeheart@tonation-nsn.gov, 520-993-5779
  • Marcus Ramon (I&T Network Manager) — marcus.ramon@tonation-nsn.gov, 520-240-0844
  • Trina Rodriguez (DoIT) — trina.rodriguez@tonation-nsn.gov, 520-383-0270 / 520-349-4297
  • Yvonne Enriguez (DoIT Office Manager) — Yvonne.Enriquez@tonation-nsn.gov, 520-383-0270
  • Tianna Aguilla (Accounts Payable) — tianna.aguilla@tonation-nsn.gov, (520) 648-4130 ext 4108
  • Denise Darrell (Accounts Payable, Dept of IT) — denise.darrell@tonnation-nsn.gov, 520-383-6600
• Billing rate: $175/hr (onsite labor)
• Hours remaining (if prepaid): N/A — no prepaid block
• Active ticket: Syncro #32328 (Waiting on Customer)
• Syncro customer ID: 33069069
• Address: 25310 South Toltec Buttes Road, Eloy, AZ 85131; mailing: PO Box 837, Sells, AZ 85634; DoIT Annex: 307 Vamori Street, Tucson, AZ 85756

Infrastructure

Servers & Services

Host	IP	Role	OS	Notes

No Syncro-managed assets on record. No RMM agents deployed as of 2026-06-12.

Email & Identity

• M365 tenant: (verify)
• MX / mail flow: (verify) — staff use @tonation-nsn.gov addresses
• MFA status: (verify)

Network

• ISP / WAN (field sites x2): Starlink Roam Unlimited (mobile); configured in bypass mode — Check Point 1550 WAN interface holds the ISP-assigned IP directly. Starlink Roam issues CGNAT 100.64.x.x addresses, so each field site has no public routable WAN IP.
• ISP / WAN (main office): Non-Starlink; public static IP(s). ISP and gateway hardware unconfirmed.
• Firewall (field): Check Point 1550 (Gaia Embedded) — 2 units, one per field site
• Firewall (main office): (verify — make/model unconfirmed; assumed Check Point based on field fleet)
• VPN: Pending design decision; two options under evaluation:
  • Option A — Native IPsec hub-and-spoke: Field 1550s initiate outbound IPsec to office public IP using existing hardware; no overlay required. Cleanest path if main office gateway is also Check Point.
  • Option B — Tailscale overlay: Subnet-router node deployed behind the office firewall; small Tailscale-capable node (GL.iNet Beryl AX, Flint 2, pfSense, or OPNsense) at each field site. Traverses CGNAT via NAT-traversal and DERP relay on port 443.

Access

• No remote access credentials or vault paths on file for this client.
• Vault path: (verify — create at clients/tohono-oodham-doit/ if credentials are issued)
• Syncro: https://computerguru.syncromsp.com/customers/33069069

Patterns & Known Issues

• CGNAT field WAN: All field sites are behind Starlink Roam Unlimited in bypass mode. Bypass mode removes Starlink's own NAT but Starlink Roam still assigns a CGNAT 100.64.x.x address to the 1550 WAN port — not a public IP. Any site-to-site VPN or remote management initiated from the field must be outbound-only; the main office hub must be the reachable endpoint. On-site verification: each field 1550's WAN IP should show 100.64.x.x. If a real public IP appears, a Starlink public-IP add-on may be active, which changes the VPN calculus.
• Check Point 1550 (Gaia Embedded) is a closed appliance: Third-party overlay software (Tailscale, ZeroTier) is not supported and cannot be installed on the 1550 itself. An Option B Tailscale deployment requires a separate device alongside the 1550 at each field site.
• Multiple Tohono O'odham accounts in Syncro: DoIT (33069069), Legislative Branch (35323240), Farming Authority (33405788), Sif-oidak District (7694718) are separate Syncro customer records for the same tribal nation. Confirm account before opening tickets.
• Starlink reseller billing: ComputerGuru bills DoIT for recurring Starlink internet service (~$397-421/month for 2 lines). Labor is billed break-fix at $175/hr as separate line items.

Active Work

As of 2026-06-12 — Syncro shows 1 open ticket:

Ticket	Subject	Status	Opened
#32328 (ID: 111209848)	Request for Starlink Static IP options	Waiting on Customer	2026-05-27

Ticket #32328: Presented two site-to-site VPN design options (native Check Point IPsec hub-and-spoke vs. Tailscale overlay) for CGNAT field-to-office connectivity. Recommended skipping a Starlink static IP upgrade — the reachable main office hub makes it unnecessary for either option. Awaiting DoIT internal IT decision on VPN entrypoint and main office gateway make/model confirmation.

History Highlights

• 2025-01: Onsite Starlink installation (invoice #64532, 1 hr labor, $175)
• 2025-11-18: Onsite event Starlink rental and setup for November event in Sells, AZ (invoice #66431, $362.50 — rental + 1hr setup + 0.5hr trip fee)
• 2025-11-25: Sold and installed 2x Starlink Mini Mobile Roam kits (receiver, car adapter, roof mount) at field sites; monthly Starlink service billing initiated (invoice #66494, $915.94 hardware; recurring ~$397-421/month since)
• 2026-05-27: VPN design consultation for CGNAT field-to-office connectivity — researched Starlink static IP availability (not available on Roam) and CGNAT traversal options; created Ticket #32328, posted customer-visible two-option recommendation; ticket set to Waiting on Customer

Backlinks

• Sif-oidak District - Tohono O'odham Nation — related Syncro account for the same tribal nation (Sif-oidak District, ID 7694718)