# WiFi Configuration (UniFi)

## SSIDs (3)

| SSID | Network Assignment | AP Group | Bands | Security | Purpose |
|------|-------------------|----------|-------|----------|---------|
| **CSCNet** | 238 Networks (per-room VLANs) | All APs | 2.4 + 5 GHz | WPA2 | Primary SSID — residents + staff. VLAN assignment handled at UniFi controller level (per-AP network mapping), NOT via RADIUS/NPS. NPS on CS-SERVER has only default deny policies, no RADIUS clients, and no VLAN attributes configured. |
| **CSC ENT** | Native Network (Default LAN, 192.168.0.0/22) | All APs | 2.4 + 5 GHz | WPA2 | Legacy staff WiFi + the WPA2 island for WPA2-only devices (Helpany "Paul" sensors, key `Ftfd85710#`). **PLANNED (2026-06-24): repurpose as the 5 GHz-only WPA2 PPSK device island** — phones -> VLAN 30, Helpany -> VLAN 40. **Do NOT delete** (would orphan the Pauls). See `csc-ent-device-island-plan.md`. |
| **Guest** | Guest (VLAN 50, 10.0.50.0/24) | All APs | 2.4 + 5 GHz | WPA2 | Guest WiFi — isolated from all internal networks (moved from Default LAN 2026-03-06) |

## UniFi Network Definitions

### Infrastructure Networks

| Network Name | VLAN ID | Gateway | Subnet | Notes |
|-------------|---------|---------|--------|-------|
| Default | 1 (native) | Third-party (pfSense) | 192.168.0.0/22 | Main LAN — servers, infra, APs |
| Guest | **50** | Third-party (pfSense) | 10.0.50.0/24 | Guest WiFi isolation (added 2026-03-06) |
| CSC Internal Network | **10** | Third-party (pfSense) | - | **Mismatch: pfSense has INTERNAL on VLAN 20, not 10** |
| Internal | **20** | Third-party (pfSense) | - | Staff VLAN (10.0.20.0/24) — matches pfSense |
| 999 - Test | 999 | Third-party (pfSense) | - | GuruTestNet |

### Room VLANs (238 total)

All room VLANs are defined in UniFi as "Third-party Gateway" networks. VLAN IDs match room numbers.

**Floor 1 (44):** 101-149 (missing: 113, 114, 139, 141)

**Floor 2 (46):** 201-249 (missing: 213, 214, 239)

**Floor 3 (48):** 301-350 (missing: 313, 314)

**Floor 4 (47):** 401-449 (missing: 413, 414)

**Floor 5 — MemCare (21):** 501-522 (missing: 513)

**Floor 6 — MemCare (29):** 603-631
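As an added check (example code written for this page, not part of the original document or any UniFi export): rebuild the room-VLAN list from the per-floor ranges and exclusions above and compare the arithmetic with the headline counts. The ranges as written yield 45 for Floor 1 and 236 overall rather than 44 and 238, so either the ranges or the counts need reconciling against the controller's network list; the script reports the difference rather than deciding which side is right. The planned VLAN 30/40 IDs from the CSC ENT plan are included in the reserved-ID collision check as an assumption.

```python
# Added example (not part of the original document): rebuild the room-VLAN
# list from the per-floor ranges and exclusions documented above and check
# the arithmetic against the documented headline counts.
from typing import Dict, List, Set, Tuple

# (first room, last room, rooms that do not exist) per floor, as documented.
FLOORS: Dict[str, Tuple[int, int, Set[int]]] = {
    "Floor 1": (101, 149, {113, 114, 139, 141}),
    "Floor 2": (201, 249, {213, 214, 239}),
    "Floor 3": (301, 350, {313, 314}),
    "Floor 4": (401, 449, {413, 414}),
    "Floor 5 - MemCare": (501, 522, {513}),
    "Floor 6 - MemCare": (603, 631, set()),
}

# Headline counts exactly as written on the page, kept separate so the
# arithmetic can be compared against them.
DOCUMENTED_COUNTS = {
    "Floor 1": 44, "Floor 2": 46, "Floor 3": 48,
    "Floor 4": 47, "Floor 5 - MemCare": 21, "Floor 6 - MemCare": 29,
}
DOCUMENTED_TOTAL = 238

# Infrastructure VLAN IDs from the page plus the planned 30/40 (assumption:
# those are the IDs the CSC ENT device-island plan will use).
RESERVED_VLANS = {1, 10, 20, 50, 999, 30, 40}


def room_vlans(floor: str) -> List[int]:
    """VLAN IDs for one floor: every room number in the range minus the gaps."""
    first, last, missing = FLOORS[floor]
    return [room for room in range(first, last + 1) if room not in missing]


def all_room_vlans() -> List[int]:
    return sorted(v for floor in FLOORS for v in room_vlans(floor))


def count_mismatches() -> Dict[str, Tuple[int, int]]:
    """{label: (computed, documented)} for every figure the arithmetic disagrees with."""
    out: Dict[str, Tuple[int, int]] = {}
    for floor in FLOORS:
        computed = len(room_vlans(floor))
        if computed != DOCUMENTED_COUNTS[floor]:
            out[floor] = (computed, DOCUMENTED_COUNTS[floor])
    total = len(all_room_vlans())
    if total != DOCUMENTED_TOTAL:
        out["total"] = (total, DOCUMENTED_TOTAL)
    return out


def id_problems() -> List[str]:
    """Room VLAN IDs that collide with reserved IDs, repeat, or fall outside 1-4094."""
    vlans = all_room_vlans()
    problems = [f"duplicate {v}" for v in set(vlans) if vlans.count(v) > 1]
    problems += [f"reserved {v}" for v in vlans if v in RESERVED_VLANS]
    problems += [f"out of range {v}" for v in vlans if not 1 <= v <= 4094]
    return problems


if __name__ == "__main__":
    for label, (computed, documented) in count_mismatches().items():
        print(f"{label}: ranges give {computed}, page says {documented}")
    print("ID problems:", id_problems() or "none")
```

Feed `FLOORS` from a controller export instead of the literals above and the same functions double as a drift check after rooms are added or removed.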

## Issues

### ~~1. Guest WiFi on Native LAN — NO ISOLATION (High)~~ FIXED 2026-03-06

Guest SSID moved to VLAN 50 (10.0.50.0/24) with internet-only firewall rules. All RFC1918 ranges blocked. DHCP scope: 10.0.50.50–10.0.50.239 (190 addresses). **Needs onsite testing to verify isolation.**

### 2. CSC Internal Network VLAN Mismatch (Medium)

UniFi defines "CSC Internal Network" as VLAN 10, but pfSense has the INTERNAL interface on VLAN 20 (igc1.20, 10.0.20.0/24). UniFi also has "Internal" on VLAN 20 (correct). The VLAN 10 network may be unused/orphaned, or it could cause tagging issues if any port or SSID references it.
**Fix:** Verify if VLAN 10 is used anywhere. If not, delete "CSC Internal Network" from UniFi to avoid confusion.

### 3. All SSIDs Use WPA2 Only (Low)

WPA3 is not enabled on any SSID. WPA2 is acceptable but WPA3-transitional mode would improve security for newer devices while maintaining compatibility.

### 4. Kitchen iPads Not Restricted (Medium — Security)

9 kitchen iPads are on the INTERNAL VLAN (10.0.20.x) with full access to staff resources. They are food-service only (NOT medical) — used for taking orders and printing to kitchen thermal receipt printers. They should be restricted to kitchen printer access only, so that a compromised iPad cannot move laterally into PHI networks.
**Fix:** Create firewall rules restricting kitchen iPad MACs to kitchen thermal printer IPs only. Block access to staff VLAN, servers, and Synology. Allow internet for app updates. See `security/hipaa.md`.
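Both the guest isolation in Issue 1 and the kitchen iPad restriction above come down to an ordered rule set, and the isolation is still marked as needing onsite testing. The following is an added example, not the site's pfSense configuration: an offline model of the intended policy that applies first-match-wins with a default deny (as pfSense does per interface), so the expectations can be written down and checked before someone stands in the building with a laptop. The iPad MACs, printer addresses and the raw-printing port 9100 are constructed placeholders; the "staff -> any" rule at the bottom is an assumption about the existing INTERNAL policy.

```python
# Added example (not part of the original document): an offline model of the
# firewall policy described in Issues 1 and 4, so the intended isolation can
# be sanity-checked before it is verified onsite. First matching rule wins
# and anything unmatched is dropped, mirroring pfSense's per-interface
# default deny.
import ipaddress
from dataclasses import dataclass, field
from typing import List, Set

IPNet = ipaddress.IPv4Network
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ANY = [ipaddress.ip_network("0.0.0.0/0")]

GUEST_NET = [ipaddress.ip_network("10.0.50.0/24")]     # Guest VLAN 50 (from the page)
INTERNAL_NET = [ipaddress.ip_network("10.0.20.0/24")]  # Staff VLAN 20 (from the page)

# Constructed placeholders: the real iPad MACs and printer IPs are not on the page.
KITCHEN_IPAD_MACS = {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"}
KITCHEN_PRINTERS = [ipaddress.ip_network("10.0.20.200/32"), ipaddress.ip_network("10.0.20.201/32")]
PRINT_PORTS = {9100}  # assumption: raw TCP printing; adjust to what the printers actually use


@dataclass
class Rule:
    action: str                   # "allow" or "block"
    src: List[IPNet]
    dst: List[IPNet]
    src_macs: Set[str] = field(default_factory=set)   # empty = any source MAC
    dst_ports: Set[int] = field(default_factory=set)  # empty = any port
    note: str = ""


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    dst_port: int
    src_mac: str = ""


def _in_any(ip: str, nets: List[IPNet]) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.src_macs and pkt.src_mac.lower() not in rule.src_macs:
        return False
    if rule.dst_ports and pkt.dst_port not in rule.dst_ports:
        return False
    return _in_any(pkt.src_ip, rule.src) and _in_any(pkt.dst_ip, rule.dst)


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule decides; no match means the packet is dropped."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "block"


# Ordered policy. The kitchen rules sit above the general staff allow so the
# iPads never fall through to full INTERNAL access.
POLICY = [
    # Issue 1: guest VLAN is internet-only, every RFC1918 range blocked.
    Rule("block", GUEST_NET, RFC1918, note="guest -> internal"),
    Rule("allow", GUEST_NET, ANY, note="guest -> internet"),
    # Issue 4: kitchen iPads reach only the kitchen printers and the internet.
    Rule("allow", INTERNAL_NET, KITCHEN_PRINTERS, src_macs=KITCHEN_IPAD_MACS,
         dst_ports=PRINT_PORTS, note="ipad -> printers"),
    Rule("block", INTERNAL_NET, RFC1918, src_macs=KITCHEN_IPAD_MACS,
         note="ipad -> staff VLAN / servers / Synology"),
    Rule("allow", INTERNAL_NET, ANY, src_macs=KITCHEN_IPAD_MACS, note="ipad -> internet (app updates)"),
    # Assumed existing staff policy: everything else on INTERNAL is allowed.
    Rule("allow", INTERNAL_NET, ANY, note="staff -> any"),
]


def verdict(src_ip: str, dst_ip: str, dst_port: int = 443, src_mac: str = "",
            rules: List[Rule] = POLICY) -> str:
    return evaluate(rules, Packet(src_ip, dst_ip, dst_port, src_mac))


def policy_failures(rules: List[Rule] = POLICY) -> List[str]:
    """Expectations taken from the page; returns the ones the rule set violates."""
    ipad = "aa:bb:cc:00:00:01"
    expectations = [
        ("guest cannot reach servers", verdict("10.0.50.77", "192.168.0.10", 445, rules=rules), "block"),
        ("guest cannot reach staff VLAN", verdict("10.0.50.77", "10.0.20.5", 445, rules=rules), "block"),
        ("guest reaches internet", verdict("10.0.50.77", "93.184.216.34", 443, rules=rules), "allow"),
        ("ipad prints", verdict("10.0.20.31", "10.0.20.200", 9100, ipad, rules), "allow"),
        ("ipad cannot reach servers", verdict("10.0.20.31", "192.168.0.10", 445, ipad, rules), "block"),
        ("ipad cannot reach staff VLAN", verdict("10.0.20.31", "10.0.20.5", 445, ipad, rules), "block"),
        ("ipad gets app updates", verdict("10.0.20.31", "17.253.144.10", 443, ipad, rules), "allow"),
        ("other staff device unaffected", verdict("10.0.20.40", "192.168.0.10", 445, "de:ad:be:ef:00:01", rules), "allow"),
    ]
    return [name for name, got, want in expectations if got != want]


if __name__ == "__main__":
    print("failures:", policy_failures() or "none")
    # Rule order is the usual way this goes wrong: staff allow above the iPad rules.
    misordered = POLICY[:2] + [POLICY[-1]] + POLICY[2:5]
    print("misordered failures:", policy_failures(misordered))
```

The `misordered` case is the point of the model: with the general staff allow placed above the iPad rules, the printer and internet rules still pass but the two "ipad cannot reach" expectations fail silently, which is exactly what the onsite test should be looking for.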

### 5. No Band Steering or Separate SSIDs (Low) — being addressed

Band steering (`no2ghz_oui`) is in fact ON on CSCNet/CSC ENT/Guest, but it does **not** reliably hold the Poly voice OUI (`48:25:67`) or the Helpany sensors on 5 GHz — they land on congested 2.4.

**Fix in progress (2026-06-24):** rather than rely on steering, give the voice + sensor devices a dedicated **5 GHz-only WPA2 SSID** by repurposing CSC ENT (PPSK -> VLAN 30 phones / VLAN 40 Helpany). Full plan: `csc-ent-device-island-plan.md`.

## Migration Plan — WiFi Changes (Phase 1.1)

### Guest SSID → VLAN 50

The Guest SSID will be reassigned from the Default (native LAN) network to a new Guest network on VLAN 50 (10.0.50.0/24). This isolates guest traffic from all internal resources.

**UniFi changes:**

1. Create "Guest" network: VLAN 50, third-party gateway
2. Change Guest SSID network assignment: Default → Guest (VLAN 50)

**Note:** Guest WiFi will briefly disconnect during SSID reassignment.

### Delete CSC Internal Network (VLAN 10)

After verifying VLAN 10 is not referenced by any port profile or SSID, delete "CSC Internal Network" from UniFi to avoid confusion with the correct "Internal" network on VLAN 20.
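The "verify it is not referenced" step here and in Issue 2 is easy to skip when the controller UI only shows one page at a time. The following is an added example, not the site's tooling: it cross-checks the UniFi network list against the pfSense VLAN interfaces, flags a UniFi network whose name echoes a pfSense interface but carries a different VLAN ID (the VLAN 10 vs 20 case), and reports whether anything still points at a network before it is deleted. The pfSense interface list beyond `igc1.20` and the SSID/port-profile references are constructed placeholders; the real values come from the controller's WiFi and port-profile pages.

```python
# Added example (not part of the original document): cross-check the UniFi
# network list against pfSense VLAN interfaces and confirm a UniFi network is
# unreferenced before it is deleted (Issue 2 / the VLAN 10 migration step).
from typing import Dict, List, Tuple

# UniFi networks as listed on the page: name -> VLAN ID.
UNIFI_NETWORKS: Dict[str, int] = {
    "Default": 1,
    "Guest": 50,
    "CSC Internal Network": 10,
    "Internal": 20,
    "999 - Test": 999,
}

# pfSense interfaces: name -> (VLAN ID, interface description). INTERNAL on
# igc1.20 and the Guest VLAN are from the page; the rest is constructed.
PFSENSE_VLANS: Dict[str, Tuple[int, str]] = {
    "igc1": (1, "LAN"),
    "igc1.20": (20, "INTERNAL"),
    "igc1.50": (50, "GUEST"),
}

# Constructed references: which UniFi network each SSID and port profile uses.
SSID_NETWORKS = {"CSCNet": "per-room VLANs", "CSC ENT": "Default", "Guest": "Guest"}
PORT_PROFILE_NETWORKS = {"All": "Default", "Staff": "Internal"}


def unmatched_in_pfsense(unifi=UNIFI_NETWORKS, pfsense=PFSENSE_VLANS) -> Dict[str, int]:
    """UniFi networks whose VLAN ID has no pfSense interface (orphan candidates)."""
    pf_ids = {vlan for vlan, _ in pfsense.values()}
    return {name: vlan for name, vlan in unifi.items() if vlan not in pf_ids}


def name_conflicts(unifi=UNIFI_NETWORKS, pfsense=PFSENSE_VLANS) -> List[str]:
    """Heuristic: a pfSense description that appears as a word in a UniFi network
    name but carries a different VLAN ID (the 'CSC Internal Network' case)."""
    out = []
    for uname, uvlan in unifi.items():
        words = set(uname.lower().split())
        for iface, (pvlan, pname) in pfsense.items():
            if pname.lower() in words and pvlan != uvlan:
                out.append(f"{uname}: UniFi VLAN {uvlan} vs pfSense {pname} ({iface}) VLAN {pvlan}")
    return out


def references(network: str, ssids=SSID_NETWORKS, profiles=PORT_PROFILE_NETWORKS) -> List[str]:
    """Everything that still points at a UniFi network by name."""
    refs = [f"SSID {s}" for s, net in ssids.items() if net == network]
    refs += [f"port profile {p}" for p, net in profiles.items() if net == network]
    return refs


def safe_to_delete(network: str) -> bool:
    """Deletable only if nothing references it and pfSense has no matching VLAN."""
    return not references(network) and network in unmatched_in_pfsense()


if __name__ == "__main__":
    print("unmatched in pfSense:", unmatched_in_pfsense())
    for line in name_conflicts():
        print("conflict:", line)
    for net in UNIFI_NETWORKS:
        print(f"{net}: refs={references(net)} safe_to_delete={safe_to_delete(net)}")
```

Note that "999 - Test" also shows up as unmatched with the constructed pfSense list; that is a prompt to confirm whether GuruTestNet has a pfSense interface, not a verdict.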
See `migration/phase1-network.md` for full steps.