Howard's personal MSP client documentation folder imported into shared
ClaudeTools repo via /import command. Scope:
Clients (structured MSP docs under clients/<name>/docs/):
- anaise (NEW) - 13 files
- cascades-tucson - 47 files merged (existing had only reports/)
- dataforth - 18 files merged (alongside incident reports)
- instrumental-music-center - 14 files merged
- khalsa (NEW) - 22 files, multi-site (camden, river)
- kittle (NEW) - 16 files incl. fix-pdf-preview, gpo-intranet-zone
- lens-auto-brokerage (NEW) - 3 files (name matches SOPS vault)
- _client_template - 13-file scaffold for new clients
MSP tooling (projects/msp-tools/):
- msp-audit-scripts/ - server_audit.ps1, workstation_audit.ps1, README
- utilities/ - clean_printer_ports, win11_upgrade,
screenconnect-toolbox-commands
Credential handling:
- Extracted 1 inline password (Anaise DESKTOP-O8GF4SD / david)
to SOPS vault: clients/anaise/desktop-o8gf4sd.sops.yaml
- Redacted overview.md with vault reference pattern
- Scanned all 160 files for keys/tokens/connection strings -
no other credentials found
Skipped:
- Cascades/.claude/settings.local.json (per-machine config)
- Source-root CLAUDE.md (personal, claudetools has its own)
- scripts/server_audit.ps1 and workstation_audit.ps1 at source root
(identical duplicates of msp-audit-scripts versions)
Memory updates:
- reference_client_docs_structure.md (layout, conventions, active list)
- reference_msp_audit_scripts.md (locations, ScreenConnect 80-char rule)
Session log: session-logs/2026-04-16-howard-client-docs-import.md
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Phase 1: Network Migration — Move All Devices to INTERNAL VLAN 20
Goal: Consolidate all staff PCs and printers onto INTERNAL VLAN 20 (10.0.20.x / CSCNet WiFi). During migration, old permissive rules keep both networks talking. After migration, lock down with scoped rules.
Current State (as of 2026-03-09)
- Staff PCs: mix of CSCNet WiFi (INTERNAL, 10.0.20.x) and CSC ENT / wired (LAN, 192.168.x.x)
- Printers: all wired on LAN (192.168.x.x) except accounting assistant (10.0.20.220) and 206 nurse station (10.0.20.69)
- CS-SERVER: 192.168.2.254 (LAN) — stays on LAN
- Synology: 192.168.0.120 (LAN) — stays on LAN
- Old permissive rules (INTERNAL→LAN pass-all, floating rule #4) allow all traffic between networks
pfSense Aliases (created 2026-03-09)
| Alias | Type | Members | Status |
|---|---|---|---|
| Server_IPs | Host(s) | 192.168.2.254 | Created |
| NAS_IP | Host(s) | 192.168.0.120 | Created |
Built-in _private4_ alias (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) will be used instead of custom RFC1918.
Phase 1.1 — Guest VLAN DONE 2026-03-06
All completed:
- pfSense: VLAN 50, GUEST interface (10.0.50.1/24), DHCP scope (10.0.50.50–239)
- pfSense: 4 firewall rules (block LAN, block 10.x, block 172.x, pass internet)
- UniFi: Guest network created (VLAN 50, third-party gateway)
- UniFi: Guest SSID reassigned from Default to Guest network
- Onsite test needed: Verify guest gets 10.0.50.x IP, internet works, cannot reach 192.168.x.x or 10.0.20.x
Phase 1.2 — DNS forwarding DONE 2026-03-06
- pfSense domain overrides: cascades.local → 192.168.2.254, _msdcs.cascades.local → 192.168.2.254
- CS-SERVER DNS client: fixed to 127.0.0.1, 192.168.0.1
- Stale DNS records removed, correct records added
- Reverse lookup zones created (5 zones)
- DNS scavenging enabled (7-day)
- CS-SERVER DNS forwarder confirmed as 192.168.0.1
Phase 1.3 — Quick fixes MOSTLY DONE
- Room 218 DHCP range fixed — DONE 2026-03-07
- Room 130 stale rule deleted — DONE 2026-03-07
- CS-SERVER timezone fixed — DONE 2026-03-07
- UniFi: Delete unused VLAN 10 ("CSC Internal Network")
Phase 1.4 — Migrate Staff PCs to CSCNet (INTERNAL VLAN 20)
Do first — PCs are easy to move (just connect to CSCNet WiFi). No downtime, no re-IPing needed.
PCs Currently on LAN (need to move to CSCNet WiFi)
| PC | Current IP | User(s) | Priority | Notes |
|---|---|---|---|---|
| RECEPTIONIST-PC | 192.168.2.17 | CJ, Christina, Kyla, Tiffany | Medium | Front desk — high traffic |
| RECEPTIONIST-PC (2nd) | 192.168.3.187 | Receptionist | Low | Determine if still in use |
| ASSISTMAN-PC | 192.168.2.38 | Assistant Manager | Low | |
| ASSISTNURSE-PC | 192.168.2.153 | Assist Nurse | Low | |
| NURSESTATION-PC | 192.168.3.135 | Nurse Station | Low | |
| MEMRECEPT-PC | 192.168.3.41 | MemCare Reception | Low | |
| ANN-PC | 192.168.3.252 | Ann | Low | |
| MDIRECTOR-PC | 192.168.3.20 | Shelby Trozzi | Low | Win10 Home — needs Pro upgrade first for domain join |
| DESKTOP-LPOPV30 | 192.168.2.250 | Unknown | Low | |
| DESKTOP-U2DHAP0 | 192.168.3.37 | Unknown | Low | |
| DESKTOP-TRCIEJA | 192.168.3.93 | Unknown | Low | |
| DESKTOP-DLTAGOI | 192.168.3.133 | Unknown | Low | |
| DESKTOP-ROK7VNM | 192.168.3.148 | Unknown | Low | |
| DESKTOP-MD6UQI3 | 192.168.3.208 | Unknown | Low | |
PCs Already on INTERNAL (no action needed)
| PC | IP | User(s) |
|---|---|---|
| CRYSTAL-PC | 10.0.20.205 | Crystal Rodriguez |
| ACCT2-PC | 10.0.20.209 | Accounting |
| CHEF-PC | 10.0.20.232 | Chef/Kitchen |
| DESKTOP-H6QHRR7 | 10.0.20.235 | Unknown |
| DESKTOP-KQSL232 | 10.0.20.227 | Unknown |
| DESKTOP-VAVKCIM | 10.0.20.239 | Unknown |
Process for each PC (WiFi move)
- Connect PC to CSCNet WiFi (if not already)
- Forget/remove CSC ENT WiFi profile
- Verify PC gets 10.0.20.x IP
- Verify can reach CS-SERVER (ping 192.168.2.254)
- Verify can reach printers (still on LAN — works due to permissive rules)
- Verify internet works
Phase 1.5 — Migrate Printers to INTERNAL VLAN 20
Do after PCs — requires changing UniFi switch port VLAN, printers get new IPs, must update printer config on all PCs.
Printer Migration Order (least impact first)
| Order | Printer | Current IP | Switch Port | Users | Impact |
|---|---|---|---|---|---|
| 1 | Chef Brother | 192.168.3.88 | TBD | Chef | 1 user |
| 2 | Kitchen Manager Canon | 192.168.3.232 | TBD | Alyssa | 1 user |
| 3 | Meredith's Canon | 192.168.2.67 | TBD | Meredith | 1 user |
| 4 | MemCare Director Canon | 192.168.3.52 | TBD | Shelby | 1 user |
| 5 | MemCare MedTech Brother | 192.168.2.53 | TBD | MemCare MedTechs | Low |
| 6 | Room 103 Brother | 192.168.2.145 | TBD | Ashley, Christina | 2 users |
| 7 | Room 132 Canon | 192.168.3.211 | TBD | Sharon, Susan | 2 users |
| 8 | Room 217 Sales Brother | 192.168.3.44 | TBD | Sales team | ~4 users |
| 9 | Room 206 Bizhub | 192.168.1.138 | TBD | Health Services | Medium |
| 10 | Accounting Canon | 192.168.3.227 | TBD | Lauren | Accounting — careful |
| 11 | Front Desk Epson | 192.168.2.147 | TBD | 4 users | High traffic |
| 12 | Copy Room Canon | 192.168.2.230 | 1st Floor USW Port 45 | Everyone | LAST — highest impact |
Already on INTERNAL (no action needed)
| Printer | IP | Notes |
|---|---|---|
| Accounting Assistant Brother | 10.0.20.220 | Already on INTERNAL |
| 206 Nurse Station Brother | 10.0.20.69 | Fax only, already on INTERNAL |
MemCare Reception Epson — needs hardwire first, then assign to VLAN 20
Process for each printer
- Identify switch port in UniFi
- Change port VLAN/network to INTERNAL (VLAN 20)
- Printer gets new 10.0.20.x IP via DHCP
- Create DHCP reservation on pfSense for new IP
- Update printer IP on all user PCs that print to it
- Test print from each user
Phase 1.6 — Lock Down (AFTER all devices migrated)
Only do this after all PCs and printers are on INTERNAL VLAN 20.
Replace INTERNAL rules
Delete old "INTERNAL to LAN PASS" rule. Replace with:
| # | Action | Proto | Source | Dest | Ports | Description |
|---|---|---|---|---|---|---|
| 1 | PASS | TCP/UDP | INTERNAL net | Server_IPs | 53,88,135,389,445,464,636,3268,3269,5985,9389 | AD/DNS/SMB to DC |
| 2 | PASS | TCP | INTERNAL net | Server_IPs | 3389 | RDP to server |
| 3 | PASS | TCP | INTERNAL net | NAS_IP | 445,5000,5001 | Synology access |
| 4 | PASS | ICMP | INTERNAL net | LAN net | any | Ping diagnostics |
| 5 | BLOCK | IPv4 | INTERNAL net | private4 | any | Block other private (LOG) |
| 6 | PASS | IPv4 | INTERNAL net | any | any | Internet access |
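To sanity-check the rule order before committing it in pfSense, the table above can be modelled as a first-match list and exercised with representative flows from a migrated PC. This is an added example, not part of the migration plan; it assumes LAN net is 192.168.0.0/16, uses 203.0.113.10 as a constructed internet address, and also shows what leaks if the private4 BLOCK is placed below the internet PASS.

```python
import ipaddress
from collections import namedtuple
# Aliases from the plan. LAN net = 192.168.0.0/16 is an assumption for this illustration.
ALIASES = {
    "INTERNAL net": ["10.0.20.0/24"],
    "LAN net": ["192.168.0.0/16"],
    "Server_IPs": ["192.168.2.254/32"],
    "NAS_IP": ["192.168.0.120/32"],
    "private4": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
    "any": ["0.0.0.0/0"],
}
# proto: tcp, udp, tcp/udp, icmp, or ipv4 (any protocol); ports: dest ports or "any"
Rule = namedtuple("Rule", "action proto src dst ports desc")
# The six INTERNAL rules from the Phase 1.6 table, in table order.
INTERNAL_RULES = [
    Rule("PASS", "tcp/udp", "INTERNAL net", "Server_IPs",
         "53,88,135,389,445,464,636,3268,3269,5985,9389", "AD/DNS/SMB to DC"),
    Rule("PASS", "tcp", "INTERNAL net", "Server_IPs", "3389", "RDP to server"),
    Rule("PASS", "tcp", "INTERNAL net", "NAS_IP", "445,5000,5001", "Synology access"),
    Rule("PASS", "icmp", "INTERNAL net", "LAN net", "any", "Ping diagnostics"),
    Rule("BLOCK", "ipv4", "INTERNAL net", "private4", "any", "Block other private (LOG)"),
    Rule("PASS", "ipv4", "INTERNAL net", "any", "any", "Internet access"),
]
# Same rules with the private4 BLOCK placed after the internet PASS: a common ordering mistake.
MISORDERED = INTERNAL_RULES[:4] + [INTERNAL_RULES[5], INTERNAL_RULES[4]]

def _in_alias(alias, ip):
    return any(ipaddress.ip_address(ip) in ipaddress.ip_network(n) for n in ALIASES[alias])
def _matches(rule, src, dst, proto, dport):
    proto_ok = rule.proto == "ipv4" or proto in rule.proto.split("/")
    port_ok = rule.ports == "any" or str(dport) in rule.ports.split(",")
    return proto_ok and port_ok and _in_alias(rule.src, src) and _in_alias(rule.dst, dst)
def evaluate(rules, src, dst, proto, dport=None):
    """pfSense interface-tab rules are first-match; no match hits the implicit deny."""
    for rule in rules:
        if _matches(rule, src, dst, proto, dport):
            return rule.action, rule.desc
    return "BLOCK", "implicit default deny"
def audit(rules=INTERNAL_RULES):
    """Actions for flows from CRYSTAL-PC (10.0.20.205); 192.168.3.88 is the Chef Brother still on LAN."""
    flows = {
        "smb_to_dc": ("192.168.2.254", "tcp", 445),
        "rdp_to_nas": ("192.168.0.120", "tcp", 3389),
        "ping_lan_printer": ("192.168.3.88", "icmp", None),
        "print_lan_printer": ("192.168.3.88", "tcp", 9100),
        "https_internet": ("203.0.113.10", "tcp", 443),
    }
    return {name: evaluate(rules, "10.0.20.205", dst, proto, port)[0]
            for name, (dst, proto, port) in flows.items()}
```

With the rules in table order, port 9100 to a printer still on LAN is blocked, which is why this lock-down must wait until every printer has moved to VLAN 20.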
Disable floating rule #4
Replace with scoped room rule:
- PASS | ResidentsGroup | IPv4 | any → ! private4 | "Rooms internet only"
DISABLE only — don't delete. Rollback: re-enable.
Delete LAN rule #1
Remove "INTERNAL net to LAN net via WAN_Group" — no longer needed.
Retire CSC ENT SSID
After all devices confirmed on CSCNet, remove CSC ENT SSID from UniFi.
Rollback
- Re-enable floating rule #4
- Re-enable old INTERNAL→LAN pass rule
- Reconnect devices to CSC ENT if needed
- Restore pfSense XML backup (Diagnostics → Backup & Restore)