claudetools/clients/dataforth/docs/aoi-xp-vlan-backup-runbook.md
Howard Enos 8e14422a5f sync: auto-sync from HOWARD-HOME at 2026-06-01 13:46:39
Author: Howard Enos
Machine: HOWARD-HOME
Timestamp: 2026-06-01 13:46:39
2026-06-01 13:46:56 -07:00


Dataforth — AOI / XP Optical-Tester VLAN + Backup Runbook

Todo: 37543f7f · Requested by: Mike (relayed via Howard) · Started: 2026-06-01

Goal: Isolate the XP machine (which holds the AOI optical-inspection data) on its own VLAN, and give it, and only it, access to a new backup share on D2TESTNAS over SMB1.


>>> ACTUAL OUTCOME (2026-06-01) — this overrides the planned specifics below <<<

The plan below was drafted around a hypothetical new "VLAN 50". What was actually done:

  • VLAN: XP placed on the existing VLAN 2 "mydata" (the SMT line, 192.168.1.0/24), not a new VLAN. Moved D2-Breakroom switch port 12 to mydata. XP static IP 192.168.1.175, gw/DNS 192.168.1.1.
  • Share: \\192.168.0.9\aoibackup on D2TESTNAS — valid users = admin (password matches XP login), hosts allow = 192.168.1.175, browseable = no. DEPLOYED + verified (XP maps Z: r/w).
  • NAS hardening: test/datasheets/snapshots shares now hosts deny = 192.168.1.175; rsync(873) already excludes the XP. The XP can touch ONLY aoibackup on the NAS.
  • Credentials in vault: clients/dataforth/d2testnas.sops.yaml → credentials.smb.aoi-user(=admin) /.aoi-password/.aoi-share.
  • Firewall (UDM): Per Mike: "it's part of SMT, so it can see anything in SMT", so NO intra-SMT restriction. Optional, pending: block XP (.175) → company LAN 192.168.0.0/24 (except the NAS) + Internet.
  • D2TESTNAS confirmed Debian 13 / Samba 4.22.6 (repurposed Netgear ReadyNAS).

Read the section below as background/reference only; the specifics above are the source of truth.


The setup (as understood)

  • AOI machine = Automated Optical Inspection unit. Photographs circuit boards for production defects. Not a PC — it writes image data to an external drive attached to an XP machine.
  • XP machine = the actual target. Holds the AOI external drive. Windows XP → cannot do SMB2/3, must use SMB1.
  • Backup target = a new, locked-down share on D2TESTNAS (192.168.0.9). Only the XP may reach it.

Why D2TESTNAS (not a server)

D2TESTNAS already runs SMB1 globally for the 64 DOS 6.22 test stations (server min protocol = CORE, ntlm auth = ntlmv1-permitted). Pointing the XP box at it adds zero new SMB1 surface. Enabling SMB1 on AD1/AD2 (Server 2016/2022) would create fresh EternalBlue-class exposure on a domain controller — rejected. Security note in the todo: "minimize SMB1 exposure — scope it to just the required server/share."

Verified remotely (2026-06-01, before onsite)

| Item | Finding |
|---|---|
| D2TESTNAS OS | Debian 13 (trixie), kernel 6.12, Samba 4.22.6. (Wiki said CachyOS, vault said Netgear ReadyNAS; both stale. Was a Netgear, since repurposed. Corrected.) |
| SMB1 | Already enabled globally (CORE..SMB3, NTLMv1 permitted, WINS on, workgroup D2TESTING). |
| Existing shares | test, datasheets, snapshots: all guest/public, wide open. New AOI share will be the opposite: authenticated + host-locked. |
| SMB accounts | None (DOS shares are guest). Will create a dedicated aoi user. |
| Disk | /data = 512 G, 71 G free (87 % full). ⚠ Confirm AOI data size + retention before bulk copy. |
| NAS host firewall | None restrictive (only Tailscale nft rules). Isolation is enforced at the UDM; Samba hosts allow is defense-in-depth. |
| UDM SSH | Password auth rejected (publickey + keyboard-interactive only; 2FA push on). id_ed25519_udm key not on HOWARD-HOME, so UDM work is onsite via the UniFi UI, or add this machine's key first. |

ONSITE — collect these first

  1. XP hostname, current IP, and MAC address (ipconfig /all on the XP).
  2. Which switch + port the XP is patched into (for the VLAN port profile).
  3. XP login username (local or domain? has a password?) — needed for the scheduled-task run-as.
  4. AOI external drive letter + data path (e.g. E:\AOI_Data\...), rough size and growth rate.
  5. Existing VLANs — UniFi → Settings → Networks. Confirm proposed VLAN 50 / 192.168.50.0/24 is free (known in use: default 192.168.0.0/24, Voice VLAN 100 = 192.168.100.0/24, unused UDM voice 192.168.1.0/24, OpenVPN 192.168.6.0/24).

Step 1 — UDM: create the isolation VLAN (UniFi UI)

Settings → Networks → New Virtual Network:

  • Name: AOI-Isolated
  • VLAN ID: 50 (or next free)
  • Gateway/Subnet: 192.168.50.1/24
  • DHCP: enable, but give the XP a fixed IP — either DHCP reservation by MAC or set the XP static to 192.168.50.10 (fixed IP keeps the firewall rule simple). Proposed: 192.168.50.10.
  • DNS: not required for backup-by-IP. Leave gateway default.
  • Do NOT use the simple "Isolate Network" toggle — it's all-or-nothing and would also block the one flow we need. Use explicit firewall rules (Step 3) instead.

Step 2 — UDM: assign the XP's switch port to VLAN 50

UniFi → switch → the XP's port → set Native/Access VLAN = AOI-Isolated (50), tagged VLANs none. (Effectively an access port on VLAN 50.) Confirm the AOI machine itself does NOT share this port/run through the XP's NIC — if the AOI unit is daisy-chained behind the XP, flag it before changing the port.

Step 3 — UDM: firewall rules (order matters — allow before block)

Zone-based firewall (new UniFi OS) or LAN IN (classic). Source = AOI-Isolated (VLAN 50):

  1. ALLOW → dest host 192.168.0.9, TCP 445 + TCP 139 → Accept. (XP maps by IP; Windows tries 445 first, then 139. Add UDP 137 only if NetBIOS name resolution is needed.)
  2. DROP → dest 192.168.0.0/24 (rest of LAN) → Drop
  3. DROP → dest 192.168.100.0/24 (voice) and any other internal VLANs → Drop
  4. DROP → Internet/WAN (an XP box should not reach the internet) → Drop (If the AOI/XP needs NTP or a license server, add a narrow allow above this.)
  • Return traffic (established/related) is handled automatically by UniFi.

Step 4 — D2TESTNAS: create the locked-down share

Run remotely (Claude can apply once XP IP is known) or onsite via SSH root@192.168.0.9. Substitute the XP's VLAN IP for 192.168.50.10:

# 0. keep a copy of the working config before touching it
cp -a /etc/samba/smb.conf /etc/samba/smb.conf.bak-$(date +%F)

# 1. dedicated samba user (NOT a Linux login shell). Created first so the
#    backup dir can be owned by it and Samba never has to act as root.
useradd -M -s /usr/sbin/nologin aoi 2>/dev/null || true
smbpasswd -a aoi        # set a strong password -> store in vault clients/dataforth/d2testnas.sops.yaml
smbpasswd -e aoi

# 2. backup dir, owned by the share user; 0770 gives "other" nothing
mkdir -p /data/aoi-backup
chown aoi:aoi /data/aoi-backup
chmod 0770 /data/aoi-backup

# 3. append share stanza to /etc/samba/smb.conf
#    (no "force user = root": files land as aoi, which owns the dir)
cat >> /etc/samba/smb.conf <<'EOF'

[aoibackup]
    path = /data/aoi-backup
    comment = AOI Optical Tester Backup (XP only)
    browseable = no
    writable = yes
    guest ok = no
    public = no
    valid users = aoi
    create mask = 0660
    directory mask = 0770
    hosts allow = 192.168.50.10
    hosts deny = ALL
EOF

# 4. validate, then reload only if testparm is happy (it exits 1 on a bad config)
testparm -s && systemctl reload smbd

Notes:

  • browseable = no only hides the share from listings; valid users = aoi and hosts allow = <XP IP> are the two independent gates, and both must pass.
  • hosts allow is a source-IP check, nothing more: any host that ends up on the same segment with the XP's address (or spoofs it while the XP is off) clears that gate, so the account password is the gate that carries the weight. Keep it strong.
  • Global ntlm auth = ntlmv1-permitted already lets the XP authenticate over SMB1, so no global change is needed.
  • Store the aoi password in vault: clients/dataforth/d2testnas.sops.yaml → credentials.smb.aoi.
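The intended end state has several moving parts (the share stanza, the hosts deny added to the other shares in the outcome section) that are easy to get half right. The checker below is an added example, not part of the runbook and not a Samba tool: it parses smb.conf text and reports every share that breaks the policy. The XP address is the final 192.168.1.175 from the outcome section; the two sample configs at the bottom are constructed for illustration and are not copies of the D2TESTNAS config.

```python
"""Lint an smb.conf against the [aoibackup] rules (Step 4) and the outcome-section
hardening (every other share must deny the XP). Added example, not a Samba tool."""
import re

XP_IP = "192.168.1.175"          # final XP address (outcome section)
BACKUP_SHARE = "aoibackup"
SPECIAL_SECTIONS = {"global", "homes", "printers", "print$"}


def parse_smb_conf(text):
    """Return {section: {key: value}} for Samba's ini-like format.
    Keys are lower-cased with internal whitespace collapsed; ';' and '#' start
    comments; a later duplicate key overrides an earlier one, as in Samba."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            section = m.group(1).strip().lower()
            conf.setdefault(section, {})
            continue
        if section is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[section][" ".join(key.lower().split())] = value.strip()
    return conf


def _is_no(value):
    return str(value).strip().lower() in ("no", "false", "0")


def _hosts(value):
    """Split a 'hosts allow' / 'hosts deny' value (comma or space separated)."""
    return {h.lower() for h in value.replace(",", " ").split()} if value else set()


def lint(text, xp_ip=XP_IP, backup=BACKUP_SHARE):
    """Return a list of findings; an empty list means the config matches the policy."""
    conf = parse_smb_conf(text)
    findings = []
    share = conf.get(backup)
    if share is None:
        return [f"[{backup}] share is missing"]
    if not _is_no(share.get("guest ok", share.get("public", "no"))):
        findings.append(f"[{backup}] allows guest access")
    if not _is_no(share.get("browseable", share.get("browsable", "yes"))):
        findings.append(f"[{backup}] is browseable")
    if not share.get("valid users"):
        findings.append(f"[{backup}] has no 'valid users' gate")
    if _hosts(share.get("hosts allow")) != {xp_ip}:
        findings.append(f"[{backup}] 'hosts allow' is not exactly {xp_ip}")
    if share.get("force user", "").lower() == "root":
        findings.append(f"[{backup}] runs file operations as root (force user = root)")
    # Outcome-section rule: the XP may touch ONLY aoibackup, so every other
    # share must list it in hosts deny (or deny everyone).
    for name, opts in conf.items():
        if name in SPECIAL_SECTIONS or name == backup:
            continue
        denied = _hosts(opts.get("hosts deny"))
        if xp_ip not in denied and "all" not in denied:
            findings.append(f"[{name}] does not deny {xp_ip}")
    return findings


# Constructed sample: the intended end state.
COMPLIANT = """
[global]
   workgroup = D2TESTING
   server min protocol = CORE
   ntlm auth = ntlmv1-permitted
[datasheets]
   path = /data/datasheets
   guest ok = yes
   hosts deny = 192.168.1.175
[aoibackup]
   path = /data/aoi-backup
   browseable = no
   writable = yes
   guest ok = no
   valid users = admin
   hosts allow = 192.168.1.175
   hosts deny = ALL
"""

# Constructed sample: what a hurried edit can leave behind (four findings).
WEAK = """
[global]
   workgroup = D2TESTING
[test]
   path = /data/test
   guest ok = yes
   hosts deny = 192.168.1.175
[datasheets]
   path = /data/datasheets
   guest ok = yes
[aoibackup]
   path = /data/aoi-backup
   browseable = no
   guest ok = yes
   valid users = admin
   force user = root
   hosts allow = 192.168.1.0/24
"""

if __name__ == "__main__":
    for finding in lint(WEAK):
        print("FAIL", finding)
```

Run it against the live file with `lint(open("/etc/samba/smb.conf").read())` after `testparm -s` passes; it reads the same key spellings Samba accepts, but it does not evaluate `include =` or `config file =` directives, so a NAS that splits its config across files needs the pieces concatenated first.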

Step 5 — XP: map the drive + scheduled backup

XP has no robocopy (it ships with Vista and later). Use net use + xcopy (incremental via /D). On the XP:

net use Z: \\192.168.0.9\aoibackup <aoi-password> /user:aoi /persistent:yes
xcopy "E:\AOI_Data\*" "Z:\" /D /E /C /I /H /R /Y

(Replace E:\AOI_Data with the real AOI external-drive path. /D with no date copies only files whose source copy is newer than the one already on Z:, which is what makes the run incremental. /C keeps going past a single unreadable file instead of aborting the whole run, so compare the "n File(s) copied" summary with what you expect.)

Schedule it (XP Task Scheduler or schtasks), e.g. daily off-shift. Two XP-specific caveats: /ST takes HH:MM:SS on XP (the HH:MM form is Vista and later), and XP's default local security policy limits accounts with a blank password to console logon, so the task will not start under a blank-password account (which is why onsite item 3 asks whether the XP login has one):

schtasks /Create /TN "AOI Backup" /TR "C:\Scripts\aoi-backup.bat" /SC DAILY /ST 23:00:00 /RU <xp-user>

Put the two commands above in C:\Scripts\aoi-backup.bat. That file carries the share password in clear text, so restrict its NTFS ACL to the run-as user and Administrators, and never let it get copied onto Z:.

Step 6 — Verify

  • From the XP: net use shows Z: connected; create a test file on Z:, confirm it lands in /data/aoi-backup on the NAS.
  • From a different LAN host: confirm \\192.168.0.9\aoibackup is denied (host-locked).
  • Confirm the XP cannot ping/reach other LAN hosts (e.g. ping 192.168.0.27 fails) and has no internet.
  • Run the scheduled task once manually; confirm files copy.
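Step 3 says order matters and Step 4 calls hosts allow defense-in-depth; the model below lets you check both claims on paper before touching the UDM. It is an added example, not code from the runbook, UniFi or Samba: a first-match evaluator over the four Step 3 rules with the two Samba gates behind it, run against the Step 6 verification cases. It uses the draft addressing (VLAN 50, XP = 192.168.50.10, NAS = 192.168.0.9) and assumes the default when no rule matches is allow, which is UniFi's inter-VLAN default.

```python
"""Model the layered policy (Step 3 UDM rules + Step 4 Samba gates) and run the
Step 6 verification cases against it offline. Added example, not UniFi/Samba code."""
import ipaddress as ipa

NAS = ipa.ip_address("192.168.0.9")
XP = ipa.ip_address("192.168.50.10")           # draft VLAN 50 address
AOI_VLAN = ipa.ip_network("192.168.50.0/24")
ANYWHERE = ipa.ip_network("0.0.0.0/0")

# Step 3 rules for Source = AOI-Isolated, in the order the runbook lists them:
# (action, destination network, allowed TCP ports, or None for any port)
STEP3_RULES = [
    ("allow", ipa.ip_network("192.168.0.9/32"), {445, 139}),  # 1. SMB to the NAS only
    ("drop", ipa.ip_network("192.168.0.0/24"), None),         # 2. rest of company LAN
    ("drop", ipa.ip_network("192.168.100.0/24"), None),       # 3. voice VLAN
    ("drop", ANYWHERE, None),                                 # 4. Internet / anything else
]
# The mistake Step 3 warns about: the LAN drop placed ahead of the NAS allow.
MISORDERED_RULES = [STEP3_RULES[1], STEP3_RULES[0]] + STEP3_RULES[2:]

# Step 4 Samba gates on [aoibackup]
HOSTS_ALLOW = {XP}
VALID_USERS = {"aoi"}


def _ip(addr):
    return ipa.ip_address(str(addr))


def firewall(rules, src, dst, port):
    """First matching rule wins. Traffic not sourced from the AOI VLAN is not
    subject to this rule set (Source = AOI-Isolated) and passes untouched."""
    src, dst = _ip(src), _ip(dst)
    if src not in AOI_VLAN:
        return "allow"
    for action, net, ports in rules:
        if dst in net and (ports is None or port in ports):
            return action
    return "allow"  # assumed default when nothing matches (UniFi inter-VLAN default)


def samba_gate(src, user, authenticated):
    """Return 'ok' or the name of the Samba gate that refused the client."""
    if _ip(src) not in HOSTS_ALLOW:
        return "hosts allow"        # refused before any credential is examined
    if user not in VALID_USERS or not authenticated:
        return "valid users"
    return "ok"


def reaches_share(rules, src, user="aoi", authenticated=True, port=445):
    """Full path from a client to [aoibackup]: UDM rule, host gate, then user gate."""
    if firewall(rules, src, NAS, port) != "allow":
        return "dropped by firewall"
    return samba_gate(src, user, authenticated)


def step6_checks(rules=STEP3_RULES):
    """The Step 6 verification list as {case: modelled outcome}."""
    return {
        "xp -> aoibackup":            reaches_share(rules, XP),
        "xp wrong user -> aoibackup": reaches_share(rules, XP, user="guest", authenticated=False),
        "lan host -> aoibackup":      reaches_share(rules, "192.168.0.27"),
        "xp -> nas ssh":              firewall(rules, XP, NAS, 22),
        "xp -> other lan host":       firewall(rules, XP, "192.168.0.27", 445),
        "xp -> voice vlan":           firewall(rules, XP, "192.168.100.5", 5060),
        "xp -> internet":             firewall(rules, XP, "8.8.8.8", 443),
    }


if __name__ == "__main__":
    for case, result in step6_checks().items():
        print(f"{case:28} {result}")
    print("misordered rules, xp -> aoibackup:", reaches_share(MISORDERED_RULES, XP))
```

The "lan host -> aoibackup" case is the defense-in-depth point: the Step 3 rules never see that traffic (its source is not the AOI VLAN), so the only thing standing between any other LAN host and the share is Samba's hosts allow, which is why the runbook keeps it even though the UDM does the real isolation. Swapping the first two rules turns "xp -> aoibackup" into "dropped by firewall" without changing anything else, which is the ordering failure to look for if the Step 6 mapping test fails.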

Step 7 — Document

  • Update wiki/clients/dataforth.md: add XP/AOI to workstation inventory, new VLAN 50 row, the aoibackup share, firewall ACL, and correct D2TESTNAS OS (Debian 13). Add Active Work + History entries.
  • Correct the vault os: field on clients/dataforth/d2testnas.sops.yaml (Netgear ReadyNAS → Debian 13).
  • Close todo 37543f7f; update coord component clients/dataforth.

Open questions for Mike / to resolve onsite

  • AOI data size + growth vs. 71 G free — full mirror or incremental+retention? Prune policy?
  • Is the AOI unit networked separately, or only ever via the XP's external drive? (Affects whether anything else needs VLAN 50 access.)
  • Does the XP need any other LAN/internet flow to function (license, time, AOI vendor)? Default: none.