claudetools/clients/dataforth/session-logs/2026-06-01-aoi-xp-vlan-share.md
Howard Enos 6f65d45131 sync: auto-sync from HOWARD-HOME at 2026-06-01 13:56:23
Author: Howard Enos
Machine: HOWARD-HOME
Timestamp: 2026-06-01 13:56:23
2026-06-01 13:56:34 -07:00

Dataforth — AOI / XP Optical-Tester VLAN + SMB1 Backup Share

Date: 2026-06-01
Todo: 37543f7f (still OPEN — network isolation incomplete)
Mode: infra

User

  • User: Howard Enos (howard)
  • Machine: Howard-Home
  • Role: tech

Objective

Mike's request (relayed via Howard): the AOI machine (Automated Optical Inspection — photographs circuit boards for SMT production defects) dumps data to an external drive on a Windows XP PC. Isolate that XP PC on a VLAN and give it — and only it — a backup share on D2TESTNAS. XP is SMB1-only, so the target must speak SMB1; do not enable SMB1 on any modern server (security).

What got done

Backup share on D2TESTNAS (192.168.0.9) — COMPLETE

  • D2TESTNAS verified to be Debian 13 (trixie), Samba 4.22.6 (it was a Netgear ReadyNAS, since repurposed; wiki said CachyOS and vault said Netgear — both were stale, both corrected).
  • SMB1 already enabled globally for the 64 DOS 6.22 stations (server min protocol = CORE, ntlm auth = ntlmv1-permitted), so the XP needed no new SMB1 surface — just a new share.
  • Created /data/aoi-backup + share [aoibackup]:
    • valid users = admin, hosts allow = 192.168.1.175, hosts deny = 0.0.0.0/0, browseable = no, force user = root, writable.
    • Samba account admin / password matches the XP's local login (set by Howard, per user request).
    • Credentials stored in vault: clients/dataforth/d2testnas.sops.yaml → credentials.smb.aoi-user (= admin) and .aoi-password. (Password is weak — acceptable only because the share is IP-locked + the account is shell-less and NAS-only. Revisit if the box ever leaves the segment.)
  • Verified: XP mapped Z: \\192.168.0.9\aoibackup successfully (read/write works).

Lateral-movement hardening on the NAS — COMPLETE

  • The NAS's other shares (test, datasheets, snapshots) are wide-open guest, writable. The XP can reach the NAS, so it could also have written into the DOS test share → potential virus jump to the 64 DOS stations.
  • Added hosts deny = 192.168.1.175 to test, datasheets, snapshots. Blocks only the XP; DOS stations (192.168.0.x) unaffected. rsync daemon (873) already excludes the XP (hosts allow = 192.168.0.0/24 172.16.0.0/12).
  • Net effect on the NAS: the XP can touch only aoibackup, and only the XP can write aoibackup. Containment is bidirectional at the NAS layer.
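The containment claim above rests on how smbd orders "hosts allow" against "hosts deny". The following is an added example, not part of this session log and not Samba's own code: it replays the D2TESTNAS share settings recorded above through Samba's precedence order (an allow-list match wins, then a deny-list match blocks, otherwise allowed) so the "XP touches only aoibackup, DOS stations unaffected" statement can be checked mechanically. The share entries are constructed from the log, the helper names are hypothetical, and DOS_STATION is a constructed sample address.

```python
"""Model of Samba's per-share "hosts allow" / "hosts deny" evaluation.

Added example, not part of the session log and not Samba's own code. Share
entries are constructed from the log; helper names are hypothetical;
DOS_STATION is a constructed sample address.
"""
import ipaddress

XP = "192.168.1.175"          # AOI PC, VLAN 2 "mydata" (from the log)
DOS_STATION = "192.168.0.41"  # constructed sample: one of the DOS 6.22 stations

# Only the host-restriction parameters matter for this check.
SHARES = {
    "aoibackup":  {"hosts allow": ["192.168.1.175"], "hosts deny": ["0.0.0.0/0"]},
    "test":       {"hosts deny": ["192.168.1.175"]},
    "datasheets": {"hosts deny": ["192.168.1.175"]},
    "snapshots":  {"hosts deny": ["192.168.1.175"]},
}


def entry_matches(entry: str, client_ip: str) -> bool:
    """One token of a hosts allow/deny list against a client address.

    Handles the address forms used in smb.conf: bare IP, CIDR (a.b.c.d/n),
    IP/netmask, the trailing-dot prefix form (192.168.0.) and ALL.
    Host names and EXCEPT clauses are not modelled.
    """
    entry = entry.strip()
    if entry.upper() == "ALL":
        return True
    if entry.endswith("."):
        return client_ip.startswith(entry)
    if "/" in entry:
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(entry, strict=False)
    return ipaddress.ip_address(client_ip) == ipaddress.ip_address(entry)


def list_matches(entries, client_ip: str) -> bool:
    return any(entry_matches(e, client_ip) for e in entries)


def samba_allows(share: dict, client_ip: str) -> bool:
    """Samba's precedence order for hosts allow / hosts deny.

    - neither list set: everyone is allowed
    - only hosts allow: the client must be on it
    - only hosts deny:  the client must not be on it
    - both: an allow match wins, then a deny match blocks, else allowed
    (smbd additionally always admits 127.0.0.1 unless it is explicitly
    denied; that special case is left out here.)
    """
    allow = share.get("hosts allow", [])
    deny = share.get("hosts deny", [])
    if not allow and not deny:
        return True
    if not deny:
        return list_matches(allow, client_ip)
    if not allow:
        return not list_matches(deny, client_ip)
    if list_matches(allow, client_ip):
        return True
    if list_matches(deny, client_ip):
        return False
    return True


def reachable_shares(client_ip: str, shares=SHARES) -> list:
    """Sorted names of the shares this client may connect to."""
    return sorted(name for name, cfg in shares.items() if samba_allows(cfg, client_ip))


if __name__ == "__main__":
    for host in (XP, DOS_STATION):
        print(f"{host:15} -> {reachable_shares(host)}")
```

Against the live box the same check is available from Samba itself: testparm accepts a hostname and IP after the config path (e.g. testparm -s /etc/samba/smb.conf WinXPBE-724667 192.168.1.175) and prints an Allow/Deny line per share, which is the quickest way to confirm the deny on test/datasheets/snapshots without mapping drives from the XP. Note that with an allow list alone Samba already rejects everyone else, so the hosts deny = 0.0.0.0/0 on aoibackup is belt-and-braces rather than load-bearing.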

VLAN — PARTIAL

  • Decision changed mid-session: instead of a new isolated VLAN 50, the XP was placed on the existing VLAN 2 "mydata" (192.168.1.0/24). Howard moved D2-Breakroom switch port 12 to mydata and rebooted; XP now at 192.168.1.175 (static, DNS = gateway 192.168.1.1).

Network isolation — Mike's decision (2026-06-01)

Howard asked Mike about adding firewall rules. Mike: "It's part of SMT, so it can see anything in SMT as far as I'm concerned." → The AOI PC is a full SMT-VLAN citizen; do NOT restrict it within mydata/SMT. This also removes the risk of breaking the other SMT devices with VLAN-wide rules.

Observed before the decision: from the XP, ping 192.168.0.27 (AD1) succeeded → mydata has open inter-VLAN routing to the main LAN. Mike's call covers SMT-internal exposure but does not explicitly bless the XP reaching the company core (192.168.0.0/24 servers) or the internet.

Recommended (optional) hardening — scoped to the XP only, does NOT touch any other SMT device:

  1. ALLOW 192.168.1.175 → 192.168.0.9 TCP 445,139 (the backup path)
  2. BLOCK 192.168.1.175 → 192.168.0.0/24 (company servers/workstations) — keeps an EOL XP off the domain controllers while leaving all of SMT open per Mike
  3. BLOCK 192.168.1.175 → Internet/WAN (EOL box shouldn't browse) (DNS still works — pointed at gateway 192.168.1.1, intra-VLAN.)

These are take-or-leave; if Mike wants zero restrictions, skip them. They will NOT affect goldstar19 / DESKTOP-FT0T4MK / My9-PC / the SMT machines, since they target only 192.168.1.175.

Why scope to the XP, not the VLAN — mydata is the live SMT line

VLAN 2 "mydata" is the SMT production network, not a spare. Active devices:

| Switch / Port | Device | MAC | Role |
|---|---|---|---|
| D2-Breakroom 12 | WinXPBE-724667 | …0f:17 | AOI PC (XP) 192.168.1.175 |
| D2-SMT 1 | (unnamed) | 00:90:fb:80:f0:c6 | SMT equipment (industrial) |
| D2-SMT 2 | goldstar19 | …68:9a | PC |
| D2-SMT 3 | (unnamed) | 00:80:79:05:23:f2 | SMT equipment |
| D2-SMT 5 | DESKTOP-FT0T4MK | …b6:ee | Windows desktop (GbE) |
| D2-SMT 7 | (unnamed) | 00:80:79:04:47:e7 | SMT equipment |
| D2-SMT 8 | My9-PC | …75:e0 | PC |
| D2-SMT 4 / SFP+1 / SFP+2 | empty | | |

A blanket mydata→LAN block could break the SMT PCs' access to servers (Sage, file shares) and the SMT machines' data flows. Hence: scope firewall rules to 192.168.1.175 only, and discuss broader SMT segmentation with Mike before touching VLAN-wide policy.
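The three recommended rules and the "scope to the XP, not the VLAN" reasoning above both come down to a first-match walk over an ordered ACL, which is easy to get wrong because the NAS lives inside the very /24 that rule 2 blocks. The following is an added example, not part of this session log and not UniFi/UDM tooling: it encodes the proposed rules plus the allow-everything default mydata routes with today, walks them in order the way a gateway ACL does, and re-runs the verification steps from "Open / Next" (ping to AD1 must fail, SMB to the NAS must still work, other SMT hosts untouched). It also shows what happens if rule 1 is installed below rule 2. SITE_NETS (what counts as "not WAN") is an assumption built from the subnets named in the log; the SMT-PC and internet addresses used in the checks are constructed samples.

```python
"""First-match walk of the XP-scoped firewall rules proposed above.

Added example, not from the session log and not UniFi/UDM tooling. SITE_NETS
is an assumption; 192.168.1.60 and 203.0.113.10 are constructed samples.
"""
import ipaddress
from dataclasses import dataclass

XP = "192.168.1.175"   # AOI PC
NAS = "192.168.0.9"    # D2TESTNAS
AD1 = "192.168.0.27"   # domain controller the XP could ping before any rules
SMT_VLAN = "192.168.1.0/24"   # VLAN 2 "mydata"
# Assumption: anything outside these ranges is treated as Internet/WAN.
SITE_NETS = ["192.168.0.0/24", "192.168.1.0/24", "172.16.0.0/12"]


@dataclass(frozen=True)
class Rule:
    action: str                       # "allow" or "block"
    src: str                          # IP or CIDR
    dst: str                          # IP, CIDR, or the token "WAN"
    proto: str = "any"                # "tcp", "udp", "icmp" or "any"
    dports: frozenset = frozenset()   # empty means any destination port


def in_net(ip: str, net: str) -> bool:
    return ipaddress.ip_address(ip) in ipaddress.ip_network(net, strict=False)


def dst_matches(rule_dst: str, ip: str) -> bool:
    if rule_dst == "WAN":
        return not any(in_net(ip, n) for n in SITE_NETS)
    return in_net(ip, rule_dst)


def rule_matches(rule: Rule, src: str, dst: str, proto: str, dport) -> bool:
    return (in_net(src, rule.src)
            and dst_matches(rule.dst, dst)
            and (rule.proto == "any" or rule.proto == proto)
            and (not rule.dports or dport in rule.dports))


# The three recommended rules, in the order they must be installed.
PROPOSED = [
    Rule("allow", XP, NAS, "tcp", frozenset({445, 139})),   # 1: backup path
    Rule("block", XP, "192.168.0.0/24"),                    # 2: company LAN
    Rule("block", XP, "WAN"),                               # 3: internet
]


def decide(src: str, dst: str, proto: str = "any", dport=None, rules=PROPOSED):
    """Return (verdict, reason) for one flow.

    Traffic between two hosts on the same VLAN is switched, not routed, so it
    never reaches the gateway's ACL; that is why DNS to 192.168.1.1 survives.
    """
    if in_net(src, SMT_VLAN) and in_net(dst, SMT_VLAN):
        return "allow", "intra-VLAN (switched, never hits the gateway ACL)"
    for n, rule in enumerate(rules, 1):
        if rule_matches(rule, src, dst, proto, dport):
            return rule.action, f"rule {n}"
    return "allow", "default (mydata currently routes to the LAN freely)"


def backup_path_intact(rules) -> bool:
    """The one thing the rules must not break: SMB from the XP to the NAS."""
    return decide(XP, NAS, "tcp", 445, rules)[0] == "allow"


if __name__ == "__main__":
    print("ping AD1            :", decide(XP, AD1, "icmp"))
    print("SMB to NAS          :", decide(XP, NAS, "tcp", 445))
    print("rsync to NAS        :", decide(XP, NAS, "tcp", 873))
    print("DNS to gateway      :", decide(XP, "192.168.1.1", "udp", 53))
    print("HTTPS to internet   :", decide(XP, "203.0.113.10", "tcp", 443))  # constructed sample
    print("other SMT PC -> AD1 :", decide("192.168.1.60", AD1, "icmp"))      # constructed sample
    swapped = [PROPOSED[1], PROPOSED[0], PROPOSED[2]]
    print("backup OK, proposed order:", backup_path_intact(PROPOSED))
    print("backup OK, block first   :", backup_path_intact(swapped))
```

Two things the walk makes visible: the allow for 445/139 has to sit above the /24 block or the backup path dies (the swapped order returns a block from what is then rule 1), and every rule carries the XP's /32 as source, so a host such as goldstar19 falls straight through to the default and is unaffected. If the rules are installed on the UDM, enabling logging on rule 2 is worth the few lines it costs: any hit means the EOL box is trying to reach the company LAN, which is exactly the event worth noticing.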

Vault changes

  • clients/dataforth/d2testnas.sops.yaml:
    • os corrected → "Debian 13 (trixie), Samba 4.22.6 — repurposed from Netgear ReadyNAS"
    • added credentials.smb.aoi-user = admin, credentials.smb.aoi-password, credentials.smb.aoi-share

Open / Next

  1. DONE — Mike consulted. Decision: XP stays open within SMT (no intra-SMT firewall rules).
  2. Optional, Howard/Mike to decide: apply the 2 protective rules that don't affect SMT — block 192.168.1.175 → 192.168.0.0/24 (except the NAS) and → Internet. If approved, add on UDM, then verify ping 192.168.0.27 FAILs while net use Z: \\192.168.0.9\aoibackup still WORKs.
  3. Confirm the share deny worked: net use Q: \\192.168.0.9\test should be DENIED (the earlier test used T:, which was already mapped — inconclusive).
  4. Samba verbose auth logging lowered back to log level = 1 on D2TESTNAS (done this session).
  5. Todo 37543f7f: core ask (VLAN placement + locked XP-only SMB1 share) COMPLETE. Left open only pending the optional company-LAN/internet hardening decision; close once decided.

Billing

  • Syncro ticket #32361 (Dataforth Corp) created + invoiced. 1.0 hr onsite (26118 @ $175) drawn from the prepaid block (40.0 -> 39.0). Invoice #67754 = $0.00 (prepaid applied). Customer-visible "Work Performed" note added. https://computerguru.syncromsp.com/tickets/111892822
  • Todos 37543f7f + follow-up b52cc87e both closed (Mike waved off the optional company-LAN/internet hardening — "it's part of SMT, so it can see anything in SMT").

Reference

  • Runbook: clients/dataforth/docs/aoi-xp-vlan-backup-runbook.md
  • D2TESTNAS smb.conf backups: /etc/samba/smb.conf.bak.* (timestamped, per change)