---
project:
  name: UniFi Live Drift Table
  status: planning
  category: infrastructure
  source: homelabagentroot
  created: 2026-03-17
  updated: 2026-03-17
  description: Drift table comparing live UniFi observations to authoritative host repo and catalog intent
  goals:
    - Identify address and zone drift for infrastructure hosts
    - Separate intentional split-plane designs from accidental placement
    - Provide a decision aid before firewall cleanup execution
  priority: high
  tags: [unifi, drift, hosts, planning, audit]
---

# UniFi Live Drift Table

## Summary

This table compares live UniFi observations from 2026-03-17 with the latest pulled host repos and homelab catalogs.

| Host / Asset | Authoritative Intent | Live UniFi Observation | Drift Level | Decision Needed |
|--------------|----------------------|------------------------|-------------|-----------------|
| `ubuntu` | `192.168.50.61`, primary Docker/app edge | host now routes and serves from `192.168.50.61`; UniFi currently reports the MAC on another VLAN-side address | Low | Refresh controller/client state so UniFi reflects the completed host-side removal |
| `grizzley` | `192.168.50.84`, edge ingress/control node | host now routes from `192.168.50.84`; UniFi may still show stale/disconnected Wi-Fi history for `192.168.10.145` | Low | Confirm whether any residual Wi-Fi client state ages out cleanly |
| `ice` | `192.168.50.197`, control-plane host | host now routes from `192.168.50.197`; UniFi may still show stale/disconnected Wi-Fi history for `192.168.10.178` | Low | Confirm residual Wi-Fi client state ages out cleanly |
| `proxmox` | `192.168.50.11`, infra-only hypervisor | `192.168.50.11`; legacy `192.168.1.11` removed | Low | Keep monitoring hosted service paths |
| `truenas` | `192.168.50.12`, storage-only host | `192.168.50.12`; default route prefers `192.168.50.1` | Low | Keep monitoring storage-path behavior |
| `panda` app plane | `192.168.30.196` | `192.168.30.196` | Low | Keep |
| `panda` admin plane | `192.168.50.196` SSH endpoint | not shown in current client list | Low | Keep and validate by access test, not client inventory alone |
| `traefik-lxc` | `192.168.50.115` | not queried directly in client output | Medium | Validate server-segment reachability and access scope |
| `alpine-adguard` | `192.168.50.157` | not queried directly in client output | Medium | Validate DNS/admin access scope |

## Staged-Cutover Notes

- `grizzley` Wi-Fi path now has a staged reservation for `192.168.10.145`
- `ice` now has staged reservations for both `192.168.10.178` and `192.168.50.197`
- `homeassistant` now has an active staged reservation for `192.168.30.196`
- `ubuntu` and `proxmox` were corrected by switching to the legacy fixed-IP update format accepted by the classic UniFi endpoint
- `truenas` conflict was traced to a second NIC record that had reserved `192.168.1.145`; that stale fixed-IP reservation has been cleared, while the active primary reservation at `192.168.1.12` remains valid
- `truenas` host egress now prefers `192.168.50.1`, and the legacy `192.168.1.12` address has been removed
- `grizzley` and `ice` Wi-Fi reservations were cleared after host-side Wi-Fi removal, but UniFi may still report the disconnected records until controller state refreshes
- `ubuntu` host-side removal of `192.168.1.61` is complete, but UniFi currently reports the MAC on another VLAN-side address, which appears to be a controller observation artifact for a multi-VLAN host
- staging-side host addresses were removed from `truenas`, `grizzley`, and `ice`, and the two explicit staging firewall policies were disabled

## Interpretation

- High drift means live UniFi placement materially conflicts with the intended trust boundary in the authoritative repos.
- Medium drift means the placement may be legitimate, but it still needs explicit documentation and tighter firewall policy.
- Low drift means the live state matches the intended design closely enough for now.
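The three drift levels above can be applied mechanically as a first pass over a host catalog and a live client export, leaving only the judgement calls for review. The following is an added example, not part of this planning document or of any UniFi tooling; the segment-role mapping, the `Observation` record shape, the documented-exception list and the sample inventory are all constructed assumptions, and the `proxmox` row deliberately shows the pre-cleanup state with `192.168.1.11` still connected so that a High result appears.

```python
import ipaddress
from collections import namedtuple
# Segment roles are an assumption based on how this drift table uses each range.
SEGMENT_ROLES = {
    ipaddress.ip_network("192.168.50.0/24"): "infra",
    ipaddress.ip_network("192.168.30.0/24"): "iot-service",
    ipaddress.ip_network("192.168.10.0/24"): "user",
    ipaddress.ip_network("192.168.1.0/24"): "legacy",
    ipaddress.ip_network("192.168.40.0/24"): "staging",
}
# An infra host observed live on any of these roles crosses a trust boundary: High.
TRUST_VIOLATING = {"user", "legacy", "staging"}
# One UniFi client record: address plus whether the controller shows it connected.
Observation = namedtuple("Observation", "addr connected")

def segment_role(addr):
    ip = ipaddress.ip_address(addr)
    for net, role in SEGMENT_ROLES.items():
        if ip in net:
            return role
    return "unknown"

def classify(intent_addr, observations, documented_exceptions=()):
    """Map one host's records onto Low/Medium/High; disconnected records are stale and ignored."""
    live = {o.addr for o in observations if o.connected}
    if not live:
        return "Medium", "not in client inventory; validate by access test"
    if intent_addr not in live:
        return "High", "intended address not observed live"
    extra = live - {intent_addr}
    violating = {segment_role(a) for a in extra} & TRUST_VIOLATING
    if violating:
        return "High", "live placement crosses trust boundary: " + ", ".join(sorted(violating))
    undocumented = extra - set(documented_exceptions)
    if undocumented:
        return "Medium", "undocumented secondary plane: " + ", ".join(sorted(undocumented))
    return "Low", "matches intent"

def drift_table(catalog, live, exceptions):
    # Hosts missing from the live export are classified as unseen, not skipped.
    return {h: classify(a, live.get(h, []), exceptions.get(h, ())) for h, a in catalog.items()}

# Constructed sample data; proxmox is deliberately shown in its pre-cleanup state.
CATALOG = {"grizzley": "192.168.50.84", "panda": "192.168.30.196",
           "traefik-lxc": "192.168.50.115", "proxmox": "192.168.50.11"}
LIVE = {
    "grizzley": [Observation("192.168.50.84", True), Observation("192.168.10.145", False)],
    "panda": [Observation("192.168.30.196", True), Observation("192.168.50.196", True)],
    "proxmox": [Observation("192.168.50.11", True), Observation("192.168.1.11", True)],
}
EXCEPTIONS = {"panda": ("192.168.50.196",)}
```

`drift_table(CATALOG, LIVE, EXCEPTIONS)` returns a level and reason per host; the `panda` admin plane stays Low only because it is listed as a documented exception, which is the split-plane pattern the table treats as the model for recording intentional placements.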
## Most Important Drift Items

1. `ubuntu` carries your primary public and internal app edge, so its current `Default`-side visibility has the biggest security impact.
2. `proxmox` and `truenas` should not sit in a broadly reachable user or legacy management segment unless there is a deliberate operational reason.
3. `grizzley` and `ice` appearing on `Family of D.` weakens the intended separation between user devices and infrastructure nodes.
4. `panda` is the cleanest example of an intentional split-plane design and can be used as a model for how to document exceptions.

## Remaining 192.168.30.x Assessment

- `ubuntu`, `proxmox`, `grizzley`, and `ice` still expose `192.168.30.x` addresses
- Those addresses were retained intentionally in this cleanup wave because they are more likely to back IoT-side service access than the removed legacy `192.168.1.x` or staging `192.168.40.x` paths
- Removing them should be a per-service maintenance task, not a bulk cleanup operation