hermes-ice/homelab/docs/unifi-execution-plan.md
Hermes Agent e4d91aadf9 Initial commit: homelab infrastructure wiki
- Full Obsidian vault content
- Host configs (ice, grizzley, ubuntu, proxmox, truenas, panda, hyte)
- Media stack documentation
- Traefik HA setup
- Automation scripts
- Bachelor party planning
2026-05-24 16:08:40 -07:00

---
name: UniFi Execution Plan
status: active
category: infrastructure
source: homelabagentroot
created: 2026-03-17
updated: 2026-03-17
description: Exact staged UniFi zone and firewall change plan derived from current live state and authoritative host repos
goals:
  - Apply the minimum set of high-value zone and policy changes safely
  - Preserve application reachability while tightening security boundaries
  - Provide an execution sequence that supports rollback and verification
priority: high
tags:
  - unifi
  - firewall
  - zones
  - execution
  - planning
---

UniFi Execution Plan

Current Status

Implemented on 2026-03-17:

  • Family of D. moved from Management to Internal
  • Management reduced to Default only
  • New Internal allow rules created for Servers (80/443), IoT, and Staging
  • Logging enabled on selected user-defined edge and VPN policies
  • Staged DHCP reservations enabled for grizzley, ice, and homeassistant
  • First host-side migration step completed for truenas: default gateway moved from 192.168.1.1 to 192.168.50.1
  • proxmox default gateway moved from 192.168.1.1 to 192.168.50.1
  • ubuntu default gateway moved from 192.168.1.1 to 192.168.50.1
  • proxmox legacy 192.168.1.11 address removed from vmbr0
  • ubuntu legacy 192.168.1.61 address removed from enp6s18
  • truenas legacy 192.168.1.12 address removed from enp6s17
  • grizzley Wi-Fi config removed
  • ice Wi-Fi config removed
  • staging-side 192.168.40.x addresses removed from truenas, grizzley, and ice

Still pending:

  • later interface cleanup for legacy truenas, proxmox, and ubuntu addresses that still remain active
  • later interface cleanup for staging-side addresses that still remain active on truenas, grizzley, and ice
  • cleanup of stale UniFi controller observations for the removed Ubuntu legacy address
  • cleanup of stale or lagging UniFi controller observations for removed Wi-Fi paths on grizzley and ice
  • decide whether remaining infrastructure-side 192.168.30.x addresses should persist long-term
  • deny-rule logging expansion
  • public HTTP exposure review
  • duplicate-rule cleanup and broader rule tightening
  • maintenance-window execution of the one-host-at-a-time migration runbook

Reservation Update Notes

The UniFi controller accepted staged reservation updates for:

  • grizzley -> 192.168.10.145
  • ice Wi-Fi -> 192.168.10.178
  • ice wired -> 192.168.50.197
  • homeassistant -> 192.168.30.196
  • ubuntu -> 192.168.1.61
  • proxmox -> 192.168.1.11

The active truenas reservation at 192.168.1.12 remains valid.

Follow-up changes:

  • The stale secondary TrueNAS fixed-IP reservation at 192.168.1.145 has been cleared; the remaining task is to decide how many live TrueNAS interfaces should persist long-term
  • Wi-Fi reservations for grizzley and ice were cleared after host-side Wi-Fi removal
  • Staging access rules were disabled after staging-side host addresses were removed

Scope

This plan focuses on the first safe wave of changes:

  • restore Management as an infrastructure-only trust boundary
  • keep Internal for trusted user devices only
  • preserve Guest internet-only access
  • preserve IoT with narrow app exceptions
  • maintain Servers as the homelab application segment
  • treat Vpn as explicit least-privilege remote access

Phase 1: Zone Corrections

  1. Remove Family of D. from Management
  2. Ensure Family of D. is mapped to Internal
  3. Keep Default in Management
  4. Keep Production in Servers
  5. Keep Will of D. IoT in IoT
  6. Keep Will of D. (Guest) in Guest
  7. Keep UGC WireGuard in Vpn unless there is a deliberate reason to merge admin semantics elsewhere

Phase 2: Logging Improvements

  1. Enable logging on edge-facing allow rules:
    • External -> Web Proxy
    • External -> HTTPS
    • External -> HTTP if retained
  2. Enable logging on key deny rules:
    • Guest -> Internal
    • Guest -> Servers
    • IoT -> Internal
    • IoT -> Management
  3. Enable logging on sensitive admin rules:
    • Vpn -> Management
    • Vpn -> Servers

Phase 3: Rule Tightening

  1. Review and narrow broad Internal -> Servers rules to app ports only
  2. Review and narrow broad IoT -> Servers rules to explicit media and automation ports only
  3. Review Vpn -> Management and reduce to the smallest needed host/port set
  4. Remove duplicate return-path rules once stateful behavior is confirmed
  5. Remove or disable HTTP exposure if no longer required for redirect or certificate workflows
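A pre-apply lint that checks a rule set against the Phase 2 logging requirements and the Phase 3 tightening items (broad any-port allows, any-port return paths, duplicates). This is an added example, not code from the homelab repo; the rule format is a constructed simplification, not the UniFi export schema, and the sample rules are constructed to mirror the zones on this page.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    src: str              # source zone
    dst: str              # destination zone
    action: str           # "allow" or "deny"
    ports: tuple          # destination ports; () means any port
    logging: bool = False
    name: str = ""

# Constructed sample rule set (assumption: zone names match this page's zones).
RULES = [
    Rule("External", "Servers", "allow", (443,), True, "External -> HTTPS"),
    Rule("External", "Servers", "allow", (80,), False, "External -> HTTP"),
    Rule("Internal", "Servers", "allow", (80, 443), False, "Internal -> Servers"),
    Rule("IoT", "Servers", "allow", (), False, "IoT -> Servers (broad)"),
    Rule("Guest", "Internal", "deny", (), False, "Guest -> Internal"),
    Rule("IoT", "Management", "deny", (), True, "IoT -> Management"),
    Rule("Servers", "Internal", "allow", (), False, "Servers -> Internal (return path)"),
    Rule("Servers", "Internal", "allow", (), False, "Servers -> Internal (return path dup)"),
]

EDGE = "External"
# Phase 2.2: deny rules that must log.
MUST_LOG_DENY = {("Guest", "Internal"), ("Guest", "Servers"), ("IoT", "Internal"), ("IoT", "Management")}
# Phase 3.1-3.3: zone pairs whose allows must name explicit ports.
NARROW = {("Internal", "Servers"), ("IoT", "Servers"), ("Vpn", "Management")}

def lint(rules):
    """Return (rule name, finding) pairs; an empty list means the set is clean."""
    findings = []
    seen = {}
    forward = {(r.src, r.dst) for r in rules if r.action == "allow"}
    for r in rules:
        if r.src == EDGE and r.action == "allow" and not r.logging:
            findings.append((r.name, "edge allow without logging"))
        if r.action == "deny" and (r.src, r.dst) in MUST_LOG_DENY and not r.logging:
            findings.append((r.name, "key deny without logging"))
        if r.action == "allow" and (r.src, r.dst) in NARROW and not r.ports:
            findings.append((r.name, "allow on any port; narrow to app ports"))
        # Phase 3.4: an any-port allow in the reverse direction of another allow
        # is a hand-written return path that a stateful firewall makes redundant.
        if r.action == "allow" and not r.ports and (r.dst, r.src) in forward:
            findings.append((r.name, "any-port return path; redundant once stateful"))
        key = (r.src, r.dst, r.action, r.ports)
        if key in seen:
            findings.append((r.name, f"duplicate of '{seen[key]}'"))
        else:
            seen[key] = r.name
    return findings
```

Run it against an export before and after each wave; an empty result for the sample set is only reached once the HTTP edge rule logs, the IoT allow names ports, and the two return-path rules are gone.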

Phase 4: Host Placement Follow-Through

  1. Normalize infrastructure hosts to their intended addresses where possible
  2. Keep split-plane exceptions documented explicitly, such as panda
  3. Revisit firewall rules after host addressing settles so the final policy set matches reality

Verification Checklist

  • Management clients can reach infrastructure admin interfaces
  • Internal clients can reach approved apps over HTTPS
  • Guest clients have internet access only
  • IoT clients can reach only approved services such as Jellyfin, Traefik, and Home Assistant where required
  • VPN clients retain the minimum access needed for admin work
  • Public apps remain reachable through the intended hardened edge
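A per-zone reachability check for this checklist, run from one client host in each zone after a change. This is an added example, not part of the original page or the repo; the expectation matrix is constructed, and it assumes Traefik/HTTPS answers on ice wired (192.168.50.197:443) and Home Assistant on 192.168.30.196:8123, which the page does not state.

```python
import socket
import sys

# Constructed expectation matrix: zone -> [(host, port, expected)].
# Rows for Management and Vpn are added the same way once their hosts are fixed.
MATRIX = {
    "Internal": [("192.168.50.197", 443, "open"), ("192.168.30.196", 8123, "open")],
    "Guest":    [("192.168.50.197", 443, "closed"), ("192.168.30.196", 8123, "closed")],
    "IoT":      [("192.168.50.197", 443, "open"), ("192.168.30.196", 8123, "open")],
}

def probe(host, port, timeout=2.0):
    """TCP connect probe. Refused, dropped and timed-out connections all count as
    'closed': the probe cannot tell a firewall drop from a service that is down."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except OSError:
        return "closed"

def judge(expected, observed):
    return "PASS" if expected == observed else "FAIL"

def run_zone(zone, probe_fn=probe):
    """Probe every target in the zone's row; probe_fn is injectable for offline tests."""
    rows = []
    for host, port, expected in MATRIX[zone]:
        observed = probe_fn(host, port)
        rows.append((host, port, expected, observed, judge(expected, observed)))
    return rows

def failures(rows):
    return [r for r in rows if r[4] == "FAIL"]

if __name__ == "__main__":
    zone = sys.argv[1] if len(sys.argv) > 1 else "Internal"
    rows = run_zone(zone)
    for row in rows:
        print(zone, *row)
    sys.exit(1 if failures(rows) else 0)
```

Verify the "open" rows from an allowed zone before trusting any "closed" result, otherwise a stopped service is indistinguishable from a working deny.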

Rollback Principles

  • export before each major edit
  • change one zone or rule set at a time
  • verify from at least one host in each affected zone
  • keep a saved copy of previous zone membership and rule ordering