TopherMayor/hermes-ice
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
e4d91aadf968847e84a84f31c806d8f408ac4488
hermes-ice/homelab/docs/unifi-execution-plan.md
Hermes Agent e4d91aadf9 Initial commit: homelab infrastructure wiki 
- Full Obsidian vault content
- Host configs (ice, grizzley, ubuntu, proxmox, truenas, panda, hyte)
- Media stack documentation
- Traefik HA setup
- Automation scripts
- Bachelor party planning
2026-05-24 16:08:40 -07:00

135 lines
5.4 KiB
Markdown
Raw Blame History

---
project:
name: UniFi Execution Plan
status: active
category: infrastructure
source: homelabagentroot
created: 2026-03-17
updated: 2026-03-17
description: Exact staged UniFi zone and firewall change plan derived from current live state and authoritative host repos
goals:
- Apply the minimum set of high-value zone and policy changes safely
- Preserve application reachability while tightening security boundaries
- Provide an execution sequence that supports rollback and verification
priority: high
tags: [unifi, firewall, zones, execution, planning]
---
# UniFi Execution Plan
## Current Status
Implemented on 2026-03-17:
- `Family of D.` moved from `Management` to `Internal`
- `Management` reduced to `Default` only
- New `Internal` allow rules created for `Servers` (`80/443`), `IoT`, and `Staging`
- Logging enabled on selected user-defined edge and VPN policies
- Staged DHCP reservations enabled for `grizzley`, `ice`, and `homeassistant`
- First host-side migration step completed for `truenas`: default gateway moved from `192.168.1.1` to `192.168.50.1`
- `proxmox` default gateway moved from `192.168.1.1` to `192.168.50.1`
- `ubuntu` default gateway moved from `192.168.1.1` to `192.168.50.1`
- `proxmox` legacy `192.168.1.11` address removed from `vmbr0`
- `ubuntu` legacy `192.168.1.61` address removed from `enp6s18`
- `truenas` legacy `192.168.1.12` address removed from `enp6s17`
- `grizzley` Wi-Fi config removed
- `ice` Wi-Fi config removed
- staging-side `192.168.40.x` addresses removed from `truenas`, `grizzley`, and `ice`
Still pending:
- later interface cleanup for legacy `truenas`, `proxmox`, and `ubuntu` addresses that still remain active
- later interface cleanup for staging-side addresses that still remain active on `truenas`, `grizzley`, and `ice`
- cleanup of stale UniFi controller observations for the removed Ubuntu legacy address
- cleanup of stale or lagging UniFi controller observations for removed Wi-Fi paths on `grizzley` and `ice`
- decide whether remaining infrastructure-side `192.168.30.x` addresses should persist long-term
- deny-rule logging expansion
- public `HTTP` exposure review
- duplicate-rule cleanup and broader rule tightening
- maintenance-window execution of the one-host-at-a-time migration runbook
## Reservation Update Notes
The UniFi controller accepted staged reservation updates for:
- `grizzley` -> `192.168.10.145`
- `ice` Wi-Fi -> `192.168.10.178`
- `ice` wired -> `192.168.50.197`
- `homeassistant` -> `192.168.30.196`
- `ubuntu` -> `192.168.1.61`
- `proxmox` -> `192.168.1.11`
The active `truenas` reservation at `192.168.1.12` remains valid.
Follow-up change:
- the stale secondary TrueNAS fixed-IP reservation at `192.168.1.145` has been cleared; the remaining task is to decide how many live TrueNAS interfaces should persist long-term
- Wi-Fi reservations for `grizzley` and `ice` were cleared after host-side Wi-Fi removal
- Staging access rules were disabled after staging-side host addresses were removed
## Scope
This plan focuses on the first safe wave of changes:
- restore `Management` as an infrastructure-only trust boundary
- keep `Internal` for trusted user devices only
- preserve `Guest` internet-only access
- preserve `IoT` with narrow app exceptions
- maintain `Servers` as the homelab application segment
- treat `Vpn` as explicit least-privilege remote access
## Phase 1: Zone Corrections
1. Remove `Family of D.` from `Management`
2. Ensure `Family of D.` is mapped to `Internal`
3. Keep `Default` in `Management`
4. Keep `Production` in `Servers`
5. Keep `Will of D. IoT` in `IoT`
6. Keep `Will of D. (Guest)` in `Guest`
7. Keep `UGC WireGuard` in `Vpn` unless there is a deliberate reason to merge admin semantics elsewhere
## Phase 2: Logging Improvements
1. Enable logging on edge-facing allow rules:
- `External -> Web Proxy`
- `External -> HTTPS`
- `External -> HTTP` if retained
2. Enable logging on key deny rules:
- `Guest -> Internal`
- `Guest -> Servers`
- `IoT -> Internal`
- `IoT -> Management`
3. Enable logging on sensitive admin rules:
- `Vpn -> Management`
- `Vpn -> Servers`
## Phase 3: Rule Tightening
1. Review and narrow broad `Internal -> Servers` rules to app ports only
2. Review and narrow broad `IoT -> Servers` rules to explicit media and automation ports only
3. Review `Vpn -> Management` and reduce to the smallest needed host/port set
4. Remove duplicate return-path rules once stateful behavior is confirmed
5. Remove or disable `HTTP` exposure if no longer required for redirect or certificate workflows
## Phase 4: Host Placement Follow-Through
1. Normalize infrastructure hosts to their intended addresses where possible
2. Keep split-plane exceptions documented explicitly, such as `panda`
3. Revisit firewall rules after host addressing settles so the final policy set matches reality
## Verification Checklist
- `Management` clients can reach infrastructure admin interfaces
- `Internal` clients can reach approved apps over `HTTPS`
- `Guest` clients have internet access only
- `IoT` clients can reach only approved services such as Jellyfin, Traefik, and Home Assistant where required
- VPN clients retain the minimum access needed for admin work
- Public apps remain reachable through the intended hardened edge
## Rollback Principles
- export before each major edit
- change one zone or rule set at a time
- verify from at least one host in each affected zone
- keep a saved copy of previous zone membership and rule ordering
Reference in New Issue View Git Blame Copy Permalink