
Phase 7R — ZBF remediation (owner decisions)

Date: 2026-06-18
Context: Phase 7R audit questionnaire + HA API evidence (§0.3).

Apply policies before existing BLOCK rules in each zone pair. After changes, re-test HA integrations, AirPlay, and printing from Personal WiFi.

Phase 7R outcome (2026-06-18)

| Item | Status |
|---|---|
| SLZB-06M / HA → IoT | ✅ Settled after Allow HA → IoT zone |
| Samsung printer | ✅ Personal → printer allow (reordered above block) |
| HomePod AirPlay | Still broken — confirm Allow Personal → IoT Action = Allow |
| Fiio AirPlay | ⏸ Low priority — same VLAN; see device-vlan-mapping.md |
| Aqara hub / TP-Link moves | ⏸ Owner follow-up |

Next cohort: AdGuard deploy, DNS cutover, backup-client — not HomePod/Fiio tuning.


Owner decisions

| ID | Decision |
|---|---|
| Q3.1 | B — 192.168.6.227 → IoT zone only (HA IP, not all of Servers) |
| Q3.1b | B — Move TP-Link plugs to IoT or Appliances WiFi and re-pair |
| Q3.2 | Yes — AirPlay / casting from Personal to IoT |
| Q3.3 | Not intentional — add Personal → IoT VLAN 5 (see Q3.3 explained) |
| Q3.4 | Yes — IoT → 192.168.6.17:53 when AdGuard is live (defer) |
| Q2.1 | Printer stays GenPop .167; Aqara → IoT; OnePlus → Personal (done) |

Q2.1 — GenPop device placement

| IP | Device | Decision |
|---|---|---|
| 192.168.1.167 | Samsung printer | Stay on GenPop — print from Personal devices; GenPop → Servers already allowed for scan-to-server / NAS features |
| 192.168.1.82 | Aqara Hub M2 | Move to IoT WiFi (HotSignalsInYourArea) |
| 192.168.1.218 | OnePlus 8 Pro | Personal VLAN 2 — was guest SSID for testing; owner moved back |

Printer firewall gap: Personal → GenPop is blocked today. GenPop → Servers is already allowed — no rule needed for “send to Servers.” Add Policy 3 so phones and laptops on Personal can reach the printer. Optional Policy 4 if HA IPP integration should work.


Q3.3 explained

UniFi groups Appliances (VLAN 3) and IoT (VLAN 5) into one IoT zone. You already had Personal → Appliances ALLOW but not Personal → IoT (VLAN 5). HomePod / Apple TV live on VLAN 5 — discovery worked, streaming did not.


UDM click-through (apply policies 1–4)

Prerequisite: UniFi Network 9.x+, gateway on 4.1+ (you are on 10.5.43). Optional: Settings → System → Backup before changes.

Open the zone matrix

  1. Open UniFi Network (https://192.168.1.1 or unifi.ui.com).
  2. Select your UDM SE site.
  3. Go to Settings (gear, bottom-left).
  4. Security → Policy Engine (or Zone-Based Firewall / Zones).
  5. Open the Zone Matrix (grid: source zones on the left, destination across the top).

Policies are evaluated top to bottom within each zone pair. New Allow rules must sit above Block inter-VLAN / default deny for that pair.


Policy 1 — Home Assistant → IoT zone

Goal: HA at 192.168.6.227 reaches SLZB, Aqara (after WiFi move), TP-Link (on IoT/Appliances), doorbell repeater — without opening all of Servers VLAN.

  1. In the matrix, click Internal → IoT (source Internal, destination IoT).
  2. Create Policy (or + / Add rule).
  3. Set fields:
| Field | Value |
|---|---|
| Name | Allow HA → IoT zone |
| Action | Allow |
| Source zone | Internal |
| Source | IP address: 192.168.6.227 |
| Destination zone | IoT |
| Destination | Any (all networks in IoT zone: Appliances + IoT) |
| Protocol | All / Any |
  4. Save / Apply changes.
  5. If the UI offers Move up / drag reorder, place this above any Block rule for Internal → IoT.

Policy 2 — Personal → IoT (AirPlay)

Goal: Phone on Personal WiFi can stream to HomePod / Apple TV on IoT VLAN 5.

  1. Click Internal → IoT again (same cell as Policy 1).
  2. Create Policy.
  3. Set fields:
| Field | Value |
|---|---|
| Name | Allow Personal → IoT |
| Action | Allow |
| Source zone | Internal |
| Source | Network: Personal Devices (VLAN 2) |
| Destination zone | IoT |
| Destination | Network: IoT (VLAN 5) |
| Protocol | All / Any |
  4. Save / Apply.
  5. Order: Allow rules above Block for Internal → IoT.

Policy 3 — Personal → Samsung printer (GenPop)

Goal: Print from laptops/phones on Personal to printer at 192.168.1.167 on GenPop. Narrow destination = printer IP only (guests on GenPop stay isolated).

  1. Click Internal → Internal (both sides Internal zone).
  2. Create Policy.
  3. Set fields:
| Field | Value |
|---|---|
| Name | Allow Personal → Samsung printer |
| Action | Allow |
| Source zone | Internal |
| Source | Network: Personal Devices (VLAN 2) |
| Destination zone | Internal |
| Destination | IP address: 192.168.1.167 |
| Protocol | All / Any |
  4. Save / Apply.
  5. Place above Block inter-VLAN (Internal) (policy index 10004 in your live config).

Already works without a new rule: GenPop → Servers (existing allow) covers the printer initiating traffic to NAS / print server on Servers VLAN.


Policy 4 — Home Assistant → Samsung printer (optional)

Goal: Fix HA ipp / syncthru integrations for the Samsung (currently setup_retry in §0.3). Skip if you do not use the printer in HA.

  1. Click Internal → Internal.
  2. Create Policy:
| Field | Value |
|---|---|
| Name | Allow HA → Samsung printer |
| Action | Allow |
| Source zone | Internal |
| Source | IP address: 192.168.6.227 |
| Destination zone | Internal |
| Destination | IP address: 192.168.1.167 |
| Protocol | All / Any |
  3. Save / Apply — above Block inter-VLAN.

Apply to gateway

  1. Click Apply changes if the UI shows pending updates.
  2. Wait ~30–60 seconds.

When creating each policy, double-check Action = Allow before saving. The Name field alone does not set allow vs block.

Reference only: rule evaluation order (not a click checklist). UniFi evaluates rules top-to-bottom. Allow rules must sit above **Block inter-VLAN**. See [Troubleshooting](#troubleshooting) if traffic still fails.

WiFi moves (no firewall change)

Aqara Hub M2 (192.168.1.82 → IoT)

  1. Settings → WiFi → confirm HotSignalsInYourArea (IoT, VLAN 5) is enabled.
  2. Factory reset or use Aqara app to change WiFi on the hub → join HotSignalsInYourArea.
  3. Expect new IP on 192.168.7.0/24 (reserve .81 in DHCP if desired).
  4. In HA: remove stale Aqara-Hub-M2-7E74 entry if stuck; re-add via HomeKit or Aqara after hub is on IoT (Policy 1 lets HA reach it).

TP-Link plugs (GenPop → IoT / Appliances)

Move each plug from GenPop to IoT or Appliances SSID; re-pair in Kasa / HA.

| Plug | Old IP | Target SSID |
|---|---|---|
| ProxBox EP10 | 192.168.1.248 | IoT or Appliances |
| MotoPlug EP10 | 192.168.1.107 | IoT or Appliances |
| Living Room Lamp EP10 | 192.168.1.39 | IoT or Appliances |

Troubleshooting

Printer allow rule exists but PC still cannot print (2026-06-18)

Live API pull after Action was fixed to Allow:

| Index | Rule | Action | Hits |
|---|---|---|---|
| 10004 | Block inter-VLAN | BLOCK | 8 |
| 10005 | Allow Personal → Samsung printer | ALLOW | 527k+ |
| 10002 | Allow Personal → IoT | BLOCK | 8k+ |

Root cause: UniFi evaluates rules top → bottom by index. Block inter-VLAN (10004) runs before Allow Personal → Samsung printer (10005). New sessions from 192.168.3.17 → 192.168.1.167 hit the block rule first and never reach the printer allow.

The high hit count on 10005 is misleading — it does not mean printing works.

Fix — reorder (Internal → Internal):

  1. Settings → Security → Policy Engine → Zone Matrix
  2. Click Internal → Internal
  3. Move up (or drag) Allow Personal → Samsung printer so it sits above Block inter-VLAN — directly under Allow Personal → Servers is fine.
  4. Same for Allow HA → Samsung printer if you use HA printing.
  5. Apply changes → wait 30–60 s.

Target order (user rules only):

```text
Allow Management → All
Allow GenPop → Servers
Allow Personal → Servers
Allow Personal → Samsung printer    ← must be HERE
Allow HA → Samsung printer          ← optional, same band
Drop invalid state
Block inter-VLAN                    ← after all allows
```

Also still wrong: Allow Personal → IoT — Action is Block (10002, 8k+ hits). Change to Allow; destination Network: IoT (VLAN 5) (not Block + Any). Same index band is fine once Action flips — no reorder needed in Internal→IoT.

Fiio R7 (separate issue): At 192.168.3.44 on Personal VLAN 2 — same VLAN as KrustyKrab phones. ZBF Personal → IoT does not apply. UniFi shows Fiio last on The LAN Before Time SSID name; phone is on KrustyKrab. Fix WiFi/mDNS on Personal, not IoT firewall — see AirPlay: Fiio on Personal.
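The three points this section makes (first match wins by index, so an allow below Block inter-VLAN is dead; a rule named "Allow …" with Action = Block still blocks; same-VLAN traffic such as phone → Fiio never reaches the zone firewall at all) can be checked mechanically against a rule dump. The following Python is an added example, not UniFi code and not the page's `ha-pull.py` audit script. Rule names, actions and the HA / printer addresses are taken from this runbook; the /24 prefix assumed for each VLAN, the sample PC and guest addresses, and the reduced rule lists (Management → All and Drop invalid state are left out) are assumptions for illustration. Real policies also match on zone, port and protocol, which this toy ignores.

```python
"""First-match simulator for a zone-based firewall rule list (added example).

Assumptions (not from the page): each VLAN is a /24 consistent with the
addresses the runbook quotes; matching is on source/destination IPv4 only.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

# Assumed /24 per VLAN; the hosts named on the page fall inside these.
VLANS = {
    "GenPop": ip_network("192.168.1.0/24"),     # Samsung printer .167
    "Personal": ip_network("192.168.3.0/24"),   # VLAN 2, iPhone .169, PC .17
    "Servers": ip_network("192.168.6.0/24"),    # Home Assistant .227
    "IoT": ip_network("192.168.7.0/24"),        # VLAN 5, HomePod .124
}
ANY = ip_network("0.0.0.0/0")
PRINTER = ip_network("192.168.1.167/32")
HA = ip_network("192.168.6.227/32")


@dataclass(frozen=True)
class Rule:
    name: str
    action: str        # "ALLOW" or "BLOCK"; the Name field carries no meaning
    src: IPv4Network
    dst: IPv4Network


def evaluate(rules, src_ip, dst_ip, default="BLOCK"):
    """Verdict for a new session src_ip -> dst_ip; list order == index order.

    Returns (verdict, rule_name). Traffic that stays inside one VLAN is
    switched, never routed, so the gateway firewall does not see it (the
    Fiio R7 case above); that is reported as 'SAME_VLAN'.
    """
    s, d = ip_address(src_ip), ip_address(dst_ip)
    for net in VLANS.values():
        if s in net and d in net:
            return "SAME_VLAN", None
    for r in rules:
        if s in r.src and d in r.dst:
            return r.action, r.name      # first match wins
    return default, None


def misnamed_rules(rules):
    """Rules whose Name says Allow/Block but whose Action says otherwise."""
    bad = []
    for r in rules:
        word = r.name.split()[0].upper()
        if word in ("ALLOW", "BLOCK") and word != r.action:
            bad.append(r.name)
    return bad


def shadowed_allows(rules):
    """Allow rules sitting below a broader Block that would match first."""
    out = []
    for i, r in enumerate(rules):
        if r.action != "ALLOW":
            continue
        for earlier in rules[:i]:
            if (earlier.action == "BLOCK" and r.src.subnet_of(earlier.src)
                    and r.dst.subnet_of(earlier.dst)):
                out.append((r.name, earlier.name))
                break
    return out


# Internal -> Internal as the page's live pull showed it (2026-06-18):
# Block inter-VLAN (index 10004) above the printer allow (index 10005).
LIVE_INTERNAL = [
    Rule("Allow Personal → Servers", "ALLOW", VLANS["Personal"], VLANS["Servers"]),
    Rule("Block inter-VLAN", "BLOCK", ANY, ANY),
    Rule("Allow Personal → Samsung printer", "ALLOW", VLANS["Personal"], PRINTER),
]

# The page's target order (subset): every allow above Block inter-VLAN.
TARGET_INTERNAL = [
    Rule("Allow GenPop → Servers", "ALLOW", VLANS["GenPop"], VLANS["Servers"]),
    Rule("Allow Personal → Servers", "ALLOW", VLANS["Personal"], VLANS["Servers"]),
    Rule("Allow Personal → Samsung printer", "ALLOW", VLANS["Personal"], PRINTER),
    Rule("Allow HA → Samsung printer", "ALLOW", HA, PRINTER),
    Rule("Block inter-VLAN", "BLOCK", ANY, ANY),
]

# Internal -> IoT as found live: named Allow, Action actually Block (10002).
LIVE_IOT = [Rule("Allow Personal → IoT", "BLOCK", VLANS["Personal"], VLANS["IoT"])]

if __name__ == "__main__":
    pc, printer, guest = "192.168.3.17", "192.168.1.167", "192.168.1.50"  # guest: assumed
    print("live   PC→printer :", evaluate(LIVE_INTERNAL, pc, printer))
    print("target PC→printer :", evaluate(TARGET_INTERNAL, pc, printer))
    print("guest→Personal PC :", evaluate(TARGET_INTERNAL, guest, pc))
    print("phone→Fiio        :", evaluate(TARGET_INTERNAL, "192.168.3.169", "192.168.3.44"))
    print("shadowed allows   :", shadowed_allows(LIVE_INTERNAL))
    print("misnamed rules    :", misnamed_rules(LIVE_IOT))
```

`shadowed_allows` is the check to run after every reorder: an empty list for a zone pair means no allow is hidden behind a broader block. `misnamed_rules` catches the Action = Block mistake on a rule named "Allow …" regardless of where it sits, which hit counts alone will not reveal.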


HA / IoT

```sh
# From infra-services (WSL SSH)
ping -c2 192.168.7.132
```

In HA: Settings → Devices & services → reload SLZB-06M / smlight.

AirPlay: HomePod / Apple TV (IoT VLAN 5)

Symptom: iPhone on KrustyKrab sees targets sometimes but cannot stream.

Live cause (2026-06-18): Allow Personal → IoT Action = Block, 8k+ hits.

  1. Settings → Security → Policy Engine → Zone Matrix → Internal → IoT
  2. Open Allow Personal → IoT
  3. Action → Allow
  4. Source: Personal Devices (VLAN 2)
  5. Destination: Network → IoT (VLAN 5) — not “Any” if the UI offers IoT network
  6. Apply changes

Verify: iPhone .169 on KrustyKrab → AirPlay to HomePod 192.168.7.124.

HomePod is on IoT VLAN 5 (may still show old SSID name in UniFi; IP matters).


AirPlay: Fiio R7 (same VLAN)

Symptom: Phone on KrustyKrab cannot AirPlay to Fiio.

Live cause: Fiio is 192.168.3.44 on Personal VLAN 2, same subnet family as the phone. Not blocked by Personal → IoT (that rule is for VLAN 5 only).

| Device | IP | VLAN | SSID (UniFi) |
|---|---|---|---|
| iPhone | 192.168.3.169 | 2 | IsThisTheKrustyKrab |
| Fiio R7 | 192.168.3.44 | 2 | The LAN Before Time (stale or wrong SSID) |

Fix (WiFi / iOS, not firewall): Owner keeps Fiio on LAN Before Time with Personal network override — see device-vlan-mapping.md. Optional: iOS Local Network for Music; multicast enhancement on KrustyKrab.


Personal → printer

Mac/phone on Personal → print to Samsung at 192.168.1.167.

GenPop → Servers (printer outbound)

Should already work; test scan-to-folder or whatever uses Servers if applicable.


Policy to add later — AdGuard DNS (Q3.4)

When: AdGuard running on 192.168.6.17, before UDM DNS cutover.

  1. IoT → Internal → Create Policy
  2. Source zone IoT, source Any
  3. Destination zone Internal, destination IP 192.168.6.17
  4. Allow, ports TCP 53 + UDP 53 only
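The verification sections above (HA / IoT, AirPlay, Personal → printer, GenPop → Servers) and the AdGuard policy just described are all "does this flow now pass the zone firewall" questions, so they can be scripted as one table of probes. The following Python is an added example, not the page's `ha-pull.py` and not a UniFi tool. Hosts are the ones this runbook names (printer .167, HomePod 192.168.7.124, SLZB-06M 192.168.7.132, AdGuard 192.168.6.17, the Aqara hub .82 while it is still on GenPop); the service ports (IPP 631, JetDirect 9100, AirPlay 7000, SLZB web UI 80, DNS 53) are standard defaults assumed here, not taken from the page. Each row only means something when run from a host on the VLAN named in `run_from`.

```python
"""Post-change reachability probes for the flows this runbook opens or keeps closed.

Added example. Ports are ASSUMED service defaults; hosts are from the page.
"""
import socket
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class Check:
    run_from: str   # VLAN the test host must sit on for the row to be meaningful
    label: str
    host: str
    port: int
    proto: str      # "tcp" or "udp"
    expect: str     # "reachable" once the policy is live, "blocked" for isolation


CHECKS = [
    Check("Personal", "Personal → printer IPP", "192.168.1.167", 631, "tcp", "reachable"),
    Check("Personal", "Personal → printer JetDirect", "192.168.1.167", 9100, "tcp", "reachable"),
    Check("Personal", "Personal → HomePod AirPlay", "192.168.7.124", 7000, "tcp", "reachable"),
    # Policy 3 is narrowed to the printer IP, so another GenPop host must stay unreachable.
    Check("Personal", "Personal → other GenPop host", "192.168.1.82", 80, "tcp", "blocked"),
    Check("Servers", "HA host → SLZB-06M web UI", "192.168.7.132", 80, "tcp", "reachable"),
    Check("IoT", "IoT → AdGuard DNS (after Q3.4)", "192.168.6.17", 53, "udp", "reachable"),
]


def tcp_probe(host, port, timeout=2.0):
    """'open', 'refused' (packet reached the host, nothing listening) or
    'timeout' (dropped in transit, which is what a Block rule looks like)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except OSError:               # socket.timeout, no route, etc.
        return "timeout"


def dns_query(name, qid=0x1234):
    """Minimal RFC 1035 A-record query: 12-byte header plus one question."""
    pkt = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)   # RD set, QDCOUNT=1
    for label in name.rstrip(".").split("."):
        pkt += bytes([len(label)]) + label.encode("ascii")
    return pkt + b"\x00" + struct.pack("!HH", 1, 1)          # QTYPE A, QCLASS IN


def udp_dns_probe(host, port, timeout=2.0, name="example.com"):
    """'open' if the resolver answers with our query id and QR=1, else 'timeout'."""
    query = dns_query(name)
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(query, (host, port))
            data, _ = s.recvfrom(512)
    except OSError:
        return "timeout"
    ok = len(data) >= 12 and data[:2] == query[:2] and bool(data[2] & 0x80)
    return "open" if ok else "timeout"


def verdict(check, state):
    """A Block rule drops silently, so 'timeout' is the only blocked signature;
    'refused' means the firewall passed the packet and only the port guess was off."""
    reached = state in ("open", "refused")
    return reached if check.expect == "reachable" else not reached


def run_checks(checks, tcp=tcp_probe, udp=udp_dns_probe):
    """Return [(label, state, ok)]; pass fakes for tcp/udp to exercise offline."""
    out = []
    for c in checks:
        state = tcp(c.host, c.port) if c.proto == "tcp" else udp(c.host, c.port)
        out.append((c.label, state, verdict(c, state)))
    return out


def failures(results):
    return [label for label, _, ok in results if not ok]


if __name__ == "__main__":
    for label, state, ok in run_checks(CHECKS):
        print(f"{'PASS' if ok else 'FAIL'}  {label:34s} {state}")
```

Read the state column, not just PASS/FAIL: a `refused` on a "reachable" row means the policy is working and the assumed port is simply not what that device listens on, while a `timeout` on the same row is the firewall (or a wrong VLAN placement) and points back to the rule order and Action checks above.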

Post-change HA checklist

  1. Reload smlight / SLZB-06M
  2. Reload mqtt / zigbee2mqtt
  3. Re-pair TP-Link after WiFi move
  4. Re-add / reload Aqara after hub on IoT
  5. Re-auth UniFi Protect
  6. Remove stale synology_dsm entries (192.168.1.88, .105)
  7. Reload ipp / syncthru if Policy 4 added

Re-run audit: `uv run python .scratch/audit/ha-pull.py`


Rollback

Disable the four new Allow policies in the zone matrix. Isolation posture returns; HA, AirPlay, and Personal→printer break again.