ops: add guest iot network preflight

ops/maintenance/check-guest-iot-isolation.ps1

@@ -0,0 +1,127 @@
+param(
+  [string]$HostLanIp = "192.168.178.58",
+  [string]$FritzBoxIp = "192.168.178.1",
+  [ValidateSet("LanPreflight", "Guest")]
+  [string]$Mode = "LanPreflight",
+  [string]$ReportPath = ""
+)
+
+$ErrorActionPreference = "Stop"
+
+function Test-TcpPort {
+  param(
+    [string]$RemoteHost,
+    [int]$Port,
+    [int]$TimeoutMs = 1500
+  )
+
+  $client = [System.Net.Sockets.TcpClient]::new()
+  try {
+    $async = $client.BeginConnect($RemoteHost, $Port, $null, $null)
+    $ok = $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)
+    if (-not $ok) {
+      return $false
+    }
+    $client.EndConnect($async)
+    return $true
+  } catch {
+    return $false
+  } finally {
+    $client.Close()
+  }
+}
+
+function Add-Result {
+  param(
+    [System.Collections.Generic.List[object]]$Results,
+    [string]$Name,
+    [string]$Target,
+    [bool]$Reachable,
+    [string]$ExpectedGuest,
+    [string]$Risk
+  )
+
+  $Results.Add([pscustomobject]@{
+    Name = $Name
+    Target = $Target
+    Reachable = $Reachable
+    ExpectedFromGuest = $ExpectedGuest
+    RiskIfReachableFromGuest = $Risk
+  })
+}
+
+$adapters = Get-NetIPConfiguration |
+  Where-Object { $_.IPv4Address -and $_.NetAdapter.Status -eq "Up" } |
+  Select-Object InterfaceAlias,
+    @{Name="IPv4";Expression={$_.IPv4Address.IPAddress -join ", "}},
+    @{Name="Gateway";Expression={$_.IPv4DefaultGateway.NextHop -join ", "}},
+    @{Name="DnsServer";Expression={$_.DNSServer.ServerAddresses -join ", "}}
+
+$results = [System.Collections.Generic.List[object]]::new()
+
+Add-Result $results "Unraid HTTP/LAN" "${HostLanIp}:80" (Test-TcpPort $HostLanIp 80) "blocked" "Guest can reach LAN web entrypoint directly"
+Add-Result $results "Unraid HTTPS/LAN" "${HostLanIp}:443" (Test-TcpPort $HostLanIp 443) "blocked" "Guest can reach LAN HTTPS entrypoint directly"
+Add-Result $results "Gitea SSH/LAN" "${HostLanIp}:222" (Test-TcpPort $HostLanIp 222) "blocked" "Guest can reach Git SSH"
+Add-Result $results "AdGuard Admin/LAN" "${HostLanIp}:8082" (Test-TcpPort $HostLanIp 8082) "blocked" "Guest can reach AdGuard admin UI"
+Add-Result $results "InfluxDB LAN" "${HostLanIp}:8181" (Test-TcpPort $HostLanIp 8181) "blocked" "Guest can reach InfluxDB writer endpoint"
+Add-Result $results "FRITZ!Box LAN UI" "${FritzBoxIp}:80" (Test-TcpPort $FritzBoxIp 80) "blocked-or-guest-gateway-only" "Guest can reach main router UI"
+
+$risk = if ($Mode -eq "Guest") {
+  $results | Where-Object {
+    $_.ExpectedFromGuest -like "blocked*" -and $_.Reachable
+  }
+} else {
+  $results | Where-Object {
+    $_.Name -in @("AdGuard Admin/LAN", "InfluxDB LAN") -and $_.Reachable
+  }
+}
+
+$timestamp = Get-Date -Format "yyyy-MM-dd HH:mm:ss"
+$lines = [System.Collections.Generic.List[string]]::new()
+$lines.Add("# Guest/IoT Isolation Check")
+$lines.Add("")
+$lines.Add("Timestamp: $timestamp")
+$lines.Add("Mode: $Mode")
+$lines.Add("Host LAN IP: $HostLanIp")
+$lines.Add("FRITZ!Box IP: $FritzBoxIp")
+$lines.Add("Risk count: $($risk.Count)")
+$lines.Add("")
+$lines.Add("## Active Network Adapters")
+$lines.Add("")
+$lines.Add("| Interface | IPv4 | Gateway | DNS |")
+$lines.Add("|---|---|---|---|")
+foreach ($adapter in $adapters) {
+  $lines.Add("| $($adapter.InterfaceAlias) | $($adapter.IPv4) | $($adapter.Gateway) | $($adapter.DnsServer) |")
+}
+$lines.Add("")
+$lines.Add("## Port Tests")
+$lines.Add("")
+$lines.Add("| Name | Target | Reachable | Expected from guest Wi-Fi | Risk if reachable from guest |")
+$lines.Add("|---|---|---:|---|---|")
+foreach ($result in $results) {
+  $lines.Add("| $($result.Name) | $($result.Target) | $($result.Reachable) | $($result.ExpectedFromGuest) | $($result.RiskIfReachableFromGuest) |")
+}
+$lines.Add("")
+$lines.Add("## Interpretation")
+$lines.Add("")
+$lines.Add("- `LanPreflight`: reachable `80/443/222` can be normal; `8082` and `8181` should still be blocked.")
+$lines.Add("- `Guest`: all listed LAN targets should be blocked. Public domains may still work via the internet path.")
+$lines.Add("- A non-zero risk count means the selected mode failed.")
+
+$text = $lines -join [Environment]::NewLine
+
+if ($ReportPath) {
+  $parent = Split-Path -Parent $ReportPath
+  if ($parent) {
+    New-Item -ItemType Directory -Force -Path $parent | Out-Null
+  }
+  Set-Content -Path $ReportPath -Value $text -Encoding UTF8
+}
+
+Write-Output $text
+
+if ($risk.Count -gt 0) {
+  exit 2
+}
+
+exit 0

ops/maintenance/check-guest-iot-preflight.sh

@@ -0,0 +1,90 @@
+#!/bin/bash
+set -euo pipefail
+
+HOST_LAN_IP="${HOST_LAN_IP:-192.168.178.58}"
+TAILSCALE_IP="${TAILSCALE_IP:-100.80.98.33}"
+FRITZBOX_TR064_URL="${FRITZBOX_TR064_URL:-http://192.168.178.1:49000/tr64desc.xml}"
+REPORT_ROOT="${REPORT_ROOT:-/mnt/user/backups/restore-reports}"
+STAMP="$(date +%F-%H%M%S)"
+REPORT_FILE="$REPORT_ROOT/guest-iot-preflight-$STAMP.md"
+
+mkdir -p "$REPORT_ROOT"
+
+tcp_check() {
+  local host="$1"
+  local port="$2"
+  timeout 2 bash -c "cat < /dev/null > /dev/tcp/$host/$port" >/dev/null 2>&1
+}
+
+result_row() {
+  local name="$1"
+  local target="$2"
+  local expectation="$3"
+  local status="$4"
+  printf '| %s | `%s` | %s | %s |\n' "$name" "$target" "$status" "$expectation"
+}
+
+{
+  echo "# Guest/IoT Preflight"
+  echo
+  echo "Timestamp: $(date '+%F %T')"
+  echo "Scope: host-side read-only checks before enabling FRITZ!Box guest/IoT network"
+  echo
+  echo "## FRITZ!Box TR-064"
+  echo
+  if curl -fsS --max-time 5 "$FRITZBOX_TR064_URL" >/tmp/guest-iot-fritzbox-tr064.xml 2>/dev/null; then
+    model="$(grep -o '<friendlyName>[^<]*' /tmp/guest-iot-fritzbox-tr064.xml | head -n1 | sed 's/<friendlyName>//')"
+    echo "- TR-064 descriptor reachable: yes"
+    echo "- Model: ${model:-unknown}"
+  else
+    echo "- TR-064 descriptor reachable: no"
+  fi
+  rm -f /tmp/guest-iot-fritzbox-tr064.xml
+  echo
+  echo "## Host listeners"
+  echo
+  echo '```text'
+  ss -ltnp | sort -k4 | grep -E ':(53|80|443|222|8082|8181)[[:space:]]' || true
+  echo '```'
+  echo
+  echo "## Port reachability from host namespace"
+  echo
+  echo "| Check | Target | Status | Expectation |"
+  echo "|---|---|---|---|"
+
+  for port in 80 443 222 53; do
+    if tcp_check "$HOST_LAN_IP" "$port"; then
+      result_row "LAN service" "$HOST_LAN_IP:$port" "may be reachable from normal LAN; must be blocked from guest Wi-Fi" "reachable"
+    else
+      result_row "LAN service" "$HOST_LAN_IP:$port" "not reachable from host namespace or UDP-only" "blocked"
+    fi
+  done
+
+  if tcp_check "$HOST_LAN_IP" 8082; then
+    result_row "AdGuard Admin via LAN IP" "$HOST_LAN_IP:8082" "should be blocked" "reachable"
+  else
+    result_row "AdGuard Admin via LAN IP" "$HOST_LAN_IP:8082" "should be blocked" "blocked"
+  fi
+
+  if tcp_check "$TAILSCALE_IP" 8082; then
+    result_row "AdGuard Admin via Tailscale IP" "$TAILSCALE_IP:8082" "operator path should work" "reachable"
+  else
+    result_row "AdGuard Admin via Tailscale IP" "$TAILSCALE_IP:8082" "operator path should work" "blocked"
+  fi
+
+  if tcp_check "$HOST_LAN_IP" 8181; then
+    result_row "InfluxDB via LAN IP" "$HOST_LAN_IP:8181" "should be blocked unless HA LAN writer is reintroduced" "reachable"
+  else
+    result_row "InfluxDB via LAN IP" "$HOST_LAN_IP:8181" "should be blocked unless HA LAN writer is reintroduced" "blocked"
+  fi
+  echo
+  echo "## Next operator step"
+  echo
+  echo "Enable FRITZ!Box guest Wi-Fi only after confirming LAN isolation is active. Then connect a phone/laptop to guest Wi-Fi and run:"
+  echo
+  echo '```powershell'
+  echo 'G:\Gitea_Clone\homelab-infra\ops\maintenance\check-guest-iot-isolation.ps1'
+  echo '```'
+} | tee "$REPORT_FILE"
+
+echo "Guest/IoT preflight report: $REPORT_FILE"