# Phase 1: Network Segmentation - START HERE

**Status:** Ready to implement  
**Last Updated:** 2026-01-19  
**Your Maintenance Window:** Plan for 2-3 hours (Phase 1A) + 1-1.5 hours (Phase 1B)

## Documentation Overview

Phase 1 is split into two parts: network foundation (1A) and endpoint hardening (1B).

Phase 1 implements a dual-router, dual-subnet design. Router #2 remains in router mode as the IoT edge, and the Mac mini is dual-homed as the enforcement point for HA/Scrypted access.

### Pre-Implementation Documents

1. **cr1000a-audit-results.md** - READ FIRST
   - Router capabilities assessment
   - Explains why Phase 1 is split into A+B

2. **phase1-decision-guide.md** - DECISIONS FINALIZED
   - Dual-router, dual-subnet architecture (Trusted + IoT)
   - Router #2 remains in router mode as the IoT edge
   - Mac mini dual-homed requirement
   - Phase 2 upgrade path documented

3. **phase1-preflight-checklist.md** - DO BEFORE STARTING
   - Screenshots to capture
   - Access verification
   - Backup procedures
   - Maintenance window planning

### Implementation Guides

4. **phase1a-implementation-guide.md** - START HERE (Phase 1A)
   - **Time:** 2-3 hours
   - **Focus:** Network foundation (routers, subnets, DHCP, wiring)
   - **Outcomes:**
     - Router #1 (Trusted) + Router #2 (IoT) with separate subnets
     - DHCP scopes and reservations in place
     - IoT devices migrated behind Router #2

5. **phase1b-implementation-guide.md** - DO AFTER 1A
   - **Time:** 1-1.5 hours
   - **Focus:** Endpoint hardening
   - **Outcomes:**
     - Home Assistant authentication hardening (MFA, least privilege)
     - OS firewalls enabled and reviewed
     - Router security review completed

## Time Breakdown (Phase 1)

| Phase | Focus | Time |
|------|------|------|
| Phase 1A | Dual-router foundation: wiring, subnets, DHCP scopes, reservations, device migration | 2-3 hours |
| Phase 1B | Endpoint hardening: HA auth, OS firewalls, router security review | 1-1.5 hours |
| **TOTAL** | **Phase 1** | **~3-4.5 hours** |

## What Phase 1 Will Achieve

### Achievable in Phase 1A + 1B

1. **Network-level separation via routers**
   - Two routers, two subnets: Trusted (Router #1) and IoT (Router #2)
   - Router #2 stays in router mode as the IoT edge
   - Mac mini is dual-homed so HA/Scrypted can reach IoT without routing changes

2. **Clear organization (SSIDs are not security boundaries)**
   - SSIDs are used for labeling and device placement only
   - Security separation comes from the router topology and endpoint controls

3. **Endpoint enforcement and hardening**
   - Endpoint firewalls on Mac mini (and Windows, if applicable)
   - Home Assistant MFA and least-privilege accounts
   - Router security review completed

4. **Stable addressing**
   - DHCP scopes per subnet
   - Reservations for critical devices and hubs

### Not in scope for Phase 1 (Phase 2 targets)

- Centralized inter-zone firewall policy with granular rules
- VLAN-based segmentation with mDNS reflection
- Network-wide DNS enforcement and advanced logging

## Critical Success Factors

After Phase 1 implementation, verify:

- Router #1 LAN -> Router #2 WAN wiring is correct
- Trusted subnet is 192.168.1.x and IoT subnet is 192.168.2.x
- Mac mini is dual-homed with both interfaces active
- HA and Scrypted are reachable on the Trusted subnet
- HA and Scrypted can reach IoT devices via the IoT interface
- Endpoint firewalls enabled (macOS, Windows if applicable)
- Critical devices have DHCP reservations
- Core integrations are online
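The checklist above is easiest to apply consistently from the Mac mini itself, since it is the one host that must see both subnets. The script below is an added example (not one of the project's notebooks) that turns the network-side items into repeatable checks: it parses `ifconfig` to confirm the dual-homed layout, reads the macOS firewall state from `socketfilterfw --getglobalstate`, probes HA and Scrypted over TCP, and flags critical devices that still lack a DHCP reservation. The HA port (8123), the Scrypted port (10443), the `ifconfig`/`socketfilterfw` output formats and the sample interface listing are assumptions or constructed samples, not values from this page.

```python
"""Post-Phase-1 verification helper for the dual-router layout above.

Added example, not from the project's notebooks. Assumed values (change to
match your install): HA on TCP 8123, Scrypted on TCP 10443, Trusted/IoT
subnets as listed in Critical Success Factors, macOS firewall state read
from `socketfilterfw --getglobalstate`.
"""
import ipaddress
import re
import socket
import subprocess
from typing import Callable, Iterable

TRUSTED_NET = ipaddress.ip_network("192.168.1.0/24")
IOT_NET = ipaddress.ip_network("192.168.2.0/24")
SERVICES = {"home-assistant": 8123, "scrypted": 10443}  # assumed default ports

IFACE_RE = re.compile(r"^(\w+):")
INET_RE = re.compile(r"^\s+inet (\d+\.\d+\.\d+\.\d+)")

# Constructed sample of BSD/macOS `ifconfig` output (not captured from a real host).
SAMPLE_IFCONFIG = """en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
\tinet 192.168.1.20 netmask 0xffffff00 broadcast 192.168.1.255
en5: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
\tinet 192.168.2.20 netmask 0xffffff00 broadcast 192.168.2.255
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
\tinet 127.0.0.1 netmask 0xff000000
"""


def parse_ifconfig(text: str) -> list[tuple[str, str]]:
    """Extract (interface, IPv4) pairs from BSD/macOS `ifconfig` output."""
    pairs, iface = [], None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            iface = m.group(1)  # new interface block starts
            continue
        m = INET_RE.match(line)
        if m and iface:
            pairs.append((iface, m.group(1)))
    return pairs


def classify_interfaces(pairs: Iterable[tuple[str, str]]) -> dict[str, list[str]]:
    """Bucket interfaces by the subnet their address falls in."""
    buckets: dict[str, list[str]] = {"trusted": [], "iot": [], "other": []}
    for iface, ip in pairs:
        addr = ipaddress.ip_address(ip)
        key = "trusted" if addr in TRUSTED_NET else "iot" if addr in IOT_NET else "other"
        buckets[key].append(iface)
    return buckets


def is_dual_homed(pairs: Iterable[tuple[str, str]]) -> bool:
    """The Mac mini must hold a live address on BOTH the Trusted and IoT subnets."""
    b = classify_interfaces(pairs)
    return bool(b["trusted"]) and bool(b["iot"])


def firewall_enabled(getglobalstate_output: str) -> bool:
    """Parse `socketfilterfw --getglobalstate`, e.g. 'Firewall is enabled. (State = 1)'.

    State 0 is off; 1 (on) and 2 (block all incoming) both count as enabled.
    """
    m = re.search(r"State = (\d)", getglobalstate_output)
    return bool(m) and m.group(1) != "0"


def tcp_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """Real probe: can a TCP handshake to host:port complete?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_services(host: str, probe: Callable[[str, int], bool] = tcp_open) -> dict[str, bool]:
    """Reachability of HA and Scrypted at the address the Trusted subnet uses."""
    return {name: probe(host, port) for name, port in SERVICES.items()}


def missing_reservations(critical: dict[str, str], reservations: dict[str, str]) -> list[str]:
    """Critical devices (name -> MAC) that have no DHCP reservation (MAC -> IP)."""
    have = {mac.lower() for mac in reservations}
    return sorted(name for name, mac in critical.items() if mac.lower() not in have)


if __name__ == "__main__":
    # Live run on the Mac mini (macOS only: needs ifconfig and socketfilterfw).
    pairs = parse_ifconfig(subprocess.run(["ifconfig"], capture_output=True, text=True).stdout)
    fw = subprocess.run(
        ["/usr/libexec/ApplicationFirewall/socketfilterfw", "--getglobalstate"],
        capture_output=True, text=True).stdout
    print("interfaces:", classify_interfaces(pairs))
    print("dual-homed:", is_dual_homed(pairs))
    print("firewall on:", firewall_enabled(fw))
    print("services:", check_services("127.0.0.1"))
```

Run it once from the Trusted side and once with the IoT-side address of the Mac mini passed to `check_services` to cover both reachability items; the reservation check takes the MAC list from the preflight screenshots and the reservation table exported from each router.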

## Emergency Rollback

**If something breaks:**

**Phase 1A rollback (network foundation):**

1. Revert the physical router wiring to the previous upstream configuration
2. Restore the Router #1 and Router #2 LAN/DHCP scopes from the snapshots and screenshots captured in preflight
3. Remove the new DHCP reservations if needed
4. Move devices back to their previous networks

**Phase 1B rollback (endpoint hardening):**

- Disable HA MFA (if it is causing issues) via the HA UI
- Disable the macOS application firewall:

```bash
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate off
```

- For Windows firewall rules, remove them via the Windows Security UI

### Nuclear Option
- Router backup file location: `01-Network/CR1000A_V3.6.0.2_BD_backup.cfg` (if captured)
- Factory reset CR1000A (last resort)

## Ready to Start?

Reply with one of these:

1. **"Start Phase 1A"** - Begin network foundation (dual-router)
2. **"I have questions about X"** - Ask before starting
3. **"Show me the decision summary"** - Review final decisions document

---

**Next Steps:** Open the Phase 1A notebook to begin implementation