Release v1.11.2: Protect camera VLAN detection, Cloudflare port forward checks, DNS and notes fixes #393

Merged: tvancott42 merged 4 commits into main from dev on Mar 1, 2026

tvancott42 (Collaborator) commented on Mar 1, 2026

Summary

PRs included

Test plan

  • All 4 PRs individually reviewed and merged to dev
  • Code review passed (no blocking issues)
  • Verify Protect camera fallback detection on test site
  • Verify Cloudflare port forward severity tiering
  • Verify DNS audit with non-default management VLAN
  • Verify notes auto-save on paste and blur

* Detect Protect cameras on wrong VLAN via Protect API

Protect cameras (G6 Pro Bullet, etc.) don't appear in stat/sta so
CameraVlanRule never saw them. Now checks port MACs against the Protect
camera collection before the ForwardMode gate, and a fallback pass in
ConfigAuditEngine catches cameras not matched to any port. Uses
ConnectionNetworkId from the Protect API for 100% confidence detection.

* Add TODO notes for 802.1X VLAN placement gap and Protect infrastructure devices
…375) (#388)

* Cloudflare IP restriction check for actively targeted port forwards (#375)

Downgrades severity when a targeted port forward has source IP restrictions:
- Cloudflare-only restriction: Info (0 points) - properly locked down
- Other IP restriction: Recommended (3 points) - some protection in place
- No restriction: Critical/Recommended (7/3 points) - fully exposed

Adds CloudflareIpRanges utility in Core/Helpers with hardcoded IPv4/IPv6 ranges.

* Add context-specific recommendation messages for threat exposure issues

Each restriction level gets its own recommendation:
- Cloudflare-only: no action needed
- Other restriction: suggests switching to Cloudflare IP Network List
- No restriction: explains how to create a Network List and apply it

* Link threat exposure issues to Threat Intelligence port drilldown

Issue descriptions now include "See Threat Intelligence for details" with
a deep link to /threats?tab=drilldown&port=X for the specific port.

The notes fields (Speed Test details, UPnP Inspector) only triggered
auto-save via @onkeyup, which doesn't fire on paste. Moved debounce
into @oninput (fires on any text change) and added @onfocusout to
save immediately on blur. Both paths funnel through a common debounced
save with skip-if-unchanged guard.
…#392)

* Fix device DNS check to accept any gateway IP or admin-configured DNS (#389)

The device DNS misconfigured check was comparing against a single
expected gateway IP (from the management network). This caused false
positives when devices pointed to a different VLAN's gateway or to
an admin-configured DNS server like Pi-hole.

Now accepts any gateway IP from any network (same physical gateway,
different interfaces) and any DHCP DNS servers configured by the admin.

* Fix device DNS check to accept management gateway, native gateway, or admin-configured DNS (#389)

The device DNS misconfigured check was comparing against a single
expected gateway IP (from the management network). This caused false
positives when devices pointed to a different valid target.

Valid DNS targets for infrastructure devices are now:
1. Management network gateway (LAN-local gateway)
2. Native/VLAN 1 gateway (main gateway IP)
3. Admin-configured DHCP DNS servers (Pi-hole, AdGuard Home, etc.)

* Use per-device subnet gateway instead of single global gateway

Valid DNS for each infrastructure device is now:
1. The device's own subnet gateway (matched by IP)
2. The native/VLAN 1 gateway
3. Admin-configured DHCP DNS servers (Pi-hole, AdGuard, etc.)
tvancott42 merged commit d67400f into main on Mar 1, 2026
1 check passed
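
The severity tiering described in the Cloudflare port forward commit above can be sketched as follows. This is an added example, not the project's own code: the function names are hypothetical, the range list is a constructed subset of Cloudflare's published ranges, and it assumes "Cloudflare-only" means every allowed source falls entirely inside a Cloudflare range and that a /0 entry counts as no restriction.

```python
import ipaddress

# Constructed subset of Cloudflare's published ranges, for illustration only;
# a real check needs the full current list from https://www.cloudflare.com/ips/.
CLOUDFLARE_RANGES = [ipaddress.ip_network(c) for c in (
    "173.245.48.0/20", "104.16.0.0/13", "172.64.0.0/13",
    "2400:cb00::/32", "2606:4700::/32",
)]

# Severity names and points as listed in the commit message.
POINTS = {"Info": 0, "Recommended": 3, "Critical": 7}


def is_cloudflare(cidr):
    """True if the whole CIDR (or single IP) sits inside one Cloudflare range."""
    net = ipaddress.ip_network(cidr, strict=False)
    # subnet_of() raises on mixed IPv4/IPv6, so compare versions first.
    return any(net.version == cf.version and net.subnet_of(cf)
               for cf in CLOUDFLARE_RANGES)


def classify_port_forward(allowed_sources, unrestricted_severity):
    """Return (severity, points) for an actively targeted port forward.

    allowed_sources: source CIDRs/IPs the rule permits (empty = any source).
    unrestricted_severity: "Critical" or "Recommended"; passed in by the
    caller because the page does not say how that choice is made.
    """
    nets = [ipaddress.ip_network(s, strict=False) for s in allowed_sources]
    # Assumption: a /0 entry allows every address, so treat it as unrestricted.
    if not nets or any(n.prefixlen == 0 for n in nets):
        return unrestricted_severity, POINTS[unrestricted_severity]
    if all(is_cloudflare(s) for s in allowed_sources):
        return "Info", POINTS["Info"]
    # Restricted, but at least one allowed source reaches outside Cloudflare
    # (including a CIDR that merely overlaps or contains a Cloudflare range).
    return "Recommended", POINTS["Recommended"]
```

A source such as 104.0.0.0/8 contains a Cloudflare range but also much else, so it lands in the "other restriction" tier rather than "Cloudflare-only".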