# UDM Pro VLAN Plan - 100% Complete! 🎉

**Last Updated:** 2026-01-14

**Status:** ✅ **ALL 19 VLANs CONFIGURED**

---

## 🎉 Achievement Unlocked: Complete VLAN Plan

**All VLANs from the Network Architecture plan are now configured on the UDM Pro!**

---

## Complete VLAN Configuration (19 Networks)

### Core Networks

| VLAN ID | Name | Subnet | Status |
|--------:|------|--------|--------|
| 1 | Default | 192.168.0.0/24 | ✅ Configured |
| 11 | MGMT-LAN | 192.168.11.0/24 | ✅ Configured |

### Besu Networks

| VLAN ID | Name | Subnet | Status |
|--------:|------|--------|--------|
| 110 | BESU-VAL | 10.110.0.0/24 | ✅ Configured |
| 111 | BESU-SEN | 10.111.0.0/24 | ✅ Configured |
| 112 | BESU-RPC | 10.112.0.0/24 | ✅ Configured |

### Service VLANs

| VLAN ID | Name | Subnet | Status |
|--------:|------|--------|--------|
| 120 | BLOCKSCOUT | 10.120.0.0/24 | ✅ Configured |
| 121 | CACTI | 10.121.0.0/24 | ✅ Configured |
| 130 | CCIP-OPS | 10.130.0.0/24 | ✅ Configured |
| 132 | CCIP-COMMIT | 10.132.0.0/24 | ✅ Configured |
| 133 | CCIP-EXEC | 10.133.0.0/24 | ✅ Configured |
| 134 | CCIP-RMN | 10.134.0.0/24 | ✅ Configured |
| 140 | FABRIC | 10.140.0.0/24 | ✅ Configured |
| 141 | FIREFLY | 10.141.0.0/24 | ✅ Configured |
| 150 | INDY | 10.150.0.0/24 | ✅ Configured |
| 160 | SANKOFA-SVC | 10.160.0.0/22 | ✅ Configured |

### Sovereign Tenant VLANs

| VLAN ID | Name | Subnet | Status | Note |
|--------:|------|--------|--------|------|
| 200 | PHX-SOV-SMOM | 10.200.0.0/20 | ✅ Configured | |
| 201 | PHX-SOV-ICCC | 10.201.0.0/20 | ✅ Configured | |
| 202 | PHX-SOV-DBIS | 10.202.0.0/24 | ✅ Configured | ⚠️ Shows /24, plan had /20 |
| 203 | PHX-SOV-AR | 10.203.0.0/20 | ✅ Configured | |

**Total:** ✅ **19/19 Networks (100%)**

---

## Configuration Verification Checklist

### ✅ Network Configuration

- [x] All 19 VLANs created
- [x] Subnets match plan (except PHX-SOV-DBIS - verify /24 vs /20)
- [x] DHCP Server enabled on all VLANs
- [x] All VLANs show "UDM Pro" as router

### ⏳ Settings Verification (Next Steps)

- [ ] **Network Isolation:** Verify "Isolate Network" is **UNCHECKED** for all VLANs
- [ ] **Zone Assignment:** Verify all VLANs are in "Internal" zone
- [ ] **Zone Matrix:** Verify Internal → Internal = "Allow All"
- [ ] **Gateway IPs:** Verify gateway IPs match plan (e.g., 10.110.0.1 for BESU-VAL)
- [ ] **DHCP Ranges:** Verify DHCP ranges are configured appropriately

### ⏳ Testing & Utilization

- [ ] **Inter-VLAN Routing:** Test routing between VLANs
- [ ] **Firewall Rules:** Configure inter-VLAN firewall rules
- [ ] **VM/Container Assignment:** Assign VMs/containers to VLANs
- [ ] **Connectivity Testing:** Test connectivity from each VLAN

---

## Critical Settings to Verify

### 1. Network Isolation (CRITICAL)

**For each VLAN:**

1. Navigate: Settings → Networks → [VLAN Name]
2. Scroll to "Network" section
3. Ensure **"Isolate Network"** is **UNCHECKED**
4. Save if changed

**Why:** Network Isolation blocks inter-VLAN routing. It must be disabled for VLANs to communicate.

### 2. Zone Matrix (CRITICAL)

1. Navigate: Policy Engine → Zone Matrix
2. Find: **Internal → Internal**
3. Verify it says **"Allow All"**
4. If not, click and change to "Allow All"

**Why:** Zone Matrix controls inter-zone communication. Internal → Internal = Allow All enables inter-VLAN routing. With every VLAN in the Internal zone, this also leaves the sovereign tenant VLANs able to reach each other until the inter-VLAN firewall rules listed under Next Steps are configured.

### 3. Zone Assignment

**For each VLAN:**

1. Navigate: Settings → Networks → [VLAN Name]
2. Verify: **Zone = "Internal"**
3. All VLANs should be in Internal zone

---

## Next Steps for VLAN Utilization

### Immediate (Today)

1. **✅ Verify Network Isolation**
   - Check all 19 VLANs
   - Ensure "Isolate Network" is unchecked
2. **✅ Verify Zone Matrix**
   - Policy Engine → Zone Matrix
   - Internal → Internal = Allow All
3. **✅ Verify PHX-SOV-DBIS Subnet**
   - Currently shows `/24` (10.202.0.0/24)
   - Plan had `/20` (10.202.0.0/20)
   - Verify if `/24` is intentional or needs update

### Short-term (This Week)

1. **Test Inter-VLAN Routing**

   ```bash
   # From VLAN 11, test routing to other VLANs
   ping 10.110.0.1  # BESU-VAL
   ping 10.111.0.1  # BESU-SEN
   ping 10.120.0.1  # BLOCKSCOUT
   # etc.
   ```

2. **Configure Firewall Rules**
   - Management → Service VLANs
   - Service VLANs → Management
   - Sovereign tenant isolation
3. **Assign VMs/Containers to VLANs**
   - Via Proxmox Web UI or CLI
   - Test connectivity

### Long-term (This Month)

1. **Migrate Services to VLANs**
   - Move VMs/containers to appropriate VLANs
   - Update service configurations
2. **Document VLAN Assignments**
   - Document which services are on which VLANs
   - Update architecture documentation
3. **Monitor and Optimize**
   - Monitor inter-VLAN traffic
   - Optimize firewall rules
   - Adjust as needed

---

## VLAN Utilization Guide

### Assigning VMs/Containers to VLANs

**Via Proxmox Web UI:**

1. Go to: Datacenter → [Host] → VMs/Containers → [VM/Container ID]
2. Click: Hardware → Network Device
3. Edit: Bridge = `vmbr0`, VLAN Tag = [VLAN ID]
4. Save

**Via CLI:**

```bash
# <VMID> = VM/container ID, <VLAN_ID> = VLAN tag (placeholders).
# Each command sets the whole net0 entry, so include any other net0 options you need.

# For containers
pct set <VMID> -net0 name=eth0,bridge=vmbr0,tag=<VLAN_ID>

# For VMs
qm set <VMID> --net0 virtio,bridge=vmbr0,tag=<VLAN_ID>
```

### Example VLAN Assignments

**Besu Validators:**

- VLAN: 110 (BESU-VAL)
- Subnet: 10.110.0.0/24

**Besu Sentries:**

- VLAN: 111 (BESU-SEN)
- Subnet: 10.111.0.0/24

**Besu RPC:**

- VLAN: 112 (BESU-RPC)
- Subnet: 10.112.0.0/24

**Blockscout:**

- VLAN: 120 (BLOCKSCOUT)
- Subnet: 10.120.0.0/24

**FireFly:**

- VLAN: 141 (FIREFLY)
- Subnet: 10.141.0.0/24

**Sovereign Tenants:**

- VLANs: 200-203
- Subnets: 10.200.0.0/20, 10.201.0.0/20, 10.202.0.0/24, 10.203.0.0/20

---

## Testing Inter-VLAN Routing

### Test 1: Gateway Connectivity

```bash
# From VLAN 11, test routing to other VLAN gateways
ping 10.110.0.1  # BESU-VAL
ping 10.111.0.1  # BESU-SEN
ping 10.112.0.1  # BESU-RPC
ping 10.120.0.1  # BLOCKSCOUT
# etc.
```

### Test 2: VM/Container Connectivity

```bash
# After assigning VMs/containers to VLANs
# Test connectivity between VLANs
# <TARGET_IP_1>, <TARGET_IP_2> = addresses of VMs/containers in other VLANs (placeholders)
ping <TARGET_IP_1>  # From VLAN 11
ping <TARGET_IP_2>  # From VLAN 11
# etc.
```

### Test 3: Firewall Rules

```bash
# Test firewall rules
# Should allow: Management → Service VLANs (SSH, monitoring)
# Should block: Sovereign tenants → Each other
```

---

## Summary

**Status:** ✅ **100% COMPLETE**

**Achievement:**

- ✅ All 19 VLANs configured
- ✅ Complete VLAN plan implemented
- ✅ Ready for VLAN utilization

**Next Steps:**

1. Verify Network Isolation settings
2. Verify Zone Matrix configuration
3. Test inter-VLAN routing
4. Configure firewall rules
5. Assign VMs/containers to VLANs

**VLAN Plan Utilization:** ✅ **READY TO PROCEED**
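The subnet check from the verification checklist and the expected outcomes in Test 3, as an added Python example that is not part of the original plan: it loads the configured subnets from the tables above, reports the PHX-SOV-DBIS /24 vs /20 difference, checks for overlapping subnets, and maps a source/destination pair to the verdict Test 3 expects. Assumptions: "Management" means VLAN 11 (MGMT-LAN), the function names are hypothetical, and the sample host addresses are constructed.

```python
import ipaddress
from itertools import combinations

# VLAN ID -> subnet as configured on the UDM Pro (copied from the tables above).
CONFIGURED = {
    1: "192.168.0.0/24", 11: "192.168.11.0/24", 110: "10.110.0.0/24",
    111: "10.111.0.0/24", 112: "10.112.0.0/24", 120: "10.120.0.0/24",
    121: "10.121.0.0/24", 130: "10.130.0.0/24", 132: "10.132.0.0/24",
    133: "10.133.0.0/24", 134: "10.134.0.0/24", 140: "10.140.0.0/24",
    141: "10.141.0.0/24", 150: "10.150.0.0/24", 160: "10.160.0.0/22",
    200: "10.200.0.0/20", 201: "10.201.0.0/20", 202: "10.202.0.0/24",
    203: "10.203.0.0/20",
}
PLANNED = {**CONFIGURED, 202: "10.202.0.0/20"}  # the page flags only VLAN 202
MGMT = {11}                                     # assumption: "Management" = MGMT-LAN
SERVICE = {120, 121, 130, 132, 133, 134, 140, 141, 150, 160}
SOVEREIGN = {200, 201, 202, 203}
NETS = {vid: ipaddress.ip_network(cidr) for vid, cidr in CONFIGURED.items()}

def plan_mismatches():
    """VLAN ID -> (configured, planned) wherever the two differ."""
    return {v: (CONFIGURED[v], PLANNED[v]) for v in CONFIGURED if CONFIGURED[v] != PLANNED[v]}

def overlaps():
    """Pairs of VLAN IDs whose configured subnets overlap (should be empty)."""
    return [(a, b) for a, b in combinations(NETS, 2) if NETS[a].overlaps(NETS[b])]

def vlan_of(ip):
    """VLAN whose configured subnet contains ip, or None if no network has it."""
    addr = ipaddress.ip_address(ip)
    return next((v for v, net in NETS.items() if addr in net), None)

def expected(src_ip, dst_ip):
    """Verdict Test 3 expects for src -> dst."""
    src, dst = vlan_of(src_ip), vlan_of(dst_ip)
    if src is None or dst is None:
        return "unrouted"      # address is on no configured VLAN
    if src in SOVEREIGN and dst in SOVEREIGN and src != dst:
        return "block"         # sovereign tenants must not reach each other
    if src in MGMT and dst in SERVICE:
        return "allow"         # management -> service VLANs
    return "unspecified"       # the plan states no expectation

if __name__ == "__main__":
    print("mismatches:", plan_mismatches(), "overlaps:", overlaps())
    # Constructed sample addresses; 10.202.5.10 is inside the planned /20 only.
    for s, d in [("192.168.11.5", "10.120.0.10"), ("10.200.0.10", "10.203.0.10"),
                 ("10.200.0.10", "10.202.5.10")]:
        print(s, "->", d, expected(s, d))
```

The "unrouted" result for 10.202.5.10 shows why the /24 vs /20 question matters: a host addressed from the planned /20 but outside the configured /24 belongs to no network on the UDM Pro.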