# UDM Pro VLAN Plan - Utilization Guide

**Last Updated:** 2026-01-14

**Status:** ✅ Ready to Utilize VLAN Plan

---

## Complete VLAN Plan (18 VLANs)

Based on the Network Architecture documentation, here's the complete VLAN plan:

| VLAN ID | VLAN Name | Subnet | Gateway | Purpose | Status |
|--------:|-----------|--------|---------|---------|--------|
| **11** | MGMT-LAN | 192.168.11.0/24 | 192.168.11.1 | Proxmox mgmt, switches mgmt, admin endpoints | ✅ Configured |
| 110 | BESU-VAL | 10.110.0.0/24 | 10.110.0.1 | Validator-only network (no member access) | ⏳ To Configure |
| 111 | BESU-SEN | 10.111.0.0/24 | 10.111.0.1 | Sentry mesh | ⏳ To Configure |
| 112 | BESU-RPC | 10.112.0.0/24 | 10.112.0.1 | RPC / gateway tier | ⏳ To Configure |
| 120 | BLOCKSCOUT | 10.120.0.0/24 | 10.120.0.1 | Explorer + DB | ⏳ To Configure |
| 121 | CACTI | 10.121.0.0/24 | 10.121.0.1 | Interop middleware | ⏳ To Configure |
| 130 | CCIP-OPS | 10.130.0.0/24 | 10.130.0.1 | Ops/admin | ⏳ To Configure |
| 132 | CCIP-COMMIT | 10.132.0.0/24 | 10.132.0.1 | Commit-role DON | ⏳ To Configure |
| 133 | CCIP-EXEC | 10.133.0.0/24 | 10.133.0.1 | Execute-role DON | ⏳ To Configure |
| 134 | CCIP-RMN | 10.134.0.0/24 | 10.134.0.1 | Risk management network | ⏳ To Configure |
| 140 | FABRIC | 10.140.0.0/24 | 10.140.0.1 | Fabric | ⏳ To Configure |
| 141 | FIREFLY | 10.141.0.0/24 | 10.141.0.1 | FireFly | ⏳ To Configure |
| 150 | INDY | 10.150.0.0/24 | 10.150.0.1 | Identity | ⏳ To Configure |
| 160 | SANKOFA-SVC | 10.160.0.0/22 | 10.160.0.1 | Sankofa/Phoenix/PanTel service layer | ⏳ To Configure |
| 200 | PHX-SOV-SMOM | 10.200.0.0/20 | 10.200.0.1 | Sovereign tenant | ⏳ To Configure |
| 201 | PHX-SOV-ICCC | 10.201.0.0/20 | 10.201.0.1 | Sovereign tenant | ⏳ To Configure |
| 202 | PHX-SOV-DBIS | 10.202.0.0/20 | 10.202.0.1 | Sovereign tenant | ⏳ To Configure |
| 203 | PHX-SOV-AR | 10.203.0.0/20 | 10.203.0.1 | Absolute Realms tenant | ⏳ To Configure |
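Before any of the ⏳ networks are created, the plan itself can be checked offline for the mistakes that are painful to undo once VLANs carry traffic: duplicate VLAN IDs, subnets that overlap, and gateways that are not host addresses inside their own subnet. The script below is an added example and is not part of the original runbook; it embeds the table above in a constructed `ID NAME SUBNET GATEWAY` line format, and includes a deliberately broken sample plan so the findings are visible.

```bash
# Added example: offline sanity check of the VLAN plan table.
# Not part of the original runbook; the line format below is constructed for this script.
set -eu

# The 18 VLANs from the plan table: "VLAN_ID NAME SUBNET GATEWAY".
VLAN_PLAN='
11  MGMT-LAN     192.168.11.0/24 192.168.11.1
110 BESU-VAL     10.110.0.0/24   10.110.0.1
111 BESU-SEN     10.111.0.0/24   10.111.0.1
112 BESU-RPC     10.112.0.0/24   10.112.0.1
120 BLOCKSCOUT   10.120.0.0/24   10.120.0.1
121 CACTI        10.121.0.0/24   10.121.0.1
130 CCIP-OPS     10.130.0.0/24   10.130.0.1
132 CCIP-COMMIT  10.132.0.0/24   10.132.0.1
133 CCIP-EXEC    10.133.0.0/24   10.133.0.1
134 CCIP-RMN     10.134.0.0/24   10.134.0.1
140 FABRIC       10.140.0.0/24   10.140.0.1
141 FIREFLY      10.141.0.0/24   10.141.0.1
150 INDY         10.150.0.0/24   10.150.0.1
160 SANKOFA-SVC  10.160.0.0/22   10.160.0.1
200 PHX-SOV-SMOM 10.200.0.0/20   10.200.0.1
201 PHX-SOV-ICCC 10.201.0.0/20   10.201.0.1
202 PHX-SOV-DBIS 10.202.0.0/20   10.202.0.1
203 PHX-SOV-AR   10.203.0.0/20   10.203.0.1
'

# A constructed broken plan: duplicate ID, gateway outside its /22, overlapping subnet.
BROKEN_PLAN_SAMPLE='
110 BESU-VAL  10.110.0.0/24 10.110.0.1
110 DUPLICATE 10.111.0.0/24 10.111.0.1
160 SANKOFA   10.160.0.0/22 10.160.4.1
161 OVERLAP   10.160.2.0/24 10.160.2.1
'

# check_plan PLAN_TEXT: print each finding to stderr and the number of findings to stdout.
check_plan() {
  printf '%s\n' "$1" | awk '
    function ip2int(ip,    o) { split(ip, o, "."); return ((o[1]*256 + o[2])*256 + o[3])*256 + o[4] }
    function int2ip(n) { return int(n/16777216)%256 "." int(n/65536)%256 "." int(n/256)%256 "." n%256 }
    function finding(msg) { print "ISSUE: " msg > "/dev/stderr"; issues++ }
    NF < 4 || $1 ~ /^#/ { next }
    {
      n++
      id[n] = $1; cidr[n] = $3
      split($3, parts, "/"); size = 2^(32 - parts[2]); net = ip2int(parts[1])
      lo[n] = int(net / size) * size; hi[n] = lo[n] + size - 1   # first and last address of the block
      if (net != lo[n])
        finding("VLAN " $1 ": " $3 " is not on a /" parts[2] " boundary (network is " int2ip(lo[n]) ")")
      if (seen[$1]++)
        finding("VLAN " $1 ": duplicate VLAN ID (" $2 " and " name[$1] ")")
      else
        name[$1] = $2
      gw = ip2int($4)
      if (gw <= lo[n] || gw >= hi[n])
        finding("VLAN " $1 ": gateway " $4 " is not a host address inside " $3)
      for (j = 1; j < n; j++)
        if (lo[n] <= hi[j] && lo[j] <= hi[n])
          finding("VLAN " $1 " (" $3 ") overlaps VLAN " id[j] " (" cidr[j] ")")
    }
    END { print issues + 0 }'
}

echo "Findings in the VLAN plan: $(check_plan "$VLAN_PLAN")"
echo "Findings in the broken sample: $(check_plan "$BROKEN_PLAN_SAMPLE")"
```

The overlap test is the usual interval check (`lo_a <= hi_b && lo_b <= hi_a`) on the numeric address range of each subnet; it catches both the /22 and /20 blocks in the plan even though they sit next to /24 networks. Re-run it whenever a VLAN is added to the table, before the network is created on the UDM Pro.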
---

## Current Status

### ✅ Completed

1. **VLAN 11 (MGMT-LAN)** - ✅ Configured and operational
   - Subnet: 192.168.11.0/24
   - Gateway: 192.168.11.1
   - Proxmox hosts accessible
   - Firewall rules configured
2. **Network Isolation** - ✅ Verified (disabled)
   - Allows inter-VLAN routing
3. **Zone Matrix** - ✅ Configured
   - Internal → Internal: Allow All
4. **Proxmox Firewall** - ✅ Configured
   - Allows access from Default network (192.168.0.0/24)
   - Allows access from VLAN 11 (192.168.11.0/24)

### ⏳ To Configure

- 17 additional VLANs (110-203)
- Inter-VLAN routing rules
- Firewall rules for each VLAN
- DHCP configuration for each VLAN

---

## Prerequisites for VLAN Utilization

### 1. UDM Pro Configuration

**Required Settings:**

- ✅ Network Isolation: Disabled on all VLANs (for inter-VLAN routing)
- ✅ Zone Matrix: Internal → Internal = Allow All
- ✅ Inter-VLAN Routing: Enabled (default for VLANs)

**Verification:**

- Settings → Networks → Check each VLAN
- Policy Engine → Zone Matrix → Verify Internal → Internal = Allow All

### 2. Proxmox Configuration

**Required:**

- ✅ VLAN-aware bridge (`vmbr0`) configured
- ✅ Tagged VLANs enabled on bridge
- ✅ Proxmox hosts on VLAN 11 (native)

**Verification:**

```bash
# Show the vmbr0 stanza of the host's network configuration
ssh root@192.168.11.10 "grep -A 20 vmbr0 /etc/network/interfaces"
```

**Expected Configuration:**

```
auto vmbr0
iface vmbr0 inet static
    address 192.168.11.10/24
    gateway 192.168.11.1
    bridge-ports eth0
    bridge-stp off
    bridge-fd 0
    bridge-vlan-aware yes
    bridge-vids 2-4094
```
### 3. Firewall Rules

**Required:**

- ✅ Management VLAN (11) → Service VLANs (specific ports)
- ✅ Service VLANs → Management VLAN (monitoring)
- ✅ Sovereign tenant isolation (VLANs 200-203 blocked from each other)

---

## VLAN Utilization Checklist

### Phase 1: Verify Current Setup ✅

- [x] VLAN 11 configured and operational
- [x] Proxmox hosts accessible
- [x] Firewall rules allow Default network
- [x] Network Isolation disabled
- [x] Zone Matrix configured

### Phase 2: Configure Additional VLANs ⏳

For each VLAN (110-203):

- [ ] Create VLAN network in UDM Pro
- [ ] Configure subnet and gateway
- [ ] Assign to Internal zone
- [ ] Disable Network Isolation
- [ ] Configure DHCP (if needed)
- [ ] Test connectivity from VLAN 11

### Phase 3: Configure Proxmox for VLANs ⏳

- [ ] Verify VLAN-aware bridge on all Proxmox hosts
- [ ] Ensure tagged VLANs are supported
- [ ] Test VM/container assignment to VLANs
- [ ] Verify routing between VLANs

### Phase 4: Configure Firewall Rules ⏳

- [ ] Management → Service VLANs (SSH, monitoring)
- [ ] Service VLANs → Management (monitoring, logging)
- [ ] Sovereign tenant isolation (200-203)
- [ ] Inter-service communication rules

---

## Testing VLAN Utilization

### Test 1: Verify VLAN 11 Access

```bash
# From dev machine (192.168.11.4); -c 3 sends three probes and exits
ping -c 3 192.168.11.1    # Gateway
ping -c 3 192.168.11.10   # ml110
ping -c 3 192.168.11.11   # r630-01
ping -c 3 192.168.11.12   # r630-02
```

### Test 2: Verify Proxmox VLAN Support

```bash
# Check VLAN-aware bridge
ssh root@192.168.11.10 "ip link show vmbr0"
ssh root@192.168.11.10 "bridge vlan show"
# Each bridge port (e.g. eth0) should list the VLAN IDs from bridge-vids, e.g. 2-4094
```

### Test 3: Test Inter-VLAN Routing (After VLANs Created)

```bash
# From VLAN 11, test routing to other VLANs
ping -c 3 10.110.0.1   # BESU-VAL gateway
ping -c 3 10.111.0.1   # BESU-SEN gateway
# etc.
```

---

## Next Steps to Utilize VLAN Plan

### Immediate (Ready Now)

1. ✅ **Access Proxmox hosts** - Working
2. ✅ **Configure VMs/containers** - Can assign to VLANs
3. ✅ **Test VLAN assignment** - Proxmox supports VLAN tagging
### Short-term (This Week)

1. **Create remaining VLANs** (110-203) via UDM Pro web UI
2. **Configure DHCP** for each VLAN (if needed)
3. **Test routing** between VLANs
4. **Configure firewall rules** for inter-VLAN communication

### Long-term (This Month)

1. **Migrate VMs/containers** to appropriate VLANs
2. **Configure sovereign tenant isolation** (VLANs 200-203)
3. **Set up monitoring** across VLANs
4. **Document VLAN assignments** for all services

---

## Proxmox VLAN Assignment

### How to Assign VMs/Containers to VLANs

1. **Via Web UI:**
   - Edit VM/Container → Network
   - Select bridge: `vmbr0`
   - Set VLAN tag: Enter VLAN ID (e.g., 110, 111, etc.)
   - Save
2. **Via CLI:**

   ```bash
   # Set the VLAN tag on a VM's network interface
   # (<VMID> and <VLAN_ID> are placeholders for the VM's numeric ID and the target VLAN)
   qm set <VMID> --net0 virtio,bridge=vmbr0,tag=<VLAN_ID>
   ```

### Example: Assign Container to VLAN 110 (BESU-VAL)

```bash
# Via Proxmox web UI
# 1. Go to: Datacenter → ml110 → Containers → the target container
# 2. Click: Hardware → Network Device
# 3. Edit: Bridge = vmbr0, VLAN Tag = 110
# 4. Save

# Or via CLI (<CTID> is a placeholder for the container's numeric ID).
# Note: this replaces the whole net0 definition, so repeat any ip=/gw= settings
# the container already had.
pct set <CTID> -net0 name=eth0,bridge=vmbr0,tag=110
```

---

## Firewall Rules for VLAN Utilization

### Management VLAN (11) → Service VLANs

**Allow:**

- SSH (TCP 22)
- Database admin (PostgreSQL 5432, MySQL 3306)
- Admin consoles (Keycloak 8080, etc.)
- Monitoring (SNMP, Prometheus, etc.)

**Example Rule:**

```
Source: 192.168.11.0/24 (MGMT-LAN)
Destination: 10.110.0.0/24 (BESU-VAL)
Protocol: TCP
Port: 22 (SSH)
Action: Allow
```

### Service VLANs → Management VLAN

**Allow:**

- Monitoring agents
- Logging (Syslog, etc.)
- Health checks
### Sovereign Tenant Isolation

**Block:**

- VLAN 200 ↔ VLAN 201
- VLAN 200 ↔ VLAN 202
- VLAN 200 ↔ VLAN 203
- VLAN 201 ↔ VLAN 202
- VLAN 201 ↔ VLAN 203
- VLAN 202 ↔ VLAN 203

**Allow:**

- Each sovereign tenant → Management VLAN (monitoring only)
- Each sovereign tenant → External (internet)

---

## Verification Commands

### Check VLAN Configuration

```bash
# List all VLANs on UDM Pro (via API)
# Note: Requires API access from Default network or VLAN 11

# Check Proxmox VLAN support (per-port VLAN membership on the host's bridges)
ssh root@192.168.11.10 "bridge vlan show"
```

### Test Inter-VLAN Routing

```bash
# From VLAN 11, test routing to other VLANs
# (After VLANs are created)

# Test gateway connectivity
ping -c 3 10.110.0.1   # BESU-VAL
ping -c 3 10.111.0.1   # BESU-SEN
ping -c 3 10.112.0.1   # BESU-RPC
```

### Verify Firewall Rules

```bash
# Check ACL rules with the project's UniFi script
cd /home/intlc/projects/proxmox
# NODE_TLS_REJECT_UNAUTHORIZED=0 disables TLS certificate validation for the
# UDM Pro's self-signed certificate; trusting the controller's certificate is preferable
NODE_TLS_REJECT_UNAUTHORIZED=0 node scripts/unifi/list-acl-rules-node.js
```

---

## Current Capabilities

### ✅ What Works Now

1. **VLAN 11 (MGMT-LAN)** - Fully operational
2. **Proxmox Access** - All hosts accessible
3. **Inter-VLAN Routing** - Enabled (can route between VLANs)
4. **Firewall Configuration** - Rules can be added
5. **VLAN Assignment** - Proxmox supports VLAN tagging

### ⏳ What Needs Configuration

1. **Additional VLANs** - Need to be created (110-203)
2. **DHCP Configuration** - For each VLAN
3. **Firewall Rules** - Inter-VLAN communication rules
4. **VM/Container Migration** - Assign to appropriate VLANs

---

## Quick Start: Create Next VLAN

### Example: Create VLAN 110 (BESU-VAL)

1. **Access UDM Pro Web UI:**
   - URL: https://192.168.0.1
   - Login: unifi_api (password redacted from this copy)
2. **Navigate:**
   - Settings → Networks → Create New Network
3. **Configure:**
   - Name: BESU-VAL
   - VLAN ID: 110
   - Subnet: 10.110.0.0/24
   - Gateway: 10.110.0.1
   - Zone: Internal
   - Network Isolation: ❌ Disabled
   - DHCP: Configure as needed
4. **Verify:**
   - Test routing: `ping 10.110.0.1` from VLAN 11
   - Check Zone Matrix: Internal → Internal = Allow All
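With the Zone Matrix set to Internal → Internal = Allow All and Network Isolation disabled on every VLAN, the sovereign tenants in 200-203 are separated only by the explicit block rules listed under Sovereign Tenant Isolation, and only if those rules sit ahead of any allow rule that also matches the pair. The following added example (not part of the original runbook, and not the output format of the project's `list-acl-rules-node.js` script) derives the required pairwise blocks from the plan and audits a rule list with first-match semantics. The rule lines use a constructed `action source destination` format; the sample rule list is constructed to contain one missing block and one block shadowed by an earlier allow.

```bash
# Added example: audit a firewall rule list for sovereign tenant isolation.
# Not part of the original runbook; the rule line format is constructed here.
set -eu

# Sovereign tenant subnets from the VLAN plan (VLANs 200-203).
TENANT_SUBNETS="10.200.0.0/20 10.201.0.0/20 10.202.0.0/20 10.203.0.0/20"

# tenant_pairs: print every ordered pair of distinct tenant subnets as "src dst".
tenant_pairs() {
  for a in $TENANT_SUBNETS; do
    for b in $TENANT_SUBNETS; do
      if [ "$a" != "$b" ]; then printf '%s %s\n' "$a" "$b"; fi
    done
  done
}

# required_block_rules: the complete rule list implementing the Block section above.
required_block_rules() {
  tenant_pairs | sed 's/^/block /'
}

# Constructed sample rule list, evaluated top to bottom (first match wins).
# It lacks the 203 -> 202 block and has an allow that shadows the 202 -> 203 block.
SAMPLE_RULES='
# action source destination
allow 192.168.11.0/24 10.110.0.0/24
block 10.200.0.0/20 10.201.0.0/20
block 10.201.0.0/20 10.200.0.0/20
block 10.200.0.0/20 10.202.0.0/20
block 10.202.0.0/20 10.200.0.0/20
block 10.200.0.0/20 10.203.0.0/20
block 10.203.0.0/20 10.200.0.0/20
block 10.201.0.0/20 10.202.0.0/20
block 10.202.0.0/20 10.201.0.0/20
block 10.201.0.0/20 10.203.0.0/20
block 10.203.0.0/20 10.201.0.0/20
allow 10.202.0.0/20 10.203.0.0/20
block 10.202.0.0/20 10.203.0.0/20
'

# first_match RULES SRC DST: action of the first rule matching the pair exactly, or "none".
first_match() {
  printf '%s\n' "$1" | awk -v s="$2" -v d="$3" '
    $1 ~ /^#/ || NF < 3 { next }
    $2 == s && $3 == d { print $1; found = 1; exit }
    END { if (!found) print "none" }'
}

# audit_tenant_rules RULES: findings to stderr, number of findings to stdout.
audit_tenant_rules() {
  findings=0
  while read -r src dst; do
    case $(first_match "$1" "$src" "$dst") in
      block) ;;
      allow) echo "VIOLATION: first matching rule allows $src -> $dst" >&2
             findings=$((findings + 1)) ;;
      none)  echo "MISSING: no rule for $src -> $dst (zone default Allow All applies)" >&2
             findings=$((findings + 1)) ;;
    esac
  done <<EOF
$(tenant_pairs)
EOF
  echo "$findings"
}

echo "Required block rules: $(tenant_pairs | wc -l | tr -d ' ')"
echo "Findings in the sample rule list: $(audit_tenant_rules "$SAMPLE_RULES")"
echo "Findings in the generated rule list: $(audit_tenant_rules "$(required_block_rules)")"
```

The audit only matches exact source/destination CIDRs, so rules written with broader prefixes or per-port specifics need the matcher adapted to the project script's real output before this is used as a gate. It also does not check the narrower "tenant → Management VLAN (monitoring only)" allowances; those need the same first-match reasoning against the management subnet with a port restriction.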
---

## Summary

**Current Status:**

- ✅ VLAN 11 operational
- ✅ Proxmox accessible
- ✅ Firewall configured
- ✅ Routing enabled
- ✅ Ready to create additional VLANs

**Next Steps:**

1. Create remaining VLANs (110-203) via UDM Pro web UI
2. Configure firewall rules for inter-VLAN communication
3. Assign VMs/containers to appropriate VLANs
4. Test and verify VLAN utilization

**You can now utilize the VLAN plan!** The foundation is in place - VLAN 11 is working, Proxmox supports VLAN tagging, and routing is enabled.

---

**Last Updated:** 2026-01-14