proxmox/docs/04-configuration/UDM_PRO_NETWORKS_ROUTING_CONFIGURATION.md
defiQUG fbda1b4beb
docs: Ledger Live integration, contract deploy learnings, NEXT_STEPS updates
- ADD_CHAIN138_TO_LEDGER_LIVE: Ledger form done; public code review repo bis-innovations/LedgerLive; init/push commands
- CONTRACT_DEPLOYMENT_RUNBOOK: Chain 138 gas price 1 gwei, 36-addr check, TransactionMirror workaround
- CONTRACT_*: AddressMapper, MirrorManager deployed 2026-02-12; 36-address on-chain check
- NEXT_STEPS_FOR_YOU: Ledger done; steps completable now (no LAN); run-completable-tasks-from-anywhere
- MASTER_INDEX, OPERATOR_OPTIONAL, SMART_CONTRACTS_INVENTORY_SIMPLE: updates
- LEDGER_BLOCKCHAIN_INTEGRATION_COMPLETE: bis-innovations/LedgerLive reference

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-02-12 15:46:57 -08:00


# UDM Pro Networks Routing Configuration Guide
**Last Updated:** 2026-01-13
**Status:** Active Documentation
**Issue:** Enable routing between Default network (192.168.0.0/24) and MGMT-LAN (VLAN 11 - 192.168.11.0/24)
**Access URL:** `https://192.168.0.1`
---
## Step-by-Step Configuration Instructions
### Step 1: Access UDM Pro Web Interface
1. **Open web browser**
2. **Navigate to:** `https://192.168.0.1`
3. **Log in** with admin credentials
---
### Step 2: Navigate to Networks Settings
1. **Click on:** **Settings** (left sidebar)
2. **Click on:** **Networks** (under Settings)
   - You should see a list of all networks including:
     - Default (192.168.0.0/24)
     - MGMT-LAN (VLAN 11 - 192.168.11.0/24)
     - BESU-VAL, BESU-SEN, BESU-RPC, etc.
---
### Step 3: Configure Default Network
1. **Click on:** **Default** network (first row in the networks list)
   - Network: Default
   - VLAN: 1
   - Subnet: 192.168.0.0/24
   - Gateway: UDM Pro
2. **Verify/Configure Network Settings:**
   - **Network Name:** Default
   - **VLAN ID:** 1 (or blank/untagged)
   - **Subnet:** 192.168.0.0/24
   - **Gateway IP/Subnet:** Should be 192.168.0.1/24
3. **Check Routing Settings:**
   - Look for **"Enable Inter-VLAN Routing"** or **"Route Between VLANs"** option
   - If present, ensure it's **enabled** (checked)
   - If not present, inter-VLAN routing may be enabled by default
4. **Check Security Posture:**
   - **Default Security Posture:** Should be set appropriately
   - For routing to work, ensure it's not set to "Block All"
5. **Click:** **Save** or **Apply** (if changes were made)
---
### Step 4: Configure MGMT-LAN (VLAN 11)
1. **Click on:** **MGMT-LAN** network (second row in the networks list)
   - Network: MGMT-LAN
   - VLAN: 11
   - Subnet: 192.168.11.0/24
   - Gateway: UDM Pro
2. **Verify/Configure Network Settings:**
   - **Network Name:** MGMT-LAN
   - **VLAN ID:** 11
   - **Subnet:** 192.168.11.0/24
   - **Gateway IP/Subnet:** Should be 192.168.11.1/24
3. **Check Routing Settings:**
   - Look for **"Enable Inter-VLAN Routing"** or **"Route Between VLANs"** option
   - Ensure it's **enabled** (checked)
   - This allows VLAN 11 to communicate with other VLANs
4. **Check Security Posture:**
   - **Default Security Posture:** Should allow inter-VLAN communication
   - Ensure it's not set to "Block All"
5. **DHCP Settings (if applicable):**
   - Verify DHCP is configured correctly
   - DHCP Range: 192.168.11.100 - 192.168.11.200
6. **Click:** **Save** or **Apply** (if changes were made)
---
### Step 5: Verify Global Network Settings
1. **Scroll down** on the Networks page to see **Global Switch Settings**
2. **Check VLAN Scope:**
   - **VLAN Scope:** Should include both networks
     - Default (1) should be listed
     - MGMT-LAN (11) should be listed
     - All other VLANs should be listed
3. **Check Default Security Posture:**
   - **Default Security Posture:**
     - Should be set to **"Allow All"** or **"Auto"** for inter-VLAN routing
     - If set to **"Block All"**, change to **"Allow All"** or **"Auto"**
4. **Gateway mDNS Proxy:**
   - This setting doesn't affect routing but may be useful for service discovery
   - Can be left as default
5. **IGMP Snooping:**
   - Doesn't affect routing
   - Can be left as default
6. **Spanning Tree Protocol:**
   - Doesn't affect routing
   - Can be left as default
7. **Click:** **Save** or **Apply** (if changes were made)
---
### Step 6: Verify Zone-Based Firewall Configuration
Since Zone-Based Firewall is active, verify zone assignments:
1. **Navigate to:** **Settings** → **Firewall & Security** → **Zones** (or **Policy Engine**)
2. **Verify Zone Assignments:**
   - **Default network (192.168.0.0/24):** Should be in **Internal** zone
   - **MGMT-LAN (VLAN 11):** Should be in **Internal** zone
3. **Verify Zone Policy:**
   - **Internal → Internal:** Should be **"Allow All"**
   - This policy allows all networks in the Internal zone to communicate
4. **If networks are in different zones:**
   - Create a firewall policy to allow communication
   - Or move both networks to the same zone (Internal)
---
### Step 7: Test Routing
1. **From source device (192.168.0.23):**
   ```bash
   # Test ping
   ping -c 3 192.168.11.10
   # Test with traceroute (if available)
   traceroute 192.168.11.10
   ```
2. **Expected Result:**
   - Ping should succeed
   - Traceroute should show routing path through UDM Pro
3. **If ping still fails:**
   - Check firewall rules (ACL rules)
   - Verify Zone-Based Firewall policies
   - Check if static route is needed (see Step 8)
---
### Step 8: Configure Static Route (If Needed)
If inter-VLAN routing is enabled but traffic still doesn't work:
1. **Navigate to:** **Settings** → **Routing & Firewall** → **Static Routes**
2. **Add Static Route:**
   - **Name:** Route to VLAN 11
   - **Destination Network:** `192.168.11.0/24`
   - **Gateway:** `192.168.11.1` (or leave blank if using interface routing)
   - **Interface:** Select VLAN 11 interface (or leave as default)
   - **Distance:** 1 (or default)
   - **Enabled:** ✅ Checked
3. **Click:** **Add** or **Save**
4. **Verify Route:**
   - Route should appear in the static routes list
   - Status should show as active/enabled
---
## Troubleshooting
### Issue: Cannot see "Enable Inter-VLAN Routing" option
**Possible Causes:**
- Option may be named differently in your UDM Pro version
- Inter-VLAN routing may be enabled by default
- Option may be in a different location
**Solutions:**
1. Check network settings for any routing-related options
2. Verify both networks are configured as VLANs
3. Check Zone-Based Firewall policies instead
### Issue: Networks are in different zones
**Solution:**
1. Move both networks to the same zone (Internal)
2. Or create firewall policy between zones
3. Reference: [UDM_PRO_ZONE_BASED_FIREWALL_GUIDE.md](./UDM_PRO_ZONE_BASED_FIREWALL_GUIDE.md)
### Issue: "Block All" security posture is enabled
**Solution:**
1. Change Default Security Posture to "Allow All" or "Auto"
2. This is in Global Switch Settings on the Networks page
3. Save changes
### Issue: Routing works but firewall blocks traffic
**Solution:**
1. Check ACL rules (firewall rules)
2. Verify "Allow Default Network to Management VLAN" rule exists
3. Check rule priority (lower numbers = higher priority)
4. Ensure no BLOCK rules with higher priority
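
The priority check above, worked through as an added example (not part of the original guide and not UniFi tooling). It assumes ACL rules are evaluated first-match in ascending priority number; the `Rule` class, the function names and the sample rule set are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Rule:
    priority: int   # lower number = higher priority (evaluated first)
    name: str
    action: str     # "ALLOW" or "BLOCK"
    src: str        # source CIDR
    dst: str        # destination CIDR

# Constructed sample rule set (hypothetical, not exported from a UDM Pro).
RULES = [
    Rule(20, "Allow Default Network to Management VLAN", "ALLOW",
         "192.168.0.0/24", "192.168.11.0/24"),
    Rule(10, "Block 192.168.0.0/16 to Management VLAN", "BLOCK",
         "192.168.0.0/16", "192.168.11.0/24"),
    Rule(30, "Block Default to BESU-VAL", "BLOCK",
         "192.168.0.0/24", "10.110.0.0/24"),
]

def matches(rule, src_ip, dst_ip):
    """True when both addresses fall inside the rule's source and destination."""
    return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(rule.dst))

def evaluate(rules, src_ip, dst_ip, default="ALLOW"):
    """Return (action, rule name) of the first match in priority order."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if matches(rule, src_ip, dst_ip):
            return rule.action, rule.name
    return default, "default posture"  # assumed fallback when nothing matches

def shadowing_blocks(rules, allow_name):
    """Names of BLOCK rules that outrank the ALLOW rule and overlap its scope."""
    allow = next(r for r in rules if r.name == allow_name)
    a_src, a_dst = ipaddress.ip_network(allow.src), ipaddress.ip_network(allow.dst)
    return [r.name for r in sorted(rules, key=lambda r: r.priority)
            if r.action == "BLOCK" and r.priority < allow.priority
            and ipaddress.ip_network(r.src).overlaps(a_src)
            and ipaddress.ip_network(r.dst).overlaps(a_dst)]

if __name__ == "__main__":
    # The test flow from Step 7: 192.168.0.23 -> 192.168.11.10
    print(evaluate(RULES, "192.168.0.23", "192.168.11.10"))
    print(shadowing_blocks(RULES, "Allow Default Network to Management VLAN"))
```

In the sample set the allow rule exists but never fires, because the broader BLOCK rule at priority 10 matches the same flow first.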
---
## Verification Checklist
After configuration, verify:
- [ ] Default network (192.168.0.0/24) is configured correctly
- [ ] MGMT-LAN (VLAN 11 - 192.168.11.0/24) is configured correctly
- [ ] Inter-VLAN routing is enabled (or enabled by default)
- [ ] Both networks are in the same zone (Internal)
- [ ] Zone policy allows Internal → Internal communication
- [ ] Default Security Posture is not "Block All"
- [ ] Firewall rule exists: "Allow Default Network to Management VLAN"
- [ ] Static route added (if needed)
- [ ] Ping test succeeds: `ping 192.168.11.10` from `192.168.0.23`
---
## Current Network Status
Based on the Networks settings page:
| Network | VLAN | Subnet | Gateway | DHCP Status | Clients |
|---------|------|--------|---------|-------------|---------|
| Default | 1 | 192.168.0.0/24 | UDM Pro | Server | 2/249 |
| MGMT-LAN | 11 | 192.168.11.0/24 | UDM Pro | Server | 0/249 |
| BESU-VAL | 110 | 10.110.0.0/24 | UDM Pro | Server | 0/249 |
| BESU-SEN | 111 | 10.111.0.0/24 | UDM Pro | Server | 0/249 |
| BESU-RPC | 112 | 10.112.0.0/24 | UDM Pro | Server | 0/249 |
| BLOCKSCOUT | 120 | 10.120.0.0/24 | UDM Pro | Server | 0/249 |
| CACTI | 121 | 10.121.0.0/24 | UDM Pro | Server | 0/249 |
| CCIP-OPS | 130 | 10.130.0.0/24 | UDM Pro | Server | 0/249 |
| CCIP-COMMIT | 132 | 10.132.0.0/24 | UDM Pro | Server | 0/249 |
| CCIP-EXEC | 133 | 10.133.0.0/24 | UDM Pro | Server | 0/249 |
| CCIP-RMN | 134 | 10.134.0.0/24 | UDM Pro | Server | 0/249 |
| FABRIC | 140 | 10.140.0.0/24 | UDM Pro | Server | 0/249 |
| FIREFLY | 141 | 10.141.0.0/24 | UDM Pro | Server | 0/249 |
| INDY | 150 | 10.150.0.0/24 | UDM Pro | Server | 0/249 |
| SANKOFA-SVC | 160 | 10.160.0.0/22 | UDM Pro | Server | 0/1007 |
| PHX-SOV-SMOM | 200 | 10.200.0.0/20 | UDM Pro | Server | 0/4069 |
| PHX-SOV-ICCC | 201 | 10.201.0.0/20 | UDM Pro | Server | 0/4069 |
| PHX-SOV-DBIS | 202 | 10.202.0.0/24 | UDM Pro | Server | 0/249 |
| PHX-SOV-AR | 203 | 10.203.0.0/20 | UDM Pro | Server | 0/4069 |
**Note:** All networks show "Server" for DHCP, indicating DHCP servers are configured. Default network has 2 active clients.
---
## Related Documentation
- [UDM_PRO_ROUTING_TROUBLESHOOTING.md](./UDM_PRO_ROUTING_TROUBLESHOOTING.md) - Detailed troubleshooting guide
- [UDM_PRO_ZONE_BASED_FIREWALL_GUIDE.md](./UDM_PRO_ZONE_BASED_FIREWALL_GUIDE.md) - Zone-Based Firewall configuration
- [VLAN_11_SETTINGS_REFERENCE.md](./VLAN_11_SETTINGS_REFERENCE.md) - VLAN 11 complete settings
- [UDM_PRO_ROUTING_API_LIMITATIONS.md](./UDM_PRO_ROUTING_API_LIMITATIONS.md) - API limitations for routing