proxmox/docs/04-configuration/UDM_PRO_VLAN_PLAN_UTILIZATION.md
defiQUG fbda1b4beb
docs: Ledger Live integration, contract deploy learnings, NEXT_STEPS updates
- ADD_CHAIN138_TO_LEDGER_LIVE: Ledger form done; public code review repo bis-innovations/LedgerLive; init/push commands
- CONTRACT_DEPLOYMENT_RUNBOOK: Chain 138 gas price 1 gwei, 36-addr check, TransactionMirror workaround
- CONTRACT_*: AddressMapper, MirrorManager deployed 2026-02-12; 36-address on-chain check
- NEXT_STEPS_FOR_YOU: Ledger done; steps completable now (no LAN); run-completable-tasks-from-anywhere
- MASTER_INDEX, OPERATOR_OPTIONAL, SMART_CONTRACTS_INVENTORY_SIMPLE: updates
- LEDGER_BLOCKCHAIN_INTEGRATION_COMPLETE: bis-innovations/LedgerLive reference

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-02-12 15:46:57 -08:00


UDM Pro VLAN Plan - Utilization Guide

Last Updated: 2026-01-14
Status: Ready to Utilize VLAN Plan


Complete VLAN Plan (18 VLANs)

Based on the Network Architecture documentation, here's the complete VLAN plan:

| VLAN ID | VLAN Name | Subnet | Gateway | Purpose | Status |
|---|---|---|---|---|---|
| 11 | MGMT-LAN | 192.168.11.0/24 | 192.168.11.1 | Proxmox mgmt, switches mgmt, admin endpoints | Configured |
| 110 | BESU-VAL | 10.110.0.0/24 | 10.110.0.1 | Validator-only network (no member access) | To Configure |
| 111 | BESU-SEN | 10.111.0.0/24 | 10.111.0.1 | Sentry mesh | To Configure |
| 112 | BESU-RPC | 10.112.0.0/24 | 10.112.0.1 | RPC / gateway tier | To Configure |
| 120 | BLOCKSCOUT | 10.120.0.0/24 | 10.120.0.1 | Explorer + DB | To Configure |
| 121 | CACTI | 10.121.0.0/24 | 10.121.0.1 | Interop middleware | To Configure |
| 130 | CCIP-OPS | 10.130.0.0/24 | 10.130.0.1 | Ops/admin | To Configure |
| 132 | CCIP-COMMIT | 10.132.0.0/24 | 10.132.0.1 | Commit-role DON | To Configure |
| 133 | CCIP-EXEC | 10.133.0.0/24 | 10.133.0.1 | Execute-role DON | To Configure |
| 134 | CCIP-RMN | 10.134.0.0/24 | 10.134.0.1 | Risk management network | To Configure |
| 140 | FABRIC | 10.140.0.0/24 | 10.140.0.1 | Fabric | To Configure |
| 141 | FIREFLY | 10.141.0.0/24 | 10.141.0.1 | FireFly | To Configure |
| 150 | INDY | 10.150.0.0/24 | 10.150.0.1 | Identity | To Configure |
| 160 | SANKOFA-SVC | 10.160.0.0/22 | 10.160.0.1 | Sankofa/Phoenix/PanTel service layer | To Configure |
| 200 | PHX-SOV-SMOM | 10.200.0.0/20 | 10.200.0.1 | Sovereign tenant | To Configure |
| 201 | PHX-SOV-ICCC | 10.201.0.0/20 | 10.201.0.1 | Sovereign tenant | To Configure |
| 202 | PHX-SOV-DBIS | 10.202.0.0/20 | 10.202.0.1 | Sovereign tenant | To Configure |
| 203 | PHX-SOV-AR | 10.203.0.0/20 | 10.203.0.1 | Absolute Realms tenant | To Configure |
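
Before the "To Configure" rows are typed into the UDM Pro UI, the plan itself is worth checking. The script below is an added example for this guide, not a file from the proxmox repository: it embeds a copy of the table above plus the Default network (192.168.0.0/24) that the Proxmox firewall already allows, and reports gateways outside their subnet, duplicate IDs or names, prefixes with host bits set, and any pair of overlapping subnets (the /20 tenant blocks are the ones most likely to swallow a later /24). `to_configure` lists the 17 IDs still to be created.

```python
import ipaddress

# Constructed copy of the 18-row VLAN table in this guide:
# (VLAN ID, name, subnet, gateway)
VLAN_PLAN = [
    (11,  "MGMT-LAN",     "192.168.11.0/24", "192.168.11.1"),
    (110, "BESU-VAL",     "10.110.0.0/24",   "10.110.0.1"),
    (111, "BESU-SEN",     "10.111.0.0/24",   "10.111.0.1"),
    (112, "BESU-RPC",     "10.112.0.0/24",   "10.112.0.1"),
    (120, "BLOCKSCOUT",   "10.120.0.0/24",   "10.120.0.1"),
    (121, "CACTI",        "10.121.0.0/24",   "10.121.0.1"),
    (130, "CCIP-OPS",     "10.130.0.0/24",   "10.130.0.1"),
    (132, "CCIP-COMMIT",  "10.132.0.0/24",   "10.132.0.1"),
    (133, "CCIP-EXEC",    "10.133.0.0/24",   "10.133.0.1"),
    (134, "CCIP-RMN",     "10.134.0.0/24",   "10.134.0.1"),
    (140, "FABRIC",       "10.140.0.0/24",   "10.140.0.1"),
    (141, "FIREFLY",      "10.141.0.0/24",   "10.141.0.1"),
    (150, "INDY",         "10.150.0.0/24",   "10.150.0.1"),
    (160, "SANKOFA-SVC",  "10.160.0.0/22",   "10.160.0.1"),
    (200, "PHX-SOV-SMOM", "10.200.0.0/20",   "10.200.0.1"),
    (201, "PHX-SOV-ICCC", "10.201.0.0/20",   "10.201.0.1"),
    (202, "PHX-SOV-DBIS", "10.202.0.0/20",   "10.202.0.1"),
    (203, "PHX-SOV-AR",   "10.203.0.0/20",   "10.203.0.1"),
]

# Networks outside the plan that the UDM Pro already routes (from the
# "Proxmox Firewall" item in this guide); new subnets must not collide with them.
EXISTING_NETWORKS = {"Default": "192.168.0.0/24"}


def check_plan(plan, existing=EXISTING_NETWORKS):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []
    seen_ids, seen_names = set(), set()
    nets = [(name, ipaddress.ip_network(cidr)) for name, cidr in existing.items()]
    for vid, name, subnet, gateway in plan:
        if not 1 <= vid <= 4094:
            problems.append(f"VLAN {vid}: ID outside the 802.1Q range 1-4094")
        if vid in seen_ids:
            problems.append(f"VLAN {vid}: duplicate VLAN ID")
        if name in seen_names:
            problems.append(f"VLAN {vid}: duplicate name {name!r}")
        seen_ids.add(vid)
        seen_names.add(name)
        try:
            # strict=True rejects a prefix with host bits set, e.g. 10.200.1.0/20
            net = ipaddress.ip_network(subnet, strict=True)
        except ValueError as exc:
            problems.append(f"VLAN {vid}: invalid subnet {subnet!r} ({exc})")
            continue
        if ipaddress.ip_address(gateway) not in net:
            problems.append(f"VLAN {vid}: gateway {gateway} is not inside {subnet}")
        nets.append((f"VLAN {vid}", net))
    # Pairwise overlap check: a /20 tenant block silently contains any /24
    # carved from inside it, so compare every pair, not only equal prefixes.
    for i, (label_a, net_a) in enumerate(nets):
        for label_b, net_b in nets[i + 1:]:
            if net_a.overlaps(net_b):
                problems.append(f"{label_a} ({net_a}) overlaps {label_b} ({net_b})")
    return problems


def to_configure(plan, configured=(11,)):
    """VLAN IDs still to be created on the UDM Pro, in ascending order."""
    return sorted(vid for vid, *_ in plan if vid not in configured)


if __name__ == "__main__":
    issues = check_plan(VLAN_PLAN)
    print("plan OK" if not issues else "\n".join(issues))
    print("still to configure:", to_configure(VLAN_PLAN))
```

Run it again whenever a row is added; the overlap report is the one that catches a new tenant subnet accidentally placed inside an existing /20.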

Current Status

Completed

  1. VLAN 11 (MGMT-LAN) - Configured and operational

    • Subnet: 192.168.11.0/24
    • Gateway: 192.168.11.1
    • Proxmox hosts accessible
    • Firewall rules configured
  2. Network Isolation - Verified (disabled)

    • Allows inter-VLAN routing
  3. Zone Matrix - Configured

    • Internal → Internal: Allow All
  4. Proxmox Firewall - Configured

    • Allows access from Default network (192.168.0.0/24)
    • Allows access from VLAN 11 (192.168.11.0/24)

To Configure

  • 17 additional VLANs (110-203)
  • Inter-VLAN routing rules
  • Firewall rules for each VLAN
  • DHCP configuration for each VLAN

Prerequisites for VLAN Utilization

1. UDM Pro Configuration

Required Settings:

  • Network Isolation: Disabled on all VLANs (for inter-VLAN routing)
  • Zone Matrix: Internal → Internal = Allow All
  • Inter-VLAN Routing: Enabled (default for VLANs)

Verification:

  • Settings → Networks → Check each VLAN
  • Policy Engine → Zone Matrix → Verify Internal → Internal = Allow All

2. Proxmox Configuration

Required:

  • VLAN-aware bridge (vmbr0) configured
  • Tagged VLANs enabled on bridge
  • Proxmox hosts on VLAN 11 (native)

Verification:

# Check bridge configuration (prints the vmbr0 stanza and the 20 lines after it)
ssh root@192.168.11.10 "grep -A 20 vmbr0 /etc/network/interfaces"

Expected Configuration:

auto vmbr0
iface vmbr0 inet static
    address 192.168.11.10/24
    gateway 192.168.11.1
    bridge-ports eth0
    bridge-stp off
    bridge-fd 0
    bridge-vlan-aware yes
    bridge-vids 2-4094

3. Firewall Rules

Required:

  • Management VLAN (11) → Service VLANs (specific ports)
  • Service VLANs → Management VLAN (monitoring)
  • Sovereign tenant isolation (VLANs 200-203 blocked from each other)

VLAN Utilization Checklist

Phase 1: Verify Current Setup

  • VLAN 11 configured and operational
  • Proxmox hosts accessible
  • Firewall rules allow Default network
  • Network Isolation disabled
  • Zone Matrix configured

Phase 2: Configure Additional VLANs

For each VLAN (110-203):

  • Create VLAN network in UDM Pro
  • Configure subnet and gateway
  • Assign to Internal zone
  • Disable Network Isolation
  • Configure DHCP (if needed)
  • Test connectivity from VLAN 11

Phase 3: Configure Proxmox for VLANs

  • Verify VLAN-aware bridge on all Proxmox hosts
  • Ensure tagged VLANs are supported
  • Test VM/container assignment to VLANs
  • Verify routing between VLANs

Phase 4: Configure Firewall Rules

  • Management → Service VLANs (SSH, monitoring)
  • Service VLANs → Management (monitoring, logging)
  • Sovereign tenant isolation (200-203)
  • Inter-service communication rules

Testing VLAN Utilization

Test 1: Verify VLAN 11 Access

# From dev machine (192.168.11.4)
ping 192.168.11.1   # Gateway
ping 192.168.11.10 # ml110
ping 192.168.11.11 # r630-01
ping 192.168.11.12 # r630-02

Test 2: Verify Proxmox VLAN Support

# Check VLAN-aware bridge
ssh root@192.168.11.10 "ip link show vmbr0"
ssh root@192.168.11.10 "bridge vlan show"

# Should show VLAN support enabled
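
The expected vmbr0 stanza (under Prerequisites above) and the `bridge vlan show` output from Test 2 are the two things that must agree before guests are tagged into the new VLANs. The following Python script is an added example, not part of this guide or the proxmox repository: it parses both the interfaces(5) stanza (for `bridge-vlan-aware` and `bridge-vids`) and the kernel's per-port VLAN filter for the bridge's uplink port. The two sample texts are constructed to match the expected configuration shown above; on a real host, feed it the output of the two ssh commands. VLAN 11 is left out of the required set because, per this guide, the hosts sit on it natively (untagged).

```python
import re

# VLANs that must be carried tagged on the uplink (the 17 "To Configure" rows);
# VLAN 11 is the host's native VLAN and is not tagged, per this guide.
REQUIRED_TAGGED_VIDS = [110, 111, 112, 120, 121, 130, 132, 133, 134,
                        140, 141, 150, 160, 200, 201, 202, 203]

# Constructed sample of /etc/network/interfaces, matching the expected stanza.
INTERFACES_SAMPLE = """\
auto lo
iface lo inet loopback

auto vmbr0
iface vmbr0 inet static
    address 192.168.11.10/24
    gateway 192.168.11.1
    bridge-ports eth0
    bridge-stp off
    bridge-fd 0
    bridge-vlan-aware yes
    bridge-vids 2-4094
"""

# Constructed sample of `bridge vlan show` on the same host.
BRIDGE_VLAN_SAMPLE = """\
port              vlan-id  
eth0              1 PVID Egress Untagged
                  2-4094
vmbr0             1 PVID Egress Untagged
"""

STANZA_KEYWORDS = ("iface", "auto", "allow-", "mapping", "source")


def parse_iface_stanza(text, iface):
    """Return {option: value} for the `iface <iface>` stanza of an interfaces(5) file."""
    opts, inside = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key, value = parts[0], (parts[1] if len(parts) > 1 else "")
        if key == "iface":
            inside = value.split()[0] == iface   # a new stanza starts here
            continue
        if key.startswith(STANZA_KEYWORDS):      # any other top-level keyword ends it
            inside = False
            continue
        if inside:
            opts[key] = value.strip()
    return opts


def expand_vids(spec):
    """Expand VID tokens such as '1 2-4094' into a set of ints; other tokens are ignored."""
    vids = set()
    for tok in spec.split():
        if re.fullmatch(r"\d+(-\d+)?", tok):
            lo, _, hi = tok.partition("-")
            vids.update(range(int(lo), int(hi or lo) + 1))
    return vids


def parse_bridge_vlan(text):
    """Return {port: set_of_vids} from `bridge vlan show` output."""
    ports, current = {}, None
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[:2] == ["port", "vlan-id"]:
            continue
        if not line[0].isspace():          # unindented line names a new port
            current = tokens[0]
            ports.setdefault(current, set())
        if current is not None:            # indented lines continue the previous port
            ports[current] |= expand_vids(line)
    return ports


def check_host(interfaces_text, bridge_vlan_text, required=REQUIRED_TAGGED_VIDS, bridge="vmbr0"):
    """Return problems found; an empty list means the bridge is ready for the plan."""
    problems = []
    opts = parse_iface_stanza(interfaces_text, bridge)
    if not opts:
        return [f"no 'iface {bridge}' stanza in /etc/network/interfaces"]
    if opts.get("bridge-vlan-aware") != "yes":
        problems.append(f"{bridge}: bridge-vlan-aware is {opts.get('bridge-vlan-aware')!r}, expected 'yes'")
    configured = expand_vids(opts.get("bridge-vids", ""))
    missing = sorted(v for v in required if v not in configured)
    if missing:
        problems.append(f"{bridge}: bridge-vids {opts.get('bridge-vids')!r} lacks {missing}")
    live = parse_bridge_vlan(bridge_vlan_text)
    for port in opts.get("bridge-ports", "").split():
        missing = sorted(v for v in required if v not in live.get(port, set()))
        if missing:
            problems.append(f"{port}: running VLAN filter lacks {missing}")
    return problems


if __name__ == "__main__":
    issues = check_host(INTERFACES_SAMPLE, BRIDGE_VLAN_SAMPLE)
    print("bridge OK" if not issues else "\n".join(issues))
```

A file that says `bridge-vids 2-4094` but a running filter that only lists VID 1 on eth0 means the stanza was edited without `ifreload -a` (or a reboot); the second check catches that case, which the config file alone cannot.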

Test 3: Test Inter-VLAN Routing (After VLANs Created)

# From VLAN 11, test routing to other VLANs
ping 10.110.0.1  # BESU-VAL gateway
ping 10.111.0.1  # BESU-SEN gateway
# etc.

Next Steps to Utilize VLAN Plan

Immediate (Ready Now)

  1. Access Proxmox hosts - Working
  2. Configure VMs/containers - Can assign to VLANs
  3. Test VLAN assignment - Proxmox supports VLAN tagging

Short-term (This Week)

  1. Create remaining VLANs (110-203) via UDM Pro web UI
  2. Configure DHCP for each VLAN (if needed)
  3. Test routing between VLANs
  4. Configure firewall rules for inter-VLAN communication

Long-term (This Month)

  1. Migrate VMs/containers to appropriate VLANs
  2. Configure sovereign tenant isolation (VLANs 200-203)
  3. Set up monitoring across VLANs
  4. Document VLAN assignments for all services

Proxmox VLAN Assignment

How to Assign VMs/Containers to VLANs

  1. Via Web UI:

    • Edit VM/Container → Network
    • Select bridge: vmbr0
    • Set VLAN tag: Enter VLAN ID (e.g., 110, 111, etc.)
    • Save
  2. Via CLI:

    # Set VLAN tag for VM/container network interface
    qm set <VMID> --net0 virtio,bridge=vmbr0,tag=<VLAN_ID>
    

Example: Assign Container to VLAN 110 (BESU-VAL)

# Via Proxmox web UI
# 1. Go to: Datacenter → ml110 → Containers → <Container ID>
# 2. Click: Hardware → Network Device
# 3. Edit: Bridge = vmbr0, VLAN Tag = 110
# 4. Save

# Or via CLI
pct set <CTID> -net0 name=eth0,bridge=vmbr0,tag=110
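
When a guest gets a static address, the `tag=` and the `ip=`/`gw=` on its net0 line must point at the same VLAN; if they disagree the guest boots without connectivity, and a guest with no tag at all lands untagged on the host's native VLAN 11. The checker below is an added example, not part of this guide or the proxmox repository: it parses a net0 value in the form shown by `pct config` or `qm config` and compares it against a small constructed subset of the VLAN plan above. For VMs configured with `qm`, whose addresses live in cloud-init rather than net0, only the bridge and tag are checked.

```python
import ipaddress

# Constructed subset of the VLAN plan in this guide: VLAN ID -> subnet
PLAN_SUBNETS = {
    11: "192.168.11.0/24",
    110: "10.110.0.0/24",
    111: "10.111.0.0/24",
    200: "10.200.0.0/20",
}


def parse_net(value):
    """Split a Proxmox netN value ('name=eth0,bridge=vmbr0,tag=110,...') into a dict.

    A bare model name such as 'virtio' (qm syntax) becomes a key with an empty value.
    """
    opts = {}
    for part in value.split(","):
        key, sep, val = part.partition("=")
        opts[key.strip()] = val.strip() if sep else ""
    return opts


def check_guest_net(value, plan=PLAN_SUBNETS, bridge="vmbr0"):
    """Return a list of problems for one netN value; an empty list means consistent."""
    opts = parse_net(value)
    problems = []
    if opts.get("bridge") != bridge:
        problems.append(f"bridge is {opts.get('bridge')!r}, expected {bridge!r}")
    if "tag" not in opts:
        problems.append("no VLAN tag: guest lands untagged on the host's native VLAN")
        return problems
    try:
        vid = int(opts["tag"])
    except ValueError:
        problems.append(f"non-numeric VLAN tag {opts['tag']!r}")
        return problems
    if vid not in plan:
        problems.append(f"VLAN tag {vid} is not in the VLAN plan")
        return problems
    net = ipaddress.ip_network(plan[vid])
    ip = opts.get("ip")
    if ip and ip != "dhcp":                    # pct-style static address
        if ipaddress.ip_interface(ip).ip not in net:
            problems.append(f"ip {ip} is outside VLAN {vid} subnet {net}")
        gw = opts.get("gw")
        if gw and ipaddress.ip_address(gw) not in net:
            problems.append(f"gw {gw} is outside VLAN {vid} subnet {net}")
    return problems


if __name__ == "__main__":
    # Constructed net0 lines: one correct, one whose address belongs to BESU-SEN
    for line in ("name=eth0,bridge=vmbr0,ip=10.110.0.5/24,gw=10.110.0.1,tag=110",
                 "name=eth0,bridge=vmbr0,ip=10.111.0.5/24,gw=10.111.0.1,tag=110"):
        print(line, "->", check_guest_net(line) or "OK")
```

To check a whole node, loop over `pct config <CTID>` / `qm config <VMID>` output, take the `net0:` value and pass it to `check_guest_net`.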

Firewall Rules for VLAN Utilization

Management VLAN (11) → Service VLANs

Allow:

  • SSH (TCP 22)
  • Database admin (PostgreSQL 5432, MySQL 3306)
  • Admin consoles (Keycloak 8080, etc.)
  • Monitoring (SNMP, Prometheus, etc.)

Example Rule:

Source: 192.168.11.0/24 (MGMT-LAN)
Destination: 10.110.0.0/24 (BESU-VAL)
Protocol: TCP
Port: 22 (SSH)
Action: Allow

Service VLANs → Management VLAN

Allow:

  • Monitoring agents
  • Logging (Syslog, etc.)
  • Health checks

Sovereign Tenant Isolation

Block:

  • VLAN 200 ↔ VLAN 201
  • VLAN 200 ↔ VLAN 202
  • VLAN 200 ↔ VLAN 203
  • VLAN 201 ↔ VLAN 202
  • VLAN 201 ↔ VLAN 203
  • VLAN 202 ↔ VLAN 203

Allow:

  • Each sovereign tenant → Management VLAN (monitoring only)
  • Each sovereign tenant → External (internet)
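
Because the Zone Matrix sets Internal → Internal = Allow All, the sovereign tenant isolation above exists only as explicit block rules, and "monitoring only" toward MGMT-LAN needs an allow for the monitoring ports followed by a block for everything else, in that order. The Python model below is an added example (not a UDM Pro export and not part of this guide's repository) that builds the 24 rules implied by the Block and Allow lists above and evaluates sample flows first-match, with the zone-matrix default as the fall-through. The monitoring ports (syslog on UDP 514 and TLS syslog on TCP 6514) are assumptions; substitute the real ones.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    """One policy line in the Source / Destination / Protocol / Port / Action form used above."""
    src: str              # source CIDR
    dst: str              # destination CIDR
    proto: str            # "tcp", "udp", "icmp" or "any"
    port: Optional[int]   # destination port, None = any port
    action: str           # "allow" or "block"
    name: str = ""

    def matches(self, src_ip, dst_ip, proto, port):
        return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst)
                and self.proto in ("any", proto)
                and self.port in (None, port))


# Constructed from the VLAN plan in this guide
TENANTS = {200: "10.200.0.0/20", 201: "10.201.0.0/20",
           202: "10.202.0.0/20", 203: "10.203.0.0/20"}
MGMT = "192.168.11.0/24"
# Assumed monitoring flows a tenant may initiate toward MGMT-LAN
# (plain and TLS syslog); placeholders for the real monitoring set.
MONITORING = (("udp", 514), ("tcp", 6514))


def tenant_isolation_rules(tenants=TENANTS, mgmt=MGMT, monitoring=MONITORING):
    """Build the ordered rule list for the 'Sovereign Tenant Isolation' section."""
    rules = []
    ids = sorted(tenants)
    # Block every tenant pair in both directions (the six ↔ pairs above).
    for i, a in enumerate(ids):
        for b in ids[i + 1:]:
            rules.append(Rule(tenants[a], tenants[b], "any", None, "block", f"block {a}->{b}"))
            rules.append(Rule(tenants[b], tenants[a], "any", None, "block", f"block {b}->{a}"))
    # Tenant -> MGMT: allow the monitoring ports, then block everything else.
    # Order matters: with Internal -> Internal = Allow All as the default, the
    # catch-all block must sit after its allow exceptions, not before them.
    for vid in ids:
        for proto, port in monitoring:
            rules.append(Rule(tenants[vid], mgmt, proto, port, "allow",
                              f"allow {vid}->mgmt {proto}/{port}"))
        rules.append(Rule(tenants[vid], mgmt, "any", None, "block", f"block {vid}->mgmt other"))
    return rules


def evaluate(rules, src_ip, dst_ip, proto, port=None, default="allow"):
    """First matching rule wins; the default models Internal -> Internal = Allow All."""
    for rule in rules:
        if rule.matches(src_ip, dst_ip, proto, port):
            return rule.action, rule.name
    return default, "zone-matrix default"


if __name__ == "__main__":
    rules = tenant_isolation_rules()
    # Constructed sample flows: tenant-to-tenant, tenant syslog to MGMT,
    # tenant SSH to MGMT, MGMT SSH to a tenant, tenant to the internet.
    for flow in (("10.200.1.5", "10.201.1.5", "tcp", 22),
                 ("10.200.1.5", "192.168.11.20", "udp", 514),
                 ("10.200.1.5", "192.168.11.10", "tcp", 22),
                 ("192.168.11.4", "10.200.1.5", "tcp", 22),
                 ("10.200.1.5", "1.1.1.1", "tcp", 443)):
        print(flow, "->", evaluate(rules, *flow))
```

Reversing the list (which is what dragging the catch-all block above its exceptions in the UI does) turns the tenant's syslog flow into a block; the same evaluation run over an exported rule set is a cheap regression check after each change in the Policy Engine.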

Verification Commands

Check VLAN Configuration

# List all VLANs on UDM Pro (via API)
# Note: Requires API access from Default network or VLAN 11

# Check Proxmox VLAN support ('bridge vlan show' needs 'dev'; drop it to list every port)
ssh root@192.168.11.10 "bridge vlan show dev vmbr0"

Test Inter-VLAN Routing

# From VLAN 11, test routing to other VLANs
# (After VLANs are created)

# Test gateway connectivity
ping 10.110.0.1  # BESU-VAL
ping 10.111.0.1  # BESU-SEN
ping 10.112.0.1  # BESU-RPC

Verify Firewall Rules

# Check ACL rules
# NODE_TLS_REJECT_UNAUTHORIZED=0 skips TLS certificate verification for the controller's certificate
cd /home/intlc/projects/proxmox
NODE_TLS_REJECT_UNAUTHORIZED=0 node scripts/unifi/list-acl-rules-node.js

Current Capabilities

What Works Now

  1. VLAN 11 (MGMT-LAN) - Fully operational
  2. Proxmox Access - All hosts accessible
  3. Inter-VLAN Routing - Enabled (can route between VLANs)
  4. Firewall Configuration - Rules can be added
  5. VLAN Assignment - Proxmox supports VLAN tagging

What Needs Configuration

  1. Additional VLANs - Need to be created (110-203)
  2. DHCP Configuration - For each VLAN
  3. Firewall Rules - Inter-VLAN communication rules
  4. VM/Container Migration - Assign to appropriate VLANs

Quick Start: Create Next VLAN

Example: Create VLAN 110 (BESU-VAL)

  1. Access UDM Pro Web UI:

  2. Navigate:

    • Settings → Networks → Create New Network
  3. Configure:

    • Name: BESU-VAL
    • VLAN ID: 110
    • Subnet: 10.110.0.0/24
    • Gateway: 10.110.0.1
    • Zone: Internal
    • Network Isolation: Disabled
    • DHCP: Configure as needed
  4. Verify:

    • Test routing: ping 10.110.0.1 from VLAN 11
    • Check Zone Matrix: Internal → Internal = Allow All

Summary

Current Status:

  • VLAN 11 operational
  • Proxmox accessible
  • Firewall configured
  • Routing enabled
  • Ready to create additional VLANs

Next Steps:

  1. Create remaining VLANs (110-203) via UDM Pro web UI
  2. Configure firewall rules for inter-VLAN communication
  3. Assign VMs/containers to appropriate VLANs
  4. Test and verify VLAN utilization

You can now utilize the VLAN plan! The foundation is in place - VLAN 11 is working, Proxmox supports VLAN tagging, and routing is enabled.
