proxmox/scripts/archive/consolidated/verify/verify-vlan-settings.sh

#!/bin/bash
set -euo pipefail

# Verify VLAN Settings - Network Isolation and Zone Configuration
# This script provides instructions and checks for verifying VLAN settings

set -e

echo "🔍 VLAN Settings Verification Guide"
echo ""
echo "This script helps verify critical VLAN settings on UDM Pro."
echo "Some checks require manual verification via UDM Pro web UI."
echo ""

# Check if we can access UDM Pro
UDM_PRO_IP="192.168.0.1"
echo "📋 Testing UDM Pro connectivity..."
if ping -c 1 -W 2 $UDM_PRO_IP >/dev/null 2>&1; then
    echo "   ✅ UDM Pro ($UDM_PRO_IP) is reachable"
    UDM_ACCESSIBLE=true
else
    echo "   ⚠️  UDM Pro ($UDM_PRO_IP) is not reachable from current network"
    echo "   💡 Access UDM Pro via: https://$UDM_PRO_IP"
    UDM_ACCESSIBLE=false
fi

echo ""
echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
echo "📋 MANUAL VERIFICATION STEPS (Required)"
echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
echo ""

echo "1️⃣  VERIFY NETWORK ISOLATION (CRITICAL)"
echo "   ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
echo "   For EACH of the 19 VLANs:"
echo ""
echo "   Steps:"
echo "   1. Access UDM Pro: https://$UDM_PRO_IP"
echo "   2. Navigate: Settings → Networks → Networks"
echo "   3. Click on each VLAN (one at a time)"
echo "   4. Scroll to 'Network' section"
echo "   5. Verify 'Isolate Network' is UNCHECKED ❌"
echo "   6. If checked, UNCHECK it and Save"
echo ""
echo "   VLANs to check:"
echo "   • Default (VLAN 1)"
echo "   • MGMT-LAN (VLAN 11)"
echo "   • BESU-VAL (VLAN 110)"
echo "   • BESU-SEN (VLAN 111)"
echo "   • BESU-RPC (VLAN 112)"
echo "   • BLOCKSCOUT (VLAN 120)"
echo "   • CACTI (VLAN 121)"
echo "   • CCIP-OPS (VLAN 130)"
echo "   • CCIP-COMMIT (VLAN 132)"
echo "   • CCIP-EXEC (VLAN 133)"
echo "   • CCIP-RMN (VLAN 134)"
echo "   • FABRIC (VLAN 140)"
echo "   • FIREFLY (VLAN 141)"
echo "   • INDY (VLAN 150)"
echo "   • SANKOFA-SVC (VLAN 160)"
echo "   • PHX-SOV-SMOM (VLAN 200)"
echo "   • PHX-SOV-ICCC (VLAN 201)"
echo "   • PHX-SOV-DBIS (VLAN 202)"
echo "   • PHX-SOV-AR (VLAN 203)"
echo ""
echo "   ⚠️  CRITICAL: Network Isolation must be DISABLED for inter-VLAN routing!"
echo ""

echo "2️⃣  VERIFY ZONE MATRIX (CRITICAL)"
echo "   ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
echo "   Steps:"
echo "   1. Access UDM Pro: https://$UDM_PRO_IP"
echo "   2. Navigate: Policy Engine → Zone Matrix"
echo "   3. Find: Internal → Internal"
echo "   4. Verify it says 'Allow All' ✅"
echo "   5. If not, click and change to 'Allow All'"
echo ""
echo "   ⚠️  CRITICAL: Internal → Internal = Allow All enables inter-VLAN communication!"
echo ""

echo "3️⃣  VERIFY ZONE ASSIGNMENT"
echo "   ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
echo "   For EACH VLAN:"
echo "   1. Navigate: Settings → Networks → [VLAN Name]"
echo "   2. Verify: Zone = 'Internal'"
echo "   3. All VLANs should be in Internal zone"
echo ""

echo "4️⃣  VERIFY PHX-SOV-DBIS SUBNET"
echo "   ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
echo "   Steps:"
echo "   1. Navigate: Settings → Networks → PHX-SOV-DBIS"
echo "   2. Check: Subnet shows 10.202.0.0/24"
echo "   3. Plan had: 10.202.0.0/20"
echo "   4. Verify if /24 is intentional or needs update to /20"
echo ""

echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
echo "🧪 AUTOMATED TESTS (Can run from command line)"
echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
echo ""

# Test current network
CURRENT_IP=$(ip -4 addr show eth0 2>/dev/null | grep -oP 'inet \K[\d.]+' | head -1 || echo "unknown")
echo "📋 Current Network: $CURRENT_IP"
echo ""

# Test inter-VLAN routing
echo "🔍 Testing Inter-VLAN Routing..."
echo "   (From current network to VLAN gateways)"
echo ""

VLAN_GATEWAYS=(
    "10.110.0.1:BESU-VAL (VLAN 110)"
    "10.111.0.1:BESU-SEN (VLAN 111)"
    "10.112.0.1:BESU-RPC (VLAN 112)"
    "10.120.0.1:BLOCKSCOUT (VLAN 120)"
    "10.121.0.1:CACTI (VLAN 121)"
    "10.130.0.1:CCIP-OPS (VLAN 130)"
    "10.132.0.1:CCIP-COMMIT (VLAN 132)"
    "10.133.0.1:CCIP-EXEC (VLAN 133)"
    "10.134.0.1:CCIP-RMN (VLAN 134)"
    "10.140.0.1:FABRIC (VLAN 140)"
    "10.141.0.1:FIREFLY (VLAN 141)"
    "10.150.0.1:INDY (VLAN 150)"
    "10.160.0.1:SANKOFA-SVC (VLAN 160)"
    "10.200.0.1:PHX-SOV-SMOM (VLAN 200)"
    "10.201.0.1:PHX-SOV-ICCC (VLAN 201)"
    "10.202.0.1:PHX-SOV-DBIS (VLAN 202)"
    "10.203.0.1:PHX-SOV-AR (VLAN 203)"
)

REACHABLE=0
UNREACHABLE=0

for gateway_entry in "${VLAN_GATEWAYS[@]}"; do
    IFS=':' read -r gateway_ip vlan_name <<< "$gateway_entry"
    echo -n "   Testing $vlan_name ($gateway_ip)... "
    
    if ping -c 1 -W 2 $gateway_ip >/dev/null 2>&1; then
        echo "✅ REACHABLE"
        ((REACHABLE++))
    else
        echo "❌ UNREACHABLE"
        ((UNREACHABLE++))
    fi
done

echo ""
echo "📊 Routing Test Results:"
echo "   ✅ Reachable: $REACHABLE"
echo "   ❌ Unreachable: $UNREACHABLE"
echo ""

if [ $REACHABLE -gt 0 ]; then
    echo "   ✅ Inter-VLAN routing is WORKING for some VLANs!"
elif [ $UNREACHABLE -gt 0 ]; then
    echo "   ⚠️  Inter-VLAN routing may need configuration"
    echo "   💡 Ensure Network Isolation is disabled and Zone Matrix is configured"
fi

echo ""
echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
echo "✅ Verification Complete"
echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
echo ""
echo "📋 Summary:"
echo "   • Manual verification required for Network Isolation and Zone Matrix"
echo "   • Inter-VLAN routing test completed"
echo ""
echo "📁 Next Steps:"
echo "   1. Complete manual verification steps above"
echo "   2. Run firewall configuration script"
echo "   3. Assign VMs/containers to VLANs"
echo ""