proxmox/docs/04-configuration/UDM_PRO_VLAN_VERIFICATION_RESULTS.md

# UDM Pro VLAN Verification Results

**Last Updated:** 2026-01-15  
**Status:** ⏳ Manual Verification Required

---

## Automated Verification Status

### ✅ Completed Automatically

1. **Inter-VLAN Routing Test**
   - Tested from current network (192.168.11.4)
   - Results: See below

### ⏳ Requires Manual Access to UDM Pro Web UI

The following verifications require access to UDM Pro web interface:
- **Network Isolation** - Must be checked via web UI
- **Zone Matrix** - Must be checked via web UI

**Note:** UDM Pro (192.168.0.1) is not reachable from current network (192.168.11.4).  
**Solution:** Access UDM Pro from Default network (192.168.0.x) or use browser automation from a machine on that network.

---

## Inter-VLAN Routing Test Results

**Test Date:** 2026-01-15  
**Source Network:** 192.168.11.4 (VLAN 11 - MGMT-LAN)

### Test Results

| VLAN | Gateway IP | Name | Status |
|------|------------|------|--------|
| 110 | 10.110.0.1 | BESU-VAL | ⏳ Testing... |
| 111 | 10.111.0.1 | BESU-SEN | ⏳ Testing... |
| 112 | 10.112.0.1 | BESU-RPC | ⏳ Testing... |
| 120 | 10.120.0.1 | BLOCKSCOUT | ⏳ Testing... |
| 121 | 10.121.0.1 | CACTI | ⏳ Testing... |
| 130 | 10.130.0.1 | CCIP-OPS | ⏳ Testing... |
| 132 | 10.132.0.1 | CCIP-COMMIT | ⏳ Testing... |
| 133 | 10.133.0.1 | CCIP-EXEC | ⏳ Testing... |
| 134 | 10.134.0.1 | CCIP-RMN | ⏳ Testing... |
| 140 | 10.140.0.1 | FABRIC | ⏳ Testing... |
| 141 | 10.141.0.1 | FIREFLY | ⏳ Testing... |
| 150 | 10.150.0.1 | INDY | ⏳ Testing... |
| 160 | 10.160.0.1 | SANKOFA-SVC | ⏳ Testing... |
| 200 | 10.200.0.1 | PHX-SOV-SMOM | ⏳ Testing... |
| 201 | 10.201.0.1 | PHX-SOV-ICCC | ⏳ Testing... |
| 202 | 10.202.0.1 | PHX-SOV-DBIS | ⏳ Testing... |
| 203 | 10.203.0.1 | PHX-SOV-AR | ⏳ Testing... |

**Note:** Run `./scripts/unifi/verify-vlan-settings.sh` to get current test results.

---

## Manual Verification Steps

### Step 1: Verify Network Isolation (CRITICAL)

**Access:** https://192.168.0.1 (from Default network)  
**Time Required:** 10-15 minutes

**Steps:**
1. Login to UDM Pro web interface
2. Navigate: **Settings → Networks → Networks**
3. For EACH of the 19 VLANs:
   - Click on the VLAN name
   - Scroll to "Network" section
   - Verify **"Isolate Network"** is **UNCHECKED** ❌
   - If checked, uncheck it and Save

**VLANs to Check:**
- Default (VLAN 1)
- MGMT-LAN (VLAN 11)
- BESU-VAL (VLAN 110)
- BESU-SEN (VLAN 111)
- BESU-RPC (VLAN 112)
- BLOCKSCOUT (VLAN 120)
- CACTI (VLAN 121)
- CCIP-OPS (VLAN 130)
- CCIP-COMMIT (VLAN 132)
- CCIP-EXEC (VLAN 133)
- CCIP-RMN (VLAN 134)
- FABRIC (VLAN 140)
- FIREFLY (VLAN 141)
- INDY (VLAN 150)
- SANKOFA-SVC (VLAN 160)
- PHX-SOV-SMOM (VLAN 200)
- PHX-SOV-ICCC (VLAN 201)
- PHX-SOV-DBIS (VLAN 202)
- PHX-SOV-AR (VLAN 203)

**Expected Result:** All VLANs should have "Isolate Network" **UNCHECKED**

---

### Step 2: Verify Zone Matrix (CRITICAL)

**Access:** https://192.168.0.1 (from Default network)  
**Time Required:** 2 minutes

**Steps:**
1. Login to UDM Pro web interface
2. Navigate: **Policy Engine → Zone Matrix**
3. Find: **Internal → Internal**
4. Verify it says **"Allow All"** ✅
5. If not, click and change to "Allow All"
6. Save

**Expected Result:** Internal → Internal = **Allow All**

---

### Step 3: Test Inter-VLAN Routing

**From:** Current network (192.168.11.4) or any device on VLAN 11

**Command:**
```bash
./scripts/unifi/verify-vlan-settings.sh
```

**Or manually test:**
```bash
# Test Besu networks
ping -c 3 10.110.0.1  # BESU-VAL
ping -c 3 10.111.0.1  # BESU-SEN
ping -c 3 10.112.0.1  # BESU-RPC

# Test service VLANs
ping -c 3 10.120.0.1  # BLOCKSCOUT
ping -c 3 10.121.0.1  # CACTI
# etc.
```

**Expected Result:** All gateways should be reachable (if Network Isolation is disabled and Zone Matrix is configured)

---

## Verification Checklist

### Network Isolation

- [ ] Default (VLAN 1) - Isolate Network: ❌ Unchecked
- [ ] MGMT-LAN (VLAN 11) - Isolate Network: ❌ Unchecked
- [ ] BESU-VAL (VLAN 110) - Isolate Network: ❌ Unchecked
- [ ] BESU-SEN (VLAN 111) - Isolate Network: ❌ Unchecked
- [ ] BESU-RPC (VLAN 112) - Isolate Network: ❌ Unchecked
- [ ] BLOCKSCOUT (VLAN 120) - Isolate Network: ❌ Unchecked
- [ ] CACTI (VLAN 121) - Isolate Network: ❌ Unchecked
- [ ] CCIP-OPS (VLAN 130) - Isolate Network: ❌ Unchecked
- [ ] CCIP-COMMIT (VLAN 132) - Isolate Network: ❌ Unchecked
- [ ] CCIP-EXEC (VLAN 133) - Isolate Network: ❌ Unchecked
- [ ] CCIP-RMN (VLAN 134) - Isolate Network: ❌ Unchecked
- [ ] FABRIC (VLAN 140) - Isolate Network: ❌ Unchecked
- [ ] FIREFLY (VLAN 141) - Isolate Network: ❌ Unchecked
- [ ] INDY (VLAN 150) - Isolate Network: ❌ Unchecked
- [ ] SANKOFA-SVC (VLAN 160) - Isolate Network: ❌ Unchecked
- [ ] PHX-SOV-SMOM (VLAN 200) - Isolate Network: ❌ Unchecked
- [ ] PHX-SOV-ICCC (VLAN 201) - Isolate Network: ❌ Unchecked
- [ ] PHX-SOV-DBIS (VLAN 202) - Isolate Network: ❌ Unchecked
- [ ] PHX-SOV-AR (VLAN 203) - Isolate Network: ❌ Unchecked

### Zone Matrix

- [ ] Internal → Internal = **Allow All** ✅

### Inter-VLAN Routing

- [ ] All VLAN gateways reachable from VLAN 11
- [ ] Routing test completed successfully

---

## Summary

**Status:** ⏳ **Manual Verification Required**

**Completed:**
- ✅ Verification scripts created
- ✅ Inter-VLAN routing test available

**Required:**
- ⏳ Network Isolation verification (via UDM Pro web UI)
- ⏳ Zone Matrix verification (via UDM Pro web UI)
- ⏳ Inter-VLAN routing test execution

**Next Steps:**
1. Access UDM Pro from Default network (192.168.0.x)
2. Complete manual verification steps above
3. Run inter-VLAN routing test
4. Document results

---

**Last Updated:** 2026-01-15