proxmox/docs/04-configuration/UDM_PRO_VLAN_PLAN_UTILIZATION.md

# UDM Pro VLAN Plan - Utilization Guide

**Last Updated:** 2026-01-14  
**Status:** ✅ Ready to Utilize VLAN Plan

---

## Complete VLAN Plan (18 VLANs)

Based on the Network Architecture documentation, here's the complete VLAN plan:

| VLAN ID | VLAN Name | Subnet | Gateway | Purpose | Status |
|--------:|-----------|--------|---------|---------|--------|
| **11** | MGMT-LAN | 192.168.11.0/24 | 192.168.11.1 | Proxmox mgmt, switches mgmt, admin endpoints | ✅ Configured |
| 110 | BESU-VAL | 10.110.0.0/24 | 10.110.0.1 | Validator-only network (no member access) | ⏳ To Configure |
| 111 | BESU-SEN | 10.111.0.0/24 | 10.111.0.1 | Sentry mesh | ⏳ To Configure |
| 112 | BESU-RPC | 10.112.0.0/24 | 10.112.0.1 | RPC / gateway tier | ⏳ To Configure |
| 120 | BLOCKSCOUT | 10.120.0.0/24 | 10.120.0.1 | Explorer + DB | ⏳ To Configure |
| 121 | CACTI | 10.121.0.0/24 | 10.121.0.1 | Interop middleware | ⏳ To Configure |
| 130 | CCIP-OPS | 10.130.0.0/24 | 10.130.0.1 | Ops/admin | ⏳ To Configure |
| 132 | CCIP-COMMIT | 10.132.0.0/24 | 10.132.0.1 | Commit-role DON | ⏳ To Configure |
| 133 | CCIP-EXEC | 10.133.0.0/24 | 10.133.0.1 | Execute-role DON | ⏳ To Configure |
| 134 | CCIP-RMN | 10.134.0.0/24 | 10.134.0.1 | Risk management network | ⏳ To Configure |
| 140 | FABRIC | 10.140.0.0/24 | 10.140.0.1 | Fabric | ⏳ To Configure |
| 141 | FIREFLY | 10.141.0.0/24 | 10.141.0.1 | FireFly | ⏳ To Configure |
| 150 | INDY | 10.150.0.0/24 | 10.150.0.1 | Identity | ⏳ To Configure |
| 160 | SANKOFA-SVC | 10.160.0.0/22 | 10.160.0.1 | Sankofa/Phoenix/PanTel service layer | ⏳ To Configure |
| 200 | PHX-SOV-SMOM | 10.200.0.0/20 | 10.200.0.1 | Sovereign tenant | ⏳ To Configure |
| 201 | PHX-SOV-ICCC | 10.201.0.0/20 | 10.201.0.1 | Sovereign tenant | ⏳ To Configure |
| 202 | PHX-SOV-DBIS | 10.202.0.0/20 | 10.202.0.1 | Sovereign tenant | ⏳ To Configure |
| 203 | PHX-SOV-AR | 10.203.0.0/20 | 10.203.0.1 | Absolute Realms tenant | ⏳ To Configure |

---

## Current Status

### ✅ Completed

1. **VLAN 11 (MGMT-LAN)** - ✅ Configured and operational
   - Subnet: 192.168.11.0/24
   - Gateway: 192.168.11.1
   - Proxmox hosts accessible
   - Firewall rules configured

2. **Network Isolation** - ✅ Verified (disabled)
   - Allows inter-VLAN routing

3. **Zone Matrix** - ✅ Configured
   - Internal → Internal: Allow All

4. **Proxmox Firewall** - ✅ Configured
   - Allows access from Default network (192.168.0.0/24)
   - Allows access from VLAN 11 (192.168.11.0/24)

### ⏳ To Configure

- 17 additional VLANs (110-203)
- Inter-VLAN routing rules
- Firewall rules for each VLAN
- DHCP configuration for each VLAN

---

## Prerequisites for VLAN Utilization

### 1. UDM Pro Configuration

**Required Settings:**
- ✅ Network Isolation: Disabled on all VLANs (for inter-VLAN routing)
- ✅ Zone Matrix: Internal → Internal = Allow All
- ✅ Inter-VLAN Routing: Enabled (default for VLANs)

**Verification:**
- Settings → Networks → Check each VLAN
- Policy Engine → Zone Matrix → Verify Internal → Internal = Allow All

### 2. Proxmox Configuration

**Required:**
- ✅ VLAN-aware bridge (`vmbr0`) configured
- ✅ Tagged VLANs enabled on bridge
- ✅ Proxmox hosts on VLAN 11 (native)

**Verification:**
```bash
# Check bridge configuration
ssh root@192.168.11.10 "cat /etc/network/interfaces | grep -A 20 vmbr0"
```

**Expected Configuration:**
```
auto vmbr0
iface vmbr0 inet static
    address 192.168.11.10/24
    gateway 192.168.11.1
    bridge-ports eth0
    bridge-stp off
    bridge-fd 0
    bridge-vlan-aware yes
    bridge-vids 2-4094
```

### 3. Firewall Rules

**Required:**
- ✅ Management VLAN (11) → Service VLANs (specific ports)
- ✅ Service VLANs → Management VLAN (monitoring)
- ✅ Sovereign tenant isolation (VLANs 200-203 blocked from each other)

---

## VLAN Utilization Checklist

### Phase 1: Verify Current Setup ✅

- [x] VLAN 11 configured and operational
- [x] Proxmox hosts accessible
- [x] Firewall rules allow Default network
- [x] Network Isolation disabled
- [x] Zone Matrix configured

### Phase 2: Configure Additional VLANs ⏳

For each VLAN (110-203):

- [ ] Create VLAN network in UDM Pro
- [ ] Configure subnet and gateway
- [ ] Assign to Internal zone
- [ ] Disable Network Isolation
- [ ] Configure DHCP (if needed)
- [ ] Test connectivity from VLAN 11

### Phase 3: Configure Proxmox for VLANs ⏳

- [ ] Verify VLAN-aware bridge on all Proxmox hosts
- [ ] Ensure tagged VLANs are supported
- [ ] Test VM/container assignment to VLANs
- [ ] Verify routing between VLANs

### Phase 4: Configure Firewall Rules ⏳

- [ ] Management → Service VLANs (SSH, monitoring)
- [ ] Service VLANs → Management (monitoring, logging)
- [ ] Sovereign tenant isolation (200-203)
- [ ] Inter-service communication rules

---

## Testing VLAN Utilization

### Test 1: Verify VLAN 11 Access

```bash
# From dev machine (192.168.11.4)
ping 192.168.11.1   # Gateway
ping 192.168.11.10 # ml110
ping 192.168.11.11 # r630-01
ping 192.168.11.12 # r630-02
```

### Test 2: Verify Proxmox VLAN Support

```bash
# Check VLAN-aware bridge
ssh root@192.168.11.10 "ip link show vmbr0"
ssh root@192.168.11.10 "bridge vlan show"

# Should show VLAN support enabled
```

### Test 3: Test Inter-VLAN Routing (After VLANs Created)

```bash
# From VLAN 11, test routing to other VLANs
ping 10.110.0.1  # BESU-VAL gateway
ping 10.111.0.1  # BESU-SEN gateway
# etc.
```

---

## Next Steps to Utilize VLAN Plan

### Immediate (Ready Now)

1. ✅ **Access Proxmox hosts** - Working
2. ✅ **Configure VMs/containers** - Can assign to VLANs
3. ✅ **Test VLAN assignment** - Proxmox supports VLAN tagging

### Short-term (This Week)

1. **Create remaining VLANs** (110-203) via UDM Pro web UI
2. **Configure DHCP** for each VLAN (if needed)
3. **Test routing** between VLANs
4. **Configure firewall rules** for inter-VLAN communication

### Long-term (This Month)

1. **Migrate VMs/containers** to appropriate VLANs
2. **Configure sovereign tenant isolation** (VLANs 200-203)
3. **Set up monitoring** across VLANs
4. **Document VLAN assignments** for all services

---

## Proxmox VLAN Assignment

### How to Assign VMs/Containers to VLANs

1. **Via Web UI:**
   - Edit VM/Container → Network
   - Select bridge: `vmbr0`
   - Set VLAN tag: Enter VLAN ID (e.g., 110, 111, etc.)
   - Save

2. **Via CLI:**
   ```bash
   # Set VLAN tag for VM/container network interface
   qm set <VMID> --net0 virtio,bridge=vmbr0,tag=<VLAN_ID>
   ```

### Example: Assign Container to VLAN 110 (BESU-VAL)

```bash
# Via Proxmox web UI
# 1. Go to: Datacenter → ml110 → Containers → <Container ID>
# 2. Click: Hardware → Network Device
# 3. Edit: Bridge = vmbr0, VLAN Tag = 110
# 4. Save

# Or via CLI
pct set <CTID> -net0 name=eth0,bridge=vmbr0,tag=110
```

---

## Firewall Rules for VLAN Utilization

### Management VLAN (11) → Service VLANs

**Allow:**
- SSH (TCP 22)
- Database admin (PostgreSQL 5432, MySQL 3306)
- Admin consoles (Keycloak 8080, etc.)
- Monitoring (SNMP, Prometheus, etc.)

**Example Rule:**
```
Source: 192.168.11.0/24 (MGMT-LAN)
Destination: 10.110.0.0/24 (BESU-VAL)
Protocol: TCP
Port: 22 (SSH)
Action: Allow
```

### Service VLANs → Management VLAN

**Allow:**
- Monitoring agents
- Logging (Syslog, etc.)
- Health checks

### Sovereign Tenant Isolation

**Block:**
- VLAN 200 ↔ VLAN 201
- VLAN 200 ↔ VLAN 202
- VLAN 200 ↔ VLAN 203
- VLAN 201 ↔ VLAN 202
- VLAN 201 ↔ VLAN 203
- VLAN 202 ↔ VLAN 203

**Allow:**
- Each sovereign tenant → Management VLAN (monitoring only)
- Each sovereign tenant → External (internet)

---

## Verification Commands

### Check VLAN Configuration

```bash
# List all VLANs on UDM Pro (via API)
# Note: Requires API access from Default network or VLAN 11

# Check Proxmox VLAN support
ssh root@192.168.11.10 "bridge vlan show vmbr0"
```

### Test Inter-VLAN Routing

```bash
# From VLAN 11, test routing to other VLANs
# (After VLANs are created)

# Test gateway connectivity
ping 10.110.0.1  # BESU-VAL
ping 10.111.0.1  # BESU-SEN
ping 10.112.0.1  # BESU-RPC
```

### Verify Firewall Rules

```bash
# Check ACL rules
cd /home/intlc/projects/proxmox
NODE_TLS_REJECT_UNAUTHORIZED=0 node scripts/unifi/list-acl-rules-node.js
```

---

## Current Capabilities

### ✅ What Works Now

1. **VLAN 11 (MGMT-LAN)** - Fully operational
2. **Proxmox Access** - All hosts accessible
3. **Inter-VLAN Routing** - Enabled (can route between VLANs)
4. **Firewall Configuration** - Rules can be added
5. **VLAN Assignment** - Proxmox supports VLAN tagging

### ⏳ What Needs Configuration

1. **Additional VLANs** - Need to be created (110-203)
2. **DHCP Configuration** - For each VLAN
3. **Firewall Rules** - Inter-VLAN communication rules
4. **VM/Container Migration** - Assign to appropriate VLANs

---

## Quick Start: Create Next VLAN

### Example: Create VLAN 110 (BESU-VAL)

1. **Access UDM Pro Web UI:**
   - URL: https://192.168.0.1
   - Login: unifi_api / L@kers2010$$

2. **Navigate:**
   - Settings → Networks → Create New Network

3. **Configure:**
   - Name: BESU-VAL
   - VLAN ID: 110
   - Subnet: 10.110.0.0/24
   - Gateway: 10.110.0.1
   - Zone: Internal
   - Network Isolation: ❌ Disabled
   - DHCP: Configure as needed

4. **Verify:**
   - Test routing: `ping 10.110.0.1` from VLAN 11
   - Check Zone Matrix: Internal → Internal = Allow All

---

## Summary

**Current Status:**
- ✅ VLAN 11 operational
- ✅ Proxmox accessible
- ✅ Firewall configured
- ✅ Routing enabled
- ✅ Ready to create additional VLANs

**Next Steps:**
1. Create remaining VLANs (110-203) via UDM Pro web UI
2. Configure firewall rules for inter-VLAN communication
3. Assign VMs/containers to appropriate VLANs
4. Test and verify VLAN utilization

**You can now utilize the VLAN plan!** The foundation is in place - VLAN 11 is working, Proxmox supports VLAN tagging, and routing is enabled.

---

**Last Updated:** 2026-01-14