proxmox/docs/04-configuration/UDM_PRO_FIREWALL_MANUAL_CONFIGURATION.md
defiQUG fbda1b4beb
docs: Ledger Live integration, contract deploy learnings, NEXT_STEPS updates
- ADD_CHAIN138_TO_LEDGER_LIVE: Ledger form done; public code review repo bis-innovations/LedgerLive; init/push commands
- CONTRACT_DEPLOYMENT_RUNBOOK: Chain 138 gas price 1 gwei, 36-addr check, TransactionMirror workaround
- CONTRACT_*: AddressMapper, MirrorManager deployed 2026-02-12; 36-address on-chain check
- NEXT_STEPS_FOR_YOU: Ledger done; steps completable now (no LAN); run-completable-tasks-from-anywhere
- MASTER_INDEX, OPERATOR_OPTIONAL, SMART_CONTRACTS_INVENTORY_SIMPLE: updates
- LEDGER_BLOCKCHAIN_INTEGRATION_COMPLETE: bis-innovations/LedgerLive reference

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-02-12 15:46:57 -08:00


# UDM Pro Firewall Manual Configuration Guide
**Last Updated:** 2025-01-20
**Status:** Active Documentation
**Purpose:** Manual configuration guide for firewall rules that cannot be automated via API
---
## Overview
This guide provides step-by-step instructions for configuring firewall rules via the UniFi Network web interface. Some firewall rules (particularly those with overlapping source/destination networks) cannot be automated via the API and require manual configuration.
---
## Accessing Firewall Configuration
1. Open web browser and navigate to: `https://192.168.0.1`
2. Log in with your admin account
3. Navigate to **Settings** → **Firewall & Security** → **Firewall Rules** (or **Traffic Rules**)
---
## Sovereign Tenant Isolation (VLANs 200-203)
### Goal
Block east-west traffic between sovereign tenant VLANs (200-203) to ensure complete isolation between tenants.
### Configuration Steps
1. **Navigate to Firewall Rules:**
- Go to **Settings** → **Firewall & Security** → **Firewall Rules**
- Click **Create New Rule** or **Add Rule**
- In the classic Firewall Rules editor, set the rule type to **LAN In**: routed traffic between VLANs is matched in that ruleset, so a rule created under LAN Local or one of the WAN rulesets will not affect VLAN-to-VLAN traffic
2. **Create Block Rule for Each Pair:**
Since the API doesn't support overlapping network blocks, create individual rules for each direction:
**Rule 1: Block VLAN 200 → VLANs 201-203**
- **Name:** `Block VLAN 200 to Sovereign Tenants`
- **Action:** Block
- **Protocol:** All (keep this at All; restricting the block to specific protocols leaves every other protocol open between the tenants)
- **Source Type:** Network
- **Source Network:** PHX-SOV-SMOM (VLAN 200)
- **Destination Type:** Network
- **Destination Networks:**
- PHX-SOV-ICCC (VLAN 201)
- PHX-SOV-DBIS (VLAN 202)
- PHX-SOV-AR (VLAN 203)
- **Priority/Order:** Place the rule above any allow rule that could match the same source and destination; rules are evaluated top-to-bottom and the first match wins
**Rule 2: Block VLAN 201 → VLANs 200, 202-203**
- **Name:** `Block VLAN 201 to Sovereign Tenants`
- **Action:** Block
- **Source Network:** PHX-SOV-ICCC (VLAN 201)
- **Destination Networks:** PHX-SOV-SMOM, PHX-SOV-DBIS, PHX-SOV-AR
- (Repeat for VLANs 202 and 203)
**Alternative:** Create bidirectional rules (if the UI supports it):
- Block VLAN 200 ↔ VLAN 201
- Block VLAN 200 ↔ VLAN 202
- Block VLAN 200 ↔ VLAN 203
- Block VLAN 201 ↔ VLAN 202
- Block VLAN 201 ↔ VLAN 203
- Block VLAN 202 ↔ VLAN 203
3. **Set Rule Priority:**
- Block rules must sit above (be evaluated before) any allow rule that could match the same traffic: the first matching rule wins, so an allow rule placed above a block rule silently defeats the isolation
- Typical order, top to bottom:
1. Block rules (evaluated first)
2. Management access rules
3. Monitoring rules
4. Default allow/deny (evaluated last)
4. **Enable Rules:**
- Enable each rule after creation
- Rules are typically enabled by default when created
5. **Verify Configuration:**
- Review all rules in the firewall rules list
- Verify rule order/priority
- Test from a host in each tenant VLAN toward a host in every other tenant VLAN (ICMP plus at least one TCP port); every attempt should time out, and a "connection refused" means the traffic reached the destination host and the block rule did not match
---
## Additional Firewall Rules
### Management VLAN Access (if not automated)
If the management VLAN access rules were not created via API, configure manually:
**Rule: Allow Management VLAN → Service VLANs**
- **Name:** `Allow Management to Service VLANs`
- **Action:** Allow
- **Protocol:** TCP
- **Source Network:** MGMT-LAN (VLAN 11)
- **Destination Networks:** All service VLANs
- **Destination Ports:** 22 (SSH), 443 (HTTPS), 5432 (PostgreSQL), 8080 (Admin consoles); add further ports only for services actually exposed to management rather than opening broad ranges
- **Priority:** Medium (after block rules, before default)
### Monitoring Access (if not automated)
**Rule: Allow Service VLANs → Management VLAN (Monitoring)**
- **Name:** `Allow Monitoring to Management`
- **Action:** Allow
- **Protocol:** TCP, UDP
- **Source Networks:** All service VLANs
- **Destination Network:** MGMT-LAN (VLAN 11)
- **Destination Ports:** 161 (SNMP), 9090-9091 (Prometheus), etc.
- **Priority:** Medium
---
## Rule Priority Guidelines
Firewall rules are evaluated top-to-bottom and the first matching rule wins, so position in the list is what the firewall enforces. The numeric bands below are this documentation's ordering convention for each group (a lower band is evaluated earlier), not values the UI asks you to type in. Recommended order:
1. **Block Rules (100-199)**
- Sovereign tenant isolation
- Other security blocks
- Evaluated first
2. **Management Access (200-299)**
- Management VLAN → Service VLANs
- Critical administrative access
3. **Monitoring Access (300-399)**
- Service VLANs → Management VLAN
- Monitoring and logging
4. **Default Rules (1000+)**
- Default allow/deny rules
- Evaluated last
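The per-pair block rules built in the Sovereign Tenant Isolation steps, and the ordering rules in this section, can be checked offline before anything is clicked in the UI. The script below is an added example written for this guide, not code from the guide's automation or from Ubiquiti: its `Rule` model and `evaluate()` are an assumed simplification of top-to-bottom, first-match evaluation, and the VLAN numbers and rule names come from this page. `isolation_gaps()` walks every ordered pair of tenant VLANs through the rule list with a constructed set of probes and reports any pair that is not blocked, which catches a forgotten per-source rule, a block restricted to TCP only, and a default allow dragged above the block rules.

```python
"""Offline audit of an ordered, first-match firewall rule list.

Added example for this guide; not code from the guide's automation or from
Ubiquiti. The Rule model (name, action, source/destination VLAN sets,
protocol, destination ports) is an assumption that mirrors the fields in
the manual steps, not the UniFi API schema.
"""
from dataclasses import dataclass
from itertools import permutations
from typing import FrozenSet, List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                             # "block" or "allow"
    src: Optional[FrozenSet[int]]           # source VLAN IDs; None = any
    dst: Optional[FrozenSet[int]]           # destination VLAN IDs; None = any
    proto: Optional[str] = None             # "tcp", "udp", "icmp"; None = All
    ports: Optional[FrozenSet[int]] = None  # destination ports; None = all

    def matches(self, src_vlan: int, dst_vlan: int, proto: str, port: int) -> bool:
        return ((self.src is None or src_vlan in self.src)
                and (self.dst is None or dst_vlan in self.dst)
                and (self.proto is None or proto == self.proto)
                and (self.ports is None or port in self.ports))


def evaluate(rules: Sequence[Rule], src_vlan: int, dst_vlan: int,
             proto: str = "tcp", port: int = 443) -> Tuple[str, str]:
    """Top-to-bottom, first match wins; returns (action, rule name).

    Falls back to allow when nothing matches, since inter-VLAN traffic is
    permitted until a rule blocks it.
    """
    for rule in rules:
        if rule.matches(src_vlan, dst_vlan, proto, port):
            return rule.action, rule.name
    return "allow", "<no matching rule>"


# Topology from the guide: management VLAN 11, sovereign tenants 200-203.
MGMT = 11
TENANTS: Tuple[int, ...] = (200, 201, 202, 203)

# Constructed probe set for the coverage check: (protocol, destination port).
PROBES = (("tcp", 22), ("tcp", 443), ("udp", 53), ("icmp", 0))


def build_tenant_blocks(tenants: Sequence[int],
                        proto: Optional[str] = None) -> List[Rule]:
    """The 'Rule 1 ... Rule 4' scheme: one block rule per source tenant,
    destinations = every other tenant. proto=None is Protocol: All."""
    return [Rule(f"Block VLAN {v} to Sovereign Tenants", "block",
                 frozenset({v}), frozenset(set(tenants) - {v}), proto)
            for v in tenants]


MGMT_ALLOW = Rule("Allow Management to Service VLANs", "allow",
                  frozenset({MGMT}), frozenset(TENANTS),
                  "tcp", frozenset({22, 443, 5432, 8080}))
DEFAULT_ALLOW = Rule("Default allow", "allow", None, None)

# Blocks first, management access next, default last.
CORRECT_ORDER = build_tenant_blocks(TENANTS) + [MGMT_ALLOW, DEFAULT_ALLOW]
# Same rules with the default allow dragged to the top: every block is dead.
WRONG_ORDER = [DEFAULT_ALLOW] + build_tenant_blocks(TENANTS) + [MGMT_ALLOW]


def isolation_gaps(rules: Sequence[Rule], tenants: Sequence[int],
                   probes=PROBES) -> List[Tuple[int, int, str, int, str]]:
    """Every ordered pair of distinct tenants must be blocked for every probe.

    Returns (src, dst, proto, port, rule that let it through) per gap; an
    empty list means the list enforces full east-west isolation.
    """
    gaps = []
    for s, d in permutations(tenants, 2):
        for proto, port in probes:
            action, name = evaluate(rules, s, d, proto, port)
            if action != "block":
                gaps.append((s, d, proto, port, name))
    return gaps


if __name__ == "__main__":
    cases = (
        ("correct order", CORRECT_ORDER),
        ("default allow on top", WRONG_ORDER),
        ("VLAN 203 rule forgotten", build_tenant_blocks(TENANTS)[:3] + [DEFAULT_ALLOW]),
        ("blocks limited to TCP", build_tenant_blocks(TENANTS, "tcp") + [DEFAULT_ALLOW]),
    )
    for label, rules in cases:
        gaps = isolation_gaps(rules, TENANTS)
        print(f"{label}: {len(gaps)} gap(s)", gaps[:2])
    print("mgmt -> VLAN 202 ssh:", evaluate(CORRECT_ORDER, MGMT, 202, "tcp", 22))
```

Running the script shows zero gaps for the correct layout, 48 gaps (12 directed pairs times 4 probes) when the default allow is on top, 12 gaps all sourced from VLAN 203 when its rule is forgotten, and 24 non-TCP gaps when the blocks are limited to TCP; the management allow still matches VLAN 11 → VLAN 202 on port 22 in the correct layout because it does not overlap with the tenant block rules.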
---
## Verification
After configuring firewall rules:
1. **Review Rule List:**
- Verify all rules are created and enabled
- Check rule priorities/order
- Confirm source/destination networks are correct
2. **Test Connectivity:**
- From a host in each tenant VLAN, attempt ICMP and a TCP connection to a host in every other tenant VLAN; each attempt should time out (the block rule drops the traffic)
- A "connection refused" or a completed handshake means the packet crossed the firewall: the block rule is missing, disabled, or sits below an allow rule
- Confirm allowed paths still work: management VLAN → service VLANs on the listed ports, and service VLANs → management VLAN on the monitoring ports
3. **Monitor Logs:**
- Enable logging on the block rules, then check the firewall log for the blocked connections produced by the test
- Verify rules are being applied correctly
- Monitor for any unexpected blocks
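The connectivity test above hinges on telling a dropped packet apart from one that reached the far host. The probe below is an added example written for this guide (not code from the guide's automation or from UniFi); run it from a host inside one tenant VLAN against hosts in the other tenant VLANs. The `TARGETS` addresses are constructed placeholders rather than the site's real subnets, and `self_check()` only exercises the classifier against a loopback listener, so it runs without any VLAN present.

```python
"""TCP reachability probe for verifying VLAN isolation from the inside.

Added example for this guide, not code from the guide or from UniFi. The
TARGETS list is a constructed placeholder; replace it with one host in
each of the other tenant VLANs on a port that host actually serves.
"""
import socket
from typing import Dict, List, Tuple


def probe_tcp(host: str, port: int, timeout: float = 2.0) -> str:
    """Classify one TCP connection attempt.

    open         handshake completed: traffic reaches the host and a service answers
    refused      host replied with RST: the packet crossed the firewall
    timeout      no reply at all: what a drop-style block rule produces
    unreachable  ICMP unreachable or no route: a reject rule or a routing problem
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "timeout"
    except OSError:
        return "unreachable"
    finally:
        sock.close()


def check_isolation(targets: List[Tuple[str, int]], expect_blocked: bool = True,
                    timeout: float = 2.0) -> List[Tuple[str, int, str, bool]]:
    """Probe each (host, port) and flag whether the result matches policy.

    For a path that should be blocked only "timeout" counts as a pass:
    "refused" and "open" both prove the packet reached the destination, and
    "unreachable" needs a look at routing or at whether the rule rejects
    instead of drops.
    """
    rows = []
    for host, port in targets:
        result = probe_tcp(host, port, timeout)
        ok = (result == "timeout") if expect_blocked else (result == "open")
        rows.append((host, port, result, ok))
    return rows


def free_loopback_port() -> int:
    """Pick a currently unused loopback port (used by the self-check)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.bind(("127.0.0.1", 0))
    port = sock.getsockname()[1]
    sock.close()
    return port


def self_check() -> Dict[str, str]:
    """Offline sanity check of the classifier against a loopback listener.

    Binds a throwaway port, probes it while listening (the kernel completes
    the handshake even without accept()), then closes it and probes again.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    try:
        while_listening = probe_tcp("127.0.0.1", port, 1.0)
    finally:
        listener.close()
    after_close = probe_tcp("127.0.0.1", port, 1.0)
    return {"listening": while_listening, "closed": after_close}


# Constructed placeholder targets, one host per other tenant VLAN.
TARGETS = [("10.201.0.10", 443), ("10.202.0.10", 5432), ("10.203.0.10", 22)]

if __name__ == "__main__":
    print("self-check:", self_check())
    for host, port, result, ok in check_isolation(TARGETS, expect_blocked=True):
        print(f"{host}:{port:<5} {result:<12} {'PASS' if ok else 'FAIL'}")
```

Only a timeout is a clean block result. A "refused" means the destination host sent a reset, so the traffic crossed the firewall; "unreachable" can come from a rule configured to reject rather than drop, or from a routing problem, and needs a look either way. Run the same target list with `expect_blocked=False` from the management VLAN to confirm the allow rules still work.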
---
## Network IDs Reference
For reference, here are the network IDs for key VLANs:
- **VLAN 11 (MGMT-LAN):** `5797bd48-6955-4a7c-8cd0-72d8106d3ab2`
- **VLAN 200 (PHX-SOV-SMOM):** `581333cb-e5fb-4729-9b75-d2a35a4ca119`
- **VLAN 201 (PHX-SOV-ICCC):** `6b07cb44-c931-445e-849c-f22515ab3223`
- **VLAN 202 (PHX-SOV-DBIS):** `e8c6c524-b4c5-479e-93f8-780a89b0c4d2`
- **VLAN 203 (PHX-SOV-AR):** `750d95fb-4f2a-4370-b9d1-b29455600e1b`
---
## Troubleshooting
### Rules Not Working
- **Check Rule Order:** Ensure block rules sit above any allow rule that could match the same source and destination; rules are evaluated top-to-bottom and the first match wins
- **Check Rule Type:** In the classic Firewall Rules editor, VLAN-to-VLAN traffic is matched by LAN In rules; a rule created under LAN Local or a WAN ruleset never sees it
- **Check Rule Status:** Ensure rules are enabled
- **Review Logs:** Check firewall logs for blocked/allowed connections
### Connectivity Issues
- **Test Each Rule:** Disable rules one-by-one to identify problematic rules, keeping in mind that disabling a block rule opens the tenant-to-tenant path for as long as it is off; do this in a maintenance window and re-enable immediately
- **Check Default Rules:** Ensure default allow/deny rules aren't overriding your rules
- **Verify Networks:** Confirm source/destination networks are correct
- **Protocol Matching:** Ensure protocol filters match the traffic type
---
## Related Documentation
- [UDM_PRO_API_FIREWALL_ENDPOINTS.md](./UDM_PRO_API_FIREWALL_ENDPOINTS.md) - Firewall API endpoints
- [UDM_PRO_FIREWALL_API_LIMITATIONS.md](./UDM_PRO_FIREWALL_API_LIMITATIONS.md) - API limitations
- [UDM_PRO_STATUS.md](./UDM_PRO_STATUS.md) - Configuration status and remaining tasks