proxmox/docs/04-configuration/VLAN_11_SETTINGS_REFERENCE.md
defiQUG fbda1b4beb
docs: Ledger Live integration, contract deploy learnings, NEXT_STEPS updates
- ADD_CHAIN138_TO_LEDGER_LIVE: Ledger form done; public code review repo bis-innovations/LedgerLive; init/push commands
- CONTRACT_DEPLOYMENT_RUNBOOK: Chain 138 gas price 1 gwei, 36-addr check, TransactionMirror workaround
- CONTRACT_*: AddressMapper, MirrorManager deployed 2026-02-12; 36-address on-chain check
- NEXT_STEPS_FOR_YOU: Ledger done; steps completable now (no LAN); run-completable-tasks-from-anywhere
- MASTER_INDEX, OPERATOR_OPTIONAL, SMART_CONTRACTS_INVENTORY_SIMPLE: updates
- LEDGER_BLOCKCHAIN_INTEGRATION_COMPLETE: bis-innovations/LedgerLive reference

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-02-12 15:46:57 -08:00


# VLAN 11 (MGMT-LAN) Settings Reference
- **Last Updated:** 2026-01-13
- **Status:** Active Documentation
- **Network:** MGMT-LAN
- **VLAN ID:** 11
- **Purpose:** Proxmox management, switch management, admin endpoints
---
## Network Configuration
### Basic Settings
| Setting | Value |
|---------|-------|
| **Network Name** | MGMT-LAN |
| **VLAN ID** | 11 |
| **Subnet** | 192.168.11.0/24 |
| **Gateway IP** | 192.168.11.1 |
| **Subnet Mask** | 255.255.255.0 |
| **DHCP Mode** | DHCP Server |
| **DHCP Range** | 192.168.11.100 - 192.168.11.200 |
### DNS Configuration
| Setting | Value |
|---------|-------|
| **Primary DNS** | 8.8.8.8 |
| **Secondary DNS** | 1.1.1.1 |
| **DNS Server** | 192.168.11.1 (UDM Pro) |
### Gateway Configuration
- **Gateway IP:** 192.168.11.1
- **Gateway Device:** UDM Pro
- **Interface:** VLAN 11 interface on UDM Pro
---
## Static IP Reservations (DHCP Reservations)
The following static IP reservations are required for VLAN 11:
| IP Address | Device/Hostname | MAC Address | Purpose |
|------------|-----------------|-------------|---------|
| 192.168.11.1 | UDM Pro (Gateway) | [UDM Pro MAC] | Gateway address |
| 192.168.11.10 | ML110 (Proxmox) | [ML110 MAC] | Proxmox host |
| 192.168.11.11 | R630-01 | [R630-01 MAC] | R630 node 1 |
| 192.168.11.12 | R630-02 | [R630-02 MAC] | R630 node 2 |
| 192.168.11.13 | R630-03 | [R630-03 MAC] | R630 node 3 |
| 192.168.11.14 | R630-04 | [R630-04 MAC] | R630 node 4 |
**Note:** MAC addresses need to be obtained from the devices or UniFi Controller.
---
## Firewall Configuration
### Zone-Based Firewall
**Status:** ✅ Zone-Based Firewall migration completed on January 13, 2026 at 14:15
**VLAN 11 Zone Assignment:**
- **Zone:** Internal
- **Network:** MGMT-LAN (VLAN 11)
- **Note:** Zone-Based Firewall simplifies firewall management by grouping network areas
**Important Zone Rules:**
- Networks can only be placed in a **single zone**
- Newly created zones are **blocked from accessing all other zones** except External and Gateway by default
- This provides additional segmentation for security
- Zone policies control traffic between zones, not within zones
**Internal Zone Networks:**
- Default (192.168.0.0/24)
- MGMT-LAN (VLAN 11 - 192.168.11.0/24)
- BESU-VAL (VLAN 110)
- BESU-SEN (VLAN 111)
- BESU-RPC (VLAN 112)
- BLOCKSCOUT (VLAN 120)
- CACTI (VLAN 121)
- +12 additional networks
**Zone Segmentation Note:**
Since both the Default network (192.168.0.0/24) and MGMT-LAN (VLAN 11) are in the **Internal zone**, they should be able to communicate with each other based on the "Internal → Internal: Allow All" policy. If routing is still failing, the issue is likely at the routing layer, not the firewall/zone policy layer.
**Zone Matrix (Internal Zone Policies):**
| Source Zone | Destination Zone | Policy |
|-------------|------------------|--------|
| Internal | Internal | Allow All |
| Internal | External | Allow All (2 rules) |
| Internal | Gateway | Allow All (2 rules) |
| Internal | VPN | Allow All |
| Internal | Hotspot | Allow All |
| Internal | DMZ | Allow All |
| External | Internal | Allow Return (3 rules) |
| Gateway | Internal | Allow All |
| VPN | Internal | Allow All (2 rules) |
| Hotspot | Internal | Allow Return |
| DMZ | Internal | Allow Return |
**Note:** An automatic backup was created prior to the Zone-Based Firewall migration, allowing for restoration if needed.
### Custom ACL Rules (VLAN 11 Specific)
#### Rules Allowing Access TO VLAN 11
| Rule Name | Priority | Source | Destination | Protocol | Status |
|-----------|----------|--------|-------------|----------|--------|
| Allow Default Network to Management VLAN | 5 | 192.168.0.0/24 | VLAN 11 | All | ✅ Enabled |
| Allow Monitoring to Management VLAN | 20 | Service VLANs (110-160) | VLAN 11 | TCP, UDP | ✅ Enabled |
#### Rules Allowing Access FROM VLAN 11
| Rule Name | Priority | Source | Destination | Protocol | Status |
|-----------|----------|--------|-------------|----------|--------|
| Allow Management to Service VLANs (TCP) | 10 | VLAN 11 | Service VLANs (110-160) | TCP | ✅ Enabled |
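To see how the three custom ACL rules above layer on top of the zone matrix, here is an added example (written for this page, not code from the project's repository) that evaluates a flow against the rules in priority order and falls back to the "Internal → Internal: Allow All" zone policy when no custom rule matches. It assumes that every VLAN N uses 192.168.N.0/24, as VLAN 11 does; the page does not state the service VLAN subnets.

```python
import ipaddress
from dataclasses import dataclass

# Assumption (not stated on this page): VLAN N uses 192.168.N.0/24, like VLAN 11.
def vlan_subnet(vlan_id):
    return ipaddress.ip_network(f"192.168.{vlan_id}.0/24")

MGMT = vlan_subnet(11)                                   # MGMT-LAN
DEFAULT_NET = ipaddress.ip_network("192.168.0.0/24")     # Default network
SERVICE_VLANS = [vlan_subnet(v) for v in range(110, 161)]  # "Service VLANs (110-160)"

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int         # lower number is evaluated first
    sources: tuple        # networks the source address may belong to
    destinations: tuple   # networks the destination address may belong to
    protocols: frozenset  # e.g. {"tcp", "udp"}; {"all"} matches anything

# The custom ACL rules exactly as the two tables above list them.
ACL_RULES = [
    Rule("Allow Default Network to Management VLAN", 5, (DEFAULT_NET,), (MGMT,), frozenset({"all"})),
    Rule("Allow Management to Service VLANs (TCP)", 10, (MGMT,), tuple(SERVICE_VLANS), frozenset({"tcp"})),
    Rule("Allow Monitoring to Management VLAN", 20, tuple(SERVICE_VLANS), (MGMT,), frozenset({"tcp", "udp"})),
]

INTERNAL_ZONE = [DEFAULT_NET, MGMT] + SERVICE_VLANS  # all listed as Internal zone networks

def first_match(src, dst, proto, rules=ACL_RULES):
    """Return the name of the highest-priority custom rule matching the flow, or None."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in sorted(rules, key=lambda r: r.priority):
        if (any(s in n for n in rule.sources) and any(d in n for n in rule.destinations)
                and ("all" in rule.protocols or proto in rule.protocols)):
            return rule.name
    return None

def decision(src, dst, proto):
    """Custom ACL rules first; otherwise the zone matrix decides (Internal -> Internal: Allow All)."""
    match = first_match(src, dst, proto)
    if match:
        return ("allow", match)
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if any(s in n for n in INTERNAL_ZONE) and any(d in n for n in INTERNAL_ZONE):
        return ("allow", "zone policy Internal -> Internal: Allow All")
    return ("no-match", "flow is outside the networks modelled here")
```

The last case (UDP from VLAN 11 into a service VLAN) shows why the page's segmentation note points at routing rather than the firewall: with both networks in the Internal zone, the custom rules only add explicit matches, and the zone default already allows the flow.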
### Default System Firewall Rules (UDM Pro)
These are the default system firewall rules configured on the UDM Pro:
| Rule Name | Action | IP Version | Protocol | Direction | Source | Source Port | Destination | Destination Port | Priority |
|-----------|--------|------------|----------|-----------|--------|-------------|--------------|------------------|----------|
| Allow Neighbor Advertisements | Allow | IPv6 | ICMPv6 | External | Any | Any | Gateway | Any | 30005 |
| Allow Neighbor Solicitations | Allow | IPv6 | ICMPv6 | External | Any | Any | Gateway | Any | 30004 |
| Allow OpenVPN Server | Allow | IPv4 | TCP | External | Any | Any | Gateway | 1194 | 30002 |
| Allow Return Traffic | Allow | Both | All | Multiple | Any | Any | Multiple | Any | 30000 |
| Allow WireGuard VPNs | Allow | IPv4 | UDP | External | Any | Any | Gateway | 51820 | 30003 |
| Allow mDNS | Allow | Both | UDP | Internal | Any | 5353 | Gateway | 5353 (2 IPs) | 30000 |
| Block Invalid Traffic | Block | Both | All | Multiple | Any | Any | Multiple | Any | Multiple |
| Allow All Traffic | Allow | Both | All | Multiple | Any | Any | Multiple | Any | 1 |
| Block All Traffic | Block | Both | All | Multiple | Any | Any | Multiple | Any | 1 |
**Note:** These are system-level firewall rules that apply globally, not specific to VLAN 11. They are evaluated in priority order (lower numbers = higher priority).
**Zone-Based Firewall Context:**
- Rules are applied based on source and destination zones
- Internal zone (including MGMT-LAN/VLAN 11) has "Allow All" policies for inter-zone communication
- External zone has "Allow Return" policies for established connections
- Zone-based policies simplify firewall management by grouping network areas
---
## Routing Configuration
### Inter-VLAN Routing
- **Status:** ✅ Enabled by default on UDM Pro
- **Note:** Firewall rules control access between VLANs
- **Default Policy:** Allow inter-VLAN routing (controlled by ACL rules)
### Static Routes (if needed)
If routing from `192.168.0.0/24` to `192.168.11.0/24` fails:
| Route Name | Destination | Gateway | Interface | Status |
|------------|-------------|---------|-----------|--------|
| Route to VLAN 11 | 192.168.11.0/24 | 192.168.11.1 | VLAN 11 | ⏳ May be needed |
---
## Network ID (UniFi API)
- **Network ID:** `5797bd48-6955-4a7c-8cd0-72d8106d3ab2`
- **Used for:** API calls, ACL rule configuration
---
## Port Profile Configuration
### Trunk Ports (Proxmox Uplinks)
- **Native VLAN:** 11 (MGMT-LAN)
- **Tagged VLANs:** All service VLANs (11, 110-203)
- **Purpose:** Proxmox hosts need trunk ports to access multiple VLANs
### Access Ports
- **VLAN:** 11 (untagged)
- **Purpose:** Management devices, admin workstations
---
## Devices on VLAN 11
### Proxmox Hosts
| Hostname | IP Address | Purpose |
|----------|------------|---------|
| ml110-01 | 192.168.11.10 | Proxmox management + seed services |
| r630-01 | 192.168.11.11 | R630 node 1 |
| r630-02 | 192.168.11.12 | R630 node 2 |
| r630-03 | 192.168.11.13 | R630 node 3 |
| r630-04 | 192.168.11.14 | R630 node 4 |
### Other Services
| Service | IP Address | Port | Purpose |
|---------|------------|------|---------|
| UDM Pro | 192.168.11.1 | 443 | Gateway/Management |
| Omada Controller | 192.168.11.8 | 8043 | Network Controller |
---
## Access Patterns
### Allowed Access TO VLAN 11
1. **From Default Network (192.168.0.0/24):**
- ✅ All protocols (ICMP, TCP, UDP)
- Purpose: Management access from UDM Pro default network
2. **From Service VLANs (110-160):**
- ✅ TCP, UDP (monitoring ports: 161, 9090, 9091)
- Purpose: Monitoring and logging
### Allowed Access FROM VLAN 11
1. **To Service VLANs (110-160):**
- ✅ TCP (SSH, HTTPS, database admin ports)
- Purpose: Administrative access
---
## Troubleshooting
### Common Issues
1. **Cannot reach VLAN 11 from 192.168.0.0/24:**
- Check firewall rule: "Allow Default Network to Management VLAN" (Priority 5)
- Verify inter-VLAN routing is enabled
- Check if static route is needed
2. **DHCP not working:**
- Verify DHCP range: 192.168.11.100-192.168.11.200
- Check DHCP server is enabled
- Verify DNS settings
3. **Static IP reservations not working:**
- Verify MAC addresses are correct
- Check IP addresses are within allowed range
- Ensure reservations are saved and applied
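The reservation table above and troubleshooting item 3 ("verify MAC addresses", "check IP addresses are within allowed range") amount to the same consistency check. Here is an added example (not part of the project's repository) that runs that check over the page's own addressing plan: every reservation must sit inside 192.168.11.0/24, outside the dynamic pool .100-.200, carry a real MAC, and not duplicate another entry. The `[... MAC]` placeholders are the page's unfilled values, so they are reported as findings.

```python
import ipaddress
import re

# Values copied from the VLAN 11 tables on this page.
SUBNET = ipaddress.ip_network("192.168.11.0/24")
GATEWAY = ipaddress.ip_address("192.168.11.1")
DHCP_POOL = (ipaddress.ip_address("192.168.11.100"), ipaddress.ip_address("192.168.11.200"))
# (ip, hostname, mac); the MACs are the page's placeholders, not real addresses.
RESERVATIONS = [
    ("192.168.11.1", "UDM Pro (Gateway)", "[UDM Pro MAC]"),
    ("192.168.11.10", "ML110 (Proxmox)", "[ML110 MAC]"),
    ("192.168.11.11", "R630-01", "[R630-01 MAC]"),
    ("192.168.11.12", "R630-02", "[R630-02 MAC]"),
    ("192.168.11.13", "R630-03", "[R630-03 MAC]"),
    ("192.168.11.14", "R630-04", "[R630-04 MAC]"),
]
MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")

def check_reservations(reservations, subnet=SUBNET, gateway=GATEWAY, pool=DHCP_POOL):
    """Return human-readable findings; an empty list means the plan is consistent."""
    findings = []
    if not (pool[0] in subnet and pool[1] in subnet and pool[0] <= pool[1]):
        findings.append(f"DHCP pool {pool[0]}-{pool[1]} is not a valid range inside {subnet}")
    seen_ips, seen_macs = set(), set()
    for ip_str, host, mac in reservations:
        ip = ipaddress.ip_address(ip_str)
        if ip not in subnet:
            findings.append(f"{host}: {ip} is outside {subnet}")
        elif ip in (subnet.network_address, subnet.broadcast_address):
            findings.append(f"{host}: {ip} is the network or broadcast address")
        if pool[0] <= ip <= pool[1]:
            findings.append(f"{host}: {ip} collides with the dynamic DHCP pool")
        if ip in seen_ips:
            findings.append(f"{host}: duplicate reservation for {ip}")
        seen_ips.add(ip)
        mac_norm = mac.lower()
        if not MAC_RE.match(mac_norm):
            findings.append(f"{host}: MAC '{mac}' is a placeholder or malformed")
        elif mac_norm in seen_macs:
            findings.append(f"{host}: duplicate MAC {mac}")
        seen_macs.add(mac_norm)
    if gateway not in seen_ips:
        findings.append(f"gateway {gateway} has no reservation")
    return findings
```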
### Verification Commands
```bash
# List current ACL rules affecting VLAN 11.
# NODE_TLS_REJECT_UNAUTHORIZED=0 disables TLS certificate verification for
# this Node process only (the controller's certificate is not trusted by the
# system store); set it on the command line, not in the shell profile.
cd /home/intlc/projects/proxmox
NODE_TLS_REJECT_UNAUTHORIZED=0 node scripts/unifi/list-acl-rules-node.js

# Test connectivity to the Proxmox host and the gateway
ping -c 3 192.168.11.10
ping -c 3 192.168.11.1
```
---
## Related Documentation
- [UDM_PRO_DHCP_RESERVATIONS_GUIDE.md](./UDM_PRO_DHCP_RESERVATIONS_GUIDE.md) - DHCP reservations setup
- [UDM_PRO_ROUTING_TROUBLESHOOTING.md](./UDM_PRO_ROUTING_TROUBLESHOOTING.md) - Routing troubleshooting
- [UDM_PRO_FIREWALL_MANUAL_CONFIGURATION.md](./UDM_PRO_FIREWALL_MANUAL_CONFIGURATION.md) - Firewall configuration
- [NETWORK_ARCHITECTURE.md](../02-architecture/NETWORK_ARCHITECTURE.md) - Overall network architecture
---
**Last Updated:** 2026-01-13