proxmox/docs/04-configuration/UDM_PRO_COMPLETE_MANUAL_GUIDE.md

# UDM Pro Complete Manual Configuration Guide

**Last Updated:** 2025-01-20  
**Status:** Active Documentation
**Purpose:** Comprehensive guide for all remaining manual configuration tasks

---

## Overview

This guide consolidates all remaining manual configuration tasks for the UDM Pro. All automated tasks have been completed (21/35 tasks). This guide covers the 14 remaining tasks that require manual configuration via the UniFi Network web interface.

---

## Quick Start

**Access UniFi Network Web Interface:**
1. Open browser: `https://192.168.0.1`
2. Log in with admin credentials
3. Follow the guides below for each task

---

## Task 1: DHCP Static IP Reservations (High Priority)

**Estimated Time:** 15-30 minutes  
**Guide:** [UDM_PRO_DHCP_RESERVATIONS_GUIDE.md](./UDM_PRO_DHCP_RESERVATIONS_GUIDE.md)

### Quick Steps:

1. **Navigate:** Settings → Networks → MGMT-LAN (VLAN 11)
2. **Add Reservations:**
   - 192.168.11.1 → UDM Pro (Gateway)
   - 192.168.11.10 → ML110 (Proxmox)
   - 192.168.11.11 → R630-01
   - 192.168.11.12 → R630-02
   - 192.168.11.13 → R630-03
   - 192.168.11.14 → R630-04
3. **Verify:** Check active leases

---

## Task 2: Sovereign Tenant Isolation Firewall Rules (High Priority)

**Estimated Time:** 30-45 minutes  
**Guide:** [UDM_PRO_FIREWALL_MANUAL_CONFIGURATION.md](./UDM_PRO_FIREWALL_MANUAL_CONFIGURATION.md)

### Quick Steps:

1. **Navigate:** Settings → Firewall & Security → Firewall Rules
2. **Create Block Rules:**
   - Block VLAN 200 → VLANs 201-203
   - Block VLAN 201 → VLANs 200, 202-203
   - Block VLAN 202 → VLANs 200-201, 203
   - Block VLAN 203 → VLANs 200-202
3. **Set Priority:** Block rules should have higher priority (lower index) than allow rules
4. **Verify:** Test connectivity between VLANs

---

## Task 3: Port Profiles Configuration (High Priority)

**Estimated Time:** 30-60 minutes  
**Guide:** [UDM_PRO_PORT_PROFILES_GUIDE.md](./UDM_PRO_PORT_PROFILES_GUIDE.md)

### Quick Steps:

1. **Navigate:** Settings → Profiles → Port Profiles (or Devices → Switch → Ports)
2. **Create Trunk Profile:**
   - Name: `All-VLANs-Trunk`
   - Native VLAN: 11 (MGMT-LAN)
   - Tagged VLANs: All service VLANs (11, 110-203)
3. **Create Access Profiles:**
   - `MGMT-LAN-Access` (VLAN 11 only)
   - Service VLAN access profiles as needed
4. **Apply to Ports:**
   - Proxmox uplinks: Use trunk profile
   - Management devices: Use access profile

---

## Task 4: WAN Configuration Verification (High Priority)

**Estimated Time:** 10-15 minutes

### Steps:

1. **Navigate:** Settings → Internet → WAN Networks
2. **Verify Internet 1 (Primary WAN):**
   - DNS Servers: 8.8.8.8, 1.1.1.1
   - Gateway: Verify correct gateway
   - Connection Type: Verify (DHCP/Static/PPPoE)
3. **Verify Internet 2 (Secondary WAN):**
   - Configure if needed for failover
   - DNS Servers: 8.8.8.8, 1.1.1.1
4. **Test Connectivity:**
   - Verify internet connectivity
   - Test DNS resolution

**Note:** Current status shows 2 WAN interfaces (Internet 1, Internet 2) - dual WAN is available.

---

## Task 5: System Settings (Medium Priority)

**Estimated Time:** 15-20 minutes  
**Guide:** [UDM_PRO_SYSTEM_SETTINGS_GUIDE.md](./UDM_PRO_SYSTEM_SETTINGS_GUIDE.md)

### Steps:

1. **Navigate:** Settings → System Settings → General
2. **Configure:**
   - **Hostname:** Set appropriate hostname (e.g., `udm-pro-primary`)
   - **Timezone:** Select timezone (e.g., `America/Los_Angeles`)
   - **NTP Servers:** Configure NTP servers
     - Primary: `pool.ntp.org` or `time.google.com`
     - Secondary: `1.pool.ntp.org` or `time.cloudflare.com`
3. **Verify:**
   - Check system time is correct
   - Verify NTP synchronization

---

## Task 6: Configuration Backup (Medium Priority)

**Estimated Time:** 5-10 minutes

### Steps:

1. **Navigate:** Settings → System Settings → Backups (or Maintenance → Backups)
2. **Configure Automatic Backups:**
   - Enable automatic backups
   - Set frequency: Daily (recommended)
   - Set retention: 7-30 days
   - Choose backup location
3. **Create Manual Backup:**
   - Click **Download Backup** or **Export Configuration**
   - Save backup file securely
   - Store in safe location

---

## Task 7: Device Adoption (Medium Priority - Conditional)

**Estimated Time:** 15-30 minutes (if devices need adoption)

### Steps:

1. **Navigate:** Devices
2. **Check for Pending Devices:**
   - Look for devices showing "Pending Adoption"
   - Verify devices are powered on and connected
3. **Adopt Devices:**
   - Click **Adopt** for each pending device
   - Wait for adoption to complete
   - Verify devices show as "Online"
4. **Configure Switch Ports:**
   - Apply port profiles to switch ports
   - Configure VLAN trunking for Proxmox connections
   - Configure access ports for management devices

**Note:** Only perform if UniFi switches/APs are present and need adoption.

---

## Task 8: WAN Failover Configuration (Low Priority - Conditional)

**Estimated Time:** 20-30 minutes (if dual WAN available)

### Prerequisites:

- Dual WAN available (verified: Internet 1, Internet 2)
- Secondary WAN connection configured

### Steps:

1. **Navigate:** Settings → Internet → WAN Failover
2. **Configure Failover:**
   - Enable WAN failover
   - Set primary WAN: Internet 1
   - Set secondary WAN: Internet 2
   - Configure failover threshold: 3 failed pings
   - Configure health check: Ping 8.8.8.8 every 30 seconds
3. **Test Failover:**
   - Test failover by disconnecting primary WAN
   - Verify automatic failover to secondary
   - Test failback when primary restored

---

## Task 9: NAT Pool Configuration (Low Priority - Conditional)

**Estimated Time:** 30-60 minutes (if public IP blocks available)

### Prerequisites:

- Public IP blocks assigned/available
- NAT pool configuration supported on UDM Pro

### Required NAT Pools:

- VLAN 132 (CCIP-COMMIT) → Public Block #2
- VLAN 133 (CCIP-EXEC) → Public Block #3
- VLAN 134 (CCIP-RMN) → Public Block #4
- VLAN 160 (SANKOFA-SVC) → Public Block #5
- VLANs 200-203 (Sovereign tenants) → Public Block #6

### Steps:

1. **Navigate:** Settings → Routing & Firewall → NAT (or similar)
2. **Configure NAT Pools:**
   - Create NAT pool for each VLAN
   - Assign public IP block to each pool
   - Configure egress NAT rules
3. **Verify:**
   - Test egress traffic uses correct public IPs
   - Verify NAT pool assignments

**Note:** This is conditional and may not be applicable if public IP blocks are not available.

---

## Task 10: SSL Certificate (Low Priority - Optional)

**Estimated Time:** 15-30 minutes

### Option 1: Let's Encrypt (Recommended for Production)

1. **Navigate:** Settings → System Settings → Certificate
2. **Configure Let's Encrypt:**
   - Enable Let's Encrypt
   - Enter domain name
   - Configure email for notifications
   - Certificate auto-renews

### Option 2: Self-Signed (Acceptable for Development)

- Current setup uses self-signed certificate
- Document this in configuration
- Can upgrade to Let's Encrypt later

---

## Configuration Verification Checklist

After completing manual configurations, verify:

- [ ] DHCP reservations active and devices receiving correct IPs
- [ ] Firewall rules created and enabled
- [ ] Port profiles created and applied to ports
- [ ] WAN configuration verified (DNS, gateway)
- [ ] System settings configured (hostname, timezone, NTP)
- [ ] Backups enabled and working
- [ ] Devices adopted (if applicable)
- [ ] Connectivity tested between VLANs
- [ ] Internet connectivity verified

---

## Testing & Verification

### Test Connectivity

```bash
# Test VLAN connectivity
ping 192.168.11.1  # UDM Pro gateway
ping 192.168.11.10 # ML110 (if configured)

# Test internet connectivity
ping 8.8.8.8
nslookup google.com 8.8.8.8
```

### Verify Configuration

Run verification script:
```bash
cd /home/intlc/projects/proxmox
./scripts/unifi/verify-configuration.sh
```

---

## Troubleshooting

### Common Issues

1. **Devices not getting static IPs:**
   - Verify MAC address is correct
   - Check device is on correct VLAN
   - Verify reservation is enabled

2. **Firewall rules not working:**
   - Check rule priority/order
   - Verify rules are enabled
   - Check rule source/destination networks

3. **Port profiles not applying:**
   - Verify port profile is created
   - Check port is not locked/restricted
   - Verify physical connection

4. **WAN connectivity issues:**
   - Verify DNS servers are correct
   - Check gateway configuration
   - Test connectivity from devices

---

## Priority Order

**Recommended completion order:**

1. **High Priority (Complete First):**
   - DHCP Reservations
   - Sovereign Tenant Isolation
   - Port Profiles
   - WAN Configuration

2. **Medium Priority (Complete Next):**
   - System Settings
   - Configuration Backup
   - Device Adoption (if applicable)

3. **Low/Conditional Priority (Complete Last):**
   - WAN Failover (if needed)
   - NAT Pools (if applicable)
   - SSL Certificate (optional)

---

## Related Documentation

- [UDM_PRO_DHCP_RESERVATIONS_GUIDE.md](./UDM_PRO_DHCP_RESERVATIONS_GUIDE.md) - Detailed DHCP guide
- [UDM_PRO_FIREWALL_MANUAL_CONFIGURATION.md](./UDM_PRO_FIREWALL_MANUAL_CONFIGURATION.md) - Detailed firewall guide
- [UDM_PRO_PORT_PROFILES_GUIDE.md](./UDM_PRO_PORT_PROFILES_GUIDE.md) - Detailed port profiles guide
- [UDM_PRO_SYSTEM_SETTINGS_GUIDE.md](./UDM_PRO_SYSTEM_SETTINGS_GUIDE.md) - Detailed system settings guide
- [UDM_PRO_CONFIGURATION_CHECKLIST.md](./UDM_PRO_CONFIGURATION_CHECKLIST.md) - Complete checklist
- [UDM_PRO_STATUS.md](./UDM_PRO_STATUS.md) - Configuration status and remaining tasks

---

**Last Updated:** 2025-01-20