proxmox/docs/04-configuration/UDM_PRO_CONFIGURATION_CHECKLIST.md

# UDM Pro Configuration Checklist
**Last Updated:** 2025-01-20

**UDM Pro IP:** 192.168.0.1

**Status:** Configuration Planning

---

## Overview

This document provides a comprehensive checklist for configuring the UDM Pro to support the complete network architecture as defined in the Network Architecture documentation.

**Reference:** [NETWORK_ARCHITECTURE.md](../../docs/02-architecture/NETWORK_ARCHITECTURE.md)

---
## Configuration Tasks

### Phase 1: VLAN Configuration (18 VLANs)

All VLAN configurations can be done in parallel.

#### Core Management Network

- [ ] **VLAN 11 (MGMT-LAN)**
  - Subnet: 192.168.11.0/24
  - Gateway: 192.168.11.1
  - DHCP Range: 192.168.11.100-192.168.11.200
  - DNS: 8.8.8.8, 1.1.1.1
  - Purpose: Proxmox mgmt, switches mgmt, admin endpoints

#### Besu Network VLANs

- [ ] **VLAN 110 (BESU-VAL)**
  - Subnet: 10.110.0.0/24
  - Gateway: 10.110.0.1
  - Purpose: Validator-only network (no member access)
- [ ] **VLAN 111 (BESU-SEN)**
  - Subnet: 10.111.0.0/24
  - Gateway: 10.111.0.1
  - Purpose: Sentry mesh
- [ ] **VLAN 112 (BESU-RPC)**
  - Subnet: 10.112.0.0/24
  - Gateway: 10.112.0.1
  - Purpose: RPC / gateway tier

#### Service VLANs

- [ ] **VLAN 120 (BLOCKSCOUT)**
  - Subnet: 10.120.0.0/24
  - Gateway: 10.120.0.1
  - Purpose: Explorer + DB
- [ ] **VLAN 121 (CACTI)**
  - Subnet: 10.121.0.0/24
  - Gateway: 10.121.0.1
  - Purpose: Interop middleware
- [ ] **VLAN 130 (CCIP-OPS)**
  - Subnet: 10.130.0.0/24
  - Gateway: 10.130.0.1
  - Purpose: Ops/admin
- [ ] **VLAN 132 (CCIP-COMMIT)**
  - Subnet: 10.132.0.0/24
  - Gateway: 10.132.0.1
  - Purpose: Commit-role DON
- [ ] **VLAN 133 (CCIP-EXEC)**
  - Subnet: 10.133.0.0/24
  - Gateway: 10.133.0.1
  - Purpose: Execute-role DON
- [ ] **VLAN 134 (CCIP-RMN)**
  - Subnet: 10.134.0.0/24
  - Gateway: 10.134.0.1
  - Purpose: Risk management network
- [ ] **VLAN 140 (FABRIC)**
  - Subnet: 10.140.0.0/24
  - Gateway: 10.140.0.1
  - Purpose: Fabric
- [ ] **VLAN 141 (FIREFLY)**
  - Subnet: 10.141.0.0/24
  - Gateway: 10.141.0.1
  - Purpose: FireFly
- [ ] **VLAN 150 (INDY)**
  - Subnet: 10.150.0.0/24
  - Gateway: 10.150.0.1
  - Purpose: Identity
- [ ] **VLAN 160 (SANKOFA-SVC)**
  - Subnet: 10.160.0.0/22
  - Gateway: 10.160.0.1
  - Purpose: Sankofa/Phoenix/PanTel service layer

#### Sovereign Tenant VLANs

- [ ] **VLAN 200 (PHX-SOV-SMOM)**
  - Subnet: 10.200.0.0/20
  - Gateway: 10.200.0.1
  - Purpose: Sovereign tenant
- [ ] **VLAN 201 (PHX-SOV-ICCC)**
  - Subnet: 10.201.0.0/20
  - Gateway: 10.201.0.1
  - Purpose: Sovereign tenant
- [ ] **VLAN 202 (PHX-SOV-DBIS)**
  - Subnet: 10.202.0.0/20
  - Gateway: 10.202.0.1
  - Purpose: Sovereign tenant
- [ ] **VLAN 203 (PHX-SOV-AR)**
  - Subnet: 10.203.0.0/20
  - Gateway: 10.203.0.1
  - Purpose: Absolute Realms tenant

---
### Phase 2: DHCP Configuration

- [ ] **VLAN 11 Static IP Reservations**
  - 192.168.11.1: UDM Pro (Gateway)
  - 192.168.11.10: ML110 (Proxmox)
  - 192.168.11.11: R630-01
  - 192.168.11.12: R630-02
  - 192.168.11.13: R630-03
  - 192.168.11.14: R630-04
- [ ] **Other VLANs DHCP Configuration**
  - Configure DHCP ranges as needed for each VLAN
  - Or configure static IPs for all nodes (recommended for production)

---
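The VLAN and DHCP tables in Phases 1 and 2 can be sanity-checked before anything is pushed to the UDM Pro. The Python below is an added example, not code from this repository: it encodes a representative subset of the plan above and flags gateways that are not host addresses in their subnet, overlapping subnets, malformed DHCP pools, and static reservations that collide with the DHCP pool.

```python
import ipaddress

# Representative subset of the VLAN plan above (the full 18-VLAN table is
# checked the same way); the DHCP pool and reservations are VLAN 11's.
VLANS = {
    11:  ("MGMT-LAN",     "192.168.11.0/24", "192.168.11.1"),
    110: ("BESU-VAL",     "10.110.0.0/24",   "10.110.0.1"),
    111: ("BESU-SEN",     "10.111.0.0/24",   "10.111.0.1"),
    160: ("SANKOFA-SVC",  "10.160.0.0/22",   "10.160.0.1"),
    200: ("PHX-SOV-SMOM", "10.200.0.0/20",   "10.200.0.1"),
    201: ("PHX-SOV-ICCC", "10.201.0.0/20",   "10.201.0.1"),
}
DHCP_RANGES = {11: ("192.168.11.100", "192.168.11.200")}
RESERVATIONS = {11: {"192.168.11.10": "ML110", "192.168.11.11": "R630-01"}}

def validate_plan(vlans, dhcp_ranges, reservations):
    """Return human-readable problems; an empty list means the plan is consistent."""
    problems, nets = [], {}
    for vid, (name, cidr, gw) in vlans.items():
        net = ipaddress.ip_network(cidr, strict=True)  # rejects host bits set, e.g. 10.1.0.5/24
        nets[vid] = net
        gw_ip = ipaddress.ip_address(gw)
        if gw_ip not in net or gw_ip in (net.network_address, net.broadcast_address):
            problems.append(f"VLAN {vid} ({name}): gateway {gw} is not a host address in {cidr}")
    # Subnets must be pairwise disjoint, or routing and firewall policy become ambiguous.
    ids = sorted(nets)
    for i, a in enumerate(ids):
        for b in ids[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"VLAN {a} and VLAN {b}: {nets[a]} overlaps {nets[b]}")
    # DHCP pools must sit inside their subnet; static reservations must be inside the
    # subnet but outside the pool, so DHCP can never lease a reserved address.
    for vid, (lo, hi) in dhcp_ranges.items():
        lo_ip, hi_ip = ipaddress.ip_address(lo), ipaddress.ip_address(hi)
        if lo_ip not in nets[vid] or hi_ip not in nets[vid] or lo_ip > hi_ip:
            problems.append(f"VLAN {vid}: DHCP range {lo}-{hi} is invalid for {nets[vid]}")
    for vid, hosts in reservations.items():
        pool = dhcp_ranges.get(vid)
        for ip, host in hosts.items():
            addr = ipaddress.ip_address(ip)
            if addr not in nets[vid]:
                problems.append(f"VLAN {vid}: reservation {ip} ({host}) is outside {nets[vid]}")
            elif pool and ipaddress.ip_address(pool[0]) <= addr <= ipaddress.ip_address(pool[1]):
                problems.append(f"VLAN {vid}: reservation {ip} ({host}) lies inside the DHCP pool")
    return problems

if __name__ == "__main__":
    for line in validate_plan(VLANS, DHCP_RANGES, RESERVATIONS) or ["plan OK"]:
        print(line)
```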
### Phase 3: Firewall Rules Configuration

- [ ] **Inter-VLAN Routing Rules**
  - Enable routing between VLANs
  - Configure default policies (deny by default, explicit allows)
- [ ] **Sovereign Tenant Isolation**
  - Deny east-west traffic between VLANs 200-203
  - Allow only specific paths if needed
- [ ] **Management VLAN Access Rules**
  - Allow Management VLAN (11) → Service VLANs (specific ports)
    - SSH (TCP 22)
    - Database admin ports (e.g., PostgreSQL 5432)
    - Admin console ports (e.g., Keycloak 8080)
    - API monitoring ports
- [ ] **Service VLAN Monitoring Rules**
  - Allow Service VLANs → Management VLAN (monitoring/logging ports)
    - SNMP, monitoring agents, logging
- [ ] **WAN Access Rules**
  - Block WAN → LAN (default deny)
  - Allow LAN → WAN (with NAT)
  - Configure break-glass rules if needed (with strict IP allowlists)

---
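To make the intent of the Phase 3 rules testable before they are entered in the UniFi console, the Python below (an added example, not the project's code and not the UDM Pro's own rule format) models the policy as an ordered first-match table with a default deny and includes a regression check for tenant isolation. The monitoring port numbers (SNMP 161/udp, syslog 514/udp) are assumptions, since the checklist names none.

```python
from collections import namedtuple

Flow = namedtuple("Flow", "src dst proto port")  # src/dst: VLAN id or "WAN"

WAN = "WAN"
MGMT = 11
SERVICE = {110, 111, 112, 120, 121, 130, 132, 133, 134, 140, 141, 150, 160}
TENANTS = {200, 201, 202, 203}
# Admin ports named in the checklist for mgmt -> service. The monitoring ports are an
# assumption (SNMP 161/udp, syslog 514/udp); the checklist gives no numbers for them.
MGMT_TO_SERVICE = {("tcp", 22), ("tcp", 5432), ("tcp", 8080)}
SERVICE_TO_MGMT = {("udp", 161), ("udp", 514)}

def is_lan(zone):
    return zone != WAN

# Ordered rule table: first match wins, anything unmatched falls to the default deny.
# Any tenant exception ("allow only specific paths if needed") belongs above
# tenant-isolation so it is evaluated before the blanket deny.
RULES = [
    ("wan-to-lan-deny", lambda f: f.src == WAN and is_lan(f.dst), "deny"),
    ("lan-to-wan-allow", lambda f: is_lan(f.src) and f.dst == WAN, "allow"),
    ("tenant-isolation",
     lambda f: f.src in TENANTS and f.dst in TENANTS and f.src != f.dst, "deny"),
    ("mgmt-to-service-admin",
     lambda f: f.src == MGMT and f.dst in SERVICE and (f.proto, f.port) in MGMT_TO_SERVICE,
     "allow"),
    ("service-to-mgmt-monitoring",
     lambda f: f.src in SERVICE and f.dst == MGMT and (f.proto, f.port) in SERVICE_TO_MGMT,
     "allow"),
]

def evaluate(flow):
    """Return (action, rule_name) for one flow under the Phase 3 policy."""
    for name, match, action in RULES:
        if match(flow):
            return action, name
    return "deny", "default-deny"

def tenants_isolated(ports=(22, 443, 5432)):
    """Regression check for the Sovereign Tenant Isolation task: no cross-tenant
    flow may be allowed on any sampled port, whatever else is added to RULES."""
    return all(evaluate(Flow(s, d, "tcp", p))[0] == "deny"
               for s in TENANTS for d in TENANTS if s != d for p in ports)

if __name__ == "__main__":
    for f in (Flow(11, 120, "tcp", 22), Flow(120, 11, "tcp", 22), Flow(200, 201, "tcp", 443)):
        print(f, "->", evaluate(f))
    print("tenants isolated:", tenants_isolated())
```

Note that the reverse of an allowed path (service VLAN → management VLAN on SSH) falls through to the default deny, which is the behaviour the checklist's "deny by default, explicit allows" policy requires.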
### Phase 4: Port Profiles & Switching

- [ ] **VLAN Trunk Port Profiles**
  - Configure 802.1Q trunk ports
  - Tagged VLANs: All service VLANs (11, 110-114, 120-121, 130-134, 140-141, 150, 160, 200-203)
  - Native VLAN: 11 (MGMT) for management ports
- [ ] **Access Port Profiles**
  - Single VLAN, untagged
  - Native VLAN 11 for management ports
  - Service VLAN ports as needed
- [ ] **Apply Port Profiles to Switch Ports**
  - Configure trunk ports for Proxmox uplinks
  - Configure access ports for management devices

---
### Phase 5: WAN & NAT Configuration

- [ ] **Primary WAN Configuration**
  - Configure WAN interface
  - DNS: 8.8.8.8, 1.1.1.1
  - Gateway configuration
- [ ] **WAN Failover (if dual WAN available)**
  - Configure secondary WAN interface
  - Enable failover with health checks
  - Failover threshold: 3 failed pings
  - Health check: Ping 8.8.8.8 every 30 seconds
- [ ] **Egress NAT Pools (if public IP blocks available)**
  - VLAN 132 (CCIP-COMMIT) → Public Block #2
  - VLAN 133 (CCIP-EXEC) → Public Block #3
  - VLAN 134 (CCIP-RMN) → Public Block #4
  - VLAN 160 (SANKOFA-SVC) → Public Block #5
  - VLANs 200-203 (Sovereign tenants) → Public Block #6

**Note:** NAT pool configuration depends on UDM Pro capabilities and available public IP blocks.

---
### Phase 6: System Settings

- [ ] **Hostname Configuration**
  - Set appropriate hostname for UDM Pro
- [ ] **Timezone Configuration**
  - Set timezone (America/Los_Angeles or as appropriate)
- [ ] **NTP Configuration**
  - Configure NTP time synchronization
  - Use reliable NTP servers
- [ ] **SSL Certificate**
  - Install proper SSL certificate (recommended)
  - Or document self-signed certificate usage for internal networks
  - Reference: [UNIFI_API_SETUP.md](./UNIFI_API_SETUP.md#production-ssl-certificate-setup)

---
### Phase 7: Device Management

- [ ] **UniFi Device Adoption**
  - Adopt UniFi switches if present
  - Adopt UniFi APs if present
  - Configure switch ports for VLAN trunking
  - Configure APs with appropriate WLANs
- [ ] **Switch Port Configuration**
  - Configure ports for VLAN trunking (802.1Q)
  - Apply port profiles to appropriate ports

---
### Phase 8: Backup & Documentation

- [ ] **Configuration Backup**
  - Enable automatic backups
  - Export initial configuration
  - Store backups securely
- [ ] **Verification**
  - Verify all VLAN configurations using the Private API
  - Test connectivity between VLANs
  - Test routing functionality
  - Verify firewall rules
- [ ] **Documentation**
  - Document final UDM Pro configuration
  - Update configuration status documents
  - Create network topology diagram

---
## Configuration Summary

**Total Tasks:** 35 tasks across 8 phases

**Priority Levels:**

1. **High Priority:**
   - VLAN 11 (MGMT-LAN) - Critical for management access
   - Core service VLANs (110-114, 120-121, 130-134, 140-141, 150, 160)
   - Basic firewall rules for security
   - DHCP reservations for critical devices
2. **Medium Priority:**
   - Sovereign tenant VLANs (200-203)
   - Advanced firewall rules
   - Port profile configuration
   - WAN configuration
3. **Lower Priority:**
   - NAT pool configuration (if applicable)
   - WAN failover (if dual WAN)
   - SSL certificate installation
   - Advanced monitoring/logging

---
## Implementation Notes

### Parallel Execution

Many tasks can be executed in parallel:

- **All VLAN configurations** (18 tasks) can be done simultaneously
- **System settings** (hostname, timezone, NTP) can be configured in parallel
- **Port profiles** can be configured independently
- **Firewall rules** can be configured after VLANs are set up

### Sequential Dependencies

Some tasks have dependencies:

- **Firewall rules** depend on VLANs being configured first
- **Port profiles** depend on VLANs being configured
- **NAT pools** depend on WAN configuration and available public IP blocks
- **Verification** should be done after all configurations are complete

### Testing & Validation

After each phase:

1. Verify VLANs are created correctly
2. Test connectivity within VLANs
3. Test inter-VLAN routing (if enabled)
4. Verify firewall rules are working as expected
5. Check DHCP assignments
6. Verify device connectivity

---
## Related Documentation

- [Network Architecture](../../docs/02-architecture/NETWORK_ARCHITECTURE.md) - Complete network architecture reference
- [UNIFI_API_SETUP.md](./UNIFI_API_SETUP.md) - API setup and configuration
- [UNIFI_CONFIGURATION_STATUS.md](./UNIFI_CONFIGURATION_STATUS.md) - Current configuration status
- [UNIFI_ENDPOINTS_REFERENCE.md](./UNIFI_ENDPOINTS_REFERENCE.md) - API endpoints reference

---

## Current Status

**API Integration:** ✅ Configured and working (Private API mode)

**Local Admin Account:** ✅ Created (`unifi_api`)

**VLAN Configuration:** ⏳ Pending (0/18 VLANs configured)

**Firewall Rules:** ⏳ Pending

**Port Profiles:** ⏳ Pending

**System Settings:** ⏳ Pending

---

**Last Updated:** 2025-01-20