# UDM Pro Configuration Checklist

**Last Updated:** 2025-01-20

**UDM Pro IP:** 192.168.0.1

**Status:** Configuration Planning

---

## Overview

This document provides a comprehensive checklist for configuring the UDM Pro to support the complete network architecture as defined in the Network Architecture documentation.

**Reference:** [NETWORK_ARCHITECTURE.md](../../docs/02-architecture/NETWORK_ARCHITECTURE.md)

---

## Configuration Tasks

### Phase 1: VLAN Configuration (18 VLANs)

All VLAN configurations can be done in parallel.

#### Core Management Network

- [ ] **VLAN 11 (MGMT-LAN)**
  - Subnet: 192.168.11.0/24
  - Gateway: 192.168.11.1
  - DHCP Range: 192.168.11.100-192.168.11.200
  - DNS: 8.8.8.8, 1.1.1.1
  - Purpose: Proxmox mgmt, switch mgmt, admin endpoints

#### Besu Network VLANs

- [ ] **VLAN 110 (BESU-VAL)**
  - Subnet: 10.110.0.0/24
  - Gateway: 10.110.0.1
  - Purpose: Validator-only network (no member access)
- [ ] **VLAN 111 (BESU-SEN)**
  - Subnet: 10.111.0.0/24
  - Gateway: 10.111.0.1
  - Purpose: Sentry mesh
- [ ] **VLAN 112 (BESU-RPC)**
  - Subnet: 10.112.0.0/24
  - Gateway: 10.112.0.1
  - Purpose: RPC / gateway tier

#### Service VLANs

- [ ] **VLAN 120 (BLOCKSCOUT)**
  - Subnet: 10.120.0.0/24
  - Gateway: 10.120.0.1
  - Purpose: Explorer + DB
- [ ] **VLAN 121 (CACTI)**
  - Subnet: 10.121.0.0/24
  - Gateway: 10.121.0.1
  - Purpose: Interop middleware
- [ ] **VLAN 130 (CCIP-OPS)**
  - Subnet: 10.130.0.0/24
  - Gateway: 10.130.0.1
  - Purpose: Ops/admin
- [ ] **VLAN 132 (CCIP-COMMIT)**
  - Subnet: 10.132.0.0/24
  - Gateway: 10.132.0.1
  - Purpose: Commit-role DON
- [ ] **VLAN 133 (CCIP-EXEC)**
  - Subnet: 10.133.0.0/24
  - Gateway: 10.133.0.1
  - Purpose: Execute-role DON
- [ ] **VLAN 134 (CCIP-RMN)**
  - Subnet: 10.134.0.0/24
  - Gateway: 10.134.0.1
  - Purpose: Risk management network
- [ ] **VLAN 140 (FABRIC)**
  - Subnet: 10.140.0.0/24
  - Gateway: 10.140.0.1
  - Purpose: Fabric
- [ ] **VLAN 141 (FIREFLY)**
  - Subnet: 10.141.0.0/24
  - Gateway: 10.141.0.1
  - Purpose: FireFly
- [ ] **VLAN 150 (INDY)**
  - Subnet: 10.150.0.0/24
  - Gateway: 10.150.0.1
  - Purpose: Identity
- [ ] **VLAN 160 (SANKOFA-SVC)**
  - Subnet: 10.160.0.0/22
  - Gateway: 10.160.0.1
  - Purpose: Sankofa/Phoenix/PanTel service layer

#### Sovereign Tenant VLANs

- [ ] **VLAN 200 (PHX-SOV-SMOM)**
  - Subnet: 10.200.0.0/20
  - Gateway: 10.200.0.1
  - Purpose: Sovereign tenant
- [ ] **VLAN 201 (PHX-SOV-ICCC)**
  - Subnet: 10.201.0.0/20
  - Gateway: 10.201.0.1
  - Purpose: Sovereign tenant
- [ ] **VLAN 202 (PHX-SOV-DBIS)**
  - Subnet: 10.202.0.0/20
  - Gateway: 10.202.0.1
  - Purpose: Sovereign tenant
- [ ] **VLAN 203 (PHX-SOV-AR)**
  - Subnet: 10.203.0.0/20
  - Gateway: 10.203.0.1
  - Purpose: Absolute Realms tenant

---

### Phase 2: DHCP Configuration

- [ ] **VLAN 11 Static IP Reservations**
  - 192.168.11.1: UDM Pro (Gateway)
  - 192.168.11.10: ML110 (Proxmox)
  - 192.168.11.11: R630-01
  - 192.168.11.12: R630-02
  - 192.168.11.13: R630-03
  - 192.168.11.14: R630-04
- [ ] **Other VLANs DHCP Configuration**
  - Configure DHCP ranges as needed for each VLAN
  - Or configure static IPs for all nodes (recommended for production)

---

### Phase 3: Firewall Rules Configuration

- [ ] **Inter-VLAN Routing Rules**
  - Enable routing between VLANs
  - Configure default policies (deny by default, explicit allows)
- [ ] **Sovereign Tenant Isolation**
  - Deny east-west traffic between VLANs 200-203
  - Allow only specific paths if needed
- [ ] **Management VLAN Access Rules**
  - Allow Management VLAN (11) → Service VLANs (specific ports)
    - SSH (TCP 22)
    - Database admin ports (e.g., PostgreSQL 5432)
    - Admin console ports (e.g., Keycloak 8080)
    - API monitoring ports
- [ ] **Service VLAN Monitoring Rules**
  - Allow Service VLANs → Management VLAN (monitoring/logging ports)
    - SNMP, monitoring agents, logging
- [ ] **WAN Access Rules**
  - Block WAN → LAN (default deny)
  - Allow LAN → WAN (with NAT)
  - Configure break-glass rules if needed (with strict IP allowlists)

---

### Phase 4: Port Profiles & Switching

- [ ] **VLAN Trunk Port Profiles**
  - Configure 802.1Q trunk ports
  - Tagged VLANs: All service VLANs (11, 110-114, 120-121, 130-134, 140-141, 150, 160, 200-203)
  - Native VLAN: 11 (MGMT) for management ports
- [ ] **Access Port Profiles**
  - Single VLAN, untagged
  - Native VLAN 11 for management ports
  - Service VLAN ports as needed
- [ ] **Apply Port Profiles to Switch Ports**
  - Configure trunk ports for Proxmox uplinks
  - Configure access ports for management devices

---

### Phase 5: WAN & NAT Configuration

- [ ] **Primary WAN Configuration**
  - Configure WAN interface
  - DNS: 8.8.8.8, 1.1.1.1
  - Gateway configuration
- [ ] **WAN Failover (if dual WAN available)**
  - Configure secondary WAN interface
  - Enable failover with health checks
  - Failover threshold: 3 failed pings
  - Health check: Ping 8.8.8.8 every 30 seconds
- [ ] **Egress NAT Pools (if public IP blocks available)**
  - VLAN 132 (CCIP-COMMIT) → Public Block #2
  - VLAN 133 (CCIP-EXEC) → Public Block #3
  - VLAN 134 (CCIP-RMN) → Public Block #4
  - VLAN 160 (SANKOFA-SVC) → Public Block #5
  - VLANs 200-203 (Sovereign tenants) → Public Block #6

**Note:** NAT pool configuration depends on UDM Pro capabilities and available public IP blocks.
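The Phase 3 policy (deny by default, tenant isolation, narrow management and monitoring allows) is easiest to get right if the intended flows are written down and checked before the rules are entered in the UniFi UI. The script below is an added example, not part of this checklist or of UniFi: it encodes the Phase 1 address plan and the Phase 3 rule intent as an ordered, first-match rule list and evaluates sample flows against it. The SNMP (161) and syslog (514) port numbers for the monitoring rule are assumptions, since the checklist names only the protocol families.

```python
from ipaddress import ip_address, ip_network

# Planned address space, copied from the Phase 1 VLAN table.
VLANS = {
    11: "192.168.11.0/24", 110: "10.110.0.0/24", 111: "10.111.0.0/24", 112: "10.112.0.0/24",
    120: "10.120.0.0/24", 121: "10.121.0.0/24", 130: "10.130.0.0/24", 132: "10.132.0.0/24",
    133: "10.133.0.0/24", 134: "10.134.0.0/24", 140: "10.140.0.0/24", 141: "10.141.0.0/24",
    150: "10.150.0.0/24", 160: "10.160.0.0/22", 200: "10.200.0.0/20", 201: "10.201.0.0/20",
    202: "10.202.0.0/20", 203: "10.203.0.0/20",
}
MGMT = {11}
TENANTS = {200, 201, 202, 203}
SERVICES = set(VLANS) - MGMT - TENANTS

# Ordered rule list modelled on Phase 3: first match wins, anything unmatched is denied.
# Port numbers for the monitoring rule (SNMP 161, syslog 514) are assumed; the checklist
# names only the protocol families. Each rule: (name, sources, destinations, ports, action).
RULES = [
    ("tenant-isolation", TENANTS, TENANTS, None, "deny"),
    ("mgmt-to-services", MGMT, SERVICES, {22, 5432, 8080}, "allow"),
    ("services-to-mgmt-monitoring", SERVICES, MGMT, {161, 514}, "allow"),
]

def vlan_of(ip):
    """Map an address to the planned VLAN that contains it."""
    addr = ip_address(ip)
    for vid, cidr in VLANS.items():
        if addr in ip_network(cidr):
            return vid
    raise ValueError(f"{ip} is not inside any planned VLAN")

def evaluate(src_ip, dst_ip, port):
    """Return (action, matched rule name) for a flow routed through the UDM Pro."""
    src, dst = vlan_of(src_ip), vlan_of(dst_ip)
    if src == dst:
        return "allow", "intra-vlan"  # same segment: switched, never reaches the inter-VLAN rules
    for name, sources, dests, ports, action in RULES:
        if src in sources and dst in dests and (ports is None or port in ports):
            return action, name
    return "deny", "default-deny"
```

Extend RULES with any break-glass or explicitly approved tenant path before adding it in the controller, so the evaluator stays the record of what the rule set is meant to permit.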
---

### Phase 6: System Settings

- [ ] **Hostname Configuration**
  - Set an appropriate hostname for the UDM Pro
- [ ] **Timezone Configuration**
  - Set timezone (America/Los_Angeles or as appropriate)
- [ ] **NTP Configuration**
  - Configure NTP time synchronization
  - Use reliable NTP servers
- [ ] **SSL Certificate**
  - Install a proper SSL certificate (recommended)
  - Or document self-signed certificate usage for internal networks
  - Reference: [UNIFI_API_SETUP.md](./UNIFI_API_SETUP.md#production-ssl-certificate-setup)

---

### Phase 7: Device Management

- [ ] **UniFi Device Adoption**
  - Adopt UniFi switches if present
  - Adopt UniFi APs if present
  - Configure switch ports for VLAN trunking
  - Configure APs with appropriate WLANs
- [ ] **Switch Port Configuration**
  - Configure ports for VLAN trunking (802.1Q)
  - Apply port profiles to appropriate ports

---

### Phase 8: Backup & Documentation

- [ ] **Configuration Backup**
  - Enable automatic backups
  - Export initial configuration
  - Store backups securely
- [ ] **Verification**
  - Verify all VLAN configurations using the Private API
  - Test connectivity between VLANs
  - Test routing functionality
  - Verify firewall rules
- [ ] **Documentation**
  - Document final UDM Pro configuration
  - Update configuration status documents
  - Create network topology diagram

---

## Configuration Summary

**Total Tasks:** 35 tasks across 8 phases

**Priority Levels:**

1. **High Priority:**
   - VLAN 11 (MGMT-LAN) - Critical for management access
   - Core service VLANs (110-114, 120-121, 130-134, 140-141, 150, 160)
   - Basic firewall rules for security
   - DHCP reservations for critical devices
2. **Medium Priority:**
   - Sovereign tenant VLANs (200-203)
   - Advanced firewall rules
   - Port profile configuration
   - WAN configuration
3. **Lower Priority:**
   - NAT pool configuration (if applicable)
   - WAN failover (if dual WAN)
   - SSL certificate installation
   - Advanced monitoring/logging

---

## Implementation Notes

### Parallel Execution

Many tasks can be executed in parallel:

- **All VLAN configurations** (18 tasks) can be done simultaneously
- **System settings** (hostname, timezone, NTP) can be configured in parallel
- **Port profiles** can be configured independently
- **Firewall rules** can be configured after VLANs are set up

### Sequential Dependencies

Some tasks have dependencies:

- **Firewall rules** depend on VLANs being configured first
- **Port profiles** depend on VLANs being configured
- **NAT pools** depend on WAN configuration and available public IP blocks
- **Verification** should be done after all configurations are complete

### Testing & Validation

After each phase:

1. Verify VLANs are created correctly
2. Test connectivity within VLANs
3. Test inter-VLAN routing (if enabled)
4. Verify firewall rules are working as expected
5. Check DHCP assignments
6. Verify device connectivity

---

## Related Documentation

- [Network Architecture](../../docs/02-architecture/NETWORK_ARCHITECTURE.md) - Complete network architecture reference
- [UNIFI_API_SETUP.md](./UNIFI_API_SETUP.md) - API setup and configuration
- [UNIFI_CONFIGURATION_STATUS.md](./UNIFI_CONFIGURATION_STATUS.md) - Current configuration status
- [UNIFI_ENDPOINTS_REFERENCE.md](./UNIFI_ENDPOINTS_REFERENCE.md) - API endpoints reference

---

## Current Status

**API Integration:** ✅ Configured and working (Private API mode)

**Local Admin Account:** ✅ Created (`unifi_api`)

**VLAN Configuration:** ⏳ Pending (0/18 VLANs configured)

**Firewall Rules:** ⏳ Pending

**Port Profiles:** ⏳ Pending

**System Settings:** ⏳ Pending
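The Phase 8 verification step ("verify all VLAN configurations using the Private API") and the Phase 1/2 addressing plan can be tied together: parse the plan from this checklist's own bullet format, check it for internal consistency (gateway and DHCP range inside the subnet, no overlapping subnets) and diff it against an export of the controller's network list. The script below is an added example, not part of this repository or of UniFi; the controller export is constructed, and it assumes the Private API's networkconf records expose `vlan` and `ip_subnet` (gateway address plus prefix length).

```python
import re
from ipaddress import ip_address, ip_network

# Constructed excerpt in the checklist's own format (two of the eighteen planned VLANs).
CHECKLIST = """\
- [ ] **VLAN 11 (MGMT-LAN)**
  - Subnet: 192.168.11.0/24
  - Gateway: 192.168.11.1
  - DHCP Range: 192.168.11.100-192.168.11.200
- [ ] **VLAN 160 (SANKOFA-SVC)**
  - Subnet: 10.160.0.0/22
  - Gateway: 10.160.0.1
"""
# Constructed stand-in for the controller's networkconf export. ASSUMPTION: each record carries
# "vlan" and "ip_subnet" (gateway address plus prefix length) as the Private API returns them.
NETWORKCONF = [{"vlan": 11, "ip_subnet": "192.168.11.1/24"},
               {"vlan": 160, "ip_subnet": "10.160.0.1/24"}]  # prefix drifted from the planned /22

def parse_plan(text):
    """Build {vlan_id: {"name", "subnet", "gateway", "dhcp"}} from checklist markdown."""
    plan, current = {}, None
    for line in text.splitlines():
        head = re.match(r"\s*- \[.\] \*\*VLAN (\d+) \((.+?)\)\*\*", line)
        if head:
            current = plan.setdefault(int(head.group(1)), {"name": head.group(2)})
        elif (field := re.match(r"\s*- (Subnet|Gateway|DHCP) ?\w*: (.+)", line)) and current is not None:
            current[field.group(1).lower()] = field.group(2).strip()
    return plan

def validate_plan(plan):
    """Gateway and DHCP range must sit inside the subnet; planned subnets must not overlap."""
    nets = {v: ip_network(e["subnet"]) for v, e in plan.items()}
    problems = []
    for v, e in plan.items():
        if ip_address(e["gateway"]) not in nets[v]:
            problems.append(f"VLAN {v}: gateway {e['gateway']} outside {nets[v]}")
        if "dhcp" in e:
            lo, hi = (ip_address(x) for x in e["dhcp"].split("-"))
            if not (lo in nets[v] and hi in nets[v] and lo <= hi):
                problems.append(f"VLAN {v}: DHCP range {e['dhcp']} not inside {nets[v]}")
    ids = sorted(nets)
    problems += [f"VLAN {a} {nets[a]} overlaps VLAN {b} {nets[b]}"
                 for i, a in enumerate(ids) for b in ids[i + 1:] if nets[a].overlaps(nets[b])]
    return problems

def compare_with_controller(plan, networkconf):
    """Return (ids missing from the controller, ids whose gateway/prefix differs from the plan)."""
    seen = {int(r["vlan"]): r["ip_subnet"] for r in networkconf}
    want = {v: f"{e['gateway']}/{ip_network(e['subnet']).prefixlen}" for v, e in plan.items()}
    return sorted(v for v in want if v not in seen), sorted(v for v in want if v in seen and seen[v] != want[v])
```

Run it on the full Phase 1 section and on a live networkconf export after each batch of VLANs is created; a non-empty "wrong" list means the controller no longer matches the documented plan.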