# Omada Hardware & Configuration Review **Last Updated:** 2026-01-31 **Document Version:** 1.0 **Status:** Active Documentation --- **Review Date:** 2025-01-20 **Reviewer:** Infrastructure Team **Status:** Comprehensive Review --- ## Executive Summary This document provides a comprehensive review of all Omada hardware and configuration in the environment. The review covers: - **Hardware Inventory**: 2× ER605 routers, 3× ES216G switches - **Controller Configuration**: Omada Controller on ml110 (192.168.11.8) - **Network Architecture**: Current flat LAN (192.168.11.0/24) with planned VLAN migration - **API Integration**: Omada API library and MCP server configured - **Configuration Status**: Partial deployment (Phase 0 complete, Phase 1+ pending) --- ## 1. Hardware Inventory ### 1.1 Routers #### ER605-A (Primary Edge Router) **Status:** ✅ Configured (Phase 0 Complete) **Configuration:** - **WAN1 (ER605):** Replaced by UDM Pro. - **UDM Pro (edge):** 76.53.10.34. Port forwarding: 76.53.10.36:80/443 → 192.168.11.167:80/443 (NPMplus LXC). Proxmox hosts: 192.168.11.10–12. NPMplus has .166 and .167; only .167 in UDM Pro. - **WAN2 (Failover):** - ISP: ISP #2 (to be configured) - Failover Mode: Pending configuration - Priority: Lower than WAN1 (planned) - **LAN:** - Connection: Trunk to ES216G-1 (core switch) - Current Network: 192.168.11.0/24 (flat LAN) - Planned: VLAN-aware trunk with 16+ VLANs **Role:** Active edge router, NAT pools, inter-VLAN routing **Configuration Status:** - ✅ WAN1 configured with Block #1 - ⏳ WAN2 failover configuration pending - ⏳ VLAN interfaces creation pending (16 VLANs planned) - ⏳ Role-based egress NAT pools pending (Blocks #2-6) #### ER605-B (Standby Edge Router) **Status:** ⏳ Pending Configuration **Planned Configuration:** - **WAN1:** ISP #2 (alternate/standby) - **WAN2:** Optional (if available) - **LAN:** Trunk to ES216G-1 (core switch) **Role Decision Required:** - **Option A:** Standby edge router (failover only) - **Option B:** Dedicated sovereign edge (separate policy domain) **Note:** ER605 does not support full stateful HA. This is **active/standby operational redundancy**, not automatic session-preserving HA. **Configuration Status:** - ⏳ Physical deployment status unknown - ⏳ Configuration not started - ⏳ Role decision pending --- ### 1.2 Switches #### ES216G-1 (Core Switch) **Status:** ⏳ Configuration Pending **Planned Role:** Core / uplinks / trunks **Configuration Requirements:** - Trunk ports to ES216G-2 and ES216G-3 - Trunk port to ER605-A (LAN) - VLAN trunking support for all VLANs (11, 110-112, 120-121, 130-134, 140-141, 150, 160, 200-203) - Native VLAN: 11 (MGMT-LAN) **Configuration Status:** - ⏳ Trunk ports configuration pending - ⏳ VLAN configuration pending - ⏳ Physical deployment status unknown #### ES216G-2 (Compute Rack Aggregation) **Status:** ⏳ Configuration Pending **Planned Role:** Compute rack aggregation **Configuration Requirements:** - Trunk ports to R630 compute nodes (4×) - Trunk port to ML110 (management node) - Trunk port to ES216G-1 (core) - VLAN trunking support for all VLANs - Native VLAN: 11 (MGMT-LAN) **Configuration Status:** - ⏳ Trunk ports configuration pending - ⏳ VLAN configuration pending - ⏳ Physical deployment status unknown #### ES216G-3 (Management & Out-of-Band) **Status:** ⏳ Configuration Pending **Planned Role:** Management + out-of-band / staging **Configuration Requirements:** - Management access ports (untagged VLAN 11) - Staging ports (untagged VLAN 11 or tagged staging VLAN) - Trunk port to ES216G-1 (core) - VLAN trunking support - Native VLAN: 11 (MGMT-LAN) **Configuration Status:** - ⏳ Configuration pending - ⏳ Physical deployment status unknown --- ### 1.3 Omada Controller **Location:** ML110 Gen9 (Bootstrap & Management node) **IP Address:** `192.168.11.8:8043` (actual) / `192.168.11.10` (documented) **Status:** ✅ Operational **Note:** There is a discrepancy between documented IP (192.168.11.10) and configured IP (192.168.11.8). The actual controller is accessible at 192.168.11.8:8043. **Configuration:** - **Base URL:** `https://192.168.11.8:8043` - **SSL Verification:** Disabled (OMADA_VERIFY_SSL=false) - **Site ID:** `090862bebcb1997bb263eea9364957fe` - **API Credentials:** Configured (Client ID/Secret) **API Configuration:** - **Client ID:** `273615420c01452a8a2fd2e00a177eda` - **Client Secret:** `8d3dc336675e4b04ad9c1614a5b939cc` - **Authentication Note:** See `OMADA_AUTH_NOTE.md` for authentication method details **Features:** - ✅ Open API enabled - ✅ API credentials configured - ⏳ Device adoption status unknown (needs verification) - ⏳ Device management status unknown (needs verification) --- ## 2. Network Architecture ### 2.1 Current State (Flat LAN) **Network:** 192.168.11.0/24 **Gateway:** 192.168.11.1 (ER605-A) **DHCP:** Configured (if applicable) **Status:** ✅ Operational (Phase 0) **Current Services:** - 12 Besu containers (validators, sentries, RPC nodes) - All services on flat LAN (192.168.11.0/24) - No VLAN segmentation ### 2.2 Planned State (VLAN-based) **Migration Status:** ⏳ Pending (Phase 1) **VLAN Plan:** 16+ VLANs planned #### Key VLANs: | VLAN ID | VLAN Name | Subnet | Gateway | Purpose | Status | |--------:|-----------|--------|---------|---------|--------| | 11 | MGMT-LAN | 192.168.11.0/24 | 192.168.11.1 | Proxmox mgmt, switches mgmt | ⏳ Pending | | 110 | BESU-VAL | 10.110.0.0/24 | 10.110.0.1 | Validator-only network | ⏳ Pending | | 111 | BESU-SEN | 10.111.0.0/24 | 10.111.0.1 | Sentry mesh | ⏳ Pending | | 112 | BESU-RPC | 10.112.0.0/24 | 10.112.0.1 | RPC / gateway tier | ⏳ Pending | | 120 | BLOCKSCOUT | 10.120.0.0/24 | 10.120.0.1 | Explorer + DB | ⏳ Pending | | 121 | CACTI | 10.121.0.0/24 | 10.121.0.1 | Interop middleware | ⏳ Pending | | 130 | CCIP-OPS | 10.130.0.0/24 | 10.130.0.1 | Ops/admin | ⏳ Pending | | 132 | CCIP-COMMIT | 10.132.0.0/24 | 10.132.0.1 | Commit-role DON | ⏳ Pending | | 133 | CCIP-EXEC | 10.133.0.0/24 | 10.133.0.1 | Execute-role DON | ⏳ Pending | | 134 | CCIP-RMN | 10.134.0.0/24 | 10.134.0.1 | Risk management network | ⏳ Pending | | 140 | FABRIC | 10.140.0.0/24 | 10.140.0.1 | Fabric | ⏳ Pending | | 141 | FIREFLY | 10.141.0.0/24 | 10.141.0.1 | FireFly | ⏳ Pending | | 150 | INDY | 10.150.0.0/24 | 10.150.0.1 | Identity | ⏳ Pending | | 160 | SANKOFA-SVC | 10.160.0.0/22 | 10.160.0.1 | Service layer | ⏳ Pending | | 200 | PHX-SOV-SMOM | 10.200.0.0/20 | 10.200.0.1 | Sovereign tenant | ⏳ Pending | | 201 | PHX-SOV-ICCC | 10.201.0.0/20 | 10.201.0.1 | Sovereign tenant | ⏳ Pending | | 202 | PHX-SOV-DBIS | 10.202.0.0/20 | 10.202.0.1 | Sovereign tenant | ⏳ Pending | | 203 | PHX-SOV-AR | 10.203.0.0/20 | 10.203.0.1 | Sovereign tenant | ⏳ Pending | **Migration Requirements:** - Configure VLAN interfaces on ER605-A for all VLANs - Configure trunk ports on all ES216G switches - Enable VLAN-aware bridge on Proxmox hosts - Migrate services from flat LAN to appropriate VLANs --- ## 3. Public IP Blocks & NAT Configuration ### 3.1 Public IP Block #1 (Configured) **Network:** 76.53.10.32/28 **Gateway:** 76.53.10.33 **Usable Range:** 76.53.10.33–76.53.10.46 **Broadcast:** 76.53.10.47 **UDM Pro (edge):** 76.53.10.34 (replaced ER605). Port forward: 76.53.10.36:80/443 → 192.168.11.167:80/443. **Status:** ✅ Active **Usage:** - ER605-A WAN1 interface - Break-glass emergency VIPs (planned) - 76.53.10.35: Emergency SSH/Jumpbox (planned) - 76.53.10.36: Emergency Besu RPC (planned) - 76.53.10.37: Emergency FireFly (planned) - 76.53.10.38: Sankofa/Phoenix/PanTel VIP (planned) - 76.53.10.39: Indy DID endpoints (planned) ### 3.2 Public IP Blocks #2-6 (Pending) **Status:** ⏳ To Be Configured (when assigned) | Block | Network | Gateway | Designated Use | NAT Pool Target | Status | |-------|---------|---------|----------------|-----------------|--------| | #2 | `/28` | `` | CCIP Commit egress NAT pool | 10.132.0.0/24 (VLAN 132) | ⏳ Pending | | #3 | `/28` | `` | CCIP Execute egress NAT pool | 10.133.0.0/24 (VLAN 133) | ⏳ Pending | | #4 | `/28` | `` | RMN egress NAT pool | 10.134.0.0/24 (VLAN 134) | ⏳ Pending | | #5 | `/28` | `` | Sankofa/Phoenix/PanTel service egress | 10.160.0.0/22 (VLAN 160) | ⏳ Pending | | #6 | `/28` | `` | Sovereign Cloud Band tenant egress | 10.200.0.0/20-10.203.0.0/20 (VLANs 200-203) | ⏳ Pending | **Configuration Requirements:** - Configure outbound NAT pools on ER605-A - Map each private subnet to its designated public IP block - Enable PAT (Port Address Translation) - Configure firewall rules for egress traffic - Document IP allowlisting requirements --- ## 4. API Integration & Automation ### 4.1 Omada API Library **Location:** `/home/intlc/projects/proxmox/omada-api/` **Status:** ✅ Implemented **Features:** - TypeScript library for Omada Controller REST API - OAuth2 authentication with automatic token refresh - Support for all Omada devices (ER605, ES216G, EAP) - Device management (list, configure, reboot, adopt) - Network configuration (VLANs, DHCP, routing) - Firewall and NAT rule management - Switch port configuration and PoE management - Router WAN/LAN configuration ### 4.2 MCP Server **Location:** `/home/intlc/projects/proxmox/mcp-omada/` **Status:** ✅ Implemented **Features:** - Model Context Protocol server for Omada devices - Claude Desktop integration - Available tools: - `omada_list_devices` - List all devices - `omada_get_device` - Get device details - `omada_list_vlans` - List VLAN configurations - `omada_get_vlan` - Get VLAN details - `omada_reboot_device` - Reboot a device - `omada_get_device_statistics` - Get device statistics - `omada_list_firewall_rules` - List firewall rules - `omada_get_switch_ports` - Get switch port configuration - `omada_get_router_wan` - Get router WAN configuration - `omada_list_sites` - List all sites **Configuration:** - Environment variables loaded from `~/.env` - Base URL: `https://192.168.11.8:8043` - Client ID: Configured - Client Secret: Configured - Site ID: `090862bebcb1997bb263eea9364957fe` - SSL Verification: Disabled **Connection Status:** ⚠️ Cannot connect to controller (network issue or controller offline) ### 4.3 Test Script **Location:** `/home/intlc/projects/proxmox/test-omada-connection.js` **Status:** ✅ Implemented **Purpose:** Test Omada API connection and authentication **Last Test Result:** ❌ Failed (Network error: Failed to connect) **Possible Causes:** - Controller not accessible from current environment - Network connectivity issue - Firewall blocking connection - Controller service offline --- ## 5. Configuration Issues & Discrepancies ### 5.1 IP Address Discrepancy **Issue:** Omada Controller IP mismatch - **Documented:** 192.168.11.10 (ML110 management IP) - **Actual Configuration:** 192.168.11.8:8043 **Impact:** - API connections may fail if using documented IP - Documentation inconsistency **Recommendation:** - Verify actual controller IP and update documentation - Clarify if controller runs on different host or if IP changed - Update all references in documentation ### 5.2 Authentication Method **Issue:** Authentication method confusion **Documented:** OAuth Client Credentials mode **Actual:** May require admin username/password (see `OMADA_AUTH_NOTE.md`) **Note:** The Omada Controller API `/api/v2/login` endpoint may require admin username/password, not OAuth Client ID/Secret. **Recommendation:** - Verify actual authentication method required - Update code or configuration accordingly - Document correct authentication approach ### 5.3 Device Adoption Status **Issue:** Unknown device adoption status **Status:** Not verified **Questions:** - Are ER605-A and ER605-B adopted in Omada Controller? - Are ES216G-1, ES216G-2, and ES216G-3 adopted? - What is the actual device inventory? **Recommendation:** - Query Omada Controller to list all adopted devices - Verify device names, IPs, firmware versions - Document actual hardware inventory - Verify device connectivity and status ### 5.4 Configuration Completeness **Issue:** Many configurations are planned but not implemented **Missing Configurations:** - ER605-A: VLAN interfaces (16+ VLANs) - ER605-A: WAN2 failover configuration - ER605-A: Role-based egress NAT pools (Blocks #2-6) - ER605-B: Complete configuration - ES216G switches: Trunk port configuration - ES216G switches: VLAN configuration - Proxmox: VLAN-aware bridge configuration - Services: VLAN migration from flat LAN **Recommendation:** - Prioritize Phase 1 (VLAN Enablement) - Create detailed implementation checklist - Execute configurations in logical order - Verify each step before proceeding --- ## 6. Deployment Status Summary ### Phase 0 — Foundation ✅ - [x] ER605 replaced by UDM Pro (76.53.10.34); port forward 76.53.10.36:80/443 → 192.168.11.167 - [x] Proxmox mgmt accessible - [x] Basic containers deployed - [x] Omada Controller operational - [x] API integration code implemented ### Phase 1 — VLAN Enablement ⏳ - [ ] ES216G trunk ports configured - [ ] VLAN-aware bridge enabled on Proxmox - [ ] VLAN interfaces created on ER605-A - [ ] Services migrated to VLANs - [ ] VLAN routing verified ### Phase 2 — Observability ⏳ - [ ] Monitoring stack deployed - [ ] Grafana published via Cloudflare Access - [ ] Alerts configured - [ ] Device monitoring enabled ### Phase 3 — CCIP Fleet ⏳ - [ ] CCIP Ops/Admin deployed - [ ] 16 commit nodes deployed - [ ] 16 execute nodes deployed - [ ] 7 RMN nodes deployed - [ ] NAT pools configured (Blocks #2-4) ### Phase 4 — Sovereign Tenants ⏳ - [ ] Sovereign VLANs configured - [ ] Tenant isolation enforced - [ ] Access control configured - [ ] NAT pools configured (Block #6) --- ## 7. Recommendations ### 7.1 Immediate Actions (This Week) 1. **Verify Device Inventory** - Connect to Omada Controller web interface - Document all adopted devices (routers, switches, APs) - Verify device names, IPs, firmware versions - Check device connectivity status 2. **Resolve IP Discrepancy** - Verify actual Omada Controller IP (192.168.11.8 vs 192.168.11.10) - Update documentation with correct IP - Verify API connectivity from management host 3. **Fix API Authentication** - Verify required authentication method (OAuth vs admin credentials) - Update code/configuration accordingly - Test API connection successfully 4. **Document Current Configuration** - Export ER605-A configuration - Document actual VLAN configuration (if any) - Document actual switch configuration (if any) - Create baseline configuration document ### 7.2 Short-term Actions (This Month) 1. **Complete ER605-A Configuration** - Configure WAN2 failover - Create VLAN interfaces for all planned VLANs - Configure DHCP for each VLAN (if needed) - Test inter-VLAN routing 2. **Configure ES216G Switches** - Configure trunk ports (802.1Q) - Configure VLANs on switches - Verify VLAN tagging - Test connectivity between switches 3. **Enable VLAN-aware Bridge on Proxmox** - Configure vmbr0 for VLAN-aware mode - Test VLAN tagging on container interfaces - Verify connectivity to ER605 VLAN interfaces 4. **Begin VLAN Migration** - Migrate one service VLAN as pilot - Verify routing and connectivity - Migrate remaining services systematically ### 7.3 Medium-term Actions (This Quarter) 1. **Configure NAT Pools** - Obtain public IP blocks #2-6 - Configure role-based egress NAT pools - Test allowlisting functionality - Document IP usage per role 2. **Configure ER605-B** - Decide on role (standby vs dedicated sovereign edge) - Configure according to chosen role - Test failover (if standby) 3. **Implement Monitoring** - Deploy monitoring stack - Configure device monitoring - Set up alerts for device failures - Create dashboards for network status 4. **Complete CCIP Fleet Deployment** - Deploy all CCIP nodes - Configure NAT pools for CCIP VLANs - Verify connectivity and routing --- ## 8. Configuration Files Reference ### 8.1 Environment Configuration **Location:** `~/.env` ```bash OMADA_CONTROLLER_URL=https://192.168.11.8:8043 OMADA_API_KEY=273615420c01452a8a2fd2e00a177eda OMADA_API_SECRET=8d3dc336675e4b04ad9c1614a5b939cc OMADA_SITE_ID=090862bebcb1997bb263eea9364957fe OMADA_VERIFY_SSL=false ``` ### 8.2 Documentation Files - **Network Architecture:** `docs/02-architecture/NETWORK_ARCHITECTURE.md` - **ER605 Configuration Guide:** `docs/04-configuration/ER605_ROUTER_CONFIGURATION.md` - **Omada API Setup:** `docs/04-configuration/OMADA_API_SETUP.md` - **Deployment Status:** `docs/03-deployment/DEPLOYMENT_STATUS_CONSOLIDATED.md` - **Authentication Notes:** `OMADA_AUTH_NOTE.md` ### 8.3 Code Locations - **Omada API Library:** `omada-api/` - **MCP Server:** `mcp-omada/` - **Test Script:** `test-omada-connection.js` --- ## 9. Verification Checklist Use this checklist to verify current configuration: ### Hardware Verification - [ ] ER605-A is adopted in Omada Controller - [ ] UDM Pro port forward: 76.53.10.36:80/443 → 192.168.11.167:80/443 (NPMplus) - [ ] ER605-A can reach internet via WAN1 - [ ] ER605-B is adopted (if deployed) - [ ] ES216G-1 is adopted and accessible - [ ] ES216G-2 is adopted and accessible - [ ] ES216G-3 is adopted and accessible - [ ] All switches are manageable via Omada Controller ### Network Verification - [ ] Current flat LAN (192.168.11.0/24) is operational - [ ] Gateway (192.168.11.1) is reachable - [ ] DNS resolution works - [ ] Inter-VLAN routing works (if VLANs configured) - [ ] Switch trunk ports are configured correctly ### API Verification - [ ] Omada Controller API is accessible - [ ] API authentication works - [ ] Can list devices via API - [ ] Can query device details via API - [ ] Can list VLANs via API - [ ] MCP server can connect and function ### Configuration Verification - [ ] ER605-A configuration matches documentation - [ ] VLAN interfaces exist (if VLANs configured) - [ ] Switch VLANs match router VLANs - [ ] Proxmox VLAN-aware bridge is configured (if VLANs configured) - [ ] NAT pools are configured (if public blocks assigned) --- ## 10. Next Steps 1. **Verify actual hardware inventory** by querying Omada Controller 2. **Resolve IP discrepancy** and update documentation 3. **Fix API connectivity** and authentication 4. **Create detailed implementation plan** for Phase 1 (VLAN Enablement) 5. **Execute Phase 1** systematically with verification at each step 6. **Document actual configuration** as implementation progresses --- **Document Status:** Complete (Initial Review) **Maintained By:** Infrastructure Team **Review Cycle:** Monthly **Last Updated:** 2025-01-20