proxmox/docs/04-configuration/ER605_ROUTER_CONFIGURATION.md
defiQUG fbda1b4beb
docs: Ledger Live integration, contract deploy learnings, NEXT_STEPS updates
- ADD_CHAIN138_TO_LEDGER_LIVE: Ledger form done; public code review repo bis-innovations/LedgerLive; init/push commands
- CONTRACT_DEPLOYMENT_RUNBOOK: Chain 138 gas price 1 gwei, 36-addr check, TransactionMirror workaround
- CONTRACT_*: AddressMapper, MirrorManager deployed 2026-02-12; 36-address on-chain check
- NEXT_STEPS_FOR_YOU: Ledger done; steps completable now (no LAN); run-completable-tasks-from-anywhere
- MASTER_INDEX, OPERATOR_OPTIONAL, SMART_CONTRACTS_INVENTORY_SIMPLE: updates
- LEDGER_BLOCKCHAIN_INTEGRATION_COMPLETE: bis-innovations/LedgerLive reference

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-02-12 15:46:57 -08:00

# ER605 Router Configuration Guide
**Last Updated:** 2025-01-20
**Document Version:** 1.0
**Status:** Active Documentation
**Hardware:** 2× TP-Link ER605 (v1 or v2)
---
## Overview
This guide provides step-by-step configuration for the ER605 routers in the enterprise orchestration setup, including:
- Dual router roles (ER605-A primary, ER605-B standby)
- WAN configuration with 6× /28 public IP blocks
- VLAN routing and inter-VLAN communication
- Role-based egress NAT pools
- Break-glass inbound NAT rules
---
## Hardware Setup
### ER605-A (Primary Edge Router)
**Physical Connections:**
- WAN1: Spectrum ISP (Block #1: 76.53.10.32/28)
- WAN2: ISP #2 (failover/alternate)
- LAN: Trunk to ES216G-1 (core switch)
**Note on WAN1:** the ER605 has since been replaced by a UDM Pro, which is now the edge at 76.53.10.34. Port forwarding: 76.53.10.36:80/443 → 192.168.11.167:80/443 (NPMplus).
### ER605-B (Standby Edge Router)
**Physical Connections:**
- WAN1: ISP #2 (alternate/standby)
- WAN2: (optional, if available)
- LAN: Trunk to ES216G-1 (core switch)
**Role Decision Required:**
- **Option A:** Standby edge (failover only)
- **Option B:** Dedicated sovereign edge (separate policy domain)
---
## WAN Configuration
### ER605-A WAN1 (Primary - Block #1)
```
Interface: WAN1
Connection Type: Static IP
IP Address: 76.53.10.34
Subnet Mask: 255.255.255.240 (/28)
Gateway: 76.53.10.33
Primary DNS: 8.8.8.8
Secondary DNS: 1.1.1.1
MTU: 1500
```
### ER605-A WAN2 (Failover - ISP #2)
```
Interface: WAN2
Connection Type: [DHCP/Static as per ISP]
Failover Mode: Enabled
Priority: Lower than WAN1
```
### ER605-B Configuration
**If Standby:**
- Configure same as ER605-A but with lower priority
- Enable failover monitoring
**If Dedicated Sovereign Edge:**
- Configure separate policy domain
- Independent NAT pools for sovereign tenants
---
## VLAN Configuration
### Create VLAN Interfaces
For each VLAN, create a VLAN interface on ER605:
| VLAN ID | VLAN Name | Interface IP | Subnet | Gateway |
|--------:|-----------|--------------|--------|---------|
| 11 | MGMT-LAN | 192.168.11.1 | 192.168.11.0/24 | 192.168.11.1 |
| 110 | BESU-VAL | 10.110.0.1 | 10.110.0.0/24 | 10.110.0.1 |
| 111 | BESU-SEN | 10.111.0.1 | 10.111.0.0/24 | 10.111.0.1 |
| 112 | BESU-RPC | 10.112.0.1 | 10.112.0.0/24 | 10.112.0.1 |
| 120 | BLOCKSCOUT | 10.120.0.1 | 10.120.0.0/24 | 10.120.0.1 |
| 121 | CACTI | 10.121.0.1 | 10.121.0.0/24 | 10.121.0.1 |
| 130 | CCIP-OPS | 10.130.0.1 | 10.130.0.0/24 | 10.130.0.1 |
| 132 | CCIP-COMMIT | 10.132.0.1 | 10.132.0.0/24 | 10.132.0.1 |
| 133 | CCIP-EXEC | 10.133.0.1 | 10.133.0.0/24 | 10.133.0.1 |
| 134 | CCIP-RMN | 10.134.0.1 | 10.134.0.0/24 | 10.134.0.1 |
| 140 | FABRIC | 10.140.0.1 | 10.140.0.0/24 | 10.140.0.1 |
| 141 | FIREFLY | 10.141.0.1 | 10.141.0.0/24 | 10.141.0.1 |
| 150 | INDY | 10.150.0.1 | 10.150.0.0/24 | 10.150.0.1 |
| 160 | SANKOFA-SVC | 10.160.0.1 | 10.160.0.0/22 | 10.160.0.1 |
| 200 | PHX-SOV-SMOM | 10.200.0.1 | 10.200.0.0/20 | 10.200.0.1 |
| 201 | PHX-SOV-ICCC | 10.201.0.1 | 10.201.0.0/20 | 10.201.0.1 |
| 202 | PHX-SOV-DBIS | 10.202.0.1 | 10.202.0.0/20 | 10.202.0.1 |
| 203 | PHX-SOV-AR | 10.203.0.1 | 10.203.0.0/20 | 10.203.0.1 |
### Configuration Steps
<details>
<summary>Click to expand detailed VLAN configuration steps</summary>

1. **Access ER605 Web Interface:**
   - Default: `http://192.168.0.1` or `http://tplinkrouter.net`
   - Login with admin credentials
2. **Enable VLAN Support:**
   - Navigate to: **Advanced** → **VLAN** → **VLAN Settings**
   - Enable VLAN support
3. **Create VLAN Interfaces:**
   - For each VLAN, create a VLAN interface:
     - **VLAN ID**: [VLAN ID]
     - **Interface IP**: [Gateway IP]
     - **Subnet Mask**: [Corresponding subnet mask]
4. **Configure DHCP (Optional):**
   - For each VLAN, configure DHCP server if needed
   - DHCP range: Exclude gateway (.1) and reserved IPs
</details>
---
## Routing Configuration
### Static Routes
**Default Route:**
- Destination: 0.0.0.0/0
- Gateway: 76.53.10.33 (WAN1 gateway)
- Interface: WAN1
**Inter-VLAN Routing:**
- ER605 automatically routes between VLANs
- Ensure VLAN interfaces are configured
### Route Priority
- WAN1: Primary (higher priority)
- WAN2: Failover (lower priority)
---
## NAT Configuration
### Outbound NAT (Role-based Egress Pools)
**Critical:** Configure outbound NAT pools using the /28 blocks for role-based egress.
#### CCIP Commit (VLAN 132) → Block #2
```
Source Network: 10.132.0.0/24
NAT Type: PAT (Port Address Translation)
NAT Pool: <PUBLIC_BLOCK_2>/28
Interface: WAN1
```
#### CCIP Execute (VLAN 133) → Block #3
```
Source Network: 10.133.0.0/24
NAT Type: PAT
NAT Pool: <PUBLIC_BLOCK_3>/28
Interface: WAN1
```
#### RMN (VLAN 134) → Block #4
```
Source Network: 10.134.0.0/24
NAT Type: PAT
NAT Pool: <PUBLIC_BLOCK_4>/28
Interface: WAN1
```
#### Sankofa/Phoenix/PanTel (VLAN 160) → Block #5
```
Source Network: 10.160.0.0/22
NAT Type: PAT
NAT Pool: <PUBLIC_BLOCK_5>/28
Interface: WAN1
```
#### Sovereign Tenants (VLAN 200-203) → Block #6
```
Source Network: 10.200.0.0/20, 10.201.0.0/20, 10.202.0.0/20, 10.203.0.0/20
NAT Type: PAT
NAT Pool: <PUBLIC_BLOCK_6>/28
Interface: WAN1
```
#### Management (VLAN 11) → Block #1 (Restricted)
```
Source Network: 192.168.11.0/24
NAT Type: PAT
NAT Pool: 76.53.10.32/28 (restricted, tightly controlled)
Interface: WAN1
```
### Inbound NAT (Break-glass Only)
**Default: None**
**Optional Break-glass Rules:**
#### Emergency SSH/Jumpbox
```
Rule Name: Break-glass SSH
External IP: 76.53.10.35 (or other VIP from Block #1)
External Port: 22
Internal IP: [Jumpbox IP on VLAN 11]
Internal Port: 22
Protocol: TCP
Access Control: IP allowlist (restrict to admin IPs)
```
#### Emergency RPC (if needed)
```
Rule Name: Emergency Besu RPC
External IP: 76.53.10.36
External Port: 8545
Internal IP: [RPC node IP on VLAN 112]
Internal Port: 8545
Protocol: TCP
Access Control: IP allowlist (restrict to known clients)
```
**Note:** All break-glass rules should have strict IP allowlists and be disabled by default.
---
## Firewall Rules
### Default Policy
- **WAN → LAN**: Deny (default)
- **LAN → WAN**: Allow (with NAT)
- **Inter-VLAN**: Allow (for routing)
### Security Rules
#### Block Public Access to Proxmox
```
Rule: Block Proxmox Web UI from WAN
Source: Any (WAN)
Destination: 192.168.11.0/24
Port: 8006
Action: Deny
```
#### Allow Cloudflare Tunnel Traffic
```
Rule: Allow Cloudflare Tunnel
Source: Cloudflare IP ranges
Destination: [Cloudflare tunnel endpoints]
Port: [Tunnel ports]
Action: Allow
```
#### Inter-VLAN Isolation (Sovereign Tenants)
```
Rule: Deny East-West for Sovereign Tenants
Source: 10.200.0.0/20, 10.201.0.0/20, 10.202.0.0/20, 10.203.0.0/20
Destination: 10.200.0.0/20, 10.201.0.0/20, 10.202.0.0/20, 10.203.0.0/20
Action: Deny (except for specific allowed paths)
```
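The three policy statements above (default zone policy, the Proxmox block, the sovereign east-west deny) interact through rule order, so it helps to model them as a first-match list and check flows offline before touching the router. The model below is an added example, not from the guide or the ER605 firmware: it applies the security rules in order and then the default policy, and shows that a broad inter-VLAN allow placed above the sovereign deny silently shadows it. The Cloudflare rule is omitted because its endpoints are placeholders, and 198.51.100.7 is a constructed WAN client address.

```python
"""First-match model of the firewall policy in this section.
Added example (Python stdlib only), not from the guide or the ER605 firmware.
It applies the security rules in order, then the default zone policy, so the
effect of rule order can be checked offline. The Cloudflare rule is omitted
because its endpoints are placeholders; 198.51.100.7 (TEST-NET-2) is a
constructed WAN client address."""
from ipaddress import ip_address, ip_network

# Zones as the guide uses them: LAN is every VLAN (10/8 and 192.168/16), else WAN.
LAN_RANGES = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
ANY = [ip_network("0.0.0.0/0")]
# Written as in the guide; strict=False because 10.20x.0.0 is not a /20 boundary.
SOVEREIGN = [ip_network(n, strict=False) for n in
             ("10.200.0.0/20", "10.201.0.0/20", "10.202.0.0/20", "10.203.0.0/20")]

# (name, source nets, destination nets, destination port or None, action)
RULES = [
    ("Block Proxmox Web UI from WAN", ANY, [ip_network("192.168.11.0/24")], 8006, "deny"),
    ("Deny East-West for Sovereign Tenants", SOVEREIGN, SOVEREIGN, None, "deny"),
]
# A broad inter-VLAN allow an operator might add; placed ABOVE the deny rules
# it shadows them, which is the ordering mistake to watch for.
ALLOW_INTER_VLAN = ("Allow inter-VLAN", LAN_RANGES, LAN_RANGES, None, "allow")


def zone(ip):
    return "LAN" if any(ip in n for n in LAN_RANGES) else "WAN"


def evaluate(src, dst, dport, rules=RULES):
    """Return (action, matched rule name) for one flow, first match wins."""
    s, d = ip_address(src), ip_address(dst)
    for name, srcs, dsts, port, action in rules:
        if any(s in n for n in srcs) and any(d in n for n in dsts) and port in (None, dport):
            return action, name
    # Default policy from the guide: WAN->LAN deny, LAN->WAN allow, inter-VLAN allow.
    if zone(s) == "WAN" and zone(d) == "LAN":
        return "deny", "default WAN->LAN"
    return "allow", "default " + zone(s) + "->" + zone(d)
```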
---
## DHCP Configuration
### VLAN 11 (MGMT-LAN)
```
VLAN: 11
DHCP Range: 192.168.11.100-192.168.11.200
Gateway: 192.168.11.1
DNS: 8.8.8.8, 1.1.1.1
Lease Time: 24 hours
Reserved IPs:
- 192.168.11.1: Gateway
- 192.168.11.10: ML110 (Proxmox)
- 192.168.11.11-14: R630 nodes (if needed)
```
### Other VLANs
Configure DHCP as needed for each VLAN, or use static IPs for all nodes.
---
## Failover Configuration
### ER605-A WAN Failover
```
Primary WAN: UDM Pro (76.53.10.34; replaced ER605). Port forward 76.53.10.36:80/443 → 192.168.11.167.
Backup WAN: WAN2
Failover Mode: Auto
Health Check: Ping 8.8.8.8 every 30 seconds
Failover Threshold: 3 failed pings
```
### ER605-B Standby (if configured)
- Monitor ER605-A health
- Activate if ER605-A fails
- Use same configuration as ER605-A
---
## Monitoring & Logging
### Enable Logging
- **System Logs**: Enable
- **Firewall Logs**: Enable
- **NAT Logs**: Enable (for egress tracking)
### SNMP (Optional)
```
SNMP Version: v2c or v3
Community: [Secure community string]
Trap Receivers: [Monitoring system IPs]
```
---
## Backup & Recovery
### Configuration Backup
1. **Export Configuration:**
   - Navigate to: **System Tools** → **Backup & Restore**
   - Click **Backup** to download configuration file
   - Store securely (encrypted)
2. **Regular Backups:**
   - Schedule weekly backups
   - Store in multiple locations
   - Version control configuration changes
### Configuration Restore
1. **Restore from Backup:**
   - Navigate to: **System Tools** → **Backup & Restore**
   - Upload configuration file
   - Restore and reboot
---
## Troubleshooting
### Common Issues
#### VLAN Not Routing
- **Check:** VLAN interface is created and enabled
- **Check:** VLAN ID matches switch configuration
- **Check:** Subnet mask is correct
#### NAT Not Working
- **Check:** NAT pool IPs are in the correct /28 block
- **Check:** Source network matches VLAN subnet
- **Check:** Firewall rules allow traffic
#### Failover Not Working
- **Check:** WAN2 is configured and connected
- **Check:** Health check settings
- **Check:** Failover priority settings
---
## Security Best Practices
1. **Change Default Credentials:** Immediately change admin password
2. **Disable Remote Management:** Only allow LAN access to web interface
3. **Enable Firewall Logging:** Monitor for suspicious activity
4. **Regular Firmware Updates:** Keep ER605 firmware up to date
5. **Restrict Break-glass Rules:** Use IP allowlists for all inbound NAT
6. **Monitor NAT Pools:** Track egress IP usage by role
---
## References
- **[NETWORK_ARCHITECTURE.md](../02-architecture/NETWORK_ARCHITECTURE.md)** - Complete network architecture
- **[ORCHESTRATION_DEPLOYMENT_GUIDE.md](../02-architecture/ORCHESTRATION_DEPLOYMENT_GUIDE.md)** - Deployment guide
- [ER605 User Guide](https://www.tp-link.com/us/support/download/er605/)
---
**Document Status:** Complete (v1.0)
**Maintained By:** Infrastructure Team
**Review Cycle:** Quarterly
**Last Updated:** 2025-01-20