VLAN 11 (MGMT-LAN) Settings Reference

Last Updated: 2026-01-13
Status: Active Documentation
Network: MGMT-LAN
VLAN ID: 11
Purpose: Proxmox management, switches management, admin endpoints


Network Configuration

Basic Settings

| Setting | Value |
| --- | --- |
| Network Name | MGMT-LAN |
| VLAN ID | 11 |
| Subnet | 192.168.11.0/24 |
| Gateway IP | 192.168.11.1 |
| Subnet Mask | 255.255.255.0 |
| DHCP Mode | DHCP Server |
| DHCP Range | 192.168.11.100 - 192.168.11.200 |

DNS Configuration

| Setting | Value |
| --- | --- |
| Primary DNS | 8.8.8.8 |
| Secondary DNS | 1.1.1.1 |
| DNS Server | 192.168.11.1 (UDM Pro) |

Gateway Configuration

  • Gateway IP: 192.168.11.1
  • Gateway Device: UDM Pro
  • Interface: VLAN 11 interface on UDM Pro

Static IP Reservations (DHCP Reservations)

The following fixed-IP (DHCP) reservations are required on VLAN 11. The gateway entry is the UDM Pro's own VLAN 11 interface address rather than a lease; it is listed so that every fixed address on the network appears in one place. All reservations sit below the DHCP pool (192.168.11.100 - 192.168.11.200), so they cannot collide with dynamic leases.

| IP Address | Device/Hostname | MAC Address | Purpose |
| --- | --- | --- | --- |
| 192.168.11.1 | UDM Pro (Gateway) | [UDM Pro MAC] | Gateway address (interface, not a lease) |
| 192.168.11.10 | ML110 (Proxmox) | [ML110 MAC] | Proxmox host |
| 192.168.11.11 | R630-01 | [R630-01 MAC] | R630 node 1 |
| 192.168.11.12 | R630-02 | [R630-02 MAC] | R630 node 2 |
| 192.168.11.13 | R630-03 | [R630-03 MAC] | R630 node 3 |
| 192.168.11.14 | R630-04 | [R630-04 MAC] | R630 node 4 |

Note: MAC addresses need to be obtained from the devices or the UniFi Controller before the reservations can be created.


Firewall Configuration

Zone-Based Firewall

Status: Zone-Based Firewall migration completed on January 13, 2026 at 14:15

VLAN 11 Zone Assignment:

  • Zone: Internal
  • Network: MGMT-LAN (VLAN 11)
  • Note: Zone-Based Firewall simplifies firewall management by grouping network areas

Important Zone Rules:

  • A network can be placed in only one zone
  • Newly created zones are blocked from reaching every other zone except External and Gateway by default, which gives additional segmentation
  • Zone policies govern routed traffic between networks, including two networks in the same zone (the Internal → Internal cell of the matrix below); traffic that stays inside a single VLAN is switched and never reaches the gateway firewall

Internal Zone Networks:

  • Default (192.168.0.0/24)
  • MGMT-LAN (VLAN 11 - 192.168.11.0/24)
  • BESU-VAL (VLAN 110)
  • BESU-SEN (VLAN 111)
  • BESU-RPC (VLAN 112)
  • BLOCKSCOUT (VLAN 120)
  • CACTI (VLAN 121)
  • +12 additional networks

Zone Segmentation Note: Both the Default network (192.168.0.0/24) and MGMT-LAN (VLAN 11) sit in the Internal zone, so the "Internal → Internal: Allow All" policy permits traffic between them. If 192.168.0.0/24 still cannot reach VLAN 11, the cause is below the firewall (the client's default gateway, the VLAN membership of the switch ports, or the VLAN 11 interface on the UDM Pro), not the zone policy.

Zone Matrix (Internal Zone Policies):

| Source Zone | Destination Zone | Policy |
| --- | --- | --- |
| Internal | Internal | Allow All |
| Internal | External | Allow All (2 rules) |
| Internal | Gateway | Allow All (2 rules) |
| Internal | VPN | Allow All |
| Internal | Hotspot | Allow All |
| Internal | DMZ | Allow All |
| External | Internal | Allow Return (3 rules) |
| Gateway | Internal | Allow All |
| VPN | Internal | Allow All (2 rules) |
| Hotspot | Internal | Allow Return |
| DMZ | Internal | Allow Return |

Note: An automatic backup was created prior to the Zone-Based Firewall migration, allowing for restoration if needed.

Custom ACL Rules (VLAN 11 Specific)

Rules Allowing Access TO VLAN 11

| Rule Name | Priority | Source | Destination | Protocol | Status |
| --- | --- | --- | --- | --- | --- |
| Allow Default Network to Management VLAN | 5 | 192.168.0.0/24 | VLAN 11 | All | Enabled |
| Allow Monitoring to Management VLAN | 20 | Service VLANs (110-160) | VLAN 11 | TCP, UDP | Enabled |

Rules Allowing Access FROM VLAN 11

| Rule Name | Priority | Source | Destination | Protocol | Status |
| --- | --- | --- | --- | --- | --- |
| Allow Management to Service VLANs (TCP) | 10 | VLAN 11 | Service VLANs (110-160) | TCP | Enabled |

Default System Firewall Rules (UDM Pro)

These are the default system firewall rules configured on the UDM Pro:

| Rule Name | Action | IP Version | Protocol | Direction | Source | Source Port | Destination | Destination Port | Priority |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Allow Neighbor Advertisements | Allow | IPv6 | ICMPv6 | External | Any | Any | Gateway | Any | 30005 |
| Allow Neighbor Solicitations | Allow | IPv6 | ICMPv6 | External | Any | Any | Gateway | Any | 30004 |
| Allow OpenVPN Server | Allow | IPv4 | TCP | External | Any | Any | Gateway | 1194 | 30002 |
| Allow Return Traffic | Allow | Both | All | Multiple | Any | Any | Multiple | Any | 30000 |
| Allow WireGuard VPNs | Allow | IPv4 | UDP | External | Any | Any | Gateway | 51820 | 30003 |
| Allow mDNS | Allow | Both | UDP | Internal | Any | 5353 | Gateway (2 IPs) | 5353 | 30000 |
| Block Invalid Traffic | Block | Both | All | Multiple | Any | Any | Multiple | Any | Multiple |
| Allow All Traffic | Allow | Both | All | Multiple | Any | Any | Multiple | Any | 1 |
| Block All Traffic | Block | Both | All | Multiple | Any | Any | Multiple | Any | 1 |

Note: These are system-level firewall rules that apply globally, not specifically to VLAN 11. They are evaluated in priority order (lower numbers = higher priority). The two catch-all entries "Allow All Traffic" and "Block All Traffic" both display priority 1 because they are the zone-pair default actions from the matrix above (the matrix decides which of the two a given zone pair gets); they are not rules that compete with the custom ACL rules for VLAN 11.

Zone-Based Firewall Context:

  • Rules are applied based on source and destination zones
  • Internal zone (including MGMT-LAN/VLAN 11) has "Allow All" policies for inter-zone communication
  • External zone has "Allow Return" policies for established connections
  • Zone-based policies simplify firewall management by grouping network areas

Routing Configuration

Inter-VLAN Routing

  • Status: Enabled by default on UDM Pro; every VLAN interface on the UDM Pro is a directly connected route
  • Note: Firewall rules control access between VLANs
  • Default Policy: Allow inter-VLAN routing (controlled by ACL rules)

Static Routes (if needed)

A static route is not needed to reach VLAN 11 from 192.168.0.0/24: both subnets are directly connected interfaces on the UDM Pro, so it already holds connected routes for them, and a static route for 192.168.11.0/24 pointing at 192.168.11.1 (its own interface address) would not change forwarding. The entry below is kept for reference only. If the UDM Pro's route table does not show 192.168.11.0/24, the VLAN 11 network is not up on the gateway; adding a route will not fix that.

| Route Name | Destination | Gateway | Interface | Status |
| --- | --- | --- | --- | --- |
| Route to VLAN 11 | 192.168.11.0/24 | 192.168.11.1 | VLAN 11 | Not needed (directly connected subnet) |

Network ID (UniFi API)

  • Network ID: 5797bd48-6955-4a7c-8cd0-72d8106d3ab2
  • Used for: API calls, ACL rule configuration

Port Profile Configuration

  • Native (untagged) VLAN: 11 (MGMT-LAN)
  • Tagged VLANs: service VLANs 110-203
  • Purpose: Proxmox hosts need trunk ports to reach multiple VLANs
  • Caveat: with MGMT-LAN as the native VLAN, any untagged frame that arrives on a trunk (a VM bridge port without a tag, a mis-profiled switch port) lands on the management network. A stricter layout is an otherwise unused native VLAN on the trunk with VLAN 11 carried tagged, and the Proxmox management address placed on a VLAN 11 sub-interface of a VLAN-aware bridge.
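A Proxmox host-side counterpart to this port profile, given here as an added example rather than configuration taken from the repository: an /etc/network/interfaces fragment in ifupdown2 syntax (the default on Proxmox VE) with a VLAN-aware bridge carrying the service VLANs and the management address on a VLAN 11 sub-interface. The NIC name eno1 and the bridge name vmbr0 are assumptions; the address, gateway and VLAN list come from this page. This layout expects VLAN 11 to arrive tagged on the trunk; with the profile above (VLAN 11 untagged as native) the address and gateway lines belong on vmbr0 itself instead of vmbr0.11.

```text
# /etc/network/interfaces (ifupdown2) on a Proxmox host attached to VLAN 11.
# Added example; NIC name eno1 and bridge name vmbr0 are assumptions.

auto lo
iface lo inet loopback

auto eno1
iface eno1 inet manual

# VLAN-aware bridge: VMs attach to vmbr0 with a VLAN tag (110-203);
# the host itself takes no address on the bridge.
auto vmbr0
iface vmbr0 inet manual
    bridge-ports eno1
    bridge-stp off
    bridge-fd 0
    bridge-vlan-aware yes
    bridge-vids 11 110-203

# Management address on the VLAN 11 sub-interface. This requires the switch
# port to carry VLAN 11 tagged; if VLAN 11 is the untagged native VLAN, move
# the address and gateway lines onto vmbr0 and drop this stanza.
auto vmbr0.11
iface vmbr0.11 inet static
    address 192.168.11.10/24
    gateway 192.168.11.1
```

The address is configured statically on the host, so the DHCP reservation for 192.168.11.10 listed above is a guard against the same address being handed to another client, not the source of the host's address.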

Access Ports

  • VLAN: 11 (untagged)
  • Purpose: Management devices, admin workstations

Devices on VLAN 11

Proxmox Hosts

| Hostname | IP Address | Purpose |
| --- | --- | --- |
| ml110-01 | 192.168.11.10 | Proxmox management + seed services |
| r630-01 | 192.168.11.11 | R630 node 1 |
| r630-02 | 192.168.11.12 | R630 node 2 |
| r630-03 | 192.168.11.13 | R630 node 3 |
| r630-04 | 192.168.11.14 | R630 node 4 |

Other Services

| Service | IP Address | Port | Purpose |
| --- | --- | --- | --- |
| UDM Pro | 192.168.11.1 | 443 | Gateway/Management |
| Omada Controller | 192.168.11.8 | 8043 | Network Controller |

Note: 192.168.11.8 (Omada Controller) does not appear in the reservation table above. Add a reservation for it, or configure the address statically on the controller, so that the address stays stable.
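An added consistency check (not a script from the repository) that reconciles the reservation table with the subnet, the DHCP pool and the device tables on this page. It uses only Python's standard ipaddress module; the tables are embedded as constructed data copied from this page, with MAC addresses left out because the page does not list them. Run against this page's data it reports exactly the two points noted above: the gateway entry is an interface address rather than a lease, and the Omada Controller has no reservation.

```python
"""Reconcile the VLAN 11 address plan: subnet, DHCP pool, reservations, devices.

Added example; the data below is copied from the tables on this page.
"""
import ipaddress

SUBNET = ipaddress.ip_network("192.168.11.0/24")
GATEWAY = ipaddress.ip_address("192.168.11.1")
DHCP_POOL = (ipaddress.ip_address("192.168.11.100"),
             ipaddress.ip_address("192.168.11.200"))

# Fixed-IP (DHCP) reservations as listed on this page, (address, host).
RESERVATIONS = [
    ("192.168.11.1", "UDM Pro (Gateway)"),
    ("192.168.11.10", "ML110 (Proxmox)"),
    ("192.168.11.11", "R630-01"),
    ("192.168.11.12", "R630-02"),
    ("192.168.11.13", "R630-03"),
    ("192.168.11.14", "R630-04"),
]

# Everything the "Devices on VLAN 11" tables expect at a fixed address.
DEVICES = {
    "192.168.11.1": "UDM Pro",
    "192.168.11.8": "Omada Controller",
    "192.168.11.10": "ml110-01",
    "192.168.11.11": "r630-01",
    "192.168.11.12": "r630-02",
    "192.168.11.13": "r630-03",
    "192.168.11.14": "r630-04",
}


def in_pool(addr):
    """True if addr lies inside the dynamic DHCP range."""
    return DHCP_POOL[0] <= addr <= DHCP_POOL[1]


def plan_issues(reservations=RESERVATIONS, devices=DEVICES):
    """Return a list of findings; an empty list means the plan is consistent."""
    issues = []
    seen = set()
    for ip_str, host in reservations:
        addr = ipaddress.ip_address(ip_str)
        if addr not in SUBNET:
            issues.append(f"{ip_str} ({host}) is outside {SUBNET}")
            continue
        if addr in (SUBNET.network_address, SUBNET.broadcast_address):
            issues.append(f"{ip_str} ({host}) is the network or broadcast address")
        if addr == GATEWAY:
            issues.append(f"{ip_str} ({host}) is the gateway's own interface address, not a DHCP lease")
        if in_pool(addr):
            issues.append(f"{ip_str} ({host}) lies inside the DHCP pool; a dynamic lease could collide")
        if ip_str in seen:
            issues.append(f"{ip_str} is reserved more than once")
        seen.add(ip_str)
    # Every device that must be reachable at a fixed address needs a reservation
    # (or a static configuration on the host itself).
    for ip_str, name in devices.items():
        if ip_str not in seen:
            issues.append(f"{ip_str} ({name}) has no reservation")
    return issues


if __name__ == "__main__":
    for line in plan_issues() or ["address plan is consistent"]:
        print(line)
```

When reservations are later exported from the controller, feed them in as the `reservations` argument instead of the embedded list; the checks are the same.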

Access Patterns

Allowed Access TO VLAN 11

  1. From Default Network (192.168.0.0/24):

    • All protocols (ICMP, TCP, UDP)
    • Purpose: Management access from the UDM Pro default network
  2. From Service VLANs (110-160):

    • TCP, UDP (monitoring ports: 161, 9090, 9091)
    • Purpose: Monitoring and logging

Allowed Access FROM VLAN 11

  1. To Service VLANs (110-160):
    • TCP (SSH, HTTPS, database admin ports)
    • Purpose: Administrative access

Effective policy caveat: the three custom rules are all Allow rules and the Internal → Internal zone policy is Allow All, so any flow that matches none of them (UDP from VLAN 11 to a service VLAN, ICMP from a service VLAN to VLAN 11, anything from the other Internal networks such as BLOCKSCOUT or CACTI to VLAN 11) falls through to the zone policy and is permitted. The "Allow Monitoring to Management VLAN" rule as listed above carries no port restriction either, so the monitoring ports named here document intent rather than what the rule enforces. To turn this section into an enforced policy, add a Block rule for the remaining traffic into VLAN 11 ordered after the allow rules (or tighten the Internal → Internal policy), and restrict the monitoring rule to ports 161, 9090 and 9091.
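To make the gap between the custom ACL rules and the access patterns concrete, here is an added example (not a script from the repository) that models the zone matrix and the three custom rules from this page and decides new flows the way the page describes: custom rules first in ascending priority, first match wins, then the zone-pair policy. That evaluation order, the per-VLAN subnets for the service VLANs (192.168.<VLAN>.0/24, which the page does not state) and the hypothetical block rule at the end are assumptions; the networks, zone policies and rule definitions are taken from the sections above.

```python
"""Effective policy for VLAN 11 flows: zone matrix plus the custom ACL rules.

Added example, not a repository script. A new flow is checked against the
custom ACL rules in ascending priority order (first match wins); a flow that
matches no rule gets the zone-pair policy. Service VLAN subnets are assumed
to be 192.168.<VLAN>.0/24.
"""
import ipaddress
from dataclasses import dataclass

# Network name -> (zone, subnet); only the networks this page's rules touch.
NETWORKS = {
    "Default": ("Internal", ipaddress.ip_network("192.168.0.0/24")),
    "MGMT-LAN": ("Internal", ipaddress.ip_network("192.168.11.0/24")),
}
for vlan in range(110, 161):  # "Service VLANs (110-160)"; subnets assumed
    NETWORKS[f"VLAN{vlan}"] = ("Internal", ipaddress.ip_network(f"192.168.{vlan}.0/24"))
SERVICE_VLANS = tuple(f"VLAN{v}" for v in range(110, 161))

# Zone matrix from this page; "return" permits only replies to established flows.
ZONE_POLICY = {
    ("Internal", "Internal"): "allow", ("Internal", "External"): "allow",
    ("Internal", "Gateway"): "allow", ("Internal", "VPN"): "allow",
    ("Internal", "Hotspot"): "allow", ("Internal", "DMZ"): "allow",
    ("External", "Internal"): "return", ("Gateway", "Internal"): "allow",
    ("VPN", "Internal"): "allow", ("Hotspot", "Internal"): "return",
    ("DMZ", "Internal"): "return",
}


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int
    src: tuple            # source network names
    dst: tuple            # destination network names
    protocols: frozenset  # e.g. {"tcp"} or {"all"}
    action: str           # "allow" or "block"


# The three custom ACL rules listed on this page.
CUSTOM_RULES = [
    Rule("Allow Default Network to Management VLAN", 5, ("Default",), ("MGMT-LAN",), frozenset({"all"}), "allow"),
    Rule("Allow Management to Service VLANs (TCP)", 10, ("MGMT-LAN",), SERVICE_VLANS, frozenset({"tcp"}), "allow"),
    Rule("Allow Monitoring to Management VLAN", 20, SERVICE_VLANS, ("MGMT-LAN",), frozenset({"tcp", "udp"}), "allow"),
]

# Hypothetical rule, NOT on the page: a block ordered after the allow rules that
# makes the documented access patterns an enforced policy for traffic into VLAN 11.
BLOCK_REST_TO_MGMT = Rule("Block Other Traffic to Management VLAN", 100,
                          tuple(n for n in NETWORKS if n != "MGMT-LAN"), ("MGMT-LAN",),
                          frozenset({"all"}), "block")


def network_of(ip):
    """Return (network name, zone) for an address, or raise if unknown."""
    addr = ipaddress.ip_address(ip)
    for name, (zone, net) in NETWORKS.items():
        if addr in net:
            return name, zone
    raise ValueError(f"{ip}: not in any network known to this model")


def evaluate(src_ip, dst_ip, proto, rules=CUSTOM_RULES):
    """Decide a NEW flow src -> dst over proto ('tcp', 'udp', 'icmp').

    Returns (decision, reason); decision is 'allow' or 'block'.
    """
    src_name, src_zone = network_of(src_ip)
    dst_name, dst_zone = network_of(dst_ip)
    if src_name == dst_name:
        return "allow", "same VLAN: switched locally, never reaches the gateway firewall"
    for rule in sorted(rules, key=lambda r: r.priority):
        if (src_name in rule.src and dst_name in rule.dst
                and ("all" in rule.protocols or proto in rule.protocols)):
            return rule.action, f"ACL rule '{rule.name}' (priority {rule.priority})"
    policy = ZONE_POLICY.get((src_zone, dst_zone), "block")
    decision = "allow" if policy == "allow" else "block"
    return decision, f"zone policy {src_zone} -> {dst_zone}: {policy}"


def probe(rules=CUSTOM_RULES):
    """Flows from the Access Patterns section plus two it implies are not allowed."""
    flows = {
        "default -> mgmt icmp": ("192.168.0.50", "192.168.11.10", "icmp"),
        "mgmt -> service tcp": ("192.168.11.10", "192.168.112.5", "tcp"),
        "mgmt -> service udp": ("192.168.11.10", "192.168.112.5", "udp"),    # not listed as allowed
        "service -> mgmt icmp": ("192.168.112.5", "192.168.11.10", "icmp"),  # not listed as allowed
    }
    return {label: evaluate(*flow, rules=rules) for label, flow in flows.items()}


if __name__ == "__main__":
    for label, (decision, reason) in probe().items():
        print(f"{label:22} {decision:5} via {reason}")
    blocked = probe(CUSTOM_RULES + [BLOCK_REST_TO_MGMT])["service -> mgmt icmp"]
    print(f"with block rule:       {blocked[0]:5} via {blocked[1]}")
```

The two flows marked "not listed as allowed" come back as allowed via "zone policy Internal -> Internal: allow", which is the fall-through the caveat above describes; adding the block rule flips the inbound one to "block" while the monitoring rule at priority 20 still admits TCP and UDP from the service VLANs.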

Troubleshooting

Common Issues

  1. Cannot reach VLAN 11 from 192.168.0.0/24:

    • Check firewall rule: "Allow Default Network to Management VLAN" (Priority 5); with Internal → Internal at Allow All the zone policy permits this traffic anyway
    • Verify inter-VLAN routing is enabled and the VLAN 11 interface is up on the UDM Pro
    • Confirm the client's default gateway is the UDM Pro and the switch port carries the expected VLAN; a static route is not needed for a directly connected subnet
  2. DHCP not working:

    • Verify DHCP range: 192.168.11.100-192.168.11.200
    • Check DHCP server is enabled
    • Verify DNS settings
  3. Static IP reservations not working:

    • Verify MAC addresses are correct
    • Check the address is inside 192.168.11.0/24 (the Proxmox reservations at .10-.14 sit below the DHCP pool by design)
    • Ensure reservations are saved and applied
    • The reserved device must still request a lease via DHCP; a host whose address is configured statically never consults the reservation

Verification Commands

```bash
# List current ACL rules affecting VLAN 11
cd /home/intlc/projects/proxmox
# NODE_TLS_REJECT_UNAUTHORIZED=0 disables certificate verification for the
# whole Node process (the UDM Pro presents a self-signed certificate). Prefer
# trusting that certificate explicitly instead, e.g.
#   NODE_EXTRA_CA_CERTS=<path to the exported UDM Pro certificate> node scripts/unifi/list-acl-rules-node.js
NODE_TLS_REJECT_UNAUTHORIZED=0 node scripts/unifi/list-acl-rules-node.js

# Test connectivity: the VLAN 11 gateway, then the ML110 Proxmox host
ping -c 3 192.168.11.1
ping -c 3 192.168.11.10
```


Last Updated: 2026-01-13