proxmox/docs/04-configuration/UDM_PRO_VLAN_PLAN_COMPLETE.md
defiQUG fbda1b4beb
docs: Ledger Live integration, contract deploy learnings, NEXT_STEPS updates
- ADD_CHAIN138_TO_LEDGER_LIVE: Ledger form done; public code review repo bis-innovations/LedgerLive; init/push commands
- CONTRACT_DEPLOYMENT_RUNBOOK: Chain 138 gas price 1 gwei, 36-addr check, TransactionMirror workaround
- CONTRACT_*: AddressMapper, MirrorManager deployed 2026-02-12; 36-address on-chain check
- NEXT_STEPS_FOR_YOU: Ledger done; steps completable now (no LAN); run-completable-tasks-from-anywhere
- MASTER_INDEX, OPERATOR_OPTIONAL, SMART_CONTRACTS_INVENTORY_SIMPLE: updates
- LEDGER_BLOCKCHAIN_INTEGRATION_COMPLETE: bis-innovations/LedgerLive reference

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-02-12 15:46:57 -08:00


UDM Pro VLAN Plan - 100% Complete! 🎉

Last Updated: 2026-01-14
Status: ALL 19 VLANs CONFIGURED


🎉 Achievement Unlocked: Complete VLAN Plan

All VLANs from the Network Architecture plan are now configured on the UDM Pro!


Complete VLAN Configuration (19 Networks)

Core Networks

| VLAN ID | Name | Subnet | Status |
|---------|------|--------|--------|
| 1 | Default | 192.168.0.0/24 | Configured |
| 11 | MGMT-LAN | 192.168.11.0/24 | Configured |

Besu Networks

| VLAN ID | Name | Subnet | Status |
|---------|------|--------|--------|
| 110 | BESU-VAL | 10.110.0.0/24 | Configured |
| 111 | BESU-SEN | 10.111.0.0/24 | Configured |
| 112 | BESU-RPC | 10.112.0.0/24 | Configured |

Service VLANs

| VLAN ID | Name | Subnet | Status |
|---------|------|--------|--------|
| 120 | BLOCKSCOUT | 10.120.0.0/24 | Configured |
| 121 | CACTI | 10.121.0.0/24 | Configured |
| 130 | CCIP-OPS | 10.130.0.0/24 | Configured |
| 132 | CCIP-COMMIT | 10.132.0.0/24 | Configured |
| 133 | CCIP-EXEC | 10.133.0.0/24 | Configured |
| 134 | CCIP-RMN | 10.134.0.0/24 | Configured |
| 140 | FABRIC | 10.140.0.0/24 | Configured |
| 141 | FIREFLY | 10.141.0.0/24 | Configured |
| 150 | INDY | 10.150.0.0/24 | Configured |
| 160 | SANKOFA-SVC | 10.160.0.0/22 | Configured |

Sovereign Tenant VLANs

| VLAN ID | Name | Subnet | Status | Note |
|---------|------|--------|--------|------|
| 200 | PHX-SOV-SMOM | 10.200.0.0/20 | Configured | |
| 201 | PHX-SOV-ICCC | 10.201.0.0/20 | Configured | |
| 202 | PHX-SOV-DBIS | 10.202.0.0/24 | Configured | ⚠️ Shows /24, plan had /20 |
| 203 | PHX-SOV-AR | 10.203.0.0/20 | Configured | |

Total: 19/19 Networks (100%)


Configuration Verification Checklist

Network Configuration

  • All 19 VLANs created
  • Subnets match plan (except PHX-SOV-DBIS - verify /24 vs /20)
  • DHCP Server enabled on all VLANs
  • All VLANs show "UDM Pro" as router

Settings Verification (Next Steps)

  • Network Isolation: Verify "Isolate Network" is UNCHECKED for all VLANs
  • Zone Assignment: Verify all VLANs are in "Internal" zone
  • Zone Matrix: Verify Internal → Internal = "Allow All"
  • Gateway IPs: Verify gateway IPs match plan (e.g., 10.110.0.1 for BESU-VAL)
  • DHCP Ranges: Verify DHCP ranges are configured appropriately

Testing & Utilization

  • Inter-VLAN Routing: Test routing between VLANs
  • Firewall Rules: Configure inter-VLAN firewall rules
  • VM/Container Assignment: Assign VMs/containers to VLANs
  • Connectivity Testing: Test connectivity from each VLAN

Critical Settings to Verify

1. Network Isolation (CRITICAL)

For each VLAN:

  1. Navigate: Settings → Networks → [VLAN Name]
  2. Scroll to "Network" section
  3. Ensure "Isolate Network" is UNCHECKED
  4. Save if changed

Why: "Isolate Network" blocks inter-VLAN routing for that network, so it must be disabled for the VLANs to communicate.

2. Zone Matrix (CRITICAL)

  1. Navigate: Policy Engine → Zone Matrix
  2. Find: Internal → Internal
  3. Verify it says "Allow All"
  4. If not, click and change to "Allow All"

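Why: Zone Matrix controls inter-zone communication. Internal → Internal = Allow All enables inter-VLAN routing. Because all 19 VLANs sit in the Internal zone, this setting also lets the sovereign tenant VLANs reach each other until the inter-VLAN firewall rules planned below are configured.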

3. Zone Assignment

For each VLAN:

  1. Navigate: Settings → Networks → [VLAN Name]
  2. Verify: Zone = "Internal"
  3. All VLANs should be in Internal zone

Next Steps for VLAN Utilization

Immediate (Today)

  1. Verify Network Isolation

    • Check all 19 VLANs
    • Ensure "Isolate Network" is unchecked
  2. Verify Zone Matrix

    • Policy Engine → Zone Matrix
    • Internal → Internal = Allow All
  3. Verify PHX-SOV-DBIS Subnet

    • Currently shows /24 (10.202.0.0/24)
    • Plan had /20 (10.202.0.0/20)
    • Verify if /24 is intentional or needs update
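
The subnet and gateway checks from the checklist, run against the tables above, as an added example that is not part of the original plan. It assumes each gateway is the first usable address of its subnet, as in the 10.110.0.1 example; the names `CONFIGURED`, `PLANNED`, `gateway` and `audit` are illustrative.

```python
import ipaddress
from itertools import combinations

# (VLAN ID, name, configured subnet) copied from the tables on this page.
CONFIGURED = [
    (1, "Default", "192.168.0.0/24"), (11, "MGMT-LAN", "192.168.11.0/24"),
    (110, "BESU-VAL", "10.110.0.0/24"), (111, "BESU-SEN", "10.111.0.0/24"),
    (112, "BESU-RPC", "10.112.0.0/24"), (120, "BLOCKSCOUT", "10.120.0.0/24"),
    (121, "CACTI", "10.121.0.0/24"), (130, "CCIP-OPS", "10.130.0.0/24"),
    (132, "CCIP-COMMIT", "10.132.0.0/24"), (133, "CCIP-EXEC", "10.133.0.0/24"),
    (134, "CCIP-RMN", "10.134.0.0/24"), (140, "FABRIC", "10.140.0.0/24"),
    (141, "FIREFLY", "10.141.0.0/24"), (150, "INDY", "10.150.0.0/24"),
    (160, "SANKOFA-SVC", "10.160.0.0/22"), (200, "PHX-SOV-SMOM", "10.200.0.0/20"),
    (201, "PHX-SOV-ICCC", "10.201.0.0/20"), (202, "PHX-SOV-DBIS", "10.202.0.0/24"),
    (203, "PHX-SOV-AR", "10.203.0.0/20"),
]
# Planned subnet where the page says it differs from the configured one.
PLANNED = {202: "10.202.0.0/20"}


def gateway(cidr):
    """First usable address (assumption, generalizing the 10.110.0.1 example)."""
    return str(next(ipaddress.ip_network(cidr).hosts()))


def audit(configured=CONFIGURED, planned=PLANNED):
    """Return (kind, vlan_id, detail) findings for prefix mismatches and overlaps."""
    findings = []
    nets = {vid: ipaddress.ip_network(cidr) for vid, _, cidr in configured}
    for vid, cidr in planned.items():
        plan, conf = ipaddress.ip_network(cidr), nets[vid]
        if plan != conf:
            outside = plan.num_addresses - conf.num_addresses if conf.subnet_of(plan) else None
            findings.append(("prefix-mismatch", vid,
                             f"configured {conf}, planned {plan}, "
                             f"{outside} planned addresses outside the configured subnet"))
    # Check overlaps with the planned prefix where one exists, so that
    # resizing a network to match the plan cannot collide with a neighbour.
    widest = {vid: ipaddress.ip_network(planned.get(vid, str(n))) for vid, n in nets.items()}
    for (a, na), (b, nb) in combinations(sorted(widest.items()), 2):
        if na.overlaps(nb):
            findings.append(("overlap", (a, b), f"{na} overlaps {nb}"))
    return findings


if __name__ == "__main__":
    for vid, name, cidr in CONFIGURED:
        print(f"{vid:>3} {name:<13} {cidr:<16} gateway {gateway(cidr)}")
    for finding in audit():
        print("FINDING:", finding)
```

Any address assigned from the /20 plan above 10.202.0.255 is off-link for the UDM Pro while the network stays at /24, which is why the prefix question should be settled before tenants are addressed.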

Short-term (This Week)

  1. Test Inter-VLAN Routing

    # From VLAN 11, test routing to other VLANs
    ping 10.110.0.1  # BESU-VAL
    ping 10.111.0.1  # BESU-SEN
    ping 10.120.0.1  # BLOCKSCOUT
    # etc.
    
  2. Configure Firewall Rules

    • Management → Service VLANs
    • Service VLANs → Management
    • Sovereign tenant isolation
  3. Assign VMs/Containers to VLANs

    • Via Proxmox Web UI or CLI
    • Test connectivity

Long-term (This Month)

  1. Migrate Services to VLANs

    • Move VMs/containers to appropriate VLANs
    • Update service configurations
  2. Document VLAN Assignments

    • Document which services are on which VLANs
    • Update architecture documentation
  3. Monitor and Optimize

    • Monitor inter-VLAN traffic
    • Optimize firewall rules
    • Adjust as needed

VLAN Utilization Guide

Assigning VMs/Containers to VLANs

Via Proxmox Web UI:

  1. Go to: Datacenter → [Host] → VMs/Containers → [VM/Container ID]
  2. Click: Hardware → Network Device
  3. Edit: Bridge = vmbr0, VLAN Tag = [VLAN ID]
  4. Save

Via CLI:

```bash
# For containers
pct set <CTID> -net0 name=eth0,bridge=vmbr0,tag=<VLAN_ID>

# For VMs
qm set <VMID> --net0 virtio,bridge=vmbr0,tag=<VLAN_ID>
```

Example VLAN Assignments

Besu Validators:

  • VLAN: 110 (BESU-VAL)
  • Subnet: 10.110.0.0/24

Besu Sentries:

  • VLAN: 111 (BESU-SEN)
  • Subnet: 10.111.0.0/24

Besu RPC:

  • VLAN: 112 (BESU-RPC)
  • Subnet: 10.112.0.0/24

Blockscout:

  • VLAN: 120 (BLOCKSCOUT)
  • Subnet: 10.120.0.0/24

FireFly:

  • VLAN: 141 (FIREFLY)
  • Subnet: 10.141.0.0/24

Sovereign Tenants:

  • VLANs: 200-203
  • Subnets: 10.200.0.0/20, 10.201.0.0/20, 10.202.0.0/24, 10.203.0.0/20

Testing Inter-VLAN Routing

Test 1: Gateway Connectivity

```bash
# From VLAN 11, test routing to other VLAN gateways
ping 10.110.0.1  # BESU-VAL
ping 10.111.0.1  # BESU-SEN
ping 10.112.0.1  # BESU-RPC
ping 10.120.0.1  # BLOCKSCOUT
# etc.
```

Test 2: VM/Container Connectivity

```bash
# After assigning VMs/containers to VLANs
# Test connectivity between VLANs
ping <VM_IP_ON_VLAN_110>  # From VLAN 11
ping <VM_IP_ON_VLAN_120>  # From VLAN 11
# etc.
```

Test 3: Firewall Rules

```bash
# Test firewall rules
# Should allow: Management → Service VLANs (SSH, monitoring)
# Should block: Sovereign tenants → Each other
```
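
One way to turn the two Test 3 expectations into a repeatable check, as an added example that is not part of the original plan. It assumes SSH on TCP 22, that `check` runs on the host owning `src_ip`, and that the target is up with the port listening; the function names and any addresses passed in are illustrative.

```python
import ipaddress
import socket

# Configured subnets from the tables on this page, grouped as Test 3 groups them.
GROUPS = {
    "management": ["192.168.11.0/24"],
    "service": ["10.120.0.0/24", "10.121.0.0/24", "10.130.0.0/24", "10.132.0.0/24",
                "10.133.0.0/24", "10.134.0.0/24", "10.140.0.0/24", "10.141.0.0/24",
                "10.150.0.0/24", "10.160.0.0/22"],
    "sovereign": ["10.200.0.0/20", "10.201.0.0/20", "10.202.0.0/24", "10.203.0.0/20"],
}


def locate(ip):
    """Return (group, subnet) for an address, or (None, None) if no listed VLAN holds it."""
    addr = ipaddress.ip_address(ip)
    for group, cidrs in GROUPS.items():
        for cidr in cidrs:
            if addr in ipaddress.ip_network(cidr):
                return group, cidr
    return None, None


def expected(src_ip, dst_ip):
    """Verdict Test 3 expects for this pair, or 'unspecified' where the page states none."""
    (src_group, src_net), (dst_group, dst_net) = locate(src_ip), locate(dst_ip)
    if src_group == "management" and dst_group == "service":
        return "allow"
    if src_group == dst_group == "sovereign" and src_net != dst_net:
        return "block"
    return "unspecified"


def probe(dst_ip, port=22, timeout=2.0):
    """TCP connect from this host: 'open', 'refused' (a reset came back) or 'filtered'."""
    try:
        with socket.create_connection((dst_ip, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except OSError:
        return "filtered"


def check(src_ip, dst_ip, port=22):
    """Compare the observed result with the expectation; ok=None means inconclusive."""
    want, got = expected(src_ip, dst_ip), probe(dst_ip, port)
    verdict = {"open": "allow", "filtered": "block"}.get(got)  # 'refused' is inconclusive
    ok = None if want == "unspecified" or verdict is None else verdict == want
    return {"src": src_ip, "dst": dst_ip, "port": port,
            "expected": want, "observed": got, "ok": ok}
```

A "refused" result is left inconclusive because a reset can come either from the target host or from a firewall rule that rejects rather than drops.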

Summary

Status: 100% COMPLETE

Achievement:

  • All 19 VLANs configured
  • Complete VLAN plan implemented
  • Ready for VLAN utilization

Next Steps:

  1. Verify Network Isolation settings
  2. Verify Zone Matrix configuration
  3. Test inter-VLAN routing
  4. Configure firewall rules
  5. Assign VMs/containers to VLANs

VLAN Plan Utilization: READY TO PROCEED

