d-bis/proxmox
4
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity
Files
4f97e27f698874070b419956d121cda27555072e
proxmox/docs/04-configuration/UDM_PRO_CONFIGURATION_CHECKLIST.md
defiQUG fbda1b4beb
Some checks failed
Deploy to Phoenix / deploy (push) Has been cancelled
Details
docs: Ledger Live integration, contract deploy learnings, NEXT_STEPS updates 
- ADD_CHAIN138_TO_LEDGER_LIVE: Ledger form done; public code review repo bis-innovations/LedgerLive; init/push commands
- CONTRACT_DEPLOYMENT_RUNBOOK: Chain 138 gas price 1 gwei, 36-addr check, TransactionMirror workaround
- CONTRACT_*: AddressMapper, MirrorManager deployed 2026-02-12; 36-address on-chain check
- NEXT_STEPS_FOR_YOU: Ledger done; steps completable now (no LAN); run-completable-tasks-from-anywhere
- MASTER_INDEX, OPERATOR_OPTIONAL, SMART_CONTRACTS_INVENTORY_SIMPLE: updates
- LEDGER_BLOCKCHAIN_INTEGRATION_COMPLETE: bis-innovations/LedgerLive reference

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-02-12 15:46:57 -08:00

8.9 KiB
Raw Blame History

UDM Pro Configuration Checklist

Last Updated: 2025-01-20
UDM Pro IP: 192.168.0.1
Status: Configuration Planning

Overview

This document provides a comprehensive checklist for configuring the UDM Pro to support the complete network architecture as defined in the Network Architecture documentation.

Reference: NETWORK_ARCHITECTURE.md

Configuration Tasks

Phase 1: VLAN Configuration (18 VLANs)

All VLAN configurations can be done in parallel.

Core Management Network

  • VLAN 11 (MGMT-LAN)
    • Subnet: 192.168.11.0/24
    • Gateway: 192.168.11.1
    • DHCP Range: 192.168.11.100-192.168.11.200
    • DNS: 8.8.8.8, 1.1.1.1
    • Purpose: Proxmox mgmt, switches mgmt, admin endpoints

Besu Network VLANs

  • VLAN 110 (BESU-VAL)

    • Subnet: 10.110.0.0/24
    • Gateway: 10.110.0.1
    • Purpose: Validator-only network (no member access)

  • VLAN 111 (BESU-SEN)

    • Subnet: 10.111.0.0/24
    • Gateway: 10.111.0.1
    • Purpose: Sentry mesh

  • VLAN 112 (BESU-RPC)

    • Subnet: 10.112.0.0/24
    • Gateway: 10.112.0.1
    • Purpose: RPC / gateway tier

Service VLANs

  • VLAN 120 (BLOCKSCOUT)

    • Subnet: 10.120.0.0/24
    • Gateway: 10.120.0.1
    • Purpose: Explorer + DB

  • VLAN 121 (CACTI)

    • Subnet: 10.121.0.0/24
    • Gateway: 10.121.0.1
    • Purpose: Interop middleware

  • VLAN 130 (CCIP-OPS)

    • Subnet: 10.130.0.0/24
    • Gateway: 10.130.0.1
    • Purpose: Ops/admin

  • VLAN 132 (CCIP-COMMIT)

    • Subnet: 10.132.0.0/24
    • Gateway: 10.132.0.1
    • Purpose: Commit-role DON

  • VLAN 133 (CCIP-EXEC)

    • Subnet: 10.133.0.0/24
    • Gateway: 10.133.0.1
    • Purpose: Execute-role DON

  • VLAN 134 (CCIP-RMN)

    • Subnet: 10.134.0.0/24
    • Gateway: 10.134.0.1
    • Purpose: Risk management network

  • VLAN 140 (FABRIC)

    • Subnet: 10.140.0.0/24
    • Gateway: 10.140.0.1
    • Purpose: Fabric

  • VLAN 141 (FIREFLY)

    • Subnet: 10.141.0.0/24
    • Gateway: 10.141.0.1
    • Purpose: FireFly

  • VLAN 150 (INDY)

    • Subnet: 10.150.0.0/24
    • Gateway: 10.150.0.1
    • Purpose: Identity

  • VLAN 160 (SANKOFA-SVC)

    • Subnet: 10.160.0.0/22
    • Gateway: 10.160.0.1
    • Purpose: Sankofa/Phoenix/PanTel service layer

Sovereign Tenant VLANs

  • VLAN 200 (PHX-SOV-SMOM)

    • Subnet: 10.200.0.0/20
    • Gateway: 10.200.0.1
    • Purpose: Sovereign tenant

  • VLAN 201 (PHX-SOV-ICCC)

    • Subnet: 10.201.0.0/20
    • Gateway: 10.201.0.1
    • Purpose: Sovereign tenant

  • VLAN 202 (PHX-SOV-DBIS)

    • Subnet: 10.202.0.0/20
    • Gateway: 10.202.0.1
    • Purpose: Sovereign tenant

  • VLAN 203 (PHX-SOV-AR)

    • Subnet: 10.203.0.0/20
    • Gateway: 10.203.0.1
    • Purpose: Absolute Realms tenant

Phase 2: DHCP Configuration

  • VLAN 11 Static IP Reservations

    • 192.168.11.1: UDM Pro (Gateway)
    • 192.168.11.10: ML110 (Proxmox)
    • 192.168.11.11: R630-01
    • 192.168.11.12: R630-02
    • 192.168.11.13: R630-03
    • 192.168.11.14: R630-04

  • Other VLANs DHCP Configuration

    • Configure DHCP ranges as needed for each VLAN
    • Or configure static IPs for all nodes (recommended for production)

Phase 3: Firewall Rules Configuration

  • Inter-VLAN Routing Rules

    • Enable routing between VLANs
    • Configure default policies (deny by default, explicit allows)

  • Sovereign Tenant Isolation

    • Deny east-west traffic between VLANs 200-203
    • Allow only specific paths if needed

  • Management VLAN Access Rules

    • Allow Management VLAN (11) → Service VLANs (specific ports)
      • SSH (TCP 22)
      • Database admin ports (e.g., PostgreSQL 5432)
      • Admin console ports (e.g., Keycloak 8080)
      • API monitoring ports

  • Service VLAN Monitoring Rules

    • Allow Service VLANs → Management VLAN (monitoring/logging ports)
    • SNMP, monitoring agents, logging

  • WAN Access Rules

    • Block WAN → LAN (default deny)
    • Allow LAN → WAN (with NAT)
    • Configure break-glass rules if needed (with strict IP allowlists)

Phase 4: Port Profiles & Switching

  • VLAN Trunk Port Profiles

    • Configure 802.1Q trunk ports
    • Tagged VLANs: All service VLANs (11, 110-114, 120-121, 130-134, 140-141, 150, 160, 200-203)
    • Native VLAN: 11 (MGMT) for management ports

  • Access Port Profiles

    • Single VLAN, untagged
    • Native VLAN 11 for management ports
    • Service VLAN ports as needed

  • Apply Port Profiles to Switch Ports

    • Configure trunk ports for Proxmox uplinks
    • Configure access ports for management devices

Phase 5: WAN & NAT Configuration

  • Primary WAN Configuration

    • Configure WAN interface
    • DNS: 8.8.8.8, 1.1.1.1
    • Gateway configuration

  • WAN Failover (if dual WAN available)

    • Configure secondary WAN interface
    • Enable failover with health checks
    • Failover threshold: 3 failed pings
    • Health check: Ping 8.8.8.8 every 30 seconds

  • Egress NAT Pools (if public IP blocks available)

    • VLAN 132 (CCIP-COMMIT) → Public Block #2
    • VLAN 133 (CCIP-EXEC) → Public Block #3
    • VLAN 134 (CCIP-RMN) → Public Block #4
    • VLAN 160 (SANKOFA-SVC) → Public Block #5
    • VLANs 200-203 (Sovereign tenants) → Public Block #6

Note: NAT pool configuration depends on UDM Pro capabilities and available public IP blocks.

Phase 6: System Settings

  • Hostname Configuration

    • Set appropriate hostname for UDM Pro

  • Timezone Configuration

    • Set timezone (America/Los_Angeles or as appropriate)

  • NTP Configuration

    • Configure NTP time synchronization
    • Use reliable NTP servers

  • SSL Certificate

    • Install proper SSL certificate (recommended)
    • Or document self-signed certificate usage for internal networks
    • Reference: UNIFI_API_SETUP.md

Phase 7: Device Management

  • UniFi Device Adoption

    • Adopt UniFi switches if present
    • Adopt UniFi APs if present
    • Configure switch ports for VLAN trunking
    • Configure APs with appropriate WLANs

  • Switch Port Configuration

    • Configure ports for VLAN trunking (802.1Q)
    • Apply port profiles to appropriate ports

Phase 8: Backup & Documentation

  • Configuration Backup

    • Enable automatic backups
    • Export initial configuration
    • Store backups securely

  • Verification

    • Verify all VLAN configurations using Private API
    • Test connectivity between VLANs
    • Test routing functionality
    • Verify firewall rules

  • Documentation

    • Document final UDM Pro configuration
    • Update configuration status documents
    • Create network topology diagram

Configuration Summary

Total Tasks: 35 tasks across 8 phases

Priority Levels:

  1. High Priority:

    • VLAN 11 (MGMT-LAN) - Critical for management access
    • Core service VLANs (110-114, 120-121, 130-134, 140-141, 150, 160)
    • Basic firewall rules for security
    • DHCP reservations for critical devices

  2. Medium Priority:

    • Sovereign tenant VLANs (200-203)
    • Advanced firewall rules
    • Port profile configuration
    • WAN configuration

  3. Lower Priority:

    • NAT pool configuration (if applicable)
    • WAN failover (if dual WAN)
    • SSL certificate installation
    • Advanced monitoring/logging

Implementation Notes

Parallel Execution

Many tasks can be executed in parallel:

  • All VLAN configurations (18 tasks) can be done simultaneously
  • System settings (hostname, timezone, NTP) can be configured in parallel
  • Port profiles can be configured independently
  • Firewall rules can be configured after VLANs are set up

Sequential Dependencies

Some tasks have dependencies:

  • Firewall rules depend on VLANs being configured first
  • Port profiles depend on VLANs being configured
  • NAT pools depend on WAN configuration and available public IP blocks
  • Verification should be done after all configurations are complete

Testing & Validation

After each phase:

  1. Verify VLANs are created correctly
  2. Test connectivity within VLANs
  3. Test inter-VLAN routing (if enabled)
  4. Verify firewall rules are working as expected
  5. Check DHCP assignments
  6. Verify device connectivity

Related Documentation

Current Status

API Integration: Configured and working (Private API mode)
Local Admin Account: Created (unifi_api)
VLAN Configuration: Pending (0/18 VLANs configured)
Firewall Rules: Pending
Port Profiles: Pending
System Settings: Pending

Last Updated: 2025-01-20

Reference in New Issue View Git Blame Copy Permalink