proxmox/docs/04-configuration/ER605_ROUTER_CONFIGURATION.md
defiQUG fbda1b4beb
docs: Ledger Live integration, contract deploy learnings, NEXT_STEPS updates
- ADD_CHAIN138_TO_LEDGER_LIVE: Ledger form done; public code review repo bis-innovations/LedgerLive; init/push commands
- CONTRACT_DEPLOYMENT_RUNBOOK: Chain 138 gas price 1 gwei, 36-addr check, TransactionMirror workaround
- CONTRACT_*: AddressMapper, MirrorManager deployed 2026-02-12; 36-address on-chain check
- NEXT_STEPS_FOR_YOU: Ledger done; steps completable now (no LAN); run-completable-tasks-from-anywhere
- MASTER_INDEX, OPERATOR_OPTIONAL, SMART_CONTRACTS_INVENTORY_SIMPLE: updates
- LEDGER_BLOCKCHAIN_INTEGRATION_COMPLETE: bis-innovations/LedgerLive reference

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-02-12 15:46:57 -08:00


ER605 Router Configuration Guide

Last Updated: 2025-01-20
Document Version: 1.0
Status: Active Documentation
Hardware: 2× TP-Link ER605 (v1 or v2)


Overview

This guide provides step-by-step configuration for the ER605 routers in the enterprise orchestration setup, including:

  • Dual router roles (ER605-A primary, ER605-B standby)
  • WAN configuration with 6× /28 public IP blocks
  • VLAN routing and inter-VLAN communication
  • Role-based egress NAT pools
  • Break-glass inbound NAT rules

Hardware Setup

ER605-A (Primary Edge Router)

Physical Connections:

  • WAN1: Spectrum ISP (Block #1: 76.53.10.32/28)
  • WAN2: ISP #2 (failover/alternate)
  • LAN: Trunk to ES216G-1 (core switch)

Note: WAN1 on the ER605 has been replaced by the UDM Pro, which is now the edge device at 76.53.10.34. Port forwarding: 76.53.10.36:80/443 → 192.168.11.167:80/443 (NPMplus).

ER605-B (Standby Edge Router)

Physical Connections:

  • WAN1: ISP #2 (alternate/standby)
  • WAN2: (optional, if available)
  • LAN: Trunk to ES216G-1 (core switch)

Role Decision Required:

  • Option A: Standby edge (failover only)
  • Option B: Dedicated sovereign edge (separate policy domain)

WAN Configuration

ER605-A WAN1 (Primary - Block #1)

Interface: WAN1
Connection Type: Static IP
IP Address: 76.53.10.34
Subnet Mask: 255.255.255.240 (/28)
Gateway: 76.53.10.33
Primary DNS: 8.8.8.8
Secondary DNS: 1.1.1.1
MTU: 1500

ER605-A WAN2 (Failover - ISP #2)

Interface: WAN2
Connection Type: [DHCP/Static as per ISP]
Failover Mode: Enabled
Priority: Lower than WAN1

ER605-B Configuration

If Standby:

  • Configure same as ER605-A but with lower priority
  • Enable failover monitoring

If Dedicated Sovereign Edge:

  • Configure separate policy domain
  • Independent NAT pools for sovereign tenants

VLAN Configuration

Create VLAN Interfaces

For each VLAN, create a VLAN interface on ER605:

| VLAN ID | VLAN Name | Interface IP | Subnet | Gateway |
|---|---|---|---|---|
| 11 | MGMT-LAN | 192.168.11.1 | 192.168.11.0/24 | 192.168.11.1 |
| 110 | BESU-VAL | 10.110.0.1 | 10.110.0.0/24 | 10.110.0.1 |
| 111 | BESU-SEN | 10.111.0.1 | 10.111.0.0/24 | 10.111.0.1 |
| 112 | BESU-RPC | 10.112.0.1 | 10.112.0.0/24 | 10.112.0.1 |
| 120 | BLOCKSCOUT | 10.120.0.1 | 10.120.0.0/24 | 10.120.0.1 |
| 121 | CACTI | 10.121.0.1 | 10.121.0.0/24 | 10.121.0.1 |
| 130 | CCIP-OPS | 10.130.0.1 | 10.130.0.0/24 | 10.130.0.1 |
| 132 | CCIP-COMMIT | 10.132.0.1 | 10.132.0.0/24 | 10.132.0.1 |
| 133 | CCIP-EXEC | 10.133.0.1 | 10.133.0.0/24 | 10.133.0.1 |
| 134 | CCIP-RMN | 10.134.0.1 | 10.134.0.0/24 | 10.134.0.1 |
| 140 | FABRIC | 10.140.0.1 | 10.140.0.0/24 | 10.140.0.1 |
| 141 | FIREFLY | 10.141.0.1 | 10.141.0.0/24 | 10.141.0.1 |
| 150 | INDY | 10.150.0.1 | 10.150.0.0/24 | 10.150.0.1 |
| 160 | SANKOFA-SVC | 10.160.0.1 | 10.160.0.0/22 | 10.160.0.1 |
| 200 | PHX-SOV-SMOM | 10.200.0.1 | 10.200.0.0/20 | 10.200.0.1 |
| 201 | PHX-SOV-ICCC | 10.201.0.1 | 10.201.0.0/20 | 10.201.0.1 |
| 202 | PHX-SOV-DBIS | 10.202.0.1 | 10.202.0.0/20 | 10.202.0.1 |
| 203 | PHX-SOV-AR | 10.203.0.1 | 10.203.0.0/20 | 10.203.0.1 |

Configuration Steps

  1. Access ER605 Web Interface:

    • Default: http://192.168.0.1 or http://tplinkrouter.net
    • Login with admin credentials
  2. Enable VLAN Support:

    • Navigate to: Advanced → VLAN → VLAN Settings
    • Enable VLAN support
  3. Create VLAN Interfaces:

    • For each VLAN, create a VLAN interface:
      • VLAN ID: [VLAN ID]
      • Interface IP: [Gateway IP]
      • Subnet Mask: [Corresponding subnet mask]
  4. Configure DHCP (Optional):

    • For each VLAN, configure DHCP server if needed
    • DHCP range: Exclude gateway (.1) and reserved IPs

Routing Configuration

Static Routes

Default Route:

  • Destination: 0.0.0.0/0
  • Gateway: 76.53.10.33 (WAN1 gateway)
  • Interface: WAN1

Inter-VLAN Routing:

  • ER605 automatically routes between VLANs
  • Ensure VLAN interfaces are configured

Route Priority

  • WAN1: Primary (higher priority)
  • WAN2: Failover (lower priority)

NAT Configuration

Outbound NAT (Role-based Egress Pools)

Critical: Configure outbound NAT pools using the /28 blocks for role-based egress.

CCIP Commit (VLAN 132) → Block #2

Source Network: 10.132.0.0/24
NAT Type: PAT (Port Address Translation)
NAT Pool: <PUBLIC_BLOCK_2>/28
Interface: WAN1

CCIP Execute (VLAN 133) → Block #3

Source Network: 10.133.0.0/24
NAT Type: PAT
NAT Pool: <PUBLIC_BLOCK_3>/28
Interface: WAN1

RMN (VLAN 134) → Block #4

Source Network: 10.134.0.0/24
NAT Type: PAT
NAT Pool: <PUBLIC_BLOCK_4>/28
Interface: WAN1

Sankofa/Phoenix/PanTel (VLAN 160) → Block #5

Source Network: 10.160.0.0/22
NAT Type: PAT
NAT Pool: <PUBLIC_BLOCK_5>/28
Interface: WAN1

Sovereign Tenants (VLAN 200-203) → Block #6

Source Network: 10.200.0.0/20, 10.201.0.0/20, 10.202.0.0/20, 10.203.0.0/20
NAT Type: PAT
NAT Pool: <PUBLIC_BLOCK_6>/28
Interface: WAN1

Management (VLAN 11) → Block #1 (Restricted)

Source Network: 192.168.11.0/24
NAT Type: PAT
NAT Pool: 76.53.10.32/28 (restricted, tightly controlled)
Interface: WAN1

Inbound NAT (Break-glass Only)

Default: None

Optional Break-glass Rules:

Emergency SSH/Jumpbox

Rule Name: Break-glass SSH
External IP: 76.53.10.35 (or other VIP from Block #1)
External Port: 22
Internal IP: [Jumpbox IP on VLAN 11]
Internal Port: 22
Protocol: TCP
Access Control: IP allowlist (restrict to admin IPs)

Emergency RPC (if needed)

Rule Name: Emergency Besu RPC
External IP: 76.53.10.36
External Port: 8545
Internal IP: [RPC node IP on VLAN 112]
Internal Port: 8545
Protocol: TCP
Access Control: IP allowlist (restrict to known clients)

Note: All break-glass rules should have strict IP allowlists and be disabled by default.


Firewall Rules

Default Policy

  • WAN → LAN: Deny (default)
  • LAN → WAN: Allow (with NAT)
  • Inter-VLAN: Allow (for routing)

Security Rules

Block Public Access to Proxmox

Rule: Block Proxmox Web UI from WAN
Source: Any (WAN)
Destination: 192.168.11.0/24
Port: 8006
Action: Deny

Allow Cloudflare Tunnel Traffic

Rule: Allow Cloudflare Tunnel
Source: Cloudflare IP ranges
Destination: [Cloudflare tunnel endpoints]
Port: [Tunnel ports]
Action: Allow

Inter-VLAN Isolation (Sovereign Tenants)

Rule: Deny East-West for Sovereign Tenants
Source: 10.200.0.0/20, 10.201.0.0/20, 10.202.0.0/20, 10.203.0.0/20
Destination: 10.200.0.0/20, 10.201.0.0/20, 10.202.0.0/20, 10.203.0.0/20
Action: Deny (except for specific allowed paths)

DHCP Configuration

VLAN 11 (MGMT-LAN)

VLAN: 11
DHCP Range: 192.168.11.100-192.168.11.200
Gateway: 192.168.11.1
DNS: 8.8.8.8, 1.1.1.1
Lease Time: 24 hours
Reserved IPs:
  - 192.168.11.1: Gateway
  - 192.168.11.10: ML110 (Proxmox)
  - 192.168.11.11-14: R630 nodes (if needed)

Other VLANs

Configure DHCP as needed for each VLAN, or use static IPs for all nodes.


Failover Configuration

ER605-A WAN Failover

Primary WAN: UDM Pro (76.53.10.34; replaced ER605). Port forward 76.53.10.36:80/443 → 192.168.11.167.
Backup WAN: WAN2
Failover Mode: Auto
Health Check: Ping 8.8.8.8 every 30 seconds
Failover Threshold: 3 failed pings

ER605-B Standby (if configured)

  • Monitor ER605-A health
  • Activate if ER605-A fails
  • Use same configuration as ER605-A

Monitoring & Logging

Enable Logging

  • System Logs: Enable
  • Firewall Logs: Enable
  • NAT Logs: Enable (for egress tracking)

SNMP (Optional)

SNMP Version: v2c or v3
Community: [Secure community string]
Trap Receivers: [Monitoring system IPs]

Backup & Recovery

Configuration Backup

  1. Export Configuration:

    • Navigate to: System Tools → Backup & Restore
    • Click Backup to download configuration file
    • Store securely (encrypted)
  2. Regular Backups:

    • Schedule weekly backups
    • Store in multiple locations
    • Version control configuration changes

Configuration Restore

  1. Restore from Backup:
    • Navigate to: System Tools → Backup & Restore
    • Upload configuration file
    • Restore and reboot

Troubleshooting

Common Issues

VLAN Not Routing

  • Check: VLAN interface is created and enabled
  • Check: VLAN ID matches switch configuration
  • Check: Subnet mask is correct

NAT Not Working

  • Check: NAT pool IPs are in the correct /28 block
  • Check: Source network matches VLAN subnet
  • Check: Firewall rules allow traffic

Failover Not Working

  • Check: WAN2 is configured and connected
  • Check: Health check settings
  • Check: Failover priority settings
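The three "Check:" lists above (VLAN interface/subnet, NAT pool in the right /28 with a source that matches the VLAN subnet, DHCP range excluding gateway and reserved IPs) can be run as a plan review before anything is typed into the ER605 web UI. The script below is an added example, not part of this guide or the ER605 firmware; it takes a subset of the VLAN table and the NAT egress pools from this page, and because the guide leaves blocks 2 to 6 as <PUBLIC_BLOCK_n> placeholders, it uses constructed 198.51.100.x stand-ins for them.

```python
import ipaddress
# VLAN plan (subset of the guide's table): id -> (name, gateway, subnet)
VLANS = {
    11:  ("MGMT-LAN",    "192.168.11.1", "192.168.11.0/24"),
    132: ("CCIP-COMMIT", "10.132.0.1",   "10.132.0.0/24"),
    133: ("CCIP-EXEC",   "10.133.0.1",   "10.133.0.0/24"),
    160: ("SANKOFA-SVC", "10.160.0.1",   "10.160.0.0/22"),
}
# Egress pools: NAT source network -> public /28. Block #1 is from the guide; the
# 198.51.100.x blocks are constructed stand-ins for its <PUBLIC_BLOCK_n> placeholders.
NAT_POOLS = {
    "192.168.11.0/24": "76.53.10.32/28",
    "10.132.0.0/24":   "198.51.100.0/28",
    "10.133.0.0/24":   "198.51.100.16/28",
    "10.160.0.0/22":   "198.51.100.48/28",
}

def check_vlans(vlans):
    """Gateway must sit inside its subnet and be the .1 host (the guide's convention)."""
    problems = []
    for vid, (name, gw, net) in vlans.items():
        network, gateway = ipaddress.ip_network(net), ipaddress.ip_address(gw)
        if gateway not in network:
            problems.append(f"VLAN {vid} {name}: gateway {gw} not in {net}")
        elif gateway != network.network_address + 1:
            problems.append(f"VLAN {vid} {name}: gateway {gw} is not the .1 of {net}")
    return problems

def check_nat_pools(vlans, pools):
    """NAT source must equal a VLAN subnet; each pool is a /28 that overlaps no other
    role's pool (one role, one egress block, so NAT logs attribute traffic to a role)."""
    problems, seen = [], []
    subnets = {ipaddress.ip_network(n) for _, _, n in vlans.values()}
    for src, pool in pools.items():
        if ipaddress.ip_network(src) not in subnets:
            problems.append(f"NAT source {src} does not match any VLAN subnet")
        block = ipaddress.ip_network(pool)
        if block.prefixlen != 28:
            problems.append(f"NAT pool {pool} is not a /28 block")
        if any(block.overlaps(other) for other in seen):
            problems.append(f"NAT pool {pool} overlaps another role's pool")
        seen.append(block)
    return problems

def check_dhcp_range(start, end, subnet, reserved):
    """DHCP range must lie inside the subnet and exclude the gateway/reserved IPs."""
    network = ipaddress.ip_network(subnet)
    lo, hi = ipaddress.ip_address(start), ipaddress.ip_address(end)
    problems = [] if lo in network and hi in network and lo <= hi else \
        [f"DHCP range {start}-{end} is not inside {subnet}"]
    problems += [f"reserved {ip} falls inside the DHCP range"
                 for ip in reserved if lo <= ipaddress.ip_address(ip) <= hi]
    return problems
```

Each function returns an empty list for the plan as written on this page; a non-empty list names the VLAN, pool or range to fix before configuring the router.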

Security Best Practices

  1. Change Default Credentials: Immediately change admin password
  2. Disable Remote Management: Only allow LAN access to web interface
  3. Enable Firewall Logging: Monitor for suspicious activity
  4. Regular Firmware Updates: Keep ER605 firmware up to date
  5. Restrict Break-glass Rules: Use IP allowlists for all inbound NAT
  6. Monitor NAT Pools: Track egress IP usage by role


Document Status: Complete (v1.0)
Maintained By: Infrastructure Team
Review Cycle: Quarterly
Last Updated: 2025-01-20