# UDM Pro VLAN Utilization - Complete Guide

Last Updated: 2026-01-14

Status: ✅ READY FOR UTILIZATION - All Steps Documented

🎉 Achievement: VLAN Plan 100% Complete

All 19 VLANs are configured and ready for utilization!
## Quick Start Checklist

### ✅ Phase 1: Verification (Required)

- Verify Network Isolation - Disabled for all VLANs
- Verify Zone Matrix - Internal → Internal = Allow All
- Test Inter-VLAN Routing - Verify connectivity between VLANs

### ⏳ Phase 2: Configuration (Next Steps)

- Configure Firewall Rules - Inter-VLAN communication rules
- Assign VMs/Containers - Move services to appropriate VLANs
- Test Connectivity - Verify services work on assigned VLANs
## Step-by-Step Guide

### Step 1: Verify Network Isolation (CRITICAL)

Why: Network Isolation blocks inter-VLAN routing. It must be disabled on every VLAN that needs to reach other VLANs.

Steps:

- Access UDM Pro: https://192.168.0.1
- Navigate: Settings → Networks → Networks
- For EACH of the 19 VLANs:
  - Click on the VLAN name
  - Scroll to the "Network" section
  - Ensure "Isolate Network" is UNCHECKED ❌
  - If it is checked, uncheck it and Save

VLANs to Check:

- Default (VLAN 1)
- MGMT-LAN (VLAN 11)
- BESU-VAL (VLAN 110)
- BESU-SEN (VLAN 111)
- BESU-RPC (VLAN 112)
- BLOCKSCOUT (VLAN 120)
- CACTI (VLAN 121)
- CCIP-OPS (VLAN 130)
- CCIP-COMMIT (VLAN 132)
- CCIP-EXEC (VLAN 133)
- CCIP-RMN (VLAN 134)
- FABRIC (VLAN 140)
- FIREFLY (VLAN 141)
- INDY (VLAN 150)
- SANKOFA-SVC (VLAN 160)
- PHX-SOV-SMOM (VLAN 200)
- PHX-SOV-ICCC (VLAN 201)
- PHX-SOV-DBIS (VLAN 202)
- PHX-SOV-AR (VLAN 203)
Automated Verification:

```bash
./scripts/unifi/verify-vlan-settings.sh
```
### Step 2: Verify Zone Matrix (CRITICAL)

Why: The Zone Matrix controls inter-zone communication. Internal → Internal = Allow All enables inter-VLAN routing.

Steps:

- Access UDM Pro: https://192.168.0.1
- Navigate: Policy Engine → Zone Matrix
- Find: Internal → Internal
- Verify it says "Allow All" ✅
- If not, click and change to "Allow All"
- Save

Automated Verification:

```bash
./scripts/unifi/verify-vlan-settings.sh
```
### Step 3: Test Inter-VLAN Routing

Why: Verify that routing between VLANs is working.

From VLAN 11 (MGMT-LAN), test routing to the gateway of each other VLAN:

```bash
# Test Besu networks
ping -c 3 10.110.0.1 # BESU-VAL
ping -c 3 10.111.0.1 # BESU-SEN
ping -c 3 10.112.0.1 # BESU-RPC

# Test service VLANs
ping -c 3 10.120.0.1 # BLOCKSCOUT
ping -c 3 10.121.0.1 # CACTI
ping -c 3 10.130.0.1 # CCIP-OPS
ping -c 3 10.132.0.1 # CCIP-COMMIT
ping -c 3 10.133.0.1 # CCIP-EXEC
ping -c 3 10.134.0.1 # CCIP-RMN
ping -c 3 10.140.0.1 # FABRIC
ping -c 3 10.141.0.1 # FIREFLY
ping -c 3 10.150.0.1 # INDY
ping -c 3 10.160.0.1 # SANKOFA-SVC

# Test sovereign tenants
ping -c 3 10.200.0.1 # PHX-SOV-SMOM
ping -c 3 10.201.0.1 # PHX-SOV-ICCC
ping -c 3 10.202.0.1 # PHX-SOV-DBIS
ping -c 3 10.203.0.1 # PHX-SOV-AR
```

Automated Testing:

```bash
./scripts/unifi/verify-vlan-settings.sh
```

Expected Result: All gateways should be reachable (if Network Isolation is disabled and the Zone Matrix is configured).
### Step 4: Configure Firewall Rules

Why: Control inter-VLAN communication and security. Because Step 2 sets Internal → Internal to Allow All, every VLAN can reach every other VLAN until these rules restrict it.

Required Rules:

#### 4.1 Management VLAN (11) → Service VLANs

Allow:

- SSH (TCP 22)
- HTTPS (TCP 443)
- Database admin (PostgreSQL 5432, MySQL 3306)
- Admin consoles (Keycloak 8080, etc.)
- Monitoring (SNMP 161, Prometheus 9090, etc.)

Via UDM Pro Web UI:

- Navigate: Settings → Firewall & Security → Firewall Rules
- Create new rule:
  - Name: "MGMT to Service VLANs"
  - Source: 192.168.11.0/24 (MGMT-LAN)
  - Destination: Service VLANs (10.110.0.0/24, 10.111.0.0/24, etc.)
  - Protocol: TCP
  - Ports: 22, 443, 5432, 3306, 8080, 161, 9090
  - Action: Allow
- Save

Note: SNMP on port 161 is UDP, so a TCP-only rule will not pass SNMP polling; set the protocol to TCP/UDP or add a separate UDP rule for 161.

#### 4.2 Service VLANs → Management VLAN (11)

Allow:

- Monitoring agents
- Logging (Syslog 514, etc.)
- Health checks

Via UDM Pro Web UI:

- Create new rule:
  - Name: "Service VLANs to MGMT"
  - Source: Service VLANs (10.110.0.0/24, 10.111.0.0/24, etc.)
  - Destination: 192.168.11.0/24 (MGMT-LAN)
  - Protocol: TCP/UDP
  - Ports: 514, 9090, 9091 (monitoring/logging)
  - Action: Allow
- Save

#### 4.3 Sovereign Tenant Isolation

Block inter-tenant communication (both directions for each pair):

- VLAN 200 ↔ VLAN 201
- VLAN 200 ↔ VLAN 202
- VLAN 200 ↔ VLAN 203
- VLAN 201 ↔ VLAN 202
- VLAN 201 ↔ VLAN 203
- VLAN 202 ↔ VLAN 203

Allow:

- Each tenant → Management VLAN (monitoring only)
- Each tenant → External (internet)

Via UDM Pro Web UI:

- Create deny rules for each tenant pair
- Create allow rules for tenant → MGMT (monitoring)
- Create allow rules for tenant → External

Configuration Guide:

```bash
./scripts/unifi/configure-inter-vlan-firewall-rules.sh
```
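The tenant rules in 4.3 sit on top of the Internal → Internal = Allow All default from Step 2, so an allow rule for tenant → MGMT monitoring ports does not by itself stop other tenant → MGMT traffic. The following added example (not one of the project's scripts) models an ordered, first-match rule list in a constructed, simplified format and audits it against the 4.3 policy, showing the draft rule set beside a hardened one with a catch-all tenant → MGMT deny. It assumes first-match evaluation with Allow All as the fallback and uses the subnets from the reference table in Step 5.3.

```python
from ipaddress import ip_network

# VLAN subnets taken from the guide's reference table (Step 5.3)
VLAN_SUBNETS = {
    11: "192.168.11.0/24", 110: "10.110.0.0/24", 120: "10.120.0.0/24",
    200: "10.200.0.0/20", 201: "10.201.0.0/20",
    202: "10.202.0.0/24", 203: "10.203.0.0/20",
}
TENANTS = (200, 201, 202, 203)  # PHX-SOV-* sovereign tenant VLANs
MGMT = 11  # MGMT-LAN
MONITORING_PORTS = frozenset({514, 9090, 9091})  # Step 4.2 logging/monitoring ports

def rule(src_vlan, dst_vlan, action, ports=None):
    """Constructed rule shape, not the UniFi export: (src, dst, ports, action)."""
    return (ip_network(VLAN_SUBNETS[src_vlan]), ip_network(VLAN_SUBNETS[dst_vlan]),
            ports, action)

# Draft rule set as Step 4.3 literally lists it: pairwise tenant denies plus a
# tenant -> MGMT allow restricted to the monitoring ports.
DRAFT_RULES = [rule(a, b, "deny") for a in TENANTS for b in TENANTS if a != b]
DRAFT_RULES += [rule(t, MGMT, "allow", MONITORING_PORTS) for t in TENANTS]

# Hardened set: the same rules followed by a catch-all tenant -> MGMT deny, so
# the monitoring allow is the only path rather than an exception to Allow All.
HARDENED_RULES = DRAFT_RULES + [rule(t, MGMT, "deny") for t in TENANTS]

def evaluate(rules, src_vlan, dst_vlan, port):
    """First matching rule wins (assumed ordered, first-match semantics). With
    no match, Internal -> Internal = Allow All from Step 2 applies: allow."""
    src = ip_network(VLAN_SUBNETS[src_vlan])
    dst = ip_network(VLAN_SUBNETS[dst_vlan])
    for rule_src, rule_dst, ports, action in rules:
        if (src.subnet_of(rule_src) and dst.subnet_of(rule_dst)
                and (ports is None or port in ports)):
            return action
    return "allow"

def audit(rules, probe_port=22):
    """Return policy violations: tenant pairs that can still reach each other,
    and tenant -> MGMT flows passing on a non-monitoring port (SSH by default)."""
    findings = []
    for a in TENANTS:
        for b in TENANTS:
            if a != b and evaluate(rules, a, b, probe_port) != "deny":
                findings.append(f"VLAN {a} -> VLAN {b} is not denied")
        if evaluate(rules, a, MGMT, probe_port) != "deny":
            findings.append(f"VLAN {a} -> MGMT allows port {probe_port}")
    return findings
```

`audit(DRAFT_RULES)` reports one tenant → MGMT finding per tenant because SSH falls through to Allow All, while `audit(HARDENED_RULES)` returns an empty list and still passes Syslog 514 from each tenant to MGMT.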
### Step 5: Assign VMs/Containers to VLANs

Why: Move services to the appropriate VLANs for network segmentation.

#### 5.1 Assign Container to VLAN

Via CLI:

```bash
# Assign container 100 to VLAN 110 (BESU-VAL)
./scripts/proxmox/assign-vlan-to-container.sh 100 110

# Assign container 200 to VLAN 120 on a specific host
./scripts/proxmox/assign-vlan-to-container.sh 200 120 ml110
```

Via Proxmox Web UI:

- Go to: Datacenter → [Host] → Containers → [Container ID]
- Click: Hardware → Network Device
- Edit: Bridge = vmbr0, VLAN Tag = [VLAN ID]
- Save

Manual CLI:

```bash
ssh root@192.168.11.10 "pct set <CTID> -net0 name=eth0,bridge=vmbr0,tag=<VLAN_ID>"
```

#### 5.2 Assign VM to VLAN

Via CLI:

```bash
# Assign VM 1000 to VLAN 110 (BESU-VAL)
./scripts/proxmox/assign-vlan-to-vm.sh 1000 110

# Assign VM 2000 to VLAN 120 on a specific host
./scripts/proxmox/assign-vlan-to-vm.sh 2000 120 ml110
```

Via Proxmox Web UI:

- Go to: Datacenter → [Host] → VMs → [VM ID]
- Click: Hardware → Network Device
- Edit: Bridge = vmbr0, VLAN Tag = [VLAN ID]
- Save

Manual CLI:

```bash
ssh root@192.168.11.10 "qm set <VMID> --net0 virtio,bridge=vmbr0,tag=<VLAN_ID>"
```
#### 5.3 VLAN Assignment Reference

| Service Type | VLAN ID | VLAN Name | Subnet |
|---|---|---|---|
| Proxmox Management | 11 | MGMT-LAN | 192.168.11.0/24 |
| Besu Validators | 110 | BESU-VAL | 10.110.0.0/24 |
| Besu Sentries | 111 | BESU-SEN | 10.111.0.0/24 |
| Besu RPC | 112 | BESU-RPC | 10.112.0.0/24 |
| Blockscout | 120 | BLOCKSCOUT | 10.120.0.0/24 |
| Cacti | 121 | CACTI | 10.121.0.0/24 |
| CCIP Ops | 130 | CCIP-OPS | 10.130.0.0/24 |
| CCIP Commit | 132 | CCIP-COMMIT | 10.132.0.0/24 |
| CCIP Exec | 133 | CCIP-EXEC | 10.133.0.0/24 |
| CCIP RMN | 134 | CCIP-RMN | 10.134.0.0/24 |
| Fabric | 140 | FABRIC | 10.140.0.0/24 |
| FireFly | 141 | FIREFLY | 10.141.0.0/24 |
| Indy | 150 | INDY | 10.150.0.0/24 |
| Sankofa Service | 160 | SANKOFA-SVC | 10.160.0.0/22 |
| Sovereign SMOM | 200 | PHX-SOV-SMOM | 10.200.0.0/20 |
| Sovereign ICCC | 201 | PHX-SOV-ICCC | 10.201.0.0/20 |
| Sovereign DBIS | 202 | PHX-SOV-DBIS | 10.202.0.0/24 |
| Sovereign AR | 203 | PHX-SOV-AR | 10.203.0.0/20 |
### Step 6: Test Connectivity

After assigning VMs/containers to VLANs:

- Test from Management VLAN:

```bash
# From VLAN 11, test connectivity to services on other VLANs
ping <SERVICE_IP_ON_VLAN_110>
ping <SERVICE_IP_ON_VLAN_120>
# etc.
```

- Test from Assigned VLAN:

```bash
# SSH into container/VM on assigned VLAN
# Test connectivity to gateway
ping 10.110.0.1 # If on VLAN 110
# Test connectivity to other VLANs
ping 10.120.0.1 # BLOCKSCOUT
```

- Test Service-Specific Connectivity:

```bash
# Test HTTP/HTTPS
curl http://<SERVICE_IP>
# Test database
psql -h <DB_IP> -U <USER>
# Test SSH
ssh user@<SERVICE_IP>
```
## Automated Scripts

### Verification Script

```bash
# Verify VLAN settings and test inter-VLAN routing
./scripts/unifi/verify-vlan-settings.sh
```

What it does:

- Tests UDM Pro connectivity
- Provides manual verification steps
- Tests inter-VLAN routing automatically

### Firewall Configuration Guide

```bash
# View firewall rules configuration guide
./scripts/unifi/configure-inter-vlan-firewall-rules.sh
```

What it does:

- Lists required firewall rules
- Provides configuration instructions
- Shows manual and API options

### VLAN Assignment Scripts

```bash
# Assign container to VLAN
./scripts/proxmox/assign-vlan-to-container.sh <CTID> <VLAN_ID> [HOST]

# Assign VM to VLAN
./scripts/proxmox/assign-vlan-to-vm.sh <VMID> <VLAN_ID> [HOST]
```

What they do:

- Validate VLAN ID
- Check container/VM existence
- Assign VLAN tag
- Verify configuration
## Troubleshooting

### Issue: Cannot ping VLAN gateway

Possible Causes:

- Network Isolation enabled
- Zone Matrix not configured
- Firewall rules blocking ICMP

Solutions:

- Verify Network Isolation is disabled
- Verify Zone Matrix: Internal → Internal = Allow All
- Check firewall rules for ICMP blocking

### Issue: Cannot access service on assigned VLAN

Possible Causes:

- Service not configured for new IP
- Firewall rules blocking access
- Service not listening on correct interface

Solutions:

- Verify service IP assignment (DHCP or static)
- Check firewall rules
- Verify service configuration

### Issue: Inter-VLAN routing not working

Possible Causes:

- Network Isolation enabled on one or more VLANs
- Zone Matrix not configured correctly
- Firewall rules blocking traffic

Solutions:

- Verify Network Isolation is disabled on ALL VLANs
- Verify Zone Matrix: Internal → Internal = Allow All
- Check and adjust firewall rules
## Summary

Status: ✅ READY FOR UTILIZATION

Completed:

- ✅ All 19 VLANs configured
- ✅ Verification scripts created
- ✅ VLAN assignment scripts created
- ✅ Complete guide documented

Next Steps:

- Complete manual verification (Network Isolation, Zone Matrix)
- Test inter-VLAN routing
- Configure firewall rules
- Assign VMs/containers to VLANs
- Test and verify connectivity

VLAN Plan Utilization: ✅ READY TO PROCEED