# UDM Pro Manual SSH Diagnosis Guide
**Date**: 2026-01-21

**Purpose**: Manual commands to run on UDM Pro via SSH to diagnose firewall/port forwarding

**SSH Credentials:**
- **Username**: `OQmQuS`
- **Password**: `m0MFXHdgMFKGB213b04`
- **IP**: `192.168.11.1` (or your UDM Pro IP)

---
## Connect to UDM Pro
```bash
ssh OQmQuS@192.168.11.1
# Enter password when prompted: m0MFXHdgMFKGB213b04
```
---
## Diagnosis Commands
### 1. Check Port Forwarding Rules (NAT Table)
```bash
# Check if port forwarding rules exist for 76.53.10.36
iptables -t nat -L -n -v | grep -A 5 "76.53.10.36"
```
**Expected Output (if working):**
```
DNAT tcp -- 0.0.0.0/0 76.53.10.36 tcp dpt:80 to:192.168.11.166:80
DNAT tcp -- 0.0.0.0/0 76.53.10.36 tcp dpt:443 to:192.168.11.166:443
```
**If empty**: Port forwarding rules are not active

---
### 2. Check Firewall Rules for NPMplus
```bash
# Check if firewall allows traffic to 192.168.11.166
iptables -L FORWARD -n -v | grep -A 5 "192.168.11.166"
```
**Expected Output (if working):**
```
ACCEPT tcp -- 0.0.0.0/0 192.168.11.166 tcp dpt:80
ACCEPT tcp -- 0.0.0.0/0 192.168.11.166 tcp dpt:443
```
**If empty**: Firewall may be blocking traffic

---
### 3. Check Firewall Rule Order
```bash
# List all FORWARD rules with line numbers
iptables -L FORWARD -n -v --line-numbers
```
**What to look for:**
- **Allow rules** for 192.168.11.166 should be **BEFORE** any **block rules**
- If block rules come first, they will block the traffic
---
### 4. Check All NAT Rules
```bash
# List all NAT rules
iptables -t nat -L -n -v
```
**What to look for:**
- DNAT rules for 76.53.10.36:80 → 192.168.11.166:80
- DNAT rules for 76.53.10.36:443 → 192.168.11.166:443
---
### 5. Check Network Interfaces
```bash
# Check if 76.53.10.36 is on a network interface
ip addr show | grep "76.53.10"
```
**Expected**: Should show the IP on a WAN interface

---
### 6. Check Configuration Files
```bash
# Check firewall configuration
grep -A 10 "76.53.10.36" /mnt/data/udapi-config/firewall.json
# Check UniFi gateway config
grep -A 20 "port-forward" /mnt/data/unifi/config/config.gateway.json
```
---
## Quick Diagnosis Script
Run this complete check:
```bash
echo "=== Port Forwarding (NAT) ==="
iptables -t nat -L -n -v | grep -A 3 "76.53.10.36"
echo ""
echo "=== Firewall Rules (FORWARD) ==="
iptables -L FORWARD -n -v --line-numbers | grep -A 3 "192.168.11.166"
echo ""
echo "=== All FORWARD Rules (First 20) ==="
iptables -L FORWARD -n -v --line-numbers | head -20
```
---
## What to Look For
### ✅ If Port Forwarding is Working:
- NAT table shows DNAT rules for 76.53.10.36:80/443
- Rules show non-zero packet/byte counts (traffic is actually hitting them)
### ❌ If Port Forwarding is NOT Working:
- NAT table is empty for 76.53.10.36
- No DNAT rules found
### ✅ If Firewall Allows Traffic:
- FORWARD chain shows ACCEPT rules for 192.168.11.166:80/443
- Allow rules come BEFORE block rules
### ❌ If Firewall is Blocking:
- No ACCEPT rules for 192.168.11.166
- Block rules come BEFORE allow rules
- DROP/REJECT rules for 192.168.11.166
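
The checks in sections 1 to 4 and the list above can be scripted instead of read by eye. The following is an added example, not part of the original guide or of UniFi's tooling: it parses the output of `iptables -L FORWARD -n -v --line-numbers` and `iptables -t nat -L -n -v`, counts the DNAT rules mapping 76.53.10.36 to 192.168.11.166, checks that the ACCEPT rules for that host have lower rule numbers than any DROP/REJECT matching it, and succeeds only when both checks pass. The `--live` flag, the function names and the sample iptables output are this example's own (the sample is constructed to show Issue 3, a block rule above the allow rules).

```shell
#!/bin/sh
# Added example, not from the original guide. Field positions assume
# `iptables -L FORWARD -n -v --line-numbers` (target=$4, destination=$10)
# and `iptables -t nat -L -n -v` (target=$3, destination=$9).
WAN_IP=76.53.10.36
LAN_IP=192.168.11.166
# Constructed sample: a DROP for the host sits above its ACCEPT rules (Issue 3).
SAMPLE_FORWARD='Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1       12   720 DROP       all  --  eth8   *       0.0.0.0/0            192.168.11.166
2        0     0 ACCEPT     tcp  --  eth8   *       0.0.0.0/0            192.168.11.166       tcp dpt:80
3        0     0 ACCEPT     tcp  --  eth8   *       0.0.0.0/0            192.168.11.166       tcp dpt:443'
# Constructed sample: both DNAT rules present and carrying traffic.
SAMPLE_NAT='Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   40  2400 DNAT       tcp  --  eth8   *       0.0.0.0/0            76.53.10.36          tcp dpt:80 to:192.168.11.166:80
   31  1860 DNAT       tcp  --  eth8   *       0.0.0.0/0            76.53.10.36          tcp dpt:443 to:192.168.11.166:443'
# count_dnat NAT_OUTPUT WAN_IP LAN_IP -> number of DNAT rules mapping WAN_IP to LAN_IP
count_dnat() {
    printf '%s\n' "$1" | awk -v wan="$2" -v lan="$3" \
        '$3=="DNAT" && $9==wan && index($0, "to:" lan ":") {n++} END {print n+0}'
}
# forward_order FORWARD_OUTPUT LAN_IP -> ok | blocked-first | no-accept
# "ok": the first ACCEPT for the host precedes the first DROP/REJECT for it (or none exists).
forward_order() {
    first_accept=$(printf '%s\n' "$1" | awk -v ip="$2" \
        '$1 ~ /^[0-9]+$/ && $4=="ACCEPT" && $10==ip {print $1; exit}')
    first_block=$(printf '%s\n' "$1" | awk -v ip="$2" \
        '$1 ~ /^[0-9]+$/ && ($4=="DROP" || $4=="REJECT") && $10==ip {print $1; exit}')
    if [ -z "$first_accept" ]; then echo no-accept
    elif [ -z "$first_block" ] || [ "$first_accept" -lt "$first_block" ]; then echo ok
    else echo blocked-first; fi
}
# diagnose FORWARD_OUTPUT NAT_OUTPUT -> prints findings; succeeds only if both checks pass
diagnose() {
    dnat=$(count_dnat "$2" "$WAN_IP" "$LAN_IP")
    order=$(forward_order "$1" "$LAN_IP")
    echo "DNAT rules $WAN_IP -> $LAN_IP: $dnat (expect 2: ports 80 and 443)"
    echo "FORWARD rule order for $LAN_IP: $order"
    [ "$dnat" -ge 2 ] && [ "$order" = ok ]
}
# --live runs iptables on the UDM Pro itself; otherwise the constructed samples are checked.
if [ "$1" = "--live" ]; then
    FWD=$(iptables -L FORWARD -n -v --line-numbers); NAT=$(iptables -t nat -L -n -v)
else
    FWD=$SAMPLE_FORWARD; NAT=$SAMPLE_NAT
fi
if diagnose "$FWD" "$NAT"; then echo "RESULT: forwarding path looks correct"
else echo "RESULT: fix the findings above in the Web UI, then re-run"; fi
```

Copy it to the UDM Pro and run `sh check.sh --live` after connecting over SSH; without arguments it reports `blocked-first` for the sample, which is exactly the rule-order symptom described under Issue 3.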
---
## Common Issues and Fixes
### Issue 1: Port Forwarding Rules Not in NAT Table
**Symptom**: `iptables -t nat -L` shows no rules for 76.53.10.36

**Fix**:
- Go to UDM Pro Web UI
- Settings → Firewall & Security → Port Forwarding
- Verify rules are **enabled**
- If disabled, enable them
- Save and wait 30 seconds
### Issue 2: Firewall Blocking Traffic
**Symptom**: NAT rules exist but no ACCEPT rules in FORWARD chain

**Fix**:
- Go to UDM Pro Web UI
- Settings → Firewall & Security → Firewall Rules
- Ensure "Allow Port Forward..." rules exist
- Move them to the **top** of the list
- Save and wait 30 seconds
### Issue 3: Rule Order Issue
**Symptom**: Block rules come before allow rules

**Fix**:
- Go to UDM Pro Web UI
- Settings → Firewall & Security → Firewall Rules
- Reorder rules: Allow rules at top, Block rules below
- Save and wait 30 seconds
---
## After Making Changes
1. **Wait 30 seconds** for rules to apply
2. **Re-run diagnosis commands** to verify
3. **Test external access** (from a host outside the LAN):
```bash
curl -v http://76.53.10.36
curl -v https://76.53.10.36
```
---
## Summary
**SSH Access Allows:**
- ✅ View current firewall/port forwarding configuration
- ✅ Diagnose why ports are blocked
- ✅ Verify rule order
- ⚠️ Changes via CLI may not persist (use Web UI for changes)

**Recommended Workflow:**
1. SSH to UDM Pro
2. Run diagnosis commands
3. Identify the issue
4. Make changes via Web UI
5. Verify via SSH again
---
**Next Step**: SSH to UDM Pro and run the diagnosis commands above