d-bis/explorer-monorepo
4
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
43a7b88e2a7981e28cacdcd9715342b781a5f10c
explorer-monorepo/VERIFY_FIREWALL_RULE_ORDER.md

199 lines
5.3 KiB
Markdown
Raw Normal View History

Add full monorepo: virtual-banker, backend, frontend, docs, scripts, deployment Co-authored-by: Cursor <cursoragent@cursor.com>
2026-02-10 11:32:49 -08:00
# Firewall Rule Order Verification
**Date**: 2026-01-21
**Status**: Rules Configured - Need to Verify Order & Status
---
## Confirmed Rules (From UDM Pro Screenshot)
### ✅ Port Forwarding Rules
1. **Nginx HTTPS (76.53.10.36)**
- Type: Port Forwarding
- Action: Translate
- Protocol: TCP
- Source: Any
- Destination: 76.53.10.36
- Port: 443
- Interface: Internet 1
2. **Nginx HTTP (76.53.10.36)**
- Type: Port Forwarding
- Action: Translate
- Protocol: TCP
- Source: Any
- Destination: 76.53.10.36
- Port: 80
- Interface: Internet 1
3. **Nginx Manager (76.53.10.36)**
- Type: Port Forwarding
- Action: Translate
- Protocol: TCP
- Source: Any
- Destination: 76.53.10.36
- Port: 81
- Interface: Internet 1
### ✅ Firewall Allow Rules
1. **Allow Port Forward... (Port 80)**
- Type: Firewall
- Action: Allow
- Protocol: TCP
- Source Zone: External
- Source: Any
- Destination Zone: Internal
- Destination: 192.168.11.166
- Port: 80
2. **Allow Port Forward... (Port 443)**
- Type: Firewall
- Action: Allow
- Protocol: TCP
- Source Zone: External
- Source: Any
- Destination Zone: Internal
- Destination: 192.168.11.166
- Port: 443
3. **Allow Port Forward... (Port 81)**
- Type: Firewall
- Action: Allow
- Protocol: TCP
- Source Zone: External
- Source: Any
- Destination Zone: Internal
- Destination: 192.168.11.166
- Port: 81
---
## Critical Check: Rule Order
**Firewall rules are processed in order from top to bottom.** If a "Block" or "Deny" rule comes BEFORE the "Allow" rules, it will block the traffic.
### What to Check:
1. **In UDM Pro Web UI:**
- Navigate to: **Settings****Firewall & Security****Firewall Rules**
- Look at the **order** of rules
2. **Verify Order:**
- The "Allow Port Forward..." rules should be **ABOVE** any "Block" or "Deny" rules
- If there's a "Block External → Internal" rule, it must come **AFTER** the allow rules
3. **Check for Block Rules:**
- Look for rules with:
- Source Zone: External
- Destination Zone: Internal
- Action: Block / Deny
- If such rules exist, they must be **BELOW** the allow rules
---
## Additional Checks
### 1. Rule Status (Enabled/Disabled)
- Verify all rules show as **"Enabled"** or have a checkmark
- Disabled rules won't work even if configured
### 2. Interface Selection
- Verify port forwarding rules specify **"Internet 1"** (or your active WAN interface)
- If multiple WAN interfaces exist, ensure correct one is selected
### 3. Zone Configuration
- Verify "External" zone includes your WAN interface
- Verify "Internal" zone includes 192.168.11.0/24 network
### 4. NAT Translation
- Port forwarding rules should translate:
- `76.53.10.36:80``192.168.11.166:80`
- `76.53.10.36:443``192.168.11.166:443`
- Verify the "Translate" action is working correctly
---
## Troubleshooting Steps
### Step 1: Check Rule Order
1. Open UDM Pro → Settings → Firewall & Security → Firewall Rules
2. Note the order of all rules
3. Ensure "Allow Port Forward..." rules are **at the top** (or at least above any block rules)
### Step 2: Test Rule Priority
If block rules exist above allow rules:
1. **Option A**: Move allow rules to the top
2. **Option B**: Modify block rules to exclude 192.168.11.166
### Step 3: Verify Rule Application
1. After making changes, **apply/save** the configuration
2. Wait 30-60 seconds for rules to propagate
3. Test external access again
### Step 4: Check Logs
1. UDM Pro → Settings → Logs → Firewall Logs
2. Look for blocked connections to 192.168.11.166:80 or 443
3. This will show if firewall is blocking and which rule is blocking
---
## Expected Rule Order (Ideal)
```
1. Allow Port Forward... (Port 443) ← Should be FIRST
2. Allow Port Forward... (Port 80) ← Should be SECOND
3. Allow Port Forward... (Port 81) ← Should be THIRD
4. [Other allow rules...]
5. [Block rules...] ← Should be AFTER allow rules
```
---
## If Rules Are Correct But Still Not Working
If rule order is correct and rules are enabled, check:
1. **ISP Blocking**: Some ISPs block ports 80/443
- Test from different network/location
- Use port 81 to test (if accessible)
2. **Network Routing**: Verify traffic is reaching UDM Pro
- Check UDM Pro logs for incoming connections
- Verify WAN interface is receiving traffic
3. **NPMplus Binding**: Verify NPMplus is listening on correct interface
- Should be 0.0.0.0 (all interfaces), not 127.0.0.1
4. **Service Status**: Verify NPMplus is actually running
- Check container status
- Check nginx process
---
## Quick Test
After verifying rule order:
```bash
# Test from external location
curl -v --connect-timeout 10 https://explorer.d-bis.org
curl -v --connect-timeout 10 http://explorer.d-bis.org
# Test direct IP
curl -v --connect-timeout 10 https://76.53.10.36
curl -v --connect-timeout 10 http://76.53.10.36
```
---
## Summary
**Rules are configured correctly**, but external access is still timing out. This suggests:
1. **Rule order issue** - Block rules may be before allow rules
2. **Rules not enabled** - Rules may be disabled
3. **ISP blocking** - ISP may be blocking ports 80/443
4. **Network routing** - Traffic may not be reaching UDM Pro
**Next Step**: Verify rule order in UDM Pro firewall rules list.
Reference in New Issue Copy Permalink