# External Access Timeout - Diagnosis & Fix

**Date**: 2026-01-21
**Issue**: ERR_CONNECTION_TIMED_OUT when accessing explorer.d-bis.org
**Status**: ⚠️ **Port Forwarding Configured but Firewall Blocking**

---

## Problem Summary

**Symptoms**:
- ✅ DNS resolves correctly: `explorer.d-bis.org` → `76.53.10.36`
- ✅ Port forwarding rules exist in UDM Pro
- ✅ NPMplus is running and listening on ports 80/443
- ✅ Internal path works (HTTP 200)
- ❌ External access times out (ERR_CONNECTION_TIMED_OUT)

**Root Cause**: UDM Pro firewall is likely blocking WAN → LAN traffic, even though port forwarding rules exist.

---

## Current Status

### ✅ Working Components

1. **DNS**: ✅ Resolves to 76.53.10.36
2. **NPMplus**: ✅ Running, listening on 0.0.0.0:80 and 0.0.0.0:443
3. **NPMplus Config**: ✅ Proxy host configured correctly
4. **VMID 5000**: ✅ Operational, serving HTTP 200
5. **Port Forwarding Rules**: ✅ Exist in UDM Pro:
   - `76.53.10.36:80` → `192.168.11.166:80`
   - `76.53.10.36:443` → `192.168.11.166:443`

### ❌ Issue

**Ports 80 and 443 are NOT reachable from external**:
- Connection to `76.53.10.36:80` → Timeout
- Connection to `76.53.10.36:443` → Timeout

---

## Root Cause Analysis

Port forwarding rules exist, but traffic is being blocked. This is typically due to:

1. **UDM Pro Firewall Rules** blocking WAN → LAN traffic
2. **Port forwarding rules not enabled** (though they appear in the UI)
3. **Zone-based firewall** blocking External → Internal traffic
4. **WAN interface not selected** in port forwarding rules

---

## Solution: Check UDM Pro Firewall Rules

### Step 1: Verify Port Forwarding Rules Are Enabled

In UDM Pro web interface:

1. Navigate to: **Settings** → **Firewall & Security** → **Port Forwarding**
2. Verify the rules show as **"Enabled"** or have a checkmark
3. If disabled, **enable** them:
   - Click on each rule
   - Toggle "Enabled" to ON
   - Save

### Step 2: Check Firewall Rules (WAN → LAN)

UDM Pro may have firewall rules that block incoming WAN traffic. Check:

1. Navigate to: **Settings** → **Firewall & Security** → **Firewall Rules**
2. Look for rules with:
   - **Source**: WAN / External / Internet
   - **Destination**: LAN / Internal / 192.168.11.0/24
   - **Action**: Block / Deny
3. **If blocking rules exist**, you need to either:
   - **Option A**: Add an allow rule BEFORE the block rule:
     - Source: Any (or WAN)
     - Destination: 192.168.11.166
     - Port: 80, 443
     - Action: Allow
     - Place it ABOVE any block rules
   - **Option B**: Modify the block rule to exclude port forwarding:
     - Add exception for destination IP: 192.168.11.166
     - Add exception for ports: 80, 443

### Step 3: Check Zone-Based Firewall (If Enabled)

If UDM Pro uses zone-based firewall:

1. Navigate to: **Settings** → **Firewall & Security** → **Zones**
2. Check **External → Internal** policy:
   - Should be **"Allow"** or **"Allow Return"**
   - If **"Block"**, change to **"Allow"** or add exception
3. Or create specific rule:
   - Source Zone: External
   - Destination Zone: Internal
   - Destination IP: 192.168.11.166
   - Ports: 80, 443
   - Action: Allow

### Step 4: Verify WAN Interface in Port Forwarding

Ensure port forwarding rules specify the correct WAN interface:

1. Edit each port forwarding rule
2. Check **"Interface"** or **"WAN Interface"**:
   - Should be set to your primary WAN interface
   - Or "Any" / "All" if option exists
3. Save changes

---

## Quick Fix Checklist

- [ ] Verify port forwarding rules are **ENABLED**
- [ ] Check firewall rules for **WAN → LAN blocking**
- [ ] Add **allow rule** for 192.168.11.166:80,443 if blocked
- [ ] Check **zone-based firewall** External → Internal policy
- [ ] Verify **WAN interface** in port forwarding rules
- [ ] Test external access after each change

---

## Testing After Fix

### Test 1: Port Reachability

```bash
# From external location
curl -v --connect-timeout 10 https://explorer.d-bis.org
curl -v --connect-timeout 10 http://explorer.d-bis.org
```

### Test 2: Direct IP Test

```bash
# Test direct IP (bypasses DNS)
curl -v --connect-timeout 10 https://76.53.10.36
curl -v --connect-timeout 10 http://76.53.10.36
```

### Test 3: Port Check

```bash
# Check if ports are open
nmap -p 80,443 76.53.10.36
```

---

## Expected Behavior After Fix

Once firewall rules are corrected:

1. **External request** → `76.53.10.36:443`
2. **UDM Pro** → Port forwarding rule matches
3. **Firewall** → Allows traffic (no block rule)
4. **NPMplus** → Receives request on 192.168.11.166:443
5. **NPMplus** → Proxies to 192.168.11.140:80
6. **VMID 5000** → Serves frontend
7. **Response** → HTTP 200 OK

---

## Common UDM Pro Firewall Issues

### Issue 1: Default Deny Policy

**Problem**: UDM Pro may have default "deny all WAN → LAN" policy
**Solution**: Add explicit allow rule for port forwarding destination

### Issue 2: Rule Order

**Problem**: Block rules may be evaluated before port forwarding
**Solution**: Ensure allow rules are placed before block rules

### Issue 3: Zone-Based Firewall

**Problem**: External → Internal zone policy may be blocking
**Solution**: Change policy to "Allow" or add exception

### Issue 4: Interface Selection

**Problem**: Port forwarding rule may not specify correct WAN interface
**Solution**: Verify interface selection in port forwarding rule

---

## Manual Verification Steps

1. **Access UDM Pro Web UI**
   - Navigate to your UDM Pro IP (typically 192.168.1.1 or 192.168.11.1)
2. **Check Port Forwarding Status**
   - Settings → Firewall & Security → Port Forwarding
   - Verify rules are enabled (green checkmark or "Enabled" status)
3. **Check Firewall Rules**
   - Settings → Firewall & Security → Firewall Rules
   - Look for any rules blocking WAN → LAN
   - Check rule order (allow rules should be before block rules)
4. **Check Zone Policies** (if zone-based firewall enabled)
   - Settings → Firewall & Security → Zones
   - Check External → Internal policy
   - Should be "Allow" or "Allow Return"
5. **Test After Changes**
   - Make one change at a time
   - Test external access after each change
   - Document what works

---

## Summary

**All internal components are working correctly.** The issue is UDM Pro firewall blocking external traffic, even though port forwarding rules are configured.

**Action Required**:

1. Verify port forwarding rules are enabled
2. Check and fix UDM Pro firewall rules blocking WAN → LAN
3. Test external access

Once firewall rules are corrected, external access should work immediately.

---

**Status**: ⚠️ **Firewall Configuration Needed**
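
Added example, not part of the original runbook: the tests under "Testing After Fix" show whether a connection succeeds, but the kind of failure also tells you which layer to inspect. This Python script separates a silent drop (timeout) from an active reject (RST) on each forwarded port; `probe`, `diagnose` and `check` are names invented for this example, and the host and ports are the ones this page uses.

```python
import socket
import sys

def probe(host, port, timeout=10.0):
    """One TCP connect attempt: 'open', 'refused', 'filtered' or 'unreachable'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"          # handshake completed end to end
    except ConnectionRefusedError:
        return "refused"           # an RST came back: something answered
    except (socket.timeout, TimeoutError):
        return "filtered"          # SYN got no answer: typical firewall drop
    except OSError:
        return "unreachable"       # DNS failure or no route on the test host

def diagnose(states):
    """Map per-port states to the next thing to check in this runbook."""
    dropped = sorted(p for p, s in states.items() if s == "filtered")
    refused = sorted(p for p, s in states.items() if s == "refused")
    if states and all(s == "open" for s in states.values()):
        return "reachable: forwarding and firewall pass; check NPMplus proxy host next"
    if dropped:
        return (f"dropped on {dropped}: check rule enabled, WAN -> LAN rules, "
                "zone policy and WAN interface (Steps 1-4)")
    if refused:
        return (f"rejected on {refused}: a reject rule fired, or nothing is "
                "listening on the forward target")
    return "unreachable: fix DNS or routing on the testing host first"

def check(host, ports=(80, 443), timeout=10.0):
    """Probe every port and return (states, verdict)."""
    states = {port: probe(host, port, timeout) for port in ports}
    return states, diagnose(states)

if __name__ == "__main__":
    # Default host is the one from this page; pass another as argv[1].
    target = sys.argv[1] if len(sys.argv) > 1 else "explorer.d-bis.org"
    results, verdict = check(target)
    for port, state in results.items():
        print(f"{target}:{port} {state}")
    print(verdict)
```

Run it from a host outside the LAN, as the page's own tests require, and rerun it after each single change so the verdict can be tied to that change.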