# Firewall Rule Order Verification

**Date**: 2026-01-21
**Status**: Rules Configured - Need to Verify Order & Status

---

## Confirmed Rules (From UDM Pro Screenshot)

### ✅ Port Forwarding Rules

1. **Nginx HTTPS (76.53.10.36)**
   - Type: Port Forwarding
   - Action: Translate
   - Protocol: TCP
   - Source: Any
   - Destination: 76.53.10.36
   - Port: 443
   - Interface: Internet 1

2. **Nginx HTTP (76.53.10.36)**
   - Type: Port Forwarding
   - Action: Translate
   - Protocol: TCP
   - Source: Any
   - Destination: 76.53.10.36
   - Port: 80
   - Interface: Internet 1

3. **Nginx Manager (76.53.10.36)**
   - Type: Port Forwarding
   - Action: Translate
   - Protocol: TCP
   - Source: Any
   - Destination: 76.53.10.36
   - Port: 81
   - Interface: Internet 1

**Security note**: port 81 is the NPMplus admin UI, not a proxied site. Forwarding it with Source "Any" exposes the management login to the whole internet. Keep that rule only while testing, and restrict its Source to known addresses (or disable it) once ports 80/443 work.

### ✅ Firewall Allow Rules

1. **Allow Port Forward... (Port 80)**
   - Type: Firewall
   - Action: Allow
   - Protocol: TCP
   - Source Zone: External
   - Source: Any
   - Destination Zone: Internal
   - Destination: 192.168.11.166
   - Port: 80

2. **Allow Port Forward... (Port 443)**
   - Type: Firewall
   - Action: Allow
   - Protocol: TCP
   - Source Zone: External
   - Source: Any
   - Destination Zone: Internal
   - Destination: 192.168.11.166
   - Port: 443

3. **Allow Port Forward... (Port 81)**
   - Type: Firewall
   - Action: Allow
   - Protocol: TCP
   - Source Zone: External
   - Source: Any
   - Destination Zone: Internal
   - Destination: 192.168.11.166
   - Port: 81

---

## Critical Check: Rule Order

**Firewall rules are processed in order from top to bottom, and the first matching rule wins.** If a "Block" or "Deny" rule that matches External → Internal traffic to 192.168.11.166 sits BEFORE the "Allow" rules, the allow rules are never reached and the traffic is dropped. A silent drop looks like a connection timeout from outside, which is exactly the symptom being seen.

### What to Check:

1. **In UDM Pro Web UI:**
   - Navigate to: **Settings** → **Firewall & Security** → **Firewall Rules**
   - Look at the **order** of rules

2. **Verify Order:**
   - The "Allow Port Forward..." rules should be **ABOVE** any "Block" or "Deny" rule that could match the same traffic
   - If there's a "Block External → Internal" rule, it must come **AFTER** the allow rules

3. **Check for Block Rules:**
   - Look for rules with:
     - Source Zone: External
     - Destination Zone: Internal
     - Action: Block / Deny
   - If such rules exist, they must be **BELOW** the allow rules

---

## Additional Checks

### 1. Rule Status (Enabled/Disabled)
- Verify all rules show as **"Enabled"** or have a checkmark
- Disabled rules won't work even if configured correctly; a disabled allow rule behaves exactly as if it were missing

### 2. Interface Selection
- Verify port forwarding rules specify **"Internet 1"** (or your active WAN interface)
- If multiple WAN interfaces exist, ensure the correct one is selected

### 3. Zone Configuration
- Verify the "External" zone includes your WAN interface
- Verify the "Internal" zone includes the 192.168.11.0/24 network

### 4. NAT Translation
- Port forwarding rules should translate:
  - `76.53.10.36:80` → `192.168.11.166:80`
  - `76.53.10.36:443` → `192.168.11.166:443`
  - `76.53.10.36:81` → `192.168.11.166:81`
- Verify the "Translate" action is working correctly

---

## Troubleshooting Steps

### Step 1: Check Rule Order
1. Open UDM Pro → Settings → Firewall & Security → Firewall Rules
2. Note the order of all rules
3. Ensure the "Allow Port Forward..." rules are **at the top** (or at least above any block rules)

### Step 2: Test Rule Priority
If block rules exist above the allow rules:
1. **Option A**: Move the allow rules above them
2. **Option B**: Narrow the block rules so they no longer match 192.168.11.166 on ports 80, 443 and 81

### Step 3: Verify Rule Application
1. After making changes, **apply/save** the configuration
2. Wait 30-60 seconds for the rules to propagate
3. Test external access again, from a network outside the LAN (a test from inside the LAN against the public IP exercises NAT hairpinning, not the WAN-side rules)

### Step 4: Check Logs
1. UDM Pro → Settings → Logs → Firewall Logs
2. Look for blocked connections to 192.168.11.166:80, 443 or 81
3. This shows whether the firewall is blocking and which rule is blocking. A block rule only produces entries if logging is enabled on it, so turn logging on temporarily if the log is empty

---

## Expected Rule Order (Ideal)

```
1. Allow Port Forward... (Port 443)   ← allow rules first
2. Allow Port Forward... (Port 80)      (their order relative to each other does not matter)
3. Allow Port Forward... (Port 81)
4. [Other allow rules...]
5. [Block rules...]                   ← must come AFTER the allow rules
```

---

## If Rules Are Correct But Still Not Working

If the rule order is correct and the rules are enabled, check:

1. **ISP Blocking**: Some residential ISPs block inbound 80/443
   - Test from a different network/location
   - Use port 81 to test (if accessible): if 81 connects but 80/443 time out, the rules and NAT work and the ISP is filtering
2. **Network Routing**: Verify traffic is reaching the UDM Pro
   - Check UDM Pro logs for incoming connections
   - Verify the WAN interface is receiving traffic and actually holds 76.53.10.36 (a changed or carrier-NAT address times out the same way)
3. **NPMplus Binding**: Verify NPMplus is listening on the correct interface
   - Should be 0.0.0.0 (all interfaces), not 127.0.0.1
   - A wrong binding produces "connection refused", not a timeout, so this is unlikely to be the cause of the current symptom
4. **Service Status**: Verify NPMplus is actually running
   - Check the container status
   - Check the nginx process

---

## Quick Test

After verifying the rule order:

```bash
# Run from an external location, not from inside the LAN.
# curl exit codes worth distinguishing:
#   28 = connection timed out  -> packets dropped or never arriving (firewall drop, ISP filter, routing)
#    7 = connection refused    -> the TCP path works but nothing accepted the connection
#   60 = TLS certificate error -> TCP and TLS reached nginx (expected for the raw-IP HTTPS test without -k)
curl -v --connect-timeout 10 https://explorer.d-bis.org
curl -v --connect-timeout 10 http://explorer.d-bis.org

# Test the direct IP (-k because the certificate is issued for the hostname, not the IP)
curl -vk --connect-timeout 10 https://76.53.10.36
curl -v --connect-timeout 10 http://76.53.10.36
```

---

## Summary

**Rules are configured correctly**, but external access is still timing out. A timeout (rather than a refusal) points at packets being dropped or never arriving, which narrows it to:

1. **Rule order issue** - Block rules may be before the allow rules
2. **Rules not enabled** - Rules may be disabled
3. **ISP blocking** - The ISP may be blocking ports 80/443
4. **Network routing** - Traffic may not be reaching the UDM Pro

**Next Step**: Verify the rule order in the UDM Pro firewall rules list.
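The following is an added example for the "Critical Check: Rule Order" and "Expected Rule Order" sections; it is not UniFi code and not part of the original note. It models the three "Allow Port Forward..." rules from this page (names kept as truncated on the page) plus one hypothetical "Block External -> Internal" rule of the kind the page says to look for, then evaluates constructed flows with the generic semantics the page describes: top to bottom, first match wins, disabled rules never match. The default policy for an unmatched flow is an assumption passed in as an argument, not a statement about how UniFi behaves.

```python
"""First-match evaluation of a zone-based rule list (added example, not UniFi code)."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                          # "allow" or "block"
    src_zone: str                        # zone name, or "*" for any zone
    dst_zone: str
    dst: str = "any"                     # host, CIDR, or "any"
    ports: frozenset[int] | None = None  # None matches every port
    proto: str = "tcp"                   # "tcp", "udp" or "*"
    enabled: bool = True                 # an unchecked rule in the UI

    def matches(self, flow: "Flow") -> bool:
        if not self.enabled:
            return False
        if self.src_zone not in ("*", flow.src_zone) or self.dst_zone not in ("*", flow.dst_zone):
            return False
        if self.proto not in ("*", flow.proto):
            return False
        if self.dst != "any" and ipaddress.ip_address(flow.dst_ip) not in ipaddress.ip_network(self.dst, strict=False):
            return False
        return self.ports is None or flow.port in self.ports


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    dst_ip: str
    port: int
    proto: str = "tcp"


def evaluate(rules: list[Rule], flow: Flow, default: str = "block") -> tuple[str, str]:
    """Walk the list top to bottom and return (action, rule name) of the first match."""
    for rule in rules:
        if rule.matches(flow):
            return rule.action, rule.name
    return default, "<default policy>"   # assumed default when nothing matches


def shadowed_allows(rules: list[Rule], probes: list[Flow]) -> dict[str, str]:
    """Allow rules that lose to an earlier block rule for a probe flow they would otherwise match.

    Returns {allow rule name: name of the block rule that wins instead}.
    """
    shadowed: dict[str, str] = {}
    for rule in rules:
        if rule.action != "allow" or not rule.enabled:
            continue
        for flow in probes:
            if not rule.matches(flow):
                continue
            winner = next(r for r in rules if r.matches(flow))
            if winner is not rule and winner.action == "block":
                shadowed.setdefault(rule.name, winner.name)
    return shadowed


def with_disabled(rules: list[Rule], name: str) -> list[Rule]:
    """Copy of the list with the named rule switched off (the page's "Rule Status" check)."""
    return [replace(r, enabled=False) if r.name == name else r for r in rules]


NPM_HOST = "192.168.11.166"   # NPMplus host from the page

ALLOW_RULES = [
    Rule(f"Allow Port Forward... (Port {p})", "allow", "External", "Internal", NPM_HOST, frozenset({p}))
    for p in (80, 443, 81)
]
# Hypothetical catch-all block rule of the kind the page says to look for.
BLOCK_EXT_INT = Rule("Block External -> Internal (hypothetical)", "block", "External", "Internal")

BAD_ORDER = [BLOCK_EXT_INT, *ALLOW_RULES]    # block above the allows: the allows are dead
GOOD_ORDER = [*ALLOW_RULES, BLOCK_EXT_INT]   # the page's "ideal" order

# Constructed probe flows: the three forwarded ports, plus SSH which should stay blocked either way.
PROBES = [Flow("External", "Internal", NPM_HOST, p) for p in (80, 443, 81, 22)]


if __name__ == "__main__":
    for label, rules in (("BAD_ORDER", BAD_ORDER), ("GOOD_ORDER", GOOD_ORDER)):
        print(label)
        for flow in PROBES:
            action, by = evaluate(rules, flow)
            print(f"  {flow.dst_ip}:{flow.port:<4} -> {action:<5} by {by}")
        print("  shadowed allows:", shadowed_allows(rules, PROBES) or "none")
    print("443 with its allow disabled:",
          evaluate(with_disabled(GOOD_ORDER, "Allow Port Forward... (Port 443)"), PROBES[1]))
```

Running it prints every forwarded port as blocked by the hypothetical rule in `BAD_ORDER` and allowed in `GOOD_ORDER`, while port 22 stays blocked in both, which is the point of putting the block after the allows rather than deleting it. `shadowed_allows` is the check to reproduce by eye in the UI: any allow rule it reports is one a block above it has made unreachable.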
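The following is an added example for the "Quick Test" and "If Rules Are Correct But Still Not Working" sections; it is not NPMplus, curl or UniFi code and is not part of the original note. curl reports the same outcomes through its exit codes; this probe names them directly (timeout, refused, open) and maps a set of results onto the page's decision list, so a timeout on every port is not confused with a refused connection, which would point at the NPMplus host instead of the firewall. The target defaults to the page's WAN address and forwarded ports (76.53.10.36, ports 80/443/81) and must be run from outside the LAN to say anything about the WAN-side rules; `local_demo()` exercises the classifier offline against a throw-away listener on 127.0.0.1. The diagnosis strings are this example's own wording of the page's list, not output from any tool.

```python
"""TCP reachability probe with outcome classification (added example, not NPMplus/curl/UniFi code)."""
import socket
from dataclasses import dataclass

PAGE_HOST = "76.53.10.36"      # WAN address from the page
PAGE_PORTS = (80, 443, 81)     # forwarded ports from the page


@dataclass(frozen=True)
class ProbeResult:
    host: str
    port: int
    state: str      # "open", "refused", "timeout" or "unreachable"
    detail: str


def probe_tcp(host: str, port: int, timeout: float = 5.0) -> ProbeResult:
    """Attempt a TCP handshake and classify what came back."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return ProbeResult(host, port, "open", "SYN/ACK received, handshake completed")
    except socket.timeout:
        # No answer at all: a silent firewall drop, ISP filtering, or packets never reaching the WAN.
        return ProbeResult(host, port, "timeout", "no response within %.1fs" % timeout)
    except ConnectionRefusedError:
        # An RST came back: the host is reachable but nothing accepted (closed port or a reject rule).
        return ProbeResult(host, port, "refused", "RST received")
    except OSError as exc:
        # Routing or name-resolution problems on the probing machine itself.
        return ProbeResult(host, port, "unreachable", str(exc))


def diagnose(states: dict) -> str:
    """Map {port: state} onto the page's troubleshooting list."""
    values = list(states.values())
    if all(s == "open" for s in values):
        return "all ports open: NAT, firewall order and NPMplus are fine from this vantage point"
    if states.get(81) == "open" and any(states.get(p) == "timeout" for p in (80, 443)):
        return "81 open but 80/443 time out: rules and NAT work, ISP is most likely filtering 80/443"
    if all(s == "timeout" for s in values):
        return "everything times out: block rule above the allows, traffic not reaching the UDM Pro, or wrong WAN address"
    if any(s == "refused" for s in values):
        return "connection refused: packets arrive at a host, check NPMplus binding (0.0.0.0) and container status"
    return "mixed results: compare with the firewall log"


def probe_and_diagnose(host: str = PAGE_HOST, ports=PAGE_PORTS, timeout: float = 5.0):
    """Probe every port once and return (results, one-line verdict)."""
    results = [probe_tcp(host, p, timeout) for p in ports]
    return results, diagnose({r.port: r.state for r in results})


def local_demo() -> tuple:
    """Offline check of the classifier: a listening port on 127.0.0.1, then the same port after it is closed."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))          # ephemeral port, no external traffic involved
    srv.listen(1)
    port = srv.getsockname()[1]
    open_state = probe_tcp("127.0.0.1", port, timeout=2.0).state
    srv.close()
    closed_state = probe_tcp("127.0.0.1", port, timeout=2.0).state
    return open_state, closed_state


if __name__ == "__main__":
    print("offline classifier check:", local_demo())
    results, verdict = probe_and_diagnose()
    for r in results:
        print(f"{r.host}:{r.port:<4} {r.state:<11} {r.detail}")
    print(verdict)
```

Run it from a phone hotspot or another network, not from the LAN. If the raw TCP probe shows all three ports open but the browser still fails, the firewall and NAT are no longer the problem and the fault lies in NPMplus (certificate, proxy host, or the admin UI's own bind address).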