# UDM Pro Fix Required - Root Cause Identified

**Date**: 2026-01-21

**Status**: ❌ **CRITICAL ISSUES FOUND**

---

## Diagnosis Results

### ❌ Issue 1: Port Forwarding Rules NOT Active

- **Problem**: No DNAT rules found in NAT table for 76.53.10.36
- **Impact**: Port forwarding rules exist in Web UI but are NOT actually active
- **Result**: External traffic cannot reach NPMplus

### ❌ Issue 2: Firewall Rules Missing

- **Problem**: No firewall rules found for 192.168.11.166
- **Impact**: Even if port forwarding worked, firewall would block traffic
- **Result**: Traffic would be dropped by firewall

---

## Root Cause

**Port forwarding rules are configured in the Web UI but NOT active in the firewall/NAT table.**

This means:

1. Rules exist in configuration
2. Rules are NOT enabled/applied
3. Rules need to be enabled and saved

---

## Fix Steps

### Step 1: Enable Port Forwarding Rules

1. **Access UDM Pro Web UI**
   - Navigate to: `https://192.168.11.1` (or your UDM Pro IP)
   - Login with admin credentials

2. **Go to Port Forwarding**
   - Click: **Settings** → **Firewall & Security** → **Port Forwarding**

3. **Verify and Enable Rules**
   - Find these rules:
     - **Nginx HTTP (76.53.10.36)** - Port 80
     - **Nginx HTTPS (76.53.10.36)** - Port 443
   - **Check that they are ENABLED** (toggle should be ON, or checkbox checked)
   - If disabled, **enable them**
   - **Save/Apply** changes

4. **Wait 30 seconds** for rules to apply

### Step 2: Verify Firewall Allow Rules

1. **Go to Firewall Rules**
   - Click: **Settings** → **Firewall & Security** → **Firewall Rules**

2. **Check for Allow Rules**
   - Look for rules named "Allow Port Forward..." or similar
   - Should allow:
     - External → Internal (192.168.11.166:80)
     - External → Internal (192.168.11.166:443)

3. **If Rules Don't Exist, Add Them**
   - Click **Add Rule** or **Create New Rule**
   - Configure:
     - **Name**: Allow Port Forward HTTP
     - **Action**: Allow
     - **Protocol**: TCP
     - **Source Zone**: External
     - **Source**: Any
     - **Destination Zone**: Internal
     - **Destination**: 192.168.11.166
     - **Port**: 80
   - Repeat for port 443
   - **Save**

4. **Verify Rule Order**
   - Allow rules should be **at the TOP** of the list
   - Any block rules should be **below** allow rules
   - If needed, reorder rules (drag and drop or use up/down arrows)

5. **Save and wait 30 seconds**

### Step 3: Verify Fix

After making changes, verify they're active:

```bash
# SSH to UDM Pro
ssh OQmQuS@192.168.11.1

# Check NAT rules (should show DNAT rules now)
sudo iptables -t nat -L PREROUTING -n -v | grep "76.53.10.36"

# Check firewall rules (should show ACCEPT rules now)
sudo iptables -L FORWARD -n -v | grep "192.168.11.166"
```

### Step 4: Test External Access

```bash
# Test HTTP
curl -v http://76.53.10.36

# Test HTTPS
curl -v https://76.53.10.36

# Test domain
curl -v http://explorer.d-bis.org
curl -v https://explorer.d-bis.org
```

---

## Expected Results After Fix

### NAT Table Should Show:

```
DNAT  tcp  --  0.0.0.0/0  76.53.10.36  tcp dpt:80 to:192.168.11.166:80
DNAT  tcp  --  0.0.0.0/0  76.53.10.36  tcp dpt:443 to:192.168.11.166:443
```

### Firewall Should Show:

```
ACCEPT  tcp  --  0.0.0.0/0  192.168.11.166  tcp dpt:80
ACCEPT  tcp  --  0.0.0.0/0  192.168.11.166  tcp dpt:443
```

### External Access Should:

- ✅ Respond to HTTP requests
- ✅ Respond to HTTPS requests
- ✅ Serve explorer.d-bis.org correctly

---

## Summary

**Root Cause**: Port forwarding and firewall rules are configured but NOT enabled/active

**Fix**:

1. Enable port forwarding rules in Web UI
2. Verify/add firewall allow rules
3. Ensure rule order is correct (allow before block)
4. Save and wait for rules to apply

**After Fix**: External access should work immediately

---

**Status**: ⚠️ **FIX REQUIRED - Rules need to be enabled in Web UI**
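
The Step 3 check and the rule-order requirement from Step 2, as an added example that is not part of the original runbook: it compares whole fields instead of grepping (so `dpt:443` does not match `dpt:8443`) and reports whether the first FORWARD rule covering each port is an allow or a block. The function names `has_dnat` and `forward_verdict` are hypothetical, the sample listings are constructed, and only rules that name 192.168.11.166 directly are considered (not blanket rules or jumps to other chains).

```bash
# Added example: verify the rules this page expects in saved iptables listings.
WAN_IP="76.53.10.36"; LAN_IP="192.168.11.166"

# has_dnat LISTING PORT -> exit 0 if a DNAT rule maps WAN_IP:PORT to LAN_IP:PORT.
# Fields are compared exactly, so a rule for dpt:8443 never satisfies port 443.
has_dnat() {
  printf '%s\n' "$1" | awk -v wan="$WAN_IP" -v dpt="dpt:$2" -v to="to:$LAN_IP:$2" '
    { d = w = p = t = 0
      for (i = 1; i <= NF; i++) {
        if ($i == "DNAT") d = 1; if ($i == wan) w = 1
        if ($i == dpt) p = 1;    if ($i == to) t = 1
      }
      if (d && w && p && t) found = 1 }
    END { exit !found }'
}

# forward_verdict LISTING PORT -> prints allowed, blocked or missing.
# The first rule that names LAN_IP and covers PORT (or all ports) decides,
# which is why an allow rule placed below a block rule has no effect.
forward_verdict() {
  printf '%s\n' "$1" | awk -v lan="$LAN_IP" -v dpt="dpt:$2" '
    { hit = port = 0; anyport = 1; verdict = ""
      for (i = 1; i <= NF; i++) {
        if ($i == lan) hit = 1
        if ($i == dpt) port = 1
        if ($i ~ /^dpt:/) anyport = 0
        if (verdict == "" && $i ~ /^(ACCEPT|DROP|REJECT)$/) verdict = $i
      }
      if (hit && (port || anyport) && verdict != "") {
        print (verdict == "ACCEPT" ? "allowed" : "blocked"); seen = 1; exit }
    }
    END { if (!seen) print "missing" }'
}

# Constructed sample listings in "iptables -L -n -v" layout (not from a real device).
SAMPLE_NAT='    0     0 DNAT  tcp  --  *  *  0.0.0.0/0  76.53.10.36  tcp dpt:80 to:192.168.11.166:80
    0     0 DNAT  tcp  --  *  *  0.0.0.0/0  76.53.10.36  tcp dpt:8443 to:192.168.11.166:8443'
SAMPLE_FWD='    0     0 ACCEPT  tcp  --  *  *  0.0.0.0/0  192.168.11.166  tcp dpt:80
    0     0 DROP    all  --  *  *  0.0.0.0/0  192.168.11.166
    0     0 ACCEPT  tcp  --  *  *  0.0.0.0/0  192.168.11.166  tcp dpt:443'

for port in 80 443; do
  if has_dnat "$SAMPLE_NAT" "$port"; then nat=present; else nat=MISSING; fi
  echo "port $port: DNAT $nat, FORWARD $(forward_verdict "$SAMPLE_FWD" "$port")"
done
```

On the gateway, pass live output in place of the samples, for example `has_dnat "$(sudo iptables -t nat -L PREROUTING -n -v)" 443`.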