199 lines
5.3 KiB
Markdown
199 lines
5.3 KiB
Markdown
# Firewall Rule Order Verification
|
|
|
|
**Date**: 2026-01-21
|
|
**Status**: Rules Configured - Need to Verify Order & Status
|
|
|
|
---
|
|
|
|
## Confirmed Rules (From UDM Pro Screenshot)
|
|
|
|
### ✅ Port Forwarding Rules
|
|
1. **Nginx HTTPS (76.53.10.36)**
|
|
- Type: Port Forwarding
|
|
- Action: Translate
|
|
- Protocol: TCP
|
|
- Source: Any
|
|
- Destination: 76.53.10.36
|
|
- Port: 443
|
|
- Interface: Internet 1
|
|
|
|
2. **Nginx HTTP (76.53.10.36)**
|
|
- Type: Port Forwarding
|
|
- Action: Translate
|
|
- Protocol: TCP
|
|
- Source: Any
|
|
- Destination: 76.53.10.36
|
|
- Port: 80
|
|
- Interface: Internet 1
|
|
|
|
3. **Nginx Manager (76.53.10.36)**
|
|
- Type: Port Forwarding
|
|
- Action: Translate
|
|
- Protocol: TCP
|
|
- Source: Any
|
|
- Destination: 76.53.10.36
|
|
- Port: 81
|
|
- Interface: Internet 1
|
|
|
|
### ✅ Firewall Allow Rules
|
|
1. **Allow Port Forward... (Port 80)**
|
|
- Type: Firewall
|
|
- Action: Allow
|
|
- Protocol: TCP
|
|
- Source Zone: External
|
|
- Source: Any
|
|
- Destination Zone: Internal
|
|
- Destination: 192.168.11.166
|
|
- Port: 80
|
|
|
|
2. **Allow Port Forward... (Port 443)**
|
|
- Type: Firewall
|
|
- Action: Allow
|
|
- Protocol: TCP
|
|
- Source Zone: External
|
|
- Source: Any
|
|
- Destination Zone: Internal
|
|
- Destination: 192.168.11.166
|
|
- Port: 443
|
|
|
|
3. **Allow Port Forward... (Port 81)**
|
|
- Type: Firewall
|
|
- Action: Allow
|
|
- Protocol: TCP
|
|
- Source Zone: External
|
|
- Source: Any
|
|
- Destination Zone: Internal
|
|
- Destination: 192.168.11.166
|
|
- Port: 81
|
|
|
|
---
|
|
|
|
## Critical Check: Rule Order
|
|
|
|
**Firewall rules are processed in order from top to bottom.** If a "Block" or "Deny" rule comes BEFORE the "Allow" rules, it will block the traffic.
|
|
|
|
### What to Check:
|
|
|
|
1. **In UDM Pro Web UI:**
|
|
- Navigate to: **Settings** → **Firewall & Security** → **Firewall Rules**
|
|
- Look at the **order** of rules
|
|
|
|
2. **Verify Order:**
|
|
- The "Allow Port Forward..." rules should be **ABOVE** any "Block" or "Deny" rules
|
|
- If there's a "Block External → Internal" rule, it must come **AFTER** the allow rules
|
|
|
|
3. **Check for Block Rules:**
|
|
- Look for rules with:
|
|
- Source Zone: External
|
|
- Destination Zone: Internal
|
|
- Action: Block / Deny
|
|
- If such rules exist, they must be **BELOW** the allow rules
|
|
|
|
---
|
|
|
|
## Additional Checks
|
|
|
|
### 1. Rule Status (Enabled/Disabled)
|
|
- Verify all rules show as **"Enabled"** or have a checkmark
|
|
- Disabled rules won't work even if configured
|
|
|
|
### 2. Interface Selection
|
|
- Verify port forwarding rules specify **"Internet 1"** (or your active WAN interface)
|
|
- If multiple WAN interfaces exist, ensure correct one is selected
|
|
|
|
### 3. Zone Configuration
|
|
- Verify "External" zone includes your WAN interface
|
|
- Verify "Internal" zone includes 192.168.11.0/24 network
|
|
|
|
### 4. NAT Translation
|
|
- Port forwarding rules should translate:
|
|
- `76.53.10.36:80` → `192.168.11.166:80`
|
|
- `76.53.10.36:443` → `192.168.11.166:443`
|
|
- Verify the "Translate" action is working correctly
|
|
|
|
---
|
|
|
|
## Troubleshooting Steps
|
|
|
|
### Step 1: Check Rule Order
|
|
1. Open UDM Pro → Settings → Firewall & Security → Firewall Rules
|
|
2. Note the order of all rules
|
|
3. Ensure "Allow Port Forward..." rules are **at the top** (or at least above any block rules)
|
|
|
|
### Step 2: Test Rule Priority
|
|
If block rules exist above allow rules:
|
|
1. **Option A**: Move allow rules to the top
|
|
2. **Option B**: Modify block rules to exclude 192.168.11.166
|
|
|
|
### Step 3: Verify Rule Application
|
|
1. After making changes, **apply/save** the configuration
|
|
2. Wait 30-60 seconds for rules to propagate
|
|
3. Test external access again
|
|
|
|
### Step 4: Check Logs
|
|
1. UDM Pro → Settings → Logs → Firewall Logs
|
|
2. Look for blocked connections to 192.168.11.166:80 or 443
|
|
3. This will show if firewall is blocking and which rule is blocking
|
|
|
|
---
|
|
|
|
## Expected Rule Order (Ideal)
|
|
|
|
```
|
|
1. Allow Port Forward... (Port 443) ← Should be FIRST
|
|
2. Allow Port Forward... (Port 80) ← Should be SECOND
|
|
3. Allow Port Forward... (Port 81) ← Should be THIRD
|
|
4. [Other allow rules...]
|
|
5. [Block rules...] ← Should be AFTER allow rules
|
|
```
|
|
|
|
---
|
|
|
|
## If Rules Are Correct But Still Not Working
|
|
|
|
If rule order is correct and rules are enabled, check:
|
|
|
|
1. **ISP Blocking**: Some ISPs block ports 80/443
|
|
- Test from different network/location
|
|
- Use port 81 to test (if accessible)
|
|
|
|
2. **Network Routing**: Verify traffic is reaching UDM Pro
|
|
- Check UDM Pro logs for incoming connections
|
|
- Verify WAN interface is receiving traffic
|
|
|
|
3. **NPMplus Binding**: Verify NPMplus is listening on correct interface
|
|
- Should be 0.0.0.0 (all interfaces), not 127.0.0.1
|
|
|
|
4. **Service Status**: Verify NPMplus is actually running
|
|
- Check container status
|
|
- Check nginx process
|
|
|
|
---
|
|
|
|
## Quick Test
|
|
|
|
After verifying rule order:
|
|
|
|
```bash
|
|
# Test from external location
|
|
curl -v --connect-timeout 10 https://explorer.d-bis.org
|
|
curl -v --connect-timeout 10 http://explorer.d-bis.org
|
|
|
|
# Test direct IP
|
|
curl -v --connect-timeout 10 https://76.53.10.36
|
|
curl -v --connect-timeout 10 http://76.53.10.36
|
|
```
|
|
|
|
---
|
|
|
|
## Summary
|
|
|
|
**Rules are configured correctly**, but external access is still timing out. This suggests:
|
|
|
|
1. **Rule order issue** - Block rules may be before allow rules
|
|
2. **Rules not enabled** - Rules may be disabled
|
|
3. **ISP blocking** - ISP may be blocking ports 80/443
|
|
4. **Network routing** - Traffic may not be reaching UDM Pro
|
|
|
|
**Next Step**: Verify rule order in UDM Pro firewall rules list.
|