# External Network Test Report (Tethering Active)

- **Date**: 2026-01-21
- **Test Environment**: External Network (Mobile Tethering)
- **Public IP**: 76.53.10.36

---

## Test Results Summary

| Test | Status | Details |
|------|--------|---------|
| DNS Resolution | ✅ PASS | explorer.d-bis.org → 76.53.10.36 |
| TCP Connection (HTTPS) | ⚠️ PARTIAL | Connects but SSL handshake times out |
| TCP Connection (HTTP) | ⚠️ PARTIAL | Connects but response times out |
| Public IP Direct | ⚠️ PARTIAL | Connects but response times out |
| Frontend Content | ❌ FAIL | No content received |
| API Endpoint | ❌ FAIL | Not accessible |
| NPMplus Container | ✅ PASS | Running |
| VMID 5000 Container | ✅ PASS | Running |
| UDM Pro SSH | ⚠️ WARN | Unreachable from external (expected) |

---

## Critical Findings

### ✅ Progress: TCP Connections Are Being Established

**Key Discovery**: Unlike previous tests, TCP connections ARE now being established:

- ✅ Can connect to port 80 (HTTP)
- ✅ Can connect to port 443 (HTTPS)
- ✅ DNS resolution works
- ✅ TCP handshake completes

**This indicates port forwarding rules may be partially active or there's a different issue.**

### ❌ Problem: Connections Time Out After Establishment

**Issue**: After the TCP connection is established:

- HTTP: Connection established but no response received (timeout after 15s)
- HTTPS: SSL handshake times out
- No data is being returned

**Possible Causes:**

1. **Port forwarding rules are active but incomplete**
   - DNAT may be working (allowing connection)
   - But return path may be blocked
   - Or firewall rules may be blocking responses
2. **Firewall rules blocking return traffic**
   - UDM Pro may allow incoming connections
   - But may block outgoing responses
   - Need to check FORWARD chain rules
3. **NPMplus not responding to external connections**
   - May only be listening on internal interface
   - May have firewall rules blocking external IPs
   - May need to check NPMplus configuration
4. **Asymmetric routing issue**
   - Traffic coming in via UDM Pro
   - But responses trying to go out a different path
   - Need proper routing configuration

---

## Detailed Test Results
### 1. DNS Resolution ✅
```
explorer.d-bis.org → 76.53.10.36
```
**Status**: Working correctly
### 2. HTTPS Connection (Port 443) ⚠️
```
* Connected to explorer.d-bis.org (76.53.10.36) port 443
* SSL connection timeout
```
**Status**: TCP connection established, but SSL handshake times out
### 3. HTTP Connection (Port 80) ⚠️
```
* Connected to explorer.d-bis.org (76.53.10.36) port 80
* Operation timed out after 15003 milliseconds with 0 bytes received
```
**Status**: TCP connection established, but no HTTP response received
### 4. Public IP Direct ⚠️
```
* Connected to 76.53.10.36 (76.53.10.36) port 80
* Operation timed out after 15002 milliseconds with 0 bytes received
```
**Status**: Same behavior as domain name - confirms issue is at network level
### 5. Frontend Content ❌
**Status**: No HTML content received
### 6. API Endpoint ❌
**Status**: Not accessible
### 7. Internal Components ✅
- NPMplus (VMID 10233): Running
- VMID 5000: Running
---
## Diagnosis
### What's Working
1. ✅ DNS resolution
2. ✅ TCP connection establishment (ports 80/443)
3. ✅ Internal services running
4. ✅ Port forwarding appears to be allowing connections
### What's Not Working
1. ❌ No data/response after connection established
2. ❌ SSL handshake fails
3. ❌ HTTP requests time out
4. ❌ No content returned
### Root Cause Analysis
**Most Likely Issue**: **Firewall rules blocking return traffic**
The fact that TCP connections are established but no data flows suggests:
- Port forwarding (DNAT) is working (allowing connections)
- But firewall rules are blocking the return path
- Or NPMplus is not configured to accept connections from external IPs
---
## Recommended Fixes
### Priority 1: Check UDM Pro Firewall Rules
**Action**: Verify firewall rules allow return traffic

1. Access UDM Pro Web UI (from internal network)
2. Go to: Settings → Firewall & Security → Firewall Rules
3. Check for rules that:
   - Allow traffic FROM 192.168.11.166 (NPMplus)
   - Allow traffic TO 192.168.11.166:80/443
   - Are placed BEFORE any deny rules
4. Verify "Allow Port Forward..." rules exist and are enabled

### Priority 2: Check NPMplus Configuration
**Action**: Verify NPMplus accepts external connections
```bash
# Check if NPMplus is listening on all interfaces
ssh root@192.168.11.10 "ssh root@r630-01 'pct exec 10233 -- ss -tlnp | grep -E \":80 |:443 \"'"
# Check NPMplus logs for connection attempts
ssh root@192.168.11.10 "ssh root@r630-01 'pct exec 10233 -- docker logs npmplus --tail 50'"
```
### Priority 3: Verify Port Forwarding Rules Are Active
**Action**: Check if DNAT rules are actually in NAT table
```bash
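# Export SSHPASS in the shell first; `sshpass -e` reads the password from that
# variable, keeping it out of the command line, this file and shell history.
sshpass -e ssh OQmQuS@192.168.11.1 \
  "sudo iptables -t nat -L PREROUTING -n -v | grep '76.53.10.36'"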
```
If no rules found, enable them in UDM Pro Web UI.
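
The Priority 1 checklist (traffic to and from 192.168.11.166, allow rules placed before deny rules) can also be checked against the iptables rules themselves. The script below is an added example, not part of the original report: it reads `iptables -S` style text and reports the first matching FORWARD verdict for each DNAT target in both directions. The rule sets are constructed samples and `audit_forward` is a hypothetical helper name.

```bash
# Added example. Simplified matcher: looks only at -s, -d, --sport, --dport,
# --ctstate/--state and -j; it ignores interfaces, negation and user chains.

# Constructed sample shaped like `iptables -t nat -S PREROUTING` output.
NAT_RULES='-A PREROUTING -d 76.53.10.36/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.11.166:80
-A PREROUTING -d 76.53.10.36/32 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.11.166:443'
# Constructed sample shaped like `iptables -S FORWARD` output (not the UDM Pro ruleset).
FWD_RULES='-A FORWARD -d 192.168.11.166/32 -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -s 192.168.11.166/32 -p tcp -m tcp --sport 80 -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A FORWARD -j DROP'

audit_forward() {   # $1 = nat rules, $2 = FORWARD rules
  printf '%s\n---\n%s\n' "$1" "$2" | awk '
    function opt(name,   i) {   # value that follows option `name`, or ""
      for (i = 1; i < NF; i++) if ($i == name) return $(i + 1)
      return ""
    }
    function host(v, ip) { return v == "" || v == ip || v == (ip "/32") }
    $0 == "---" { fwd = 1; next }
    !fwd {                       # nat section: collect DNAT targets as ip:port
      t = opt("--to-destination")
      if (opt("-j") == "DNAT" && t != "") tgt[++n] = t
      next
    }
    {                            # FORWARD section: first matching verdict wins
      j = opt("-j"); if (j != "ACCEPT" && j != "DROP" && j != "REJECT") next
      st = opt("--ctstate"); if (st == "") st = opt("--state")
      s = opt("-s"); d = opt("-d"); sp = opt("--sport"); dp = opt("--dport")
      for (k = 1; k <= n; k++) {
        split(tgt[k], a, ":")
        # new connection towards the DNAT target
        if (!(k in inb) && s == "" && sp == "" && host(d, a[1]) &&
            (dp == "" || dp == a[2]) && (st == "" || st ~ /NEW/)) inb[k] = j
        # reply packets leaving the DNAT target
        if (!(k in ret) && d == "" && dp == "" && host(s, a[1]) &&
            (sp == "" || sp == a[2]) && (st == "" || st ~ /ESTABLISHED/)) ret[k] = j
      }
    }
    END {
      for (k = 1; k <= n; k++) {
        if (!(k in inb)) inb[k] = "NO-MATCH"
        if (!(k in ret)) ret[k] = "NO-MATCH"
        printf "%s inbound=%s return=%s\n", tgt[k], inb[k], ret[k]
      }
    }'
}
audit_forward "$NAT_RULES" "$FWD_RULES"
```

On the router, pass it the real output of `iptables -t nat -S PREROUTING` and `iptables -S FORWARD`; any target whose `inbound` or `return` is not `ACCEPT` is the rule pair to inspect.
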
### Priority 4: Check Routing
**Action**: Verify return path routing
```bash
# On UDM Pro, check routing table (password is read from SSHPASS via `sshpass -e`)
sshpass -e ssh OQmQuS@192.168.11.1 \
  "ip route show | grep 192.168.11"
```
---
## Next Steps
1. **From internal network**, check UDM Pro firewall rules
2. **Enable/unpause** any paused firewall rules
3. **Verify** port forwarding rules are active
4. **Check** NPMplus logs for incoming connection attempts
5. **Re-test** from external network (tethering)
---
## Test Statistics
- **Total Tests**: 9
- **Passed**: 3
- **Partial/Working**: 3
- **Failed**: 3
- **Warnings**: 1
---
## Conclusion
**Status**: ⚠️ **PROGRESS MADE - TCP CONNECTIONS WORKING**

**Key Finding**: Port forwarding appears to be working (connections established), but firewall rules or return path routing is blocking responses.

**Action Required**: Check and fix UDM Pro firewall rules to allow return traffic from NPMplus.

---

**Next Test**: After fixing firewall rules, re-run tests from external network.