explorer-monorepo/UDM_PRO_FIX_REQUIRED.md

# UDM Pro Fix Required - Root Cause Identified
**Date**: 2026-01-21

**Status**: ❌ **CRITICAL ISSUES FOUND**
---
## Diagnosis Results
### ❌ Issue 1: Port Forwarding Rules NOT Active
- **Problem**: No DNAT rules found in NAT table for 76.53.10.36
- **Impact**: Port forwarding rules exist in Web UI but are NOT actually active
- **Result**: External traffic cannot reach NPMplus
### ❌ Issue 2: Firewall Rules Missing
- **Problem**: No firewall rules found for 192.168.11.166
- **Impact**: Even if port forwarding worked, firewall would block traffic
- **Result**: Traffic would be dropped by firewall
---
## Root Cause
**Port forwarding rules are configured in the Web UI but NOT active in the firewall/NAT table.**
This means:
1. Rules exist in configuration
2. Rules are NOT enabled/applied
3. Rules need to be enabled and saved
---
## Fix Steps
### Step 1: Enable Port Forwarding Rules
1. **Access UDM Pro Web UI**
   - Navigate to: `https://192.168.11.1` (or your UDM Pro IP)
   - Login with admin credentials
2. **Go to Port Forwarding**
   - Click: **Settings** → **Firewall & Security** → **Port Forwarding**
3. **Verify and Enable Rules**
   - Find these rules:
     - **Nginx HTTP (76.53.10.36)** - Port 80
     - **Nginx HTTPS (76.53.10.36)** - Port 443
   - **Check that they are ENABLED** (toggle should be ON, or checkbox checked)
   - If disabled, **enable them**
   - **Save/Apply** changes
4. **Wait 30 seconds** for rules to apply
### Step 2: Verify Firewall Allow Rules
1. **Go to Firewall Rules**
   - Click: **Settings** → **Firewall & Security** → **Firewall Rules**
2. **Check for Allow Rules**
   - Look for rules named "Allow Port Forward..." or similar
   - Should allow:
     - External → Internal (192.168.11.166:80)
     - External → Internal (192.168.11.166:443)
3. **If Rules Don't Exist, Add Them**
   - Click **Add Rule** or **Create New Rule**
   - Configure:
     - **Name**: Allow Port Forward HTTP
     - **Action**: Allow
     - **Protocol**: TCP
     - **Source Zone**: External
     - **Source**: Any
     - **Destination Zone**: Internal
     - **Destination**: 192.168.11.166
     - **Port**: 80
   - Repeat for port 443
   - **Save**
4. **Verify Rule Order**
   - Allow rules should be **at the TOP** of the list
   - Any block rules should be **below** allow rules
   - If needed, reorder rules (drag and drop or use up/down arrows)
5. **Save and wait 30 seconds**
### Step 3: Verify Fix
After making changes, verify they're active:
```bash
# SSH to UDM Pro
ssh OQmQuS@192.168.11.1
# Check NAT rules (should show DNAT rules now)
sudo iptables -t nat -L PREROUTING -n -v | grep "76.53.10.36"
# Check firewall rules (should show ACCEPT rules now)
sudo iptables -L FORWARD -n -v | grep "192.168.11.166"
```
### Step 4: Test External Access
```bash
# Test HTTP
curl -v http://76.53.10.36
# Test HTTPS
curl -v https://76.53.10.36
# Test domain
curl -v http://explorer.d-bis.org
curl -v https://explorer.d-bis.org
```
---
## Expected Results After Fix
### NAT Table Should Show:
```
DNAT tcp -- 0.0.0.0/0 76.53.10.36 tcp dpt:80 to:192.168.11.166:80
DNAT tcp -- 0.0.0.0/0 76.53.10.36 tcp dpt:443 to:192.168.11.166:443
```
### Firewall Should Show:
```
ACCEPT tcp -- 0.0.0.0/0 192.168.11.166 tcp dpt:80
ACCEPT tcp -- 0.0.0.0/0 192.168.11.166 tcp dpt:443
```
### External Access Should:
- ✅ Respond to HTTP requests
- ✅ Respond to HTTPS requests
- ✅ Serve explorer.d-bis.org correctly
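To make the Step 3 check repeatable instead of eyeballing `grep` output, here is an added checker (not part of the original runbook or of UniFi OS) that reads saved listings from the two `iptables` commands and reports which of the four expected entries above are missing. The sample listings inside it are constructed, not captured from a real gateway.

```sh
#!/bin/sh
# Added checker, not part of the original runbook or of UniFi OS.
# It applies the Step 3 checks to saved output of
# `iptables -t nat -L PREROUTING -n` and `iptables -L FORWARD -n`.

WAN_IP="76.53.10.36"      # public IP from the runbook
NPM_IP="192.168.11.166"   # NPMplus host from the runbook
# Escape dots so the addresses match literally in grep -E patterns.
WAN_RE=$(printf '%s' "$WAN_IP" | sed 's/\./\\./g')
NPM_RE=$(printf '%s' "$NPM_IP" | sed 's/\./\\./g')

# has_dnat LISTING PORT: 0 if a DNAT rule WAN_IP:PORT -> NPM_IP:PORT exists.
# Left-unanchored so the pkts/bytes/in/out columns that -v adds are ignored;
# the trailing "( |$)" stops dpt:80 from also accepting dpt:8080.
has_dnat() {
    printf '%s\n' "$1" | grep -E \
      "DNAT +tcp .*${WAN_RE} +tcp +dpt:${2} +to:${NPM_RE}:${2}( |\$)" >/dev/null
}

# has_accept LISTING PORT: 0 if a FORWARD ACCEPT rule to NPM_IP:PORT exists.
has_accept() {
    printf '%s\n' "$1" | grep -E \
      "ACCEPT +tcp .*${NPM_RE} +tcp +dpt:${2}( |\$)" >/dev/null
}

# audit_rules NAT_LISTING FWD_LISTING: prints one MISSING line per absent
# entry; returns 0 only when DNAT and ACCEPT exist for both 80 and 443.
audit_rules() {
    _missing=0
    for _p in 80 443; do
        has_dnat "$1" "$_p" ||
          { echo "MISSING: DNAT ${WAN_IP}:${_p} -> ${NPM_IP}:${_p}"; _missing=$((_missing + 1)); }
        has_accept "$2" "$_p" ||
          { echo "MISSING: FORWARD ACCEPT -> ${NPM_IP}:${_p}"; _missing=$((_missing + 1)); }
    done
    [ "$_missing" -eq 0 ]
}

# Constructed sample listings (not captured from a real gateway): GOOD_* is
# the state the runbook expects; BROKEN_NAT is the state the diagnosis found,
# with an unrelated 8080 rule that must not be mistaken for port 80.
GOOD_NAT='Chain PREROUTING (policy ACCEPT)
DNAT tcp -- 0.0.0.0/0 76.53.10.36 tcp dpt:80 to:192.168.11.166:80
DNAT tcp -- 0.0.0.0/0 76.53.10.36 tcp dpt:443 to:192.168.11.166:443'
GOOD_FWD='Chain FORWARD (policy DROP)
ACCEPT tcp -- 0.0.0.0/0 192.168.11.166 tcp dpt:80
ACCEPT tcp -- 0.0.0.0/0 192.168.11.166 tcp dpt:443'
BROKEN_NAT='Chain PREROUTING (policy ACCEPT)
DNAT tcp -- 0.0.0.0/0 76.53.10.36 tcp dpt:8080 to:192.168.11.166:8080'
# On the gateway: audit_rules "$(iptables -t nat -L PREROUTING -n)" "$(iptables -L FORWARD -n)"
```

Run it on the gateway after the 30-second wait; a non-zero exit with `MISSING:` lines means the Web UI change has not reached the NAT or FORWARD chain yet.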
---
## Summary
**Root Cause**: Port forwarding and firewall rules are configured but NOT enabled/active
**Fix**:
1. Enable port forwarding rules in Web UI
2. Verify/add firewall allow rules
3. Ensure rule order is correct (allow before block)
4. Save and wait for rules to apply
**After Fix**: External access should work immediately
---
**Status**: ⚠️ **FIX REQUIRED - Rules need to be enabled in Web UI**