UDM Pro Manual SSH Diagnosis Guide
Date: 2026-01-21
Purpose: Manual commands to run on UDM Pro via SSH to diagnose firewall/port forwarding
SSH Credentials:
- Username: OQmQuS
- Password: m0MFXHdgMFKGB213b04
- IP: 192.168.11.1 (or your UDM Pro IP)
These credentials give a privileged shell on the gateway (the iptables commands below require root), so keep this document out of shared locations.
Connect to UDM Pro
ssh OQmQuS@192.168.11.1
# Enter password when prompted: m0MFXHdgMFKGB213b04
Diagnosis Commands
1. Check Port Forwarding Rules (NAT Table)
# Check whether DNAT (port forwarding) rules exist for 76.53.10.36
# grep -F matches the dotted address literally instead of as a regex (an unescaped "." matches any character)
iptables -t nat -L -n -v | grep -F "76.53.10.36"
Expected Output (if working), trimmed to the relevant columns (-v also prints pkts, bytes, opt, in and out in front of these):
DNAT tcp -- 0.0.0.0/0 76.53.10.36 tcp dpt:80 to:192.168.11.166:80
DNAT tcp -- 0.0.0.0/0 76.53.10.36 tcp dpt:443 to:192.168.11.166:443
If empty: no port forwarding rule is active for that address. Before concluding that, repeat the grep with the internal address 192.168.11.166, because a forward can be written against the WAN interface rather than the literal WAN IP; a DNAT line that lists the internal host but not 76.53.10.36 is still a working forward.
2. Check Firewall Rules for NPMplus
# Check whether the firewall allows forwarded traffic to reach 192.168.11.166
iptables -L FORWARD -n -v | grep -F "192.168.11.166"
Expected Output (if working), trimmed to the relevant columns:
ACCEPT tcp -- 0.0.0.0/0 192.168.11.166 tcp dpt:80
ACCEPT tcp -- 0.0.0.0/0 192.168.11.166 tcp dpt:443
If empty: the firewall may be blocking the traffic. On UniFi OS the built-in FORWARD chain mostly jumps into vendor-managed sub-chains, so the ACCEPT may live in one of those; run the same grep without the chain name (iptables -L -n -v) to search every chain before concluding the rule is missing.
3. Check Firewall Rule Order
# List all FORWARD rules with line numbers
iptables -L FORWARD -n -v --line-numbers
What to look for:
- iptables evaluates a chain top to bottom and stops at the first matching rule, so the ACCEPT rules for 192.168.11.166 must appear BEFORE any DROP/REJECT rule that also matches that traffic
- If a broader block rule (for example one matching all traffic into the LAN) comes first, it wins and the ACCEPT below it is never reached
4. Check All NAT Rules
# List all NAT rules
iptables -t nat -L -n -v
What to look for:
- DNAT rules for 76.53.10.36:80 → 192.168.11.166:80
- DNAT rules for 76.53.10.36:443 → 192.168.11.166:443
5. Check Network Interfaces
# Check whether 76.53.10.36 is configured on a network interface
ip addr show | grep -F "76.53.10"
Expected: the address appears on the WAN interface. If it does not, the UDM Pro is not holding that public IP (for example because an upstream device performs the NAT), and a DNAT rule keyed on 76.53.10.36 can never match.
6. Check Configuration Files
# Check the firewall configuration (-A 10 prints ten lines of context after each match)
grep -F -A 10 "76.53.10.36" /mnt/data/udapi-config/firewall.json
# Check for a legacy gateway config. config.gateway.json is a USG mechanism; on a UDM Pro the file normally does not exist, and its absence is not a fault.
grep -F -A 20 "port-forward" /mnt/data/unifi/config/config.gateway.json
# Paths vary between firmware versions; if a file is missing, skip it rather than treating that as the problem.
Quick Diagnosis Script
Run this complete check (paste it into the SSH session, or save it and run it with sh):
#!/bin/sh
WAN_IP="76.53.10.36"        # public address the forward is defined on
HOST_IP="192.168.11.166"    # NPMplus host behind the forward
echo "=== Port Forwarding (NAT) ==="
iptables -t nat -L -n -v --line-numbers | grep -F -A 3 "$WAN_IP"
echo ""
echo "=== Firewall Rules (FORWARD) ==="
iptables -L FORWARD -n -v --line-numbers | grep -F -A 3 "$HOST_IP"
echo ""
echo "=== Rules mentioning $HOST_IP in every chain (iptables -S prints the chain name on each line) ==="
iptables -S | grep -F "$HOST_IP"
echo ""
echo "=== All FORWARD Rules (First 20) ==="
iptables -L FORWARD -n -v --line-numbers | head -20
What to Look For
✅ If Port Forwarding is Working:
- NAT table shows DNAT rules for 76.53.10.36:80/443
- The pkts/bytes counters on those rules increase when you connect from outside; counters that stay at 0 after a test mean the traffic never reached the rule (wrong public IP, an upstream device doing NAT, or ISP filtering)
❌ If Port Forwarding is NOT Working:
- NAT table is empty for 76.53.10.36
- No DNAT rules found
✅ If Firewall Allows Traffic:
- FORWARD chain shows ACCEPT rules for 192.168.11.166:80/443
- Allow rules come BEFORE block rules
❌ If Firewall is Blocking:
- No ACCEPT rules for 192.168.11.166
- Block rules come BEFORE allow rules
- DROP/REJECT rules for 192.168.11.166
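The first-match-wins logic behind steps 1 to 3 and the checklist above, as an added example that is not part of the original guide: a small POSIX shell/awk checker that parses iptables -S style rule lines and reports the DNAT targets for the WAN address and the verdict a forwarded packet would receive in the FORWARD chain. It runs offline on constructed sample rules; the WAN IP 76.53.10.36, the host 192.168.11.166 and the chain names are taken from this guide, while the sample rule lines themselves are made up, not captured from a UDM Pro.

```shell
#!/bin/sh
# Offline rule-order checker for the DNAT / FORWARD checks in this guide.
# Input is iptables -S / iptables-save style text (one "-A CHAIN ..." per line),
# which is easier to parse than the column output of iptables -L -n -v.

# Constructed sample rules (not captured from a real UDM Pro). The WAN IP, the
# NPMplus host and the chain names are assumptions carried over from the guide.
SAMPLE_NAT='-A PREROUTING -d 76.53.10.36/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.11.166:80
-A PREROUTING -d 76.53.10.36/32 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.11.166:443'

# Broken ordering: the catch-all DROP sits above the ACCEPT rules.
SAMPLE_FORWARD_BAD='-A FORWARD -d 192.168.11.166/32 -j DROP
-A FORWARD -d 192.168.11.166/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -d 192.168.11.166/32 -p tcp -m tcp --dport 443 -j ACCEPT'

# Correct ordering: specific ACCEPTs first, catch-all DROP last.
SAMPLE_FORWARD_GOOD='-A FORWARD -d 192.168.11.166/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -d 192.168.11.166/32 -p tcp -m tcp --dport 443 -j ACCEPT
-A FORWARD -d 192.168.11.166/32 -j DROP'

# dnat_targets RULES WAN_IP
# Prints "DPORT -> HOST:PORT" for each DNAT rule whose destination is WAN_IP.
dnat_targets() {
    printf '%s\n' "$1" | awk -v ip="$2" '
        $1 == "-A" && / -j DNAT / {
            dst = ""; dport = ""; to = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "-d") dst = $(i + 1)
                if ($i == "--dport") dport = $(i + 1)
                if ($i == "--to-destination") to = $(i + 1)
            }
            sub(/\/32$/, "", dst)
            if (dst == ip) print dport " -> " to
        }'
}

# first_verdict RULES CHAIN HOST_IP DPORT
# Walks CHAIN top to bottom, as iptables does, and prints the target of the first
# rule that matches TCP traffic to HOST_IP:DPORT (a rule without -d/-p/--dport
# matches anything), or "none" if no rule in the chain matches.
first_verdict() {
    printf '%s\n' "$1" | awk -v chain="$2" -v ip="$3" -v port="$4" '
        $1 == "-A" && $2 == chain {
            dst = ""; proto = ""; dport = ""; target = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "-d") dst = $(i + 1)
                if ($i == "-p") proto = $(i + 1)
                if ($i == "--dport") dport = $(i + 1)
                if ($i == "-j") target = $(i + 1)
            }
            sub(/\/32$/, "", dst)
            if (dst != "" && dst != ip) next
            if (proto != "" && proto != "tcp") next
            if (dport != "" && dport != port) next
            found = 1; print target; exit
        }
        END { if (!found) print "none" }'
}

# Demonstration on the constructed samples.
echo "DNAT rules for 76.53.10.36:"
dnat_targets "$SAMPLE_NAT" 76.53.10.36
echo "FORWARD verdict for 192.168.11.166:443, bad order:  $(first_verdict "$SAMPLE_FORWARD_BAD" FORWARD 192.168.11.166 443)"
echo "FORWARD verdict for 192.168.11.166:443, good order: $(first_verdict "$SAMPLE_FORWARD_GOOD" FORWARD 192.168.11.166 443)"

# On the UDM Pro itself, feed the functions live output instead, e.g.:
#   first_verdict "$(iptables -S FORWARD)" FORWARD 192.168.11.166 443
#   dnat_targets "$(iptables -t nat -S PREROUTING)" 76.53.10.36
```

The checker only models the matches this guide cares about (destination address, protocol and destination port); a real chain can also match on interface, source, conntrack state and other criteria, so a "DROP" verdict here is a strong hint to look at the rule order in the Web UI, not a full simulation of the packet path.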
Common Issues and Fixes
Issue 1: Port Forwarding Rules Not in NAT Table
Symptom: iptables -t nat -L shows no rules for 76.53.10.36
Fix:
- Go to UDM Pro Web UI
- Settings → Firewall & Security → Port Forwarding
- Verify rules are enabled
- If disabled, enable them
- Save and wait 30 seconds
Issue 2: Firewall Blocking Traffic
Symptom: NAT rules exist but no ACCEPT rules in FORWARD chain
Fix:
- Go to UDM Pro Web UI
- Settings → Firewall & Security → Firewall Rules
- Ensure "Allow Port Forward..." rules exist
- Move them to the top of the list
- Save and wait 30 seconds
Issue 3: Rule Order Issue
Symptom: Block rules come before allow rules
Fix:
- Go to UDM Pro Web UI
- Settings → Firewall & Security → Firewall Rules
- Reorder rules: Allow rules at top, Block rules below
- Save and wait 30 seconds
After Making Changes
- Wait 30 seconds for rules to apply
- Re-run diagnosis commands to verify
- Test external access from a host outside the LAN (for example a phone on mobile data); a test from inside the LAN goes through NAT loopback (hairpin NAT) and can fail or succeed for reasons unrelated to the forward:
curl -v http://76.53.10.36
curl -v https://76.53.10.36
Summary
SSH Access Allows:
- ✅ View current firewall/port forwarding configuration
- ✅ Diagnose why ports are blocked
- ✅ Verify rule order
- ⚠️ iptables changes made at the CLI are not persistent: the controller rewrites the rule set on the next provision or reboot (use the Web UI for changes)
Recommended Workflow:
- SSH to UDM Pro
- Run diagnosis commands
- Identify the issue
- Make changes via Web UI
- Verify via SSH again
Next Step: SSH to UDM Pro and run the diagnosis commands above