# External Access Timeout - Diagnosis & Fix

**Date**: 2026-01-21

**Issue**: ERR_CONNECTION_TIMED_OUT when accessing explorer.d-bis.org

**Status**: ⚠️ **Port Forwarding Configured but Firewall Blocking**

---

## Problem Summary

**Symptoms**:

- ✅ DNS resolves correctly: `explorer.d-bis.org` → `76.53.10.36`
- ✅ Port forwarding rules exist in UDM Pro
- ✅ NPMplus is running and listening on ports 80/443
- ✅ Internal path works (HTTP 200)
- ❌ External access times out (ERR_CONNECTION_TIMED_OUT)

**Root Cause**: UDM Pro firewall is likely blocking WAN → LAN traffic, even though port forwarding rules exist.

---

## Current Status

### ✅ Working Components

1. **DNS**: ✅ Resolves to 76.53.10.36
2. **NPMplus**: ✅ Running, listening on 0.0.0.0:80 and 0.0.0.0:443
3. **NPMplus Config**: ✅ Proxy host configured correctly
4. **VMID 5000**: ✅ Operational, serving HTTP 200
5. **Port Forwarding Rules**: ✅ Exist in UDM Pro:
   - `76.53.10.36:80` → `192.168.11.166:80`
   - `76.53.10.36:443` → `192.168.11.166:443`

### ❌ Issue

**Ports 80 and 443 are NOT reachable from outside the network**:

- Connection to `76.53.10.36:80` → Timeout
- Connection to `76.53.10.36:443` → Timeout

---

## Root Cause Analysis

Port forwarding rules exist, but traffic is being blocked. This is typically due to one of:

1. **UDM Pro Firewall Rules** blocking WAN → LAN traffic
2. **Port forwarding rules not enabled** (though they appear in the UI)
3. **Zone-based firewall** blocking External → Internal traffic
4. **WAN interface not selected** in port forwarding rules

---

## Solution: Check UDM Pro Firewall Rules

### Step 1: Verify Port Forwarding Rules Are Enabled

In the UDM Pro web interface:

1. Navigate to: **Settings** → **Firewall & Security** → **Port Forwarding**
2. Verify the rules show as **"Enabled"** or have a checkmark
3. If disabled, **enable** them:
   - Click on each rule
   - Toggle "Enabled" to ON
   - Save

### Step 2: Check Firewall Rules (WAN → LAN)

The UDM Pro may have firewall rules that block incoming WAN traffic. Check:

1. Navigate to: **Settings** → **Firewall & Security** → **Firewall Rules**
2. Look for rules with:
   - **Source**: WAN / External / Internet
   - **Destination**: LAN / Internal / 192.168.11.0/24
   - **Action**: Block / Deny
3. **If blocking rules exist**, you need to either:
   - **Option A**: Add an allow rule BEFORE the block rule:
     - Source: Any (or WAN)
     - Destination: 192.168.11.166
     - Port: 80, 443
     - Action: Allow
     - Place it ABOVE any block rules
   - **Option B**: Modify the block rule to exclude port forwarding:
     - Add exception for destination IP: 192.168.11.166
     - Add exception for ports: 80, 443

Keep the allow rule scoped to 192.168.11.166 and ports 80/443 only; a broader WAN → LAN allow would expose the rest of the 192.168.11.0/24 subnet.

### Step 3: Check Zone-Based Firewall (If Enabled)

If the UDM Pro uses the zone-based firewall:

1. Navigate to: **Settings** → **Firewall & Security** → **Zones**
2. Check the **External → Internal** policy:
   - Should be **"Allow"** or **"Allow Return"**
   - If **"Block"**, change to **"Allow"** or add an exception
3. Or create a specific rule:
   - Source Zone: External
   - Destination Zone: Internal
   - Destination IP: 192.168.11.166
   - Ports: 80, 443
   - Action: Allow

Prefer the specific rule in item 3 over opening the whole External → Internal policy; it admits only the forwarded host and ports.

### Step 4: Verify WAN Interface in Port Forwarding

Ensure port forwarding rules specify the correct WAN interface:

1. Edit each port forwarding rule
2. Check **"Interface"** or **"WAN Interface"**:
   - Should be set to your primary WAN interface
   - Or "Any" / "All" if the option exists
3. Save changes

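An added example (not UDM Pro code) that models the first-match rule evaluation Step 2's "place it ABOVE any block rules" and Step 1's "enabled" check depend on: the same two rules in both orders, with the page's addresses. The `Rule` fields are a simplification of what the UI exposes (source, destination, ports, action, enabled), and the allow rule is deliberately scoped to 192.168.11.166 and ports 80/443 only.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

NPMPLUS = "192.168.11.166"      # port-forward destination, from the page
LAN = "192.168.11.0/24"


@dataclass
class Rule:
    name: str
    action: str                    # "allow" or "block"
    src: str = "any"               # "wan", "lan" or "any"
    dst: str = "any"               # IP, CIDR or "any"
    ports: frozenset = field(default_factory=frozenset)  # empty = any port
    enabled: bool = True           # Step 1: a disabled rule matches nothing

    def matches(self, src_zone, dst_ip, dport):
        if not self.enabled or self.src not in ("any", src_zone):
            return False
        if self.dst != "any" and ip_address(dst_ip) not in ip_network(self.dst, strict=False):
            return False
        return not self.ports or dport in self.ports


def evaluate(rules, src_zone, dst_ip, dport, default="block"):
    """First-match evaluation: return (action, rule name) of the first
    enabled rule that matches, or the default policy if none does."""
    for rule in rules:
        if rule.matches(src_zone, dst_ip, dport):
            return rule.action, rule.name
    return default, "default-policy"


BLOCK_WAN_TO_LAN = Rule("block-wan-lan", "block", src="wan", dst=LAN)
ALLOW_NPMPLUS = Rule("allow-npmplus-web", "allow", src="wan", dst=NPMPLUS,
                     ports=frozenset({80, 443}))

# The order that produces the page's timeout: the block rule is hit first.
WRONG_ORDER = [BLOCK_WAN_TO_LAN, ALLOW_NPMPLUS]
# Step 2, Option A: the scoped allow rule placed ABOVE the block rule.
FIXED_ORDER = [ALLOW_NPMPLUS, BLOCK_WAN_TO_LAN]

if __name__ == "__main__":
    for label, rules in (("wrong order", WRONG_ORDER), ("fixed order", FIXED_ORDER)):
        for port in (80, 443, 22):
            print(label, port, evaluate(rules, "wan", NPMPLUS, port))
```

With the fixed order, port 22 to the same host and port 80 to any other LAN host still hit the block rule, which is the point of scoping the allow rule.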
---

## Quick Fix Checklist

- [ ] Verify port forwarding rules are **ENABLED**
- [ ] Check firewall rules for **WAN → LAN blocking**
- [ ] Add **allow rule** for 192.168.11.166:80,443 if blocked
- [ ] Check **zone-based firewall** External → Internal policy
- [ ] Verify **WAN interface** in port forwarding rules
- [ ] Test external access after each change

---

## Testing After Fix

Run these from a host outside the LAN (a phone on mobile data is enough); from inside, the result depends on hairpin NAT and does not prove the WAN path.

### Test 1: Port Reachability

```bash
# From external location
curl -v --connect-timeout 10 https://explorer.d-bis.org
curl -v --connect-timeout 10 http://explorer.d-bis.org
```

### Test 2: Direct IP Test

```bash
# Test direct IP (bypasses DNS)
# The certificate will not match a bare IP, so watch for curl's "Connected to" line:
# that alone proves the port is reachable (or add -k to skip certificate checks).
curl -v --connect-timeout 10 https://76.53.10.36
curl -v --connect-timeout 10 http://76.53.10.36
```

### Test 3: Port Check

```bash
# Check if ports are open (-Pn skips the host-discovery ping, which the UDM Pro usually drops)
nmap -Pn -p 80,443 76.53.10.36
```

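A small triage script, added here and not part of the original runbook, that automates the checks above and maps the outcome onto this page's symptom table: DNS correct, internal path working, external TCP connect timing out means the UDM Pro forward/firewall path rather than NPMplus or the VM. The hostname and addresses are the page's; `internal_ok` is passed in from the in-LAN check (HTTP 200 here) because 192.168.11.166 is not reachable from outside.

```python
import socket

HOSTNAME = "explorer.d-bis.org"
PUBLIC_IP = "76.53.10.36"       # WAN address from the page
INTERNAL_IP = "192.168.11.166"  # NPMplus, from the page
PORTS = (80, 443)


def resolves_to(hostname, expected_ip):
    """True if an A record for hostname points at the expected public IP."""
    try:
        answers = socket.getaddrinfo(hostname, None, socket.AF_INET)
    except socket.gaierror:
        return False
    return expected_ip in {info[4][0] for info in answers}


def tcp_open(ip, port, timeout=10.0):
    """True if the TCP handshake completes. A timeout (no SYN-ACK) is what the
    page observes: the packet is dropped at the edge rather than refused."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:        # includes TimeoutError and ConnectionRefusedError
        return False


def classify(dns_ok, internal_ok, external_ok):
    """Map the observations onto the page's root-cause candidates."""
    if not dns_ok:
        return "dns"            # nothing else can be judged until the name resolves
    if not internal_ok:
        return "backend"        # NPMplus/VM not answering; fix inside the LAN first
    if not external_ok:
        return "edge-firewall"  # the page's case: forward present, WAN->LAN dropped
    return "ok"


def triage(internal_ok=True, timeout=10.0):
    """Run the DNS and external checks live (from OUTSIDE the LAN) and
    combine them with the in-LAN result passed by the caller."""
    dns_ok = resolves_to(HOSTNAME, PUBLIC_IP)
    external_ok = all(tcp_open(PUBLIC_IP, p, timeout) for p in PORTS)
    return {"dns": dns_ok, "internal": internal_ok, "external": external_ok,
            "verdict": classify(dns_ok, internal_ok, external_ok)}


if __name__ == "__main__":
    print(triage())
```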
---

## Expected Behavior After Fix

Once firewall rules are corrected:

1. **External request** → `76.53.10.36:443`
2. **UDM Pro** → Port forwarding rule matches
3. **Firewall** → Allows traffic (no block rule)
4. **NPMplus** → Receives request on 192.168.11.166:443
5. **NPMplus** → Proxies to 192.168.11.140:80
6. **VMID 5000** → Serves frontend
7. **Response** → HTTP 200 OK

---

## Common UDM Pro Firewall Issues

### Issue 1: Default Deny Policy

**Problem**: The UDM Pro may have a default "deny all WAN → LAN" policy

**Solution**: Add an explicit allow rule for the port forwarding destination

### Issue 2: Rule Order

**Problem**: Block rules may be evaluated before port forwarding

**Solution**: Ensure allow rules are placed before block rules

### Issue 3: Zone-Based Firewall

**Problem**: The External → Internal zone policy may be blocking

**Solution**: Change the policy to "Allow" or add an exception

### Issue 4: Interface Selection

**Problem**: The port forwarding rule may not specify the correct WAN interface

**Solution**: Verify the interface selection in the port forwarding rule

---

## Manual Verification Steps

1. **Access UDM Pro Web UI**
   - Navigate to your UDM Pro IP (typically 192.168.1.1 or 192.168.11.1)
2. **Check Port Forwarding Status**
   - Settings → Firewall & Security → Port Forwarding
   - Verify rules are enabled (green checkmark or "Enabled" status)
3. **Check Firewall Rules**
   - Settings → Firewall & Security → Firewall Rules
   - Look for any rules blocking WAN → LAN
   - Check rule order (allow rules should be before block rules)
4. **Check Zone Policies** (if zone-based firewall enabled)
   - Settings → Firewall & Security → Zones
   - Check External → Internal policy
   - Should be "Allow" or "Allow Return"
5. **Test After Changes**
   - Make one change at a time
   - Test external access after each change
   - Document what works

---

## Summary

**All internal components are working correctly.** The issue is the UDM Pro firewall blocking external traffic, even though port forwarding rules are configured.

**Action Required**:

1. Verify port forwarding rules are enabled
2. Check and fix UDM Pro firewall rules blocking WAN → LAN
3. Test external access

Once firewall rules are corrected, external access should work immediately.

---

**Status**: ⚠️ **Firewall Configuration Needed**