
UDM Pro Fix Required - Root Cause Identified

Date: 2026-01-21
Status: CRITICAL ISSUES FOUND


Diagnosis Results

Issue 1: Port Forwarding Rules NOT Active

  • Problem: No DNAT rules found in NAT table for 76.53.10.36
  • Impact: Port forwarding rules exist in Web UI but are NOT actually active
  • Result: External traffic cannot reach NPMplus

Issue 2: Firewall Rules Missing

  • Problem: No firewall rules found for 192.168.11.166
  • Impact: Even if port forwarding worked, firewall would block traffic
  • Result: Traffic would be dropped by firewall

Root Cause

Port forwarding rules are configured in the Web UI but NOT active in the firewall/NAT table.

This means:

  1. Rules exist in configuration
  2. Rules are NOT enabled/applied
  3. Rules need to be enabled and saved

Fix Steps

Step 1: Enable Port Forwarding Rules

  1. Access UDM Pro Web UI

    • Navigate to: https://192.168.11.1 (or your UDM Pro IP)
    • Login with admin credentials
  2. Go to Port Forwarding

    • Click: Settings → Firewall & Security → Port Forwarding
  3. Verify and Enable Rules

    • Find these rules:
      • Nginx HTTP (76.53.10.36) - Port 80
      • Nginx HTTPS (76.53.10.36) - Port 443
    • Check that they are ENABLED (toggle should be ON, or checkbox checked)
    • If disabled, enable them
    • Save/Apply changes
  4. Wait 30 seconds for rules to apply

Step 2: Verify Firewall Allow Rules

  1. Go to Firewall Rules

    • Click: Settings → Firewall & Security → Firewall Rules
  2. Check for Allow Rules

    • Look for rules named "Allow Port Forward..." or similar
    • Should allow:
      • External → Internal (192.168.11.166:80)
      • External → Internal (192.168.11.166:443)
  3. If Rules Don't Exist, Add Them

    • Click Add Rule or Create New Rule
    • Configure:
      • Name: Allow Port Forward HTTP
      • Action: Allow
      • Protocol: TCP
      • Source Zone: External
      • Source: Any
      • Destination Zone: Internal
      • Destination: 192.168.11.166
      • Port: 80
    • Repeat for port 443
    • Save
  4. Verify Rule Order

    • Allow rules should be at the TOP of the list
    • Any block rules should be below allow rules
    • If needed, reorder rules (drag and drop or use up/down arrows)
  5. Save and wait 30 seconds

Step 3: Verify Fix

After making changes, verify they're active:

# SSH to UDM Pro
ssh OQmQuS@192.168.11.1

# Check NAT rules (should show DNAT rules now)
sudo iptables -t nat -L PREROUTING -n -v | grep "76.53.10.36"

# Check firewall rules (should show ACCEPT rules now)
sudo iptables -L FORWARD -n -v | grep "192.168.11.166"
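
The grep checks above match on the IP alone, so a rule for port 8080, or an allow rule sitting below a block rule, still produces a hit. The following is an added example, not part of the original document: it checks a saved listing for exact port matches and reports which FORWARD rule matches first. The function names has_dnat and first_verdict are hypothetical, the sample listings are constructed, and rules reached through jumps to other chains are not followed.

```shell
# Added example. IPs and ports are this page's; the listings are constructed.
PUBLIC_IP="76.53.10.36"
BACKEND_IP="192.168.11.166"

# has_dnat PORT: stdin is `iptables -t nat -L PREROUTING -n -v` output. Succeeds
# only if one rule is DNAT for PUBLIC_IP, exactly dpt:PORT, to the backend.
has_dnat() {
    awk -v pub="$PUBLIC_IP" -v dpt="dpt:$1" -v to="to:$BACKEND_IP:$1" '
        { t = p = d = x = 0
          for (i = 1; i <= NF; i++) {
              if ($i == "DNAT") t = 1
              if ($i == pub) p = 1
              if ($i == dpt) d = 1
              if ($i == to) x = 1
          }
          if (t && p && d && x) found = 1 }
        END { exit(found ? 0 : 1) }'
}

# first_verdict PORT: stdin is `iptables -L FORWARD -n -v` output. Prints the
# target of the first rule whose destination is the backend and that covers PORT
# (exact dpt:PORT, or no dpt: at all), else NONE. First match wins, so DROP here
# means a block rule sits above the allow rule.
first_verdict() {
    awk -v ip="$BACKEND_IP" -v dpt="dpt:$1" '
        { t = 0
          if ($1 ~ /^(ACCEPT|DROP|REJECT)$/) t = 1        # listing without -v
          else if ($3 ~ /^(ACCEPT|DROP|REJECT)$/) t = 3   # listing with -v
          if (t == 0) next
          dst = (t == 1) ? $5 : $9
          port_ok = 1
          for (i = 1; i <= NF; i++) if ($i ~ /^dpt:/) port_ok = ($i == dpt)
          if (dst == ip && port_ok) { print $t; done = 1; exit } }
        END { if (!done) print "NONE" }'
}

# Constructed: the only "port 80" allow is really 8080, and a DROP precedes 443.
SAMPLE_NAT='DNAT tcp -- 0.0.0.0/0 76.53.10.36 tcp dpt:80 to:192.168.11.166:80'
SAMPLE_FORWARD='    0     0 ACCEPT tcp  --  *  *  0.0.0.0/0  192.168.11.166  tcp dpt:8080
    0     0 DROP   all  --  *  *  0.0.0.0/0  192.168.11.166
    0     0 ACCEPT tcp  --  *  *  0.0.0.0/0  192.168.11.166  tcp dpt:443'

for port in 80 443; do
    printf '%s\n' "$SAMPLE_NAT" | has_dnat "$port" && nat=present || nat=MISSING
    verdict=$(printf '%s\n' "$SAMPLE_FORWARD" | first_verdict "$port")
    echo "port $port: DNAT $nat, first matching FORWARD rule: $verdict"
done
```

To use it against the device, pipe the two iptables commands from Step 3 into the functions in place of the sample variables.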

Step 4: Test External Access

# Test HTTP
curl -v http://76.53.10.36

# Test HTTPS
curl -v https://76.53.10.36

# Test domain
curl -v http://explorer.d-bis.org
curl -v https://explorer.d-bis.org

Expected Results After Fix

NAT Table Should Show:

DNAT       tcp  --  0.0.0.0/0      76.53.10.36        tcp dpt:80  to:192.168.11.166:80
DNAT       tcp  --  0.0.0.0/0      76.53.10.36        tcp dpt:443 to:192.168.11.166:443

Firewall Should Show:

ACCEPT     tcp  --  0.0.0.0/0      192.168.11.166     tcp dpt:80
ACCEPT     tcp  --  0.0.0.0/0      192.168.11.166     tcp dpt:443

External Access Should:

  • Respond to HTTP requests
  • Respond to HTTPS requests
  • Serve explorer.d-bis.org correctly

Summary

Root Cause: Port forwarding and firewall rules are configured but NOT enabled/active

Fix:

  1. Enable port forwarding rules in Web UI
  2. Verify/add firewall allow rules
  3. Ensure rule order is correct (allow before block)
  4. Save and wait for rules to apply

After Fix: External access should work immediately


Status: ⚠️ FIX REQUIRED - Rules need to be enabled in Web UI