d-bis/explorer-monorepo
4
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
a53c15507ffabaf4280b85260cc4b9830824b71c
explorer-monorepo/VERIFY_FIREWALL_RULE_ORDER.md

5.3 KiB
Raw Blame History

Firewall Rule Order Verification

Date: 2026-01-21
Status: Rules Configured - Need to Verify Order & Status

Confirmed Rules (From UDM Pro Screenshot)

Port Forwarding Rules

  1. Nginx HTTPS (76.53.10.36)

    • Type: Port Forwarding
    • Action: Translate
    • Protocol: TCP
    • Source: Any
    • Destination: 76.53.10.36
    • Port: 443
    • Interface: Internet 1

  2. Nginx HTTP (76.53.10.36)

    • Type: Port Forwarding
    • Action: Translate
    • Protocol: TCP
    • Source: Any
    • Destination: 76.53.10.36
    • Port: 80
    • Interface: Internet 1

  3. Nginx Manager (76.53.10.36)

    • Type: Port Forwarding
    • Action: Translate
    • Protocol: TCP
    • Source: Any
    • Destination: 76.53.10.36
    • Port: 81
    • Interface: Internet 1

Firewall Allow Rules

  1. Allow Port Forward... (Port 80)

    • Type: Firewall
    • Action: Allow
    • Protocol: TCP
    • Source Zone: External
    • Source: Any
    • Destination Zone: Internal
    • Destination: 192.168.11.166
    • Port: 80

  2. Allow Port Forward... (Port 443)

    • Type: Firewall
    • Action: Allow
    • Protocol: TCP
    • Source Zone: External
    • Source: Any
    • Destination Zone: Internal
    • Destination: 192.168.11.166
    • Port: 443

  3. Allow Port Forward... (Port 81)

    • Type: Firewall
    • Action: Allow
    • Protocol: TCP
    • Source Zone: External
    • Source: Any
    • Destination Zone: Internal
    • Destination: 192.168.11.166
    • Port: 81

Critical Check: Rule Order

Firewall rules are processed in order from top to bottom. If a "Block" or "Deny" rule comes BEFORE the "Allow" rules, it will block the traffic.

What to Check:

  1. In UDM Pro Web UI:

    • Navigate to: SettingsFirewall & SecurityFirewall Rules
    • Look at the order of rules

  2. Verify Order:

    • The "Allow Port Forward..." rules should be ABOVE any "Block" or "Deny" rules
    • If there's a "Block External → Internal" rule, it must come AFTER the allow rules

  3. Check for Block Rules:

    • Look for rules with:
      • Source Zone: External
      • Destination Zone: Internal
      • Action: Block / Deny
    • If such rules exist, they must be BELOW the allow rules

Additional Checks

1. Rule Status (Enabled/Disabled)

  • Verify all rules show as "Enabled" or have a checkmark
  • Disabled rules won't work even if configured

2. Interface Selection

  • Verify port forwarding rules specify "Internet 1" (or your active WAN interface)
  • If multiple WAN interfaces exist, ensure correct one is selected

3. Zone Configuration

  • Verify "External" zone includes your WAN interface
  • Verify "Internal" zone includes 192.168.11.0/24 network

4. NAT Translation

  • Port forwarding rules should translate:
    • 76.53.10.36:80192.168.11.166:80
    • 76.53.10.36:443192.168.11.166:443
  • Verify the "Translate" action is working correctly

Troubleshooting Steps

Step 1: Check Rule Order

  1. Open UDM Pro → Settings → Firewall & Security → Firewall Rules
  2. Note the order of all rules
  3. Ensure "Allow Port Forward..." rules are at the top (or at least above any block rules)

Step 2: Test Rule Priority

If block rules exist above allow rules:

  1. Option A: Move allow rules to the top
  2. Option B: Modify block rules to exclude 192.168.11.166

Step 3: Verify Rule Application

  1. After making changes, apply/save the configuration
  2. Wait 30-60 seconds for rules to propagate
  3. Test external access again

Step 4: Check Logs

  1. UDM Pro → Settings → Logs → Firewall Logs
  2. Look for blocked connections to 192.168.11.166:80 or 443
  3. This will show if firewall is blocking and which rule is blocking

Expected Rule Order (Ideal)

1. Allow Port Forward... (Port 443) ← Should be FIRST
2. Allow Port Forward... (Port 80)  ← Should be SECOND
3. Allow Port Forward... (Port 81)  ← Should be THIRD
4. [Other allow rules...]
5. [Block rules...] ← Should be AFTER allow rules

If Rules Are Correct But Still Not Working

If rule order is correct and rules are enabled, check:

  1. ISP Blocking: Some ISPs block ports 80/443

    • Test from different network/location
    • Use port 81 to test (if accessible)

  2. Network Routing: Verify traffic is reaching UDM Pro

    • Check UDM Pro logs for incoming connections
    • Verify WAN interface is receiving traffic

  3. NPMplus Binding: Verify NPMplus is listening on correct interface

    • Should be 0.0.0.0 (all interfaces), not 127.0.0.1

  4. Service Status: Verify NPMplus is actually running

    • Check container status
    • Check nginx process

Quick Test

After verifying rule order:

# Test from external location
curl -v --connect-timeout 10 https://explorer.d-bis.org
curl -v --connect-timeout 10 http://explorer.d-bis.org

# Test direct IP
curl -v --connect-timeout 10 https://76.53.10.36
curl -v --connect-timeout 10 http://76.53.10.36

Summary

Rules are configured correctly, but external access is still timing out. This suggests:

  1. Rule order issue - Block rules may be before allow rules
  2. Rules not enabled - Rules may be disabled
  3. ISP blocking - ISP may be blocking ports 80/443
  4. Network routing - Traffic may not be reaching UDM Pro

Next Step: Verify rule order in UDM Pro firewall rules list.

Reference in New Issue View Git Blame Copy Permalink