# UDM Pro Networks Routing Configuration Guide

**Last Updated:** 2026-01-13
**Status:** Active Documentation
**Issue:** Enable routing between Default network (192.168.0.0/24) and MGMT-LAN (VLAN 11 - 192.168.11.0/24)
**Access URL:** `https://192.168.0.1`

---

## Step-by-Step Configuration Instructions

### Step 1: Access UDM Pro Web Interface

1. **Open web browser**
2. **Navigate to:** `https://192.168.0.1`
3. **Log in** with admin credentials

---

### Step 2: Navigate to Networks Settings

1. **Click on:** **Settings** (left sidebar)
2. **Click on:** **Networks** (under Settings)
   - You should see a list of all networks including:
     - Default (192.168.0.0/24)
     - MGMT-LAN (VLAN 11 - 192.168.11.0/24)
     - BESU-VAL, BESU-SEN, BESU-RPC, etc.

---

### Step 3: Configure Default Network

1. **Click on:** **Default** network (first row in the networks list)
   - Network: Default
   - VLAN: 1
   - Subnet: 192.168.0.0/24
   - Gateway: UDM Pro
2. **Verify/Configure Network Settings:**
   - **Network Name:** Default
   - **VLAN ID:** 1 (or blank/untagged)
   - **Subnet:** 192.168.0.0/24
   - **Gateway IP/Subnet:** Should be 192.168.0.1/24
3. **Check Routing Settings:**
   - Look for **"Enable Inter-VLAN Routing"** or **"Route Between VLANs"** option
   - If present, ensure it's **enabled** (checked)
   - If not present, inter-VLAN routing may be enabled by default
4. **Check Security Posture:**
   - **Default Security Posture:** Should be set appropriately
   - For routing to work, ensure it's not set to "Block All"
5. **Click:** **Save** or **Apply** (if changes were made)

---

### Step 4: Configure MGMT-LAN (VLAN 11)

1. **Click on:** **MGMT-LAN** network (second row in the networks list)
   - Network: MGMT-LAN
   - VLAN: 11
   - Subnet: 192.168.11.0/24
   - Gateway: UDM Pro
2. **Verify/Configure Network Settings:**
   - **Network Name:** MGMT-LAN
   - **VLAN ID:** 11
   - **Subnet:** 192.168.11.0/24
   - **Gateway IP/Subnet:** Should be 192.168.11.1/24
3. **Check Routing Settings:**
   - Look for **"Enable Inter-VLAN Routing"** or **"Route Between VLANs"** option
   - Ensure it's **enabled** (checked)
   - This allows VLAN 11 to communicate with other VLANs
4. **Check Security Posture:**
   - **Default Security Posture:** Should allow inter-VLAN communication
   - Ensure it's not set to "Block All"
5. **DHCP Settings (if applicable):**
   - Verify DHCP is configured correctly
   - DHCP Range: 192.168.11.100 - 192.168.11.200
6. **Click:** **Save** or **Apply** (if changes were made)

---

### Step 5: Verify Global Network Settings

1. **Scroll down** on the Networks page to see **Global Switch Settings**
2. **Check VLAN Scope:**
   - **VLAN Scope:** Should include both networks
   - Default (1) should be listed
   - MGMT-LAN (11) should be listed
   - All other VLANs should be listed
3. **Check Default Security Posture:**
   - **Default Security Posture:**
     - Should be set to **"Allow All"** or **"Auto"** for inter-VLAN routing
     - If set to **"Block All"**, change to **"Allow All"** or **"Auto"**
4. **Gateway mDNS Proxy:**
   - This setting doesn't affect routing but may be useful for service discovery
   - Can be left as default
5. **IGMP Snooping:**
   - Doesn't affect routing
   - Can be left as default
6. **Spanning Tree Protocol:**
   - Doesn't affect routing
   - Can be left as default
7. **Click:** **Save** or **Apply** (if changes were made)

---

### Step 6: Verify Zone-Based Firewall Configuration

Since Zone-Based Firewall is active, verify zone assignments:

1. **Navigate to:** **Settings** → **Firewall & Security** → **Zones** (or **Policy Engine**)
2. **Verify Zone Assignments:**
   - **Default network (192.168.0.0/24):** Should be in **Internal** zone
   - **MGMT-LAN (VLAN 11):** Should be in **Internal** zone
3. **Verify Zone Policy:**
   - **Internal → Internal:** Should be **"Allow All"**
   - This policy allows all networks in the Internal zone to communicate
4. **If networks are in different zones:**
   - Create a firewall policy to allow communication
   - Or move both networks to the same zone (Internal)

---

### Step 7: Test Routing

1. **From source device (192.168.0.23):**
   ```bash
   # Test ping
   ping -c 3 192.168.11.10

   # Test with traceroute (if available)
   traceroute 192.168.11.10
   ```
2. **Expected Result:**
   - Ping should succeed
   - Traceroute should show routing path through UDM Pro
3. **If ping still fails:**
   - Check firewall rules (ACL rules)
   - Verify Zone-Based Firewall policies
   - Check if static route is needed (see Step 8)

---

### Step 8: Configure Static Route (If Needed)

If inter-VLAN routing is enabled but traffic still doesn't work:

1. **Navigate to:** **Settings** → **Routing & Firewall** → **Static Routes**
2. **Add Static Route:**
   - **Name:** Route to VLAN 11
   - **Destination Network:** `192.168.11.0/24`
   - **Gateway:** `192.168.11.1` (or leave blank if using interface routing)
   - **Interface:** Select VLAN 11 interface (or leave as default)
   - **Distance:** 1 (or default)
   - **Enabled:** ✅ Checked
3. **Click:** **Add** or **Save**
4. **Verify Route:**
   - Route should appear in the static routes list
   - Status should show as active/enabled

---

## Troubleshooting

### Issue: Cannot see "Enable Inter-VLAN Routing" option

**Possible Causes:**
- Option may be named differently in your UDM Pro version
- Inter-VLAN routing may be enabled by default
- Option may be in a different location

**Solutions:**
1. Check network settings for any routing-related options
2. Verify both networks are configured as VLANs
3. Check Zone-Based Firewall policies instead

### Issue: Networks are in different zones

**Solution:**
1. Move both networks to the same zone (Internal)
2. Or create firewall policy between zones
3. Reference: [UDM_PRO_ZONE_BASED_FIREWALL_GUIDE.md](./UDM_PRO_ZONE_BASED_FIREWALL_GUIDE.md)

### Issue: "Block All" security posture is enabled

**Solution:**
1. Change Default Security Posture to "Allow All" or "Auto"
2. This is in Global Switch Settings on the Networks page
3. Save changes

### Issue: Routing works but firewall blocks traffic

**Solution:**
1. Check ACL rules (firewall rules)
2. Verify "Allow Default Network to Management VLAN" rule exists
3. Check rule priority (lower numbers = higher priority)
4. Ensure no BLOCK rules with higher priority

---

## Verification Checklist

After configuration, verify:

- [ ] Default network (192.168.0.0/24) is configured correctly
- [ ] MGMT-LAN (VLAN 11 - 192.168.11.0/24) is configured correctly
- [ ] Inter-VLAN routing is enabled (or enabled by default)
- [ ] Both networks are in the same zone (Internal)
- [ ] Zone policy allows Internal → Internal communication
- [ ] Default Security Posture is not "Block All"
- [ ] Firewall rule exists: "Allow Default Network to Management VLAN"
- [ ] Static route added (if needed)
- [ ] Ping test succeeds: `ping 192.168.11.10` from `192.168.0.23`

---

## Current Network Status

Based on the Networks settings page:

| Network | VLAN | Subnet | Gateway | DHCP Status | Clients |
|---------|------|--------|---------|-------------|---------|
| Default | 1 | 192.168.0.0/24 | UDM Pro | Server | 2/249 |
| MGMT-LAN | 11 | 192.168.11.0/24 | UDM Pro | Server | 0/249 |
| BESU-VAL | 110 | 10.110.0.0/24 | UDM Pro | Server | 0/249 |
| BESU-SEN | 111 | 10.111.0.0/24 | UDM Pro | Server | 0/249 |
| BESU-RPC | 112 | 10.112.0.0/24 | UDM Pro | Server | 0/249 |
| BLOCKSCOUT | 120 | 10.120.0.0/24 | UDM Pro | Server | 0/249 |
| CACTI | 121 | 10.121.0.0/24 | UDM Pro | Server | 0/249 |
| CCIP-OPS | 130 | 10.130.0.0/24 | UDM Pro | Server | 0/249 |
| CCIP-COMMIT | 132 | 10.132.0.0/24 | UDM Pro | Server | 0/249 |
| CCIP-EXEC | 133 | 10.133.0.0/24 | UDM Pro | Server | 0/249 |
| CCIP-RMN | 134 | 10.134.0.0/24 | UDM Pro | Server | 0/249 |
| FABRIC | 140 | 10.140.0.0/24 | UDM Pro | Server | 0/249 |
| FIREFLY | 141 | 10.141.0.0/24 | UDM Pro | Server | 0/249 |
| INDY | 150 | 10.150.0.0/24 | UDM Pro | Server | 0/249 |
| SANKOFA-SVC | 160 | 10.160.0.0/22 | UDM Pro | Server | 0/1007 |
| PHX-SOV-SMOM | 200 | 10.200.0.0/20 | UDM Pro | Server | 0/4069 |
| PHX-SOV-ICCC | 201 | 10.201.0.0/20 | UDM Pro | Server | 0/4069 |
| PHX-SOV-DBIS | 202 | 10.202.0.0/24 | UDM Pro | Server | 0/249 |
| PHX-SOV-AR | 203 | 10.203.0.0/20 | UDM Pro | Server | 0/4069 |

**Note:** All networks show "Server" for DHCP, indicating DHCP servers are configured. Default network has 2 active clients.

---

## Related Documentation

- [UDM_PRO_ROUTING_TROUBLESHOOTING.md](./UDM_PRO_ROUTING_TROUBLESHOOTING.md) - Detailed troubleshooting guide
- [UDM_PRO_ZONE_BASED_FIREWALL_GUIDE.md](./UDM_PRO_ZONE_BASED_FIREWALL_GUIDE.md) - Zone-Based Firewall configuration
- [VLAN_11_SETTINGS_REFERENCE.md](./VLAN_11_SETTINGS_REFERENCE.md) - VLAN 11 complete settings
- [UDM_PRO_ROUTING_API_LIMITATIONS.md](./UDM_PRO_ROUTING_API_LIMITATIONS.md) - API limitations for routing
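
The rule-priority check from "Issue: Routing works but firewall blocks traffic", as an added example (not part of the original guide and not UniFi's own code): a simplified first-match model, assuming rules are evaluated lowest number first, showing how a BLOCK rule ahead of "Allow Default Network to Management VLAN" decides traffic from 192.168.0.23 to 192.168.11.10. The block rule, the priority numbers and the function names are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    priority: int   # lower number = higher priority (as stated in the guide)
    name: str
    action: str     # "ALLOW" or "BLOCK"
    src: str        # source CIDR
    dst: str        # destination CIDR

def matches(rule, src_ip, dst_ip):
    """True when both addresses fall inside the rule's source/destination CIDRs."""
    return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(rule.dst))

def decide(rules, src_ip, dst_ip, default="BLOCK"):
    """Return (action, deciding rule name); first match in priority order wins.
    The fallback posture is an assumption of this model."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if matches(rule, src_ip, dst_ip):
            return rule.action, rule.name
    return default, "default posture"

def shadowed_allows(rules):
    """List (allow, block) pairs where a higher-priority BLOCK fully covers an ALLOW."""
    findings = []
    for allow in (r for r in rules if r.action == "ALLOW"):
        a_src, a_dst = ipaddress.ip_network(allow.src), ipaddress.ip_network(allow.dst)
        for block in rules:
            if block.action != "BLOCK" or block.priority >= allow.priority:
                continue
            if (a_src.subnet_of(ipaddress.ip_network(block.src))
                    and a_dst.subnet_of(ipaddress.ip_network(block.dst))):
                findings.append((allow.name, block.name))
    return findings

# Constructed rule set; only the allow rule's name and the subnets come from the guide.
BLOCK_NAME = "Block 192.168.0.0/16 to MGMT-LAN (constructed)"
ALLOW_NAME = "Allow Default Network to Management VLAN"
RULES = [
    Rule(2000, BLOCK_NAME, "BLOCK", "192.168.0.0/16", "192.168.11.0/24"),
    Rule(2010, ALLOW_NAME, "ALLOW", "192.168.0.0/24", "192.168.11.0/24"),
]

if __name__ == "__main__":
    print(decide(RULES, "192.168.0.23", "192.168.11.10"))
    print(shadowed_allows(RULES))
```

A non-empty result from `shadowed_allows` means the allow rule exists but can never decide traffic, which is the case item 4 of that solution asks you to rule out.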