# UDM Pro Network Isolation & Policy Engine Check

**Last Updated:** 2026-01-14
**Status:** Active Documentation
**Issue:** Routing blocked by Network Isolation or Policy Engine (UniFi Network 9.x)

---

## Problem Analysis

Based on UniFi Network 9.x interface analysis, the routing issue may NOT be about static routes, but rather one of:

1. **Network Isolation Toggle** - "Isolate Network" enabled on MGMT-LAN
2. **Policy Engine Zone Matrix** - Inter-VLAN blocking in the Internal → Internal zone pair
3. **CyberSecure Interference** - Security policies blocking management traffic

---

## Step 1: Gateway Ping Test

**Purpose:** Verify whether the UDM Pro is routing correctly

```bash
# From the Default network (192.168.0.x)
ping -c 3 192.168.11.1   # VLAN 11 gateway
```

**Expected Results:**

- ✅ **Can ping gateway (.1) but not device (.10):** UDM is routing correctly, but the destination device's host firewall is blocking
- ❌ **Cannot ping gateway (.1):** UDM routing/policy is blocking

---

## Step 2: Check Network Isolation Toggle

### Location

1. Navigate: **Settings → Networks**
2. Click on **MGMT-LAN** (VLAN 11)
3. Scroll to the **"Network"** section (above the DHCP section)
4. Look for the **"Isolate Network"** toggle

### Action Required

- ✅ **UNCHECK** "Isolate Network" if enabled
- ⚠️ **Why:** This applies "Zero Trust" and blocks ALL inter-VLAN communication

### Verification

- After unchecking, wait 30-60 seconds for changes to propagate
- Test connectivity: `ping 192.168.11.10`

---

## Step 3: Verify Zone Matrix (Policy Engine)

### Location

1. Click the **Grid icon** in the sidebar (under "Policy Engine")
2. Find the cell: **Source: Internal** → **Destination: Internal**
3. Check the policy for this zone pair

### Action Required

- ✅ Ensure the policy says **"Allow All"** (not "Block Inter-VLAN")
- ⚠️ **If blocked:** Click the cell and change it to "Allow All"

### Zone Matrix Structure

```
Source Zone → Destination Zone
Internal → Internal   [Should be "Allow All"]
Internal → External   [Usually "Allow All"]
External → Internal   [Usually "Block All"]
```

---

## Step 4: Check CyberSecure Settings

### Location

1. Click the **Shield icon** in the sidebar (CyberSecure)
2. Check the **"Simple App Blocking"** settings
3. Check **"Protection Rules"** for inter-VLAN blocking
4. Check the **"Security Posture"** mode

### Action Required

- ⚠️ **If CyberSecure is active:** Check whether it is blocking "lateral movement" or "suspicious traffic"
- ⚠️ **Security Posture:** If set to "Restrictive" or "High Security", it may block inter-VLAN traffic
- ⚠️ **Propagation Time:** If just activated, wait 15 minutes for signatures to propagate

### Common CyberSecure Rules That Block Inter-VLAN

- "Block Lateral Movement"
- "Block Suspicious Traffic"
- "Zero Trust Network Access"
- "Network Segmentation"

---

## Step 5: Check Traffic Flows (Insights)

### Location

1. Click **Insights** in the sidebar
2. Go to **"Traffic Flows"** or **"Traffic Analysis"**
3. Filter for traffic from `192.168.0.0/24` to `192.168.11.0/24`

### What to Look For

- **Blocked/Dropped packets** - Shows which policy is blocking
- **Source/Destination** - Verify the traffic is reaching the UDM Pro
- **Policy Name** - Identifies which rule is blocking

---

## Step 6: Verify Firewall Rules (ACL Rules)

Even with zones configured, check the explicit firewall rules:

```bash
cd /home/intlc/projects/proxmox
# NODE_TLS_REJECT_UNAUTHORIZED=0 disables TLS certificate validation for every
# connection this Node process makes; it is here only to accept the UDM Pro's
# self-signed certificate. Prefer trusting that certificate explicitly instead.
NODE_TLS_REJECT_UNAUTHORIZED=0 node scripts/unifi/list-acl-rules-node.js
```

**Look for:**

- ✅ Allow rule: `192.168.0.0/24` → `192.168.11.0/24` (Priority 5)
- ❌ Block rule: a higher-priority rule blocking the same traffic

---

## Quick Diagnostic Checklist

- [ ] Gateway ping test: `ping 192.168.11.1` (from the Default network)
- [ ] Network Isolation: **UNCHECKED** on MGMT-LAN
- [ ] Zone Matrix: Internal → Internal = **"Allow All"**
- [ ] CyberSecure: No blocking rules for inter-VLAN traffic
- [ ] Firewall Rules: Allow rule exists and has the correct priority
- [ ] Traffic Flows: Check Insights for blocked packets

---

## Expected Configuration

### MGMT-LAN (VLAN 11) Settings

- **Network Isolation:** ❌ Disabled (UNCHECKED)
- **Zone:** Internal
- **DHCP:** Enabled
- **Auto Default Gateway:** ✅ Enabled

### Policy Engine Zone Matrix

- **Internal → Internal:** Allow All
- **Internal → External:** Allow All (or as needed)
- **External → Internal:** Block All (default)

### Firewall Rules

- **Priority 5:** Allow `192.168.0.0/24` → `192.168.11.0/24` (All protocols)

---

## Troubleshooting Order

1. **First:** Check the Network Isolation toggle (fastest fix)
2. **Second:** Verify the Zone Matrix policy
3. **Third:** Check CyberSecure settings
4. **Fourth:** Review Traffic Flows in Insights
5. **Last:** Verify firewall rule priority

---

## After Making Changes

1. **Wait 30-60 seconds** for changes to propagate
2. **Test connectivity:**

   ```bash
   ping -c 3 192.168.11.1    # Gateway
   ping -c 3 192.168.11.10   # Device
   ```

3. **Check Traffic Flows** in Insights to verify traffic is flowing

---

## References

- [UniFi Network 9.x Policy Engine Guide](https://help.ui.com/articles/000001506)
- [Network Isolation Documentation](https://help.ui.com/articles/000001507)
- [CyberSecure Documentation](https://help.ui.com/articles/000001508)
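The two checks this runbook relies on most, the Step 1 / "After Making Changes" ping interpretation and the Step 6 search for a higher-priority block rule shadowing the Priority 5 allow, can be scripted so the result is a stable verdict rather than a glance at terminal output. The code below is an added example, not part of the original runbook and not the `list-acl-rules-node.js` script it references. It assumes a Linux host with iputils `ping` (`-c`, `-W` flags), that lower priority numbers are evaluated first (assumption), and a constructed rule shape (`priority`, `action`, `src`, `dst`) rather than the real UniFi API schema; the sample rules are constructed for illustration.

```python
"""Inter-VLAN diagnostic helpers for the UDM Pro runbook above (added example).

Assumptions (not from the original page):
- Linux iputils ping (-c count, -W per-reply timeout in seconds).
- Firewall rules with a lower `priority` number are evaluated first.
- `Rule` is a constructed shape, not the UniFi controller's API schema.
"""
import ipaddress
import subprocess
from dataclasses import dataclass
from typing import Iterable, Optional

GATEWAY = "192.168.11.1"   # VLAN 11 gateway from the runbook
DEVICE = "192.168.11.10"   # management host from the runbook


def host_reachable(host: str, count: int = 3, timeout_s: int = 2) -> bool:
    """Run the Step 1 ping test; True when ping exits 0 (at least one reply)."""
    result = subprocess.run(
        ["ping", "-c", str(count), "-W", str(timeout_s), host],
        capture_output=True, text=True, check=False,
    )
    return result.returncode == 0


def classify_ping(gateway_ok: bool, device_ok: bool) -> str:
    """Map the gateway/device ping outcomes to the Step 1 interpretation."""
    if not gateway_ok:
        return "udm-policy-blocking"        # cannot reach .1: UDM routing/policy
    if not device_ok:
        return "destination-host-firewall"  # .1 answers, .10 does not
    return "routing-ok"


@dataclass(frozen=True)
class Rule:
    priority: int
    action: str  # "allow" or "block"
    src: str     # source CIDR
    dst: str     # destination CIDR


def _overlaps(a: str, b: str) -> bool:
    return ipaddress.ip_network(a).overlaps(ipaddress.ip_network(b))


def _matches(rule: Rule, src: str, dst: str) -> bool:
    # A rule is treated as applying to the flow when both its source and
    # destination prefixes overlap the flow's prefixes.
    return _overlaps(rule.src, src) and _overlaps(rule.dst, dst)


def first_matching_rule(rules: Iterable[Rule], src: str, dst: str) -> Optional[Rule]:
    """First rule in priority order that applies to src -> dst; None if none."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if _matches(rule, src, dst):
            return rule
    return None


def find_shadowing_block(rules: Iterable[Rule], src: str, dst: str) -> Optional[Rule]:
    """Return the block rule that pre-empts a lower-priority allow for src -> dst.

    None means either the flow is allowed, or it is blocked with no allow rule
    behind the block (a plain block, not a shadowing problem).
    """
    rules = list(rules)
    winner = first_matching_rule(rules, src, dst)
    if winner is None or winner.action != "block":
        return None
    shadowed_allows = [
        r for r in rules
        if r.action == "allow" and r.priority > winner.priority and _matches(r, src, dst)
    ]
    return winner if shadowed_allows else None


# Constructed sample: the runbook's Priority 5 allow plus a broader block in front of it.
SAMPLE_RULES = [
    Rule(priority=5, action="allow", src="192.168.0.0/24", dst="192.168.11.0/24"),
    Rule(priority=2, action="block", src="192.168.0.0/16", dst="192.168.11.0/24"),
]

if __name__ == "__main__":
    verdict = classify_ping(host_reachable(GATEWAY), host_reachable(DEVICE))
    print("ping verdict:", verdict)
    shadow = find_shadowing_block(SAMPLE_RULES, "192.168.0.0/24", "192.168.11.0/24")
    print("shadowing block rule:", shadow)
```

Feed `find_shadowing_block` the rule list exported by whatever tool you use to dump the controller's ACL rules (mapping its fields onto `Rule`), and run the ping verdict from a host on the Default network; a verdict of `udm-policy-blocking` points at Steps 2 through 4, while `destination-host-firewall` means the UDM Pro is not the problem.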