# VMID 7810 Gateway Layer-2/Layer-3 Boundary Diagnostic **Date**: 2026-01-05 **Issue**: Gateway 192.168.11.1 not reachable - suspected Layer-2/Layer-3 boundary problem --- ## Problem Statement **Observation**: VLAN 11 switching works (containers can reach each other), but VLAN 11's default gateway (192.168.11.1 on UDM Pro) is not reachable from VLAN 11 devices. This points to a **Layer-2/Layer-3 boundary issue** between VLAN 11 devices and the UDM Pro's VLAN 11 SVI, not an "internet" or routing issue. --- ## Diagnostic Tests Performed ### Test 1: TCP Connectivity (Bypass ICMP) **Purpose**: Determine if ICMP is blocked but TCP routing still works. **Commands**: ```bash nc -zv 192.168.11.1 53 # DNS nc -zv 192.168.11.1 443 # HTTPS ``` **Results**: [See test output above] --- ### Test 2: ARP/ARPing Gateway Discovery **Purpose**: Check if gateway responds to ARP and verify MAC address. **Commands**: ```bash ip neigh flush all arping -I eth0 192.168.11.1 -c 3 ip neigh show | grep 192.168.11.1 ``` **Results**: [See test output above] **What to Look For**: - If arping shows responses from wrong MAC → duplicate gateway/ARP issue - If no response → VLAN 11 not reaching UDM / port profile mismatch --- ### Test 3: Proxmox Bridge VLAN Configuration **Purpose**: Verify bridge VLAN awareness and tagging. **Commands**: ```bash cat /etc/network/interfaces bridge vlan show ``` **Results**: [See test output above] **What to Check**: - `bridge-vlan-aware yes` on the bridge - VLAN 11 present as expected - No mismatch where VMs are tagged but switch port is access/native (or vice versa) --- ### Test 4: HTTP Test to Gateway **Purpose**: Additional TCP-based connectivity test. **Command**: ```bash curl -m 3 http://192.168.11.1 ``` **Results**: [See test output above] --- ### Test 5: Gateway MAC Address Check **Purpose**: Verify ARP table entries for gateway. **Commands**: ```bash ip neigh show 192.168.11.1 ip neigh show | head -10 ``` **Results**: [See test output above] --- ### Test 6: Multi-Port TCP Test **Purpose**: Test multiple TCP ports to see if any are reachable. **Command**: ```bash for port in 53 443 80 22; do timeout 2 bash -c "echo > /dev/tcp/192.168.11.1/$port" done ``` **Results**: [See test output above] --- ## Recommended Additional Checks (On UDM Pro) ### Check 1: Verify UDM Pro VLAN 11 SVI Exists **SSH to UDM Pro and run**: ```bash ip addr | grep -E "192.168.11.1|vlan|br" ip route | head ``` **What to Look For**: - Interface that has `192.168.11.1/24` bound - If **not present**: MGMT-LAN configured in controller but dataplane not applying it - If **present**: Problem is likely tagging/port profile/ACL --- ### Check 2: Verify VLAN Trunking to UDM Pro **In UniFi Controller**: 1. Check switch port that uplinks from switch to UDM Pro 2. Check switch ports that uplink to Proxmox hosts 3. Verify all are trunked ("All" or profile with VLAN 11 tagged) **Common Issue**: VLAN 11 exists on downstream switches but not properly trunked to UDM --- ### Check 3: Check LAN LOCAL Firewall Rules **UniFi can block ping to gateway while still routing.** **Verify**: - Check if LAN LOCAL rules block ICMP to gateway - If ping fails but TCP 53/443 succeeds → LAN LOCAL blocking ICMP, routing may still work --- ## Decision Tree 1. **Does `192.168.11.1` exist on UDM interface?** - **No** → Restart Network app / reboot UDM - **Yes** → Continue 2. **Does `nc -zv 192.168.11.1 53` work?** - **Yes** → ICMP blocked; routing might still work; check DNS config - **No** → Continue 3. **Does `arping 192.168.11.1` return anything?** - **Response from wrong MAC** → Duplicate gateway/ARP issue - **No response** → VLAN 11 not reaching UDM / port profile mismatch 4. **Confirm uplink port profiles**: - Switch↔UDM: trunking VLAN 11? - Switch↔Proxmox: trunking VLAN 11? --- ## Most Likely Scenarios ### Scenario A: UDM Not Binding VLAN 11 SVI - **Symptom**: `ip addr` on UDM shows no `192.168.11.1` - **Fix**: Restart Network app or reboot UDM Pro ### Scenario B: VLAN Tagging Path Issue - **Symptom**: VLAN 11 works locally but not trunked to UDM - **Fix**: Configure trunk ports properly in UniFi ### Scenario C: LAN LOCAL Blocking Gateway - **Symptom**: Ping fails but TCP works - **Fix**: Adjust LAN LOCAL firewall rules ### Scenario D: Gateway/ARP Conflict - **Symptom**: ARP shows wrong MAC for gateway - **Fix**: Find and remove duplicate 192.168.11.1 device --- ## Next Steps 1. ✅ Run diagnostic tests above (in progress) 2. ⏳ Check UDM Pro VLAN 11 SVI (requires UDM SSH access) 3. ⏳ Verify VLAN trunking configuration in UniFi 4. ⏳ Review LAN LOCAL firewall rules 5. ⏳ Check for duplicate gateway IPs --- **Last Updated**: 2026-01-05 **Status**: Diagnostic tests running