proxmox/docs/04-configuration/UDM_PRO_NETWORK_ISOLATION_CHECK.md
defiQUG fbda1b4beb
docs: Ledger Live integration, contract deploy learnings, NEXT_STEPS updates
- ADD_CHAIN138_TO_LEDGER_LIVE: Ledger form done; public code review repo bis-innovations/LedgerLive; init/push commands
- CONTRACT_DEPLOYMENT_RUNBOOK: Chain 138 gas price 1 gwei, 36-addr check, TransactionMirror workaround
- CONTRACT_*: AddressMapper, MirrorManager deployed 2026-02-12; 36-address on-chain check
- NEXT_STEPS_FOR_YOU: Ledger done; steps completable now (no LAN); run-completable-tasks-from-anywhere
- MASTER_INDEX, OPERATOR_OPTIONAL, SMART_CONTRACTS_INVENTORY_SIMPLE: updates
- LEDGER_BLOCKCHAIN_INTEGRATION_COMPLETE: bis-innovations/LedgerLive reference

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-02-12 15:46:57 -08:00

# UDM Pro Network Isolation & Policy Engine Check
**Last Updated:** 2026-01-14
**Status:** Active Documentation
**Issue:** Routing blocked by Network Isolation or Policy Engine (UniFi Network 9.x)
---
## Problem Analysis
Based on UniFi Network 9.x interface analysis, the routing issue may NOT be about static routes, but rather:
1. **Network Isolation Toggle** - "Isolate Network" enabled on MGMT-LAN
2. **Policy Engine Zone Matrix** - Inter-VLAN blocking in Internal → Internal zone
3. **CyberSecure Interference** - Security policies blocking management traffic
---
## Step 1: Gateway Ping Test
**Purpose:** Verify if UDM Pro is routing correctly
```bash
# From Default network (192.168.0.x)
ping -c 3 192.168.11.1 # VLAN 11 Gateway
```
**Expected Results:**
- **Can ping gateway (.1) but not device (.10):** UDM is routing correctly, but destination device firewall is blocking
- **Cannot ping gateway (.1):** UDM routing/policy is blocking
---
## Step 2: Check Network Isolation Toggle
### Location
1. Navigate: **Settings → Networks**
2. Click on **MGMT-LAN** (VLAN 11)
3. Scroll to **"Network"** section (above DHCP section)
4. Look for **"Isolate Network"** toggle
### Action Required
- **UNCHECK** "Isolate Network" if enabled
- ⚠️ **Why:** This applies "Zero Trust" and blocks ALL inter-VLAN communication
### Verification
- After unchecking, wait 30-60 seconds for changes to propagate
- Test connectivity: `ping 192.168.11.10`
---
## Step 3: Verify Zone Matrix (Policy Engine)
### Location
1. Click the **Grid icon** in sidebar (under "Policy Engine")
2. Find the cell: **Source: Internal** → **Destination: Internal**
3. Check the policy for this zone pair
### Action Required
- ✅ Ensure policy says **"Allow All"** (not "Block Inter-VLAN")
- ⚠️ **If blocked:** Click the cell and change to "Allow All"
### Zone Matrix Structure
```
Source Zone → Destination Zone
Internal → Internal [Should be "Allow All"]
Internal → External [Usually "Allow All"]
External → Internal [Usually "Block All"]
```
---
## Step 4: Check CyberSecure Settings
### Location
1. Click the **Shield icon** in sidebar (CyberSecure)
2. Check **"Simple App Blocking"** settings
3. Check **"Protection Rules"** for inter-VLAN blocking
4. Check **"Security Posture"** mode
### Action Required
- ⚠️ **If CyberSecure is active:** Check if it's blocking "lateral movement" or "suspicious traffic"
- ⚠️ **Security Posture:** If set to "Restrictive" or "High Security", it may block inter-VLAN traffic
- ⚠️ **Propagation Time:** If just activated, wait 15 minutes for signatures to propagate
### Common CyberSecure Rules That Block Inter-VLAN
- "Block Lateral Movement"
- "Block Suspicious Traffic"
- "Zero Trust Network Access"
- "Network Segmentation"
---
## Step 5: Check Traffic Flows (Insights)
### Location
1. Click **Insights** in sidebar
2. Go to **"Traffic Flows"** or **"Traffic Analysis"**
3. Filter for traffic from `192.168.0.0/24` to `192.168.11.0/24`
### What to Look For
- **Blocked/Dropped packets** - Shows which policy is blocking
- **Source/Destination** - Verify traffic is reaching UDM Pro
- **Policy Name** - Identifies which rule is blocking
---
## Step 6: Verify Firewall Rules (ACL Rules)
Even with zones configured, check explicit firewall rules:
```bash
cd /home/intlc/projects/proxmox
# NODE_TLS_REJECT_UNAUTHORIZED=0 makes Node accept the UDM Pro's self-signed
# controller certificate by disabling TLS verification for this one process;
# keep it scoped to the command as shown rather than exporting it in the shell.
NODE_TLS_REJECT_UNAUTHORIZED=0 node scripts/unifi/list-acl-rules-node.js
```
**Look for:**
- ✅ Allow rule: `192.168.0.0/24` → `192.168.11.0/24` (Priority 5)
- ❌ Block rule: Higher priority blocking the same traffic
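The "higher-priority block rule" check is easy to get wrong by eye when rules use broader prefixes than the flow being tested. The following is an added example, not the project's `list-acl-rules-node.js` and not UniFi's API schema: it evaluates a constructed rule list in priority order for the `192.168.0.0/24` → `192.168.11.0/24` flow and reports the deciding rule and any block rule that shadows the Priority 5 allow. The rule object shape and the assumption that a lower priority number is evaluated first are mine; map the fields of your exported rules onto them before using it.

```javascript
// Added example (not the project's script, not the UniFi API schema):
// first-match evaluation of firewall rules with prefix overlap, to find a
// block rule that shadows the inter-VLAN allow rule.
// Assumption: lower `priority` is evaluated first (as the runbook's
// "Priority 5" allow rule suggests); `src`/`dst` are IPv4 CIDRs or 'any'.

function parseCidr(cidr) {
  const [ip, bitsStr] = cidr.split('/');
  const bits = bitsStr === undefined ? 32 : Number(bitsStr);
  const octets = ip.split('.').map(Number);
  if (octets.length !== 4 || octets.some(o => !Number.isInteger(o) || o < 0 || o > 255) ||
      !Number.isInteger(bits) || bits < 0 || bits > 32) {
    throw new Error(`invalid CIDR: ${cidr}`);
  }
  const addr = ((octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]) >>> 0;
  const mask = bits === 0 ? 0 : (0xFFFFFFFF << (32 - bits)) >>> 0; // /0 needs special-casing: JS shifts mod 32
  return { net: (addr & mask) >>> 0, mask, bits };
}

// Two prefixes overlap iff they agree under the shorter prefix's mask.
function cidrOverlap(a, b) {
  const pa = parseCidr(a), pb = parseCidr(b);
  const m = pa.bits <= pb.bits ? pa.mask : pb.mask;
  return ((pa.net & m) >>> 0) === ((pb.net & m) >>> 0);
}

function ruleMatchesFlow(rule, src, dst) {
  const any = v => (v === 'any' ? '0.0.0.0/0' : v);
  return cidrOverlap(any(rule.src), src) && cidrOverlap(any(rule.dst), dst);
}

// First-match semantics: the earliest matching rule decides. Also report the
// allow rule the runbook expects and every block rule evaluated before it.
function evaluateFlow(rules, src, dst) {
  const ordered = rules
    .filter(r => r.enabled !== false)
    .sort((a, b) => a.priority - b.priority);
  const matches = ordered.filter(r => ruleMatchesFlow(r, src, dst));
  const first = matches[0] || null;
  const allow = matches.find(r => r.action === 'allow') || null;
  const shadowing = allow ? matches.filter(r => r.action === 'block' && r.priority < allow.priority) : [];
  return {
    verdict: first ? first.action : 'no-match',
    decidingRule: first ? first.name : null,
    allowRule: allow ? allow.name : null,
    shadowedBy: shadowing.map(r => r.name),
  };
}

// Constructed sample rule set, not exported from a real controller: a broad
// "Block Inter-VLAN" rule sits in front of the expected Priority 5 allow.
const SAMPLE_RULES = [
  { name: 'Allow Default to MGMT-LAN', priority: 5, action: 'allow', src: '192.168.0.0/24', dst: '192.168.11.0/24' },
  { name: 'Block Inter-VLAN', priority: 2, action: 'block', src: '192.168.0.0/16', dst: '192.168.0.0/16' },
  { name: 'Block IoT to MGMT-LAN', priority: 3, action: 'block', src: '192.168.20.0/24', dst: '192.168.11.0/24' },
];

const FLOW = { src: '192.168.0.0/24', dst: '192.168.11.0/24' };

// Same rules with the broad block moved behind the allow: the runbook's target state.
function reorderedRules(rules = SAMPLE_RULES) {
  return rules.map(r => (r.name === 'Block Inter-VLAN' ? { ...r, priority: 10 } : r));
}

console.log('as exported:', evaluateFlow(SAMPLE_RULES, FLOW.src, FLOW.dst));
console.log('after reordering:', evaluateFlow(reorderedRules(), FLOW.src, FLOW.dst));
```

With the sample set the verdict is `block`, decided by "Block Inter-VLAN", and `shadowedBy` names it; after moving that rule behind Priority 5 the same flow evaluates to `allow` with nothing shadowing it. Note that the /16 block matches even though the allow is a /24: overlap, not equality, is what shadows a rule.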
---
## Quick Diagnostic Checklist
- [ ] Gateway ping test: `ping 192.168.11.1` (from Default network)
- [ ] Network Isolation: **UNCHECKED** on MGMT-LAN
- [ ] Zone Matrix: Internal → Internal = **"Allow All"**
- [ ] CyberSecure: No blocking rules for inter-VLAN traffic
- [ ] Firewall Rules: Allow rule exists and has correct priority
- [ ] Traffic Flows: Check Insights for blocked packets
---
## Expected Configuration
### MGMT-LAN (VLAN 11) Settings
- **Network Isolation:** ❌ Disabled (UNCHECKED)
- **Zone:** Internal
- **DHCP:** Enabled
- **Auto Default Gateway:** ✅ Enabled
### Policy Engine Zone Matrix
- **Internal → Internal:** Allow All
- **Internal → External:** Allow All (or as needed)
- **External → Internal:** Block All (default)
### Firewall Rules
- **Priority 5:** Allow `192.168.0.0/24` → `192.168.11.0/24` (All protocols)
---
## Troubleshooting Order
1. **First:** Check Network Isolation toggle (fastest fix)
2. **Second:** Verify Zone Matrix policy
3. **Third:** Check CyberSecure settings
4. **Fourth:** Review Traffic Flows in Insights
5. **Last:** Verify firewall rules priority
---
## After Making Changes
1. **Wait 30-60 seconds** for changes to propagate
2. **Test connectivity:**
```bash
ping -c 3 192.168.11.1 # Gateway
ping -c 3 192.168.11.10 # Device
```
3. **Check Traffic Flows** in Insights to verify traffic is flowing
---
## References
- [UniFi Network 9.x Policy Engine Guide](https://help.ui.com/articles/000001506)
- [Network Isolation Documentation](https://help.ui.com/articles/000001507)
- [CyberSecure Documentation](https://help.ui.com/articles/000001508)