proxmox/docs/04-configuration/UDM_PRO_ROUTING_API_LIMITATIONS.md
defiQUG fbda1b4beb
docs: Ledger Live integration, contract deploy learnings, NEXT_STEPS updates
- ADD_CHAIN138_TO_LEDGER_LIVE: Ledger form done; public code review repo bis-innovations/LedgerLive; init/push commands
- CONTRACT_DEPLOYMENT_RUNBOOK: Chain 138 gas price 1 gwei, 36-addr check, TransactionMirror workaround
- CONTRACT_*: AddressMapper, MirrorManager deployed 2026-02-12; 36-address on-chain check
- NEXT_STEPS_FOR_YOU: Ledger done; steps completable now (no LAN); run-completable-tasks-from-anywhere
- MASTER_INDEX, OPERATOR_OPTIONAL, SMART_CONTRACTS_INVENTORY_SIMPLE: updates
- LEDGER_BLOCKCHAIN_INTEGRATION_COMPLETE: bis-innovations/LedgerLive reference

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-02-12 15:46:57 -08:00


# UDM Pro Routing Configuration via API
**Last Updated:** 2026-01-13

**Status:** Routing configuration NOT available via API

---
## Summary
**Answer: No, routing configuration cannot be handled via the API.**

The UniFi Network API provides **read-only** access to routing information but does **not** support configuring static routes or inter-VLAN routing via API endpoints.

---
## API Routing Endpoints
### Available (Read-Only)
| Endpoint | Method | Access | Description |
|----------|--------|--------|-------------|
| `/api/s/{site}/stat/routing` | GET | ✅ Read | Routing statistics |
| `/api/s/{site}/rest/routing` | GET | ✅ Read | Routing configuration (varies by version) |

**Note:** These endpoints are **read-only**. They allow you to view routing information but cannot be used to create, modify, or delete routes.
### Not Available (Write Access)
| Configuration | API Endpoint | Status |
|---------------|--------------|--------|
| Static Routes | ❌ Not available | Requires web UI |
| Inter-VLAN Routing | ❌ Not available | Requires web UI |
| Route Configuration | ❌ Not available | Requires web UI |
| Network Routing Settings | ❌ Not available | Requires web UI |
---
## Current API Capabilities
### Official API (API Key)
**Write Access Available:**

- ✅ ACL Rules (`/sites/{siteId}/acl-rules`)
- ✅ Firewall Zones (`/sites/{siteId}/firewall/zones`)
- ✅ Traffic Matching Lists (`/sites/{siteId}/traffic-matching-lists`)

**Write Access NOT Available:**

- ❌ Network/VLAN creation/modification
- ❌ Static routes configuration
- ❌ Inter-VLAN routing configuration
- ❌ DHCP reservations
- ❌ Port profiles
- ❌ System configuration
### Private API (Username/Password)
**Write Access:**
- ❌ Network creation/modification (403 Forbidden - permission issue)
- ❌ Routing configuration (not available)
---
## Why Routing Configuration Requires Manual Setup
1. **Security:** Routing configuration is a critical network function that affects all traffic
2. **Complexity:** Routing involves multiple network interfaces and requires careful configuration
3. **API Limitations:** UniFi Network API focuses on firewall/ACL rules, not routing
4. **UDM Pro Design:** Routing is typically configured during initial setup or via web UI
---
## Solutions for Routing Configuration
### Option 1: Manual Configuration via Web UI (Recommended)
1. **Access UniFi Network Web Interface:**
   - URL: `https://192.168.0.1`
   - Navigate to: **Settings** → **Networks**
2. **Verify Inter-VLAN Routing:**
   - Check each network's settings
   - Ensure "Enable Inter-VLAN Routing" or similar option is enabled
   - This is typically enabled by default for VLANs
3. **Configure Static Route (if needed):**
   - Navigate to: **Settings** → **Routing & Firewall** → **Static Routes**
   - Add route: `192.168.11.0/24` via `192.168.11.1`
   - Save configuration

**Reference:** [UDM_PRO_ROUTING_TROUBLESHOOTING.md](./UDM_PRO_ROUTING_TROUBLESHOOTING.md)
### Option 2: Verify Network Configuration
The routing issue may be resolved by ensuring:
- Both networks are properly configured as VLANs
- Inter-VLAN routing is enabled (default for VLANs)
- Networks are in the same zone (Internal zone allows "Allow All" policy)

**Current Status:**

- Default network: `192.168.0.0/24` → Internal zone
- MGMT-LAN (VLAN 11): `192.168.11.0/24` → Internal zone
- Zone Policy: Internal → Internal = "Allow All"

Since both networks are in the Internal zone with "Allow All" policy, the firewall/zone should allow traffic. The issue is likely routing configuration.

---
## Workaround: Use Firewall Rules
While routing cannot be configured via API, you can use firewall rules to control traffic:
1. **Firewall Rules (ACL Rules) - Available via API:**
   - ✅ Create rules to allow/block traffic between networks
   - ✅ Configure source/destination filters
   - ✅ Set protocol and port filters
2. **Current Firewall Rule:**
   - Rule: "Allow Default Network to Management VLAN"
   - Priority: 5
   - Allows: `192.168.0.0/24` → VLAN 11 (all protocols)
   - Status: ✅ Created via API

**Note:** Firewall rules control **access** but don't configure **routing**. If routing isn't configured, traffic won't reach the firewall rules.

---
## Testing Routing Configuration
### Check Current Routing (Read-Only via API)
You can query routing information to verify configuration:
```bash
# Using Private API (if available)
# Note: -k skips TLS certificate verification
curl -k -X GET 'https://192.168.0.1/proxy/network/api/s/default/stat/routing' \
  -H 'Cookie: unifises=<session-cookie>'

# Or via Official API (if routing endpoint exists); replace {siteId} with the site ID
curl -k -X GET 'https://192.168.0.1/proxy/network/integration/v1/sites/{siteId}/routing' \
  -H 'X-API-KEY: <api-key>'
```
**Note:** These endpoints may not exist or may return limited information.
### Manual Verification
1. **SSH to UDM Pro:**

   ```bash
   ssh root@192.168.0.1
   ```

2. **Check routing table:**

   ```bash
   ip route show
   # or
   route -n
   ```

3. **Look for route to VLAN 11:**
   - Should show: `192.168.11.0/24 dev <interface>` or `192.168.11.0/24 via <gateway>`
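
The check in step 3, as an added example (not part of the original document): a helper that reads `ip route show` output and reports whether `192.168.11.0/24` has a connected route, a static route, or no specific route at all. The sample routing tables and the interface names `eth8`, `br0`, `br11` and `br110` are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: classify how a prefix appears in `ip route show` output.
# Sample tables and interface names (eth8, br0, br11, br110) are constructed.

# classify_route PREFIX   (reads `ip route show` text on stdin)
# Prints: connected:<dev> | static:<gateway> | default-only | missing
# Returns 0 only when a route for exactly PREFIX exists.
classify_route() {
  awk -v want="$1" '
    $1 == want {                      # exact field match, so 192.168.110.0/24
      for (i = 2; i < NF; i++) {      # never satisfies 192.168.11.0/24
        if ($i == "via") { print "static:" $(i + 1); found = 1; exit }
        if ($i == "dev") { print "connected:" $(i + 1); found = 1; exit }
      }
    }
    $1 == "default" { has_default = 1 }
    END {
      if (found) exit 0
      # No specific route: traffic for PREFIX follows the default route, if any.
      print (has_default ? "default-only" : "missing")
      exit 1
    }'
}

# Constructed sample: VLAN 11 present as a directly connected network.
SAMPLE_OK='default via 203.0.113.1 dev eth8 proto dhcp
192.168.0.0/24 dev br0 proto kernel scope link src 192.168.0.1
192.168.11.0/24 dev br11 proto kernel scope link src 192.168.11.1'

# Constructed sample: VLAN 11 absent; a look-alike prefix must not match.
SAMPLE_MISSING='default via 203.0.113.1 dev eth8 proto dhcp
192.168.0.0/24 dev br0 proto kernel scope link src 192.168.0.1
192.168.110.0/24 dev br110 proto kernel scope link src 192.168.110.1'

# On the device itself: ip route show | classify_route 192.168.11.0/24
for table in "$SAMPLE_OK" "$SAMPLE_MISSING"; do
  printf '%s\n' "$table" | classify_route 192.168.11.0/24 || true
done
```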
---
## Conclusion
**Routing configuration must be done manually via the UDM Pro web interface.** The API cannot be used to:

- Create static routes
- Enable/disable inter-VLAN routing
- Configure routing between networks

**What the API CAN do:**

- ✅ Read routing statistics (if endpoint exists)
- ✅ Create firewall/ACL rules to control traffic
- ✅ Configure firewall zones

**Next Steps:**

1. Access UDM Pro web UI: `https://192.168.0.1`
2. Verify inter-VLAN routing is enabled
3. Add static route if needed (Settings → Routing & Firewall → Static Routes)
4. Test connectivity: `ping 192.168.11.10` from `192.168.0.23`
---
## Related Documentation
- [UDM_PRO_API_LIMITATIONS.md](./UDM_PRO_API_LIMITATIONS.md) - Complete API limitations
- [UDM_PRO_ROUTING_TROUBLESHOOTING.md](./UDM_PRO_ROUTING_TROUBLESHOOTING.md) - Routing troubleshooting guide
- [VLAN_11_SETTINGS_REFERENCE.md](./VLAN_11_SETTINGS_REFERENCE.md) - VLAN 11 configuration