proxmox/docs/04-configuration/UDM_PRO_ROUTING_DIAGNOSIS_COMPLETE.md

UDM Pro Routing Diagnosis - Complete Analysis

Last Updated: 2026-01-14
Status: Routing Working - Device Firewall Likely Blocking


Gateway Ping Test Results

Test: Ping VLAN 11 Gateway from Default Network

ping -c 3 192.168.11.1

Result: SUCCESS

  • 3 packets transmitted, 3 received
  • 0% packet loss
  • Average RTT: 2.36ms

Analysis

UDM Pro IS Routing Correctly

  • Traffic from 192.168.0.0/24 reaches the UDM Pro's VLAN 11 interface (192.168.11.1), so the source host has a working route toward 192.168.11.0/24
  • The reply comes from the UDM Pro itself, not from a host inside VLAN 11: it proves the route and the gateway's own ICMP handling, but it does not exercise the forward path that Network Isolation and the Zone Matrix govern
  • Inter-VLAN forwarding therefore still has to be confirmed separately (see "Still Need to Verify" below)

Device at 192.168.11.10 is NOT Reachable

  • Cannot ping 192.168.11.10 from 192.168.0.0/24
  • Gateway is reachable, but device is not, so the drop is either in the UDM Pro forward path or on the device itself

Root Cause Analysis

Most Likely Cause: Device Firewall

The device at 192.168.11.10 likely has a host firewall that:

  • Allows traffic from its own subnet (192.168.11.0/24)
  • Drops traffic from other subnets (192.168.0.0/24), including ICMP echo requests

Common Firewall Configurations:

  • Windows Defender Firewall: the built-in "File and Printer Sharing (Echo Request - ICMPv4-In)" rule is scoped to "Local subnet" on the Private profile, and the Public profile blocks almost all unsolicited inbound traffic, so ping from another VLAN fails while ping from VLAN 11 works
  • Linux iptables/nftables: an INPUT chain that accepts the local subnet and then drops or rejects everything else
  • Application Firewalls: may restrict access by source IP range

Verification Checklist

Confirmed Working

  • UDM Pro has a route from the Default network to 192.168.11.0/24
  • Gateway (192.168.11.1) is reachable
  • Source host can send to and receive from the 192.168.11.0/24 subnet

⚠️ Still Need to Verify

  • Network Isolation toggle on MGMT-LAN (should be unchecked)
  • Zone Matrix: Internal → Internal = "Allow All"
  • CyberSecure settings (no blocking rules)
  • Device firewall on 192.168.11.10
  • Whether the echo requests actually arrive at 192.168.11.10: a packet capture on the device (tcpdump or Wireshark, filtered on ICMP from the source host) settles it. Requests arriving with no reply leaving means the device firewall; nothing arriving means the UDM Pro is dropping them before forwarding

Solutions

Solution 1: Open the Device Firewall

For Windows:

  1. Open "Windows Defender Firewall with Advanced Security"
  2. Go to "Inbound Rules"
  3. Find the rules for ICMPv4 echo requests or your application and check the Scope tab: a remote address of "Local subnet" excludes 192.168.0.0/24
  4. Modify the scope to include 192.168.0.0/24 (or, narrower, only the admin host 192.168.0.23)
  5. Or create a new inbound rule allowing 192.168.0.0/24 → 192.168.11.10 for the needed protocol and port, and confirm which profile (Domain/Private/Public) the interface is on, since rules apply per profile

For Linux:

# Allow traffic from Default network. Rules match top-down, so insert (-I)
# ahead of any existing DROP/REJECT; -A would append after it and never match
sudo iptables -I INPUT 1 -s 192.168.0.0/24 -p icmp --icmp-type echo-request -j ACCEPT
# Or for specific service
sudo iptables -I INPUT 1 -s 192.168.0.0/24 -p tcp --dport <port> -j ACCEPT
# Not persistent across reboots; save with iptables-save or the distro's persistence package

For Application Firewalls:

  • Check application-specific firewall settings
  • Add 192.168.0.0/24 to allowed source IPs

Solution 2: Verify Network Isolation (the gateway ping did not test this)

  1. Navigate: Settings → Networks → MGMT-LAN
  2. Scroll to "Network" section
  3. Ensure "Isolate Network" is UNCHECKED
  4. Save if changed
  5. Wait 30 seconds
  6. Test again: ping 192.168.11.10

Solution 3: Check Zone Matrix

  1. Click Grid icon (Policy Engine) in sidebar
  2. Verify: Internal → Internal = "Allow All"
  3. If not, click cell and change to "Allow All"
  4. Save changes
  5. Test again

Solution 4: Check CyberSecure

  1. Click Shield icon (CyberSecure) in sidebar
  2. Check for rules blocking "lateral movement"
  3. Check "Security Posture" mode
  4. If restrictive, consider adjusting or waiting 15 minutes for propagation

Testing Procedure

Step 1: Test Gateway (Already Passed)

ping -c 3 192.168.11.1

Expected: Success (confirmed)

Step 2: Test Device (Current Issue)

ping -c 3 192.168.11.10

Current: Fails
After Fix: Should succeed

Step 3: Test from Device Itself

If you have access to the device at .10, test the reverse direction (a host firewall usually allows its own outbound traffic and the replies, so success here while Step 2 fails points at inbound filtering on the device), and run a packet capture on the device for ICMP from 192.168.0.23 while Step 2 is repeated:

# From 192.168.11.10
ping -c 3 192.168.0.1  # UDM Pro on Default network
ping -c 3 192.168.0.23 # Source device

Step 4: Test Specific Service

If ping works but service doesn't, probe the port directly. The kind of failure matters: "Connection refused" means the packet reached the device and its TCP stack answered, so nothing is filtering and the service is simply not listening on that port; a timeout means a silent drop (device firewall DROP, or the UDM Pro forward path); an ICMP "port unreachable" usually means an iptables/nftables REJECT on the device.

# Test specific port (e.g., SSH on port 22)
nc -zv 192.168.11.10 22
# Or telnet
telnet 192.168.11.10 22
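The four steps above can be run as one script that classifies each probe by its failure mode, which is what tells a device-side drop apart from a gateway-side one. This is an added example, not part of the original runbook; the hosts, the port, the 3-second timeout and the Linux ping -W semantics are assumptions.

```shell
#!/bin/sh
# Added diagnostic helper (not from the original runbook). Runs the gateway,
# device and service probes from the testing procedure and classifies each:
#   open        -> reply received
#   refused     -> SYN reached the host and its TCP stack answered RST:
#                  nothing filters, the service just is not listening
#   unreachable -> an ICMP error came back: typically an iptables REJECT
#                  on the device, or no route on the gateway
#   filtered    -> nothing came back: a silent DROP on the device firewall
#                  or in the UDM Pro forward path (isolation / zone policy)
# Assumptions: Linux iputils ping (-W in seconds), coreutils timeout, and an
# nc that prints "succeeded"/"Connected"/"open" on success.

# Map a probe's exit status and output to open|refused|unreachable|filtered
classify_probe() {
  status=$1
  output=$2
  case "$output" in
    *succeeded*|*Connected*|*open*)     echo open;        return 0 ;;
    *refused*)                          echo refused;     return 0 ;;
    *"No route to host"*|*nreachable*)  echo unreachable; return 0 ;;
  esac
  # status 124 is coreutils timeout's "timed out"; any other silent failure
  # is treated the same way, as a filtered path
  if [ "$status" -eq 0 ]; then echo open; else echo filtered; fi
}

# TCP probe of HOST PORT
probe_port() {
  out=$(timeout 3 nc -zv "$1" "$2" 2>&1) && st=0 || st=$?
  classify_probe "$st" "$out"
}

# ICMP echo probe of HOST: "open" on any reply, "filtered" otherwise
probe_icmp() {
  if ping -c 2 -W 2 "$1" >/dev/null 2>&1; then echo open; else echo filtered; fi
}

# Turn the three classifications (gateway icmp, device icmp, device port)
# into a statement about where the drop is
verdict() {
  gw=$1; dev=$2; port=$3
  if [ "$gw" != open ]; then
    echo "verdict: no path to the VLAN gateway; check routing/VLAN on the client first"
    return 1
  fi
  case "$port" in
    open)        echo "verdict: device reachable and service answering; nothing to fix" ;;
    refused)     echo "verdict: packets reach the device; no firewall in the way, service not listening on that port" ;;
    unreachable) echo "verdict: device (or gateway) actively rejects; inspect REJECT rules on the device" ;;
    *)           echo "verdict: silent drop; capture on the device to tell its firewall from the UDM Pro forward path" ;;
  esac
}

# Run the runbook's sequence: gateway, device, then a service port on the device
diagnose() {
  g=$(probe_icmp "$1");       echo "gateway $1 icmp:    $g"
  d=$(probe_icmp "$2");       echo "device  $2 icmp:    $d"
  p=$(probe_port "$2" "$3");  echo "device  $2 tcp/$3:  $p"
  verdict "$g" "$d" "$p"
}

# Usage with the runbook's hosts: ./diagnose.sh 192.168.11.1 192.168.11.10 22
if [ $# -ge 3 ]; then
  diagnose "$1" "$2" "$3"
fi
```

The "refused" outcome is the one worth remembering: it is proof that no firewall on the path is dropping the traffic, so the remaining problem is the service, not connectivity. A REJECT configured with tcp-reset also shows up as "refused", so on hosts that use that option the capture in Step 3 is still the final word.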

Device-Specific Troubleshooting

If Device is Proxmox Host

Check Proxmox Firewall:

# On Proxmox host (192.168.11.10)
pve-firewall status
# The subnet pve-firewall treats as "local network": with the host firewall
# enabled, only this network reaches the GUI (8006) and SSH (22) by default
pve-firewall localnet
# Check rules (host rules live under the node, not under /etc/pve/firewall/)
cat /etc/pve/firewall/cluster.fw
cat /etc/pve/local/host.fw

Allow Default Network:

# Either add the admin network to the "management" IPSet in
# /etc/pve/firewall/cluster.fw (grants GUI, SSH, VNC/SPICE console access):
[IPSET management]
192.168.0.0/24

# Or add explicit host rules under [RULES] in /etc/pve/local/host.fw:
IN ACCEPT -source 192.168.0.0/24 -p icmp
IN ACCEPT -source 192.168.0.0/24 -p tcp -dport 8006

# Check the syntax; the daemon picks up the change on its own
pve-firewall compile

If Device is Windows Server

Check Windows Firewall:

  1. Open "Windows Defender Firewall with Advanced Security"
  2. Check "Inbound Rules"
  3. Look for the rules covering ICMPv4 echo requests or your service and open the Scope tab: "Local subnet" as remote address is the usual reason a host answers VLAN 11 but not 192.168.0.0/24
  4. Modify the scope, or create a rule allowing 192.168.0.0/24, on the profile the interface actually uses (Domain/Private/Public)

If Device is Linux Server

Check iptables (on hosts that use nftables directly, inspect the ruleset with nft list ruleset instead):

sudo iptables -L INPUT -n -v --line-numbers
# Look for a DROP/REJECT rule, or a default policy of DROP, that catches 192.168.0.0/24;
# the line numbers show where an allow rule must be inserted to match first
# Add allow rule if needed (insert with -I above the blocking rule, not -A)
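Both the quick iptables fix under Solutions and the check above hinge on rule order: an allow appended with -A sits below the existing REJECT and never matches. The script below is an added example, not the runbook's own code, that finds the first terminating DROP/REJECT in INPUT from iptables -S output and inserts the allow above it, idempotently (iptables -C first). The source CIDR, port and the "admin-allow" comment tag are assumptions; it runs as root on the device.

```shell
#!/bin/sh
# Added example (not from the original runbook): insert a scoped allow rule
# before the first terminating DROP/REJECT in INPUT, only if it is not already
# present. Assumes iptables with the conntrack and comment match modules.

# Given the text of `iptables -S INPUT`, print the 1-based position of the
# first rule that drops/rejects everything remaining (N+1 if there is none),
# i.e. the position to hand to `iptables -I INPUT <pos>`. A chain whose only
# deny is the policy line (-P INPUT DROP) yields N+1, which is also correct.
first_block_position() {
  printf '%s\n' "$1" | awk '
    /^-A INPUT / { n++
      if (!found && $0 ~ / -j (DROP|REJECT)/) found = n }
    END { print (found ? found : n + 1) }'
}

# Build the rule specification (everything after the chain name) once, so the
# identical argument list is used for -C (check), -I (insert) and -D (delete).
# $1 = source CIDR, $2 = protocol (icmp|tcp|udp), $3 = port (unused for icmp)
rule_spec() {
  if [ "$2" = icmp ]; then
    printf '%s' "-s $1 -p icmp --icmp-type echo-request -m comment --comment admin-allow -j ACCEPT"
  else
    printf '%s' "-s $1 -p $2 --dport $3 -m conntrack --ctstate NEW -m comment --comment admin-allow -j ACCEPT"
  fi
}

# Insert the rule above the first DROP/REJECT unless it already exists
ensure_allow() {
  spec=$(rule_spec "$1" "$2" "$3")
  # $spec is deliberately left unquoted so it word-splits into arguments
  if iptables -C INPUT $spec 2>/dev/null; then
    echo "present: INPUT $spec"
    return 0
  fi
  pos=$(first_block_position "$(iptables -S INPUT)")
  iptables -I INPUT "$pos" $spec
  echo "inserted at position $pos: INPUT $spec"
}

# Usage, scoped to the admin host rather than the whole Default network:
#   ./allow.sh 192.168.0.23/32 icmp
#   ./allow.sh 192.168.0.23/32 tcp 22
if [ $# -ge 2 ]; then
  ensure_allow "$1" "$2" "$3"
fi
```

Scoping the rule to 192.168.0.23/32 and one port rather than all of 192.168.0.0/24 keeps the management VLAN's isolation meaningful: only the admin host gains a hole, and only for the service it needs. The rules are still runtime-only; persist them with iptables-save after confirming Step 2 succeeds.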

Check firewalld (if using):

sudo firewall-cmd --list-all
# --add-source without --zone binds the source to the default zone, which the
# interface is already in, so it changes nothing. Put the admin network in
# the "trusted" zone (everything allowed) ...
sudo firewall-cmd --permanent --zone=trusted --add-source=192.168.0.0/24
# ... or, narrower, allow only the needed service from that source
sudo firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address=192.168.0.0/24 service name=ssh accept'
sudo firewall-cmd --reload

Summary

Status: Routing is Working Correctly (route and gateway confirmed; the forward path is not yet proven by the gateway ping)

Issue: Device at 192.168.11.10 is most likely blocking traffic from 192.168.0.0/24

Solution: Configure device firewall to allow traffic from the Default network. Since MGMT-LAN is a management VLAN, prefer a rule scoped to the admin host (192.168.0.23) and the needed ports over opening the whole /24.

Next Steps:

  1. Capture on 192.168.11.10 while pinging it from 192.168.0.23 to confirm the echo requests arrive (device firewall) or do not (UDM Pro)
  2. Check device firewall on 192.168.11.10
  3. Add rule allowing 192.168.0.0/24 (or just 192.168.0.23), inserted above any existing DROP/REJECT
  4. Test connectivity: ping 192.168.11.10
  5. Verify Network Isolation toggle on MGMT-LAN
  6. Check Zone Matrix (should already be "Allow All")