proxmox/docs/04-configuration/UDM_PRO_WHY_PUBLIC_IP_HITS_NPMPLUS.md
defiQUG fbda1b4beb
docs: Ledger Live integration, contract deploy learnings, NEXT_STEPS updates
- ADD_CHAIN138_TO_LEDGER_LIVE: Ledger form done; public code review repo bis-innovations/LedgerLive; init/push commands
- CONTRACT_DEPLOYMENT_RUNBOOK: Chain 138 gas price 1 gwei, 36-addr check, TransactionMirror workaround
- CONTRACT_*: AddressMapper, MirrorManager deployed 2026-02-12; 36-address on-chain check
- NEXT_STEPS_FOR_YOU: Ledger done; steps completable now (no LAN); run-completable-tasks-from-anywhere
- MASTER_INDEX, OPERATOR_OPTIONAL, SMART_CONTRACTS_INVENTORY_SIMPLE: updates
- LEDGER_BLOCKCHAIN_INTEGRATION_COMPLETE: bis-innovations/LedgerLive reference

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-02-12 15:46:57 -08:00


Why Public IP (76.53.10.34 / 76.53.10.36) Hits NPMplus Instead of UDM Pro

Last Updated: 2026-01-31
Document Version: 1.0
Status: Active Documentation


Purpose: Explain why https://76.53.10.34 (or 76.53.10.36) returns the NPMplus default page instead of the UniFi/UDM Pro API, and what Proxmox VE shows.

Note: ER605 was replaced by the UDM Pro (76.53.10.34). Proxmox hosts: 192.168.11.1012. NPMplus LXC has 192.168.11.166 and 192.168.11.167; only 192.168.11.167 is used in UDM Pro port forwarding: 76.53.10.36:80/443 → 192.168.11.167:80/443.


What's Happening

  • Request: https://76.53.10.34/ or https://76.53.10.36/ (or any path like /proxy/network/...).
  • Response: NPMplus “Default Page” (HTML), not the UniFi controller.
  • UniFi API (sites, config, etc.): Only works when talking to the UDM's LAN IP (e.g. https://192.168.11.1), not the public IP.

Why (Architecture)

1. Port forwarding is by design

The router (UDM Pro or ER605) forwards all traffic to the public IP on ports 80/443 to NPMplus:

| Public IP | Port | Forwarded to | Service |
|---|---|---|---|
| 76.53.10.36 | 80 | 192.168.11.167:80 | NPMplus |
| 76.53.10.36 | 443 | 192.168.11.167:443 | NPMplus |
| 76.53.10.34 | | | UDM Pro (edge; replaced ER605) |

So any HTTPS request to the public IP (e.g. 76.53.10.34 or 76.53.10.36) goes to NPMplus, not to the UDM. The UDM is not listening on the public IP for 80/443; it only does NAT/forwarding to NPMplus.

2. NPMplus is the only service on 80/443 for that IP

  • NPMplus = VMID 10233 on Proxmox host r630-01 (192.168.11.11).
  • IP: 192.168.11.167 (eth1).
  • NPMplus handles all hostnames/paths that don't match a specific proxy host. For unknown paths (e.g. /proxy/network/... or bare /) it serves the default page (the HTML you see).

So “why do I see NPMplus?” → Because the public IP's 80/443 are forwarded to NPMplus, and NPMplus is the only thing answering there.

3. UDM Pro UniFi API is only on the LAN

  • UniFi controller/API is served by the UDM on its LAN interface (e.g. https://192.168.11.1).
  • It is not exposed on the WAN/public IP. So:
    • https://76.53.10.34 or https://76.53.10.36 → always NPMplus (by design).
    • https://192.168.11.1 (or your UDM LAN IP) → UniFi controller/API (when on the same LAN).

Proxmox VE Check (What We Verified)

Script used: scripts/ensure-npmplus-vm-operational.sh.

| Check | Result |
|---|---|
| Container 10233 on r630-01 | Running |
| NPMplus 192.168.11.167:80 | HTTP 200 |
| NPMplus 192.168.11.167:81 | HTTP 301 (admin UI) |
| NPMplus 192.168.11.167:443 | HTTP 200 |
| NPM API login | OK |

So Proxmox VE is not the cause of “public IP shows NPMplus.” The cause is routing: public 80/443 → NPMplus. NPMplus VM is up and responding as designed.


What To Do

To use the UniFi API (sites, devices, config, etc.)

  1. Use the UDM's LAN IP, not the public IP:
    UNIFI_UDM_URL=https://192.168.11.1   # or your UDM LAN IP
    
  2. Run the UniFi CLI from a machine on the same LAN as the UDM (so it can reach 192.168.11.1).
  3. For Private API (username/password): ensure “Local Login” (or equivalent) is enabled on the UDM so /api/auth/login is allowed (otherwise you get 405).
  4. For TLS: use NODE_TLS_REJECT_UNAUTHORIZED=0 if the UDM uses a self-signed cert.
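NODE_TLS_REJECT_UNAUTHORIZED=0 in step 4 turns off certificate verification for every TLS connection the Node process makes, not only the one to the UDM. The following added example (not part of the original document or the UniFi CLI) shows the narrower alternative of pinning the UDM's own certificate. It assumes the certificate PEM and its SHA-256 fingerprint were exported once over a trusted path; the function names and the file path passed in are hypothetical.

```javascript
// Added example: pin the UDM's self-signed certificate instead of setting
// NODE_TLS_REJECT_UNAUTHORIZED=0. Function names and file paths are hypothetical.

// Reduce "AA:BB:..." or "aabb..." to bare upper-case hex for comparison.
function normalizeFingerprint(fp) {
  return String(fp || '').replace(/[^0-9a-fA-F]/g, '').toUpperCase();
}

// Build TLS options that accept exactly one certificate.
//   caPem    - PEM of the UDM certificate, exported once over a trusted path
//   pinnedFp - SHA-256 fingerprint of that certificate, recorded at export time
function pinnedTlsOptions(caPem, pinnedFp) {
  const expected = normalizeFingerprint(pinnedFp);
  if (expected.length !== 64) {
    throw new Error('pinnedFp must be a SHA-256 fingerprint (64 hex characters)');
  }
  return {
    ca: caPem,                // the self-signed certificate is the only trust anchor
    rejectUnauthorized: true, // chain verification stays on
    // Replaces the default name check, which fails when the certificate does not
    // list the address being dialled; identity comes from the pin instead.
    checkServerIdentity(host, cert) {
      if (normalizeFingerprint(cert.fingerprint256) !== expected) {
        return new Error(`certificate pin mismatch for ${host}`);
      }
      return undefined; // undefined means "identity accepted"
    },
  };
}

// GET a path on the UDM LAN address and resolve with the HTTP status code.
async function getUdmStatus(path, caFile, pinnedFp) {
  const https = await import('node:https');
  const { readFile } = await import('node:fs/promises');
  const base = process.env.UNIFI_UDM_URL || 'https://192.168.11.1';
  const opts = pinnedTlsOptions(await readFile(caFile), pinnedFp);
  return new Promise((resolve, reject) => {
    https.get(new URL(path, base), opts, (res) => {
      res.resume(); // discard the body; only the status is needed here
      resolve(res.statusCode);
    }).on('error', reject);
  });
}
```
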

If you must reach the UDM via a hostname on the public IP

  • Add a separate proxy in NPMplus (or another reverse proxy) that forwards a dedicated hostname (e.g. udm.yourdomain.com) to the UDM's LAN IP and port 443.
  • Do not expect the existing public IP:80/443 (which today goes to NPMplus) to serve the UniFi API; that would require changing the router's port-forward target away from NPMplus, which would break current web traffic.

Summary

| Question | Answer |
|---|---|
| Why does 76.53.10.34/36 show NPMplus? | Port forwarding sends 80/443 to NPMplus (192.168.11.167). |
| Is Proxmox/VMID 10233 the problem? | No. NPMplus is running and responding as designed. |
| Where is the UDM Pro API? | On the UDM's LAN IP (e.g. https://192.168.11.1). Use that URL from a host on the same LAN. |