proxmox/docs/04-configuration/UDM_PRO_NETWORKS_ROUTING_CONFIGURATION.md

UDM Pro Networks Routing Configuration Guide

Last Updated: 2026-01-13
Status: Active Documentation Issue: Enable routing between Default network (192.168.0.0/24) and MGMT-LAN (VLAN 11 - 192.168.11.0/24)
Access URL: https://192.168.0.1

---

Step-by-Step Configuration Instructions

Step 1: Access UDM Pro Web Interface

1. Open web browser
2. Navigate to: https://192.168.0.1
3. Log in with admin credentials

---

Step 2: Navigate to Networks Settings

1. Click on: Settings (left sidebar)
2. Click on: Networks (under Settings)
   • You should see a list of all networks including:
     • Default (192.168.0.0/24)
     • MGMT-LAN (VLAN 11 - 192.168.11.0/24)
     • BESU-VAL, BESU-SEN, BESU-RPC, etc.

---

Step 3: Configure Default Network

1. Click on: Default network (first row in the networks list)

   • Network: Default
   • VLAN: 1
   • Subnet: 192.168.0.0/24
   • Gateway: UDM Pro

2. Verify/Configure Network Settings:

   • Network Name: Default
   • VLAN ID: 1 (or blank/untagged)
   • Subnet: 192.168.0.0/24
   • Gateway IP/Subnet: Should be 192.168.0.1/24

3. Check Routing Settings:

   • Look for "Enable Inter-VLAN Routing" or "Route Between VLANs" option
   • If present, ensure it's enabled (checked)
   • If not present, inter-VLAN routing may be enabled by default

4. Check Security Posture:

   • Default Security Posture: Should be set appropriately
   • For routing to work, ensure it's not set to "Block All"

5. Click: Save or Apply (if changes were made)

---

Step 4: Configure MGMT-LAN (VLAN 11)

1. Click on: MGMT-LAN network (second row in the networks list)

   • Network: MGMT-LAN
   • VLAN: 11
   • Subnet: 192.168.11.0/24
   • Gateway: UDM Pro

2. Verify/Configure Network Settings:

   • Network Name: MGMT-LAN
   • VLAN ID: 11
   • Subnet: 192.168.11.0/24
   • Gateway IP/Subnet: Should be 192.168.11.1/24

3. Check Routing Settings:

   • Look for "Enable Inter-VLAN Routing" or "Route Between VLANs" option
   • Ensure it's enabled (checked)
   • This allows VLAN 11 to communicate with other VLANs

4. Check Security Posture:

   • Default Security Posture: Should allow inter-VLAN communication
   • Ensure it's not set to "Block All"

5. DHCP Settings (if applicable):

   • Verify DHCP is configured correctly
   • DHCP Range: 192.168.11.100 - 192.168.11.200

6. Click: Save or Apply (if changes were made)

---

Step 5: Verify Global Network Settings

1. Scroll down on the Networks page to see Global Switch Settings

2. Check VLAN Scope:

   • VLAN Scope: Should include both networks
   • Default (1) should be listed
   • MGMT-LAN (11) should be listed
   • All other VLANs should be listed

3. Check Default Security Posture:

   • Default Security Posture:
     • Should be set to "Allow All" or "Auto" for inter-VLAN routing
     • If set to "Block All", change to "Allow All" or "Auto"

4. Gateway mDNS Proxy:

   • This setting doesn't affect routing but may be useful for service discovery
   • Can be left as default

5. IGMP Snooping:

   • Doesn't affect routing
   • Can be left as default

6. Spanning Tree Protocol:

   • Doesn't affect routing
   • Can be left as default

7. Click: Save or Apply (if changes were made)

---

Step 6: Verify Zone-Based Firewall Configuration

Since Zone-Based Firewall is active, verify zone assignments:

1. Navigate to: Settings → Firewall & Security → Zones (or Policy Engine)

2. Verify Zone Assignments:

   • Default network (192.168.0.0/24): Should be in Internal zone
   • MGMT-LAN (VLAN 11): Should be in Internal zone

3. Verify Zone Policy:

   • Internal → Internal: Should be "Allow All"
   • This policy allows all networks in the Internal zone to communicate

4. If networks are in different zones:

   • Create a firewall policy to allow communication
   • Or move both networks to the same zone (Internal)

---

Step 7: Test Routing

1. From source device (192.168.0.23):

   # Test ping
   ping -c 3 192.168.11.10
   
   # Test with traceroute (if available)
   traceroute 192.168.11.10
   

2. Expected Result:

   • Ping should succeed
   • Traceroute should show routing path through UDM Pro

3. If ping still fails:

   • Check firewall rules (ACL rules)
   • Verify Zone-Based Firewall policies
   • Check if static route is needed (see Step 8)

---

Step 8: Configure Static Route (If Needed)

If inter-VLAN routing is enabled but traffic still doesn't work:

1. Navigate to: Settings → Routing & Firewall → Static Routes

2. Add Static Route:

   • Name: Route to VLAN 11
   • Destination Network: 192.168.11.0/24
   • Gateway: 192.168.11.1 (or leave blank if using interface routing)
   • Interface: Select VLAN 11 interface (or leave as default)
   • Distance: 1 (or default)
   • Enabled: ✅ Checked

3. Click: Add or Save

4. Verify Route:

   • Route should appear in the static routes list
   • Status should show as active/enabled

---

Troubleshooting

Issue: Cannot see "Enable Inter-VLAN Routing" option

Possible Causes:

• Option may be named differently in your UDM Pro version
• Inter-VLAN routing may be enabled by default
• Option may be in a different location

Solutions:

1. Check network settings for any routing-related options
2. Verify both networks are configured as VLANs
3. Check Zone-Based Firewall policies instead

Issue: Networks are in different zones

Solution:

1. Move both networks to the same zone (Internal)
2. Or create firewall policy between zones
3. Reference: UDM_PRO_ZONE_BASED_FIREWALL_GUIDE.md

Issue: "Block All" security posture is enabled

Solution:

1. Change Default Security Posture to "Allow All" or "Auto"
2. This is in Global Switch Settings on the Networks page
3. Save changes

Issue: Routing works but firewall blocks traffic

Solution:

1. Check ACL rules (firewall rules)
2. Verify "Allow Default Network to Management VLAN" rule exists
3. Check rule priority (lower numbers = higher priority)
4. Ensure no BLOCK rules with higher priority

---

Verification Checklist

After configuration, verify:

• Default network (192.168.0.0/24) is configured correctly
• MGMT-LAN (VLAN 11 - 192.168.11.0/24) is configured correctly
• Inter-VLAN routing is enabled (or enabled by default)
• Both networks are in the same zone (Internal)
• Zone policy allows Internal → Internal communication
• Default Security Posture is not "Block All"
• Firewall rule exists: "Allow Default Network to Management VLAN"
• Static route added (if needed)
• Ping test succeeds: ping 192.168.11.10 from 192.168.0.23

---

Current Network Status

Based on the Networks settings page:

Network	VLAN	Subnet	Gateway	DHCP Status	Clients
Default	1	192.168.0.0/24	UDM Pro	Server	2/249
MGMT-LAN	11	192.168.11.0/24	UDM Pro	Server	0/249
BESU-VAL	110	10.110.0.0/24	UDM Pro	Server	0/249
BESU-SEN	111	10.111.0.0/24	UDM Pro	Server	0/249
BESU-RPC	112	10.112.0.0/24	UDM Pro	Server	0/249
BLOCKSCOUT	120	10.120.0.0/24	UDM Pro	Server	0/249
CACTI	121	10.121.0.0/24	UDM Pro	Server	0/249
CCIP-OPS	130	10.130.0.0/24	UDM Pro	Server	0/249
CCIP-COMMIT	132	10.132.0.0/24	UDM Pro	Server	0/249
CCIP-EXEC	133	10.133.0.0/24	UDM Pro	Server	0/249
CCIP-RMN	134	10.134.0.0/24	UDM Pro	Server	0/249
FABRIC	140	10.140.0.0/24	UDM Pro	Server	0/249
FIREFLY	141	10.141.0.0/24	UDM Pro	Server	0/249
INDY	150	10.150.0.0/24	UDM Pro	Server	0/249
SANKOFA-SVC	160	10.160.0.0/22	UDM Pro	Server	0/1007
PHX-SOV-SMOM	200	10.200.0.0/20	UDM Pro	Server	0/4069
PHX-SOV-ICCC	201	10.201.0.0/20	UDM Pro	Server	0/4069
PHX-SOV-DBIS	202	10.202.0.0/24	UDM Pro	Server	0/249
PHX-SOV-AR	203	10.203.0.0/20	UDM Pro	Server	0/4069

Note: All networks show "Server" for DHCP, indicating DHCP servers are configured. Default network has 2 active clients.

---

Related Documentation

• UDM_PRO_ROUTING_TROUBLESHOOTING.md - Detailed troubleshooting guide
• UDM_PRO_ZONE_BASED_FIREWALL_GUIDE.md - Zone-Based Firewall configuration
• VLAN_11_SETTINGS_REFERENCE.md - VLAN 11 complete settings
• UDM_PRO_ROUTING_API_LIMITATIONS.md - API limitations for routing

---

Last Updated: 2026-01-13