# UDM Pro Manual Diagnosis Commands

**Date**: 2026-01-21

**SSH Credentials**: OQmQuS@192.168.11.1

**Password**: m0MFXHdgMFKGB2l3bO4

---

## Connect to UDM Pro

```bash
ssh OQmQuS@192.168.11.1
# Enter password when prompted
```

---

## Critical Diagnosis Commands

### 1. Check Port Forwarding (NAT Rules)

```bash
sudo iptables -t nat -L PREROUTING -n -v | grep -A 3 "76.53.10.36"
```

**What to look for:**
- Should show DNAT rules for ports 80 and 443
- If empty: Port forwarding rules are NOT active

**Expected output (if working):**
```
DNAT tcp -- 0.0.0.0/0 76.53.10.36 tcp dpt:80 to:192.168.11.166:80
DNAT tcp -- 0.0.0.0/0 76.53.10.36 tcp dpt:443 to:192.168.11.166:443
```

---

### 2. Check Firewall Rules for NPMplus

```bash
sudo iptables -L FORWARD -n -v | grep -A 3 "192.168.11.166"
```

**What to look for:**
- Should show ACCEPT rules for ports 80 and 443
- Should NOT show DROP or REJECT rules

**Expected output (if working):**
```
ACCEPT tcp -- 0.0.0.0/0 192.168.11.166 tcp dpt:80
ACCEPT tcp -- 0.0.0.0/0 192.168.11.166 tcp dpt:443
```

---

### 3. Check Firewall Rule Order

```bash
sudo iptables -L FORWARD -n -v --line-numbers | head -50
```

**What to look for:**
- **Allow rules** for 192.168.11.166 should be **BEFORE** any **block rules**
- If block rules come first, they will block the traffic

---

### 4. Complete Check (All in One)

```bash
echo "=== Port Forwarding (NAT) ==="
sudo iptables -t nat -L PREROUTING -n -v | grep -A 3 "76.53.10.36"
echo ""
echo "=== Firewall Rules (FORWARD) ==="
sudo iptables -L FORWARD -n -v | grep -A 3 "192.168.11.166"
echo ""
echo "=== Rule Order (First 30 rules) ==="
sudo iptables -L FORWARD -n -v --line-numbers | head -30
```

---

## What Each Result Means

### If NAT Rules Are Missing:
**Problem**: Port forwarding rules are not active
**Fix**: Go to Web UI → Port Forwarding → Enable rules for 76.53.10.36:80/443

### If Firewall Rules Are Missing:
**Problem**: Firewall is blocking traffic
**Fix**: Go to Web UI → Firewall Rules → Add "Allow Port Forward..." rules

### If Block Rules Come Before Allow Rules:
**Problem**: Rule order is wrong
**Fix**: Go to Web UI → Firewall Rules → Move allow rules to the top

---

## Quick Fix Checklist

Based on diagnosis results:

- [ ] **Port forwarding rules enabled** in Web UI
- [ ] **Firewall allow rules exist** for 192.168.11.166:80/443
- [ ] **Allow rules are at the top** of firewall rules list
- [ ] **Rules are saved and applied**

---

## After Making Changes

1. Wait 30 seconds for rules to apply
2. Re-run diagnosis commands to verify
3. Test external access:
   ```bash
   curl -v http://76.53.10.36
   curl -v https://76.53.10.36
   ```

---

**Run these commands manually and share the output for analysis**
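
The rule-order check from step 3 ("Check Firewall Rule Order") can be scripted instead of read by eye. The following is an added example, not part of the original runbook: `check_rule_order` and `SAMPLE_LISTING` are hypothetical names, the listing is constructed, and the check assumes the relevant rules sit directly in the listed chain rather than in a chain it jumps to.

```bash
# Added example (not from the original runbook): automates the step 3 check.
# Expects `iptables -L FORWARD -n -v --line-numbers` output on stdin, columns:
#   num pkts bytes target prot opt in out source destination [match details]
# check_rule_order IP PORT (hypothetical helper name)
#   exit 0: an ACCEPT for IP:PORT comes before any matching DROP/REJECT
#   exit 1: a DROP/REJECT matches first   exit 2: no ACCEPT rule at all
check_rule_order() {
  awk -v ip="$1" -v port="$2" '
    $1 ~ /^[0-9]+$/ {
      extra = ""
      for (i = 11; i <= NF; i++) extra = extra " " $i
      # Assumption: only an exact IP or 0.0.0.0/0 counts as a destination
      # match; subnet destinations (e.g. a /24) are not evaluated.
      dst_ok = ($10 == ip || $10 == "0.0.0.0/0")
      # Accept protocol names or numbers (6 = tcp, 0 = all).
      proto_ok = ($5 == "tcp" || $5 == "6" || $5 == "all" || $5 == "0")
      # A rule without a single-port dpt: match is treated as covering every port.
      port_ok = (extra !~ /dpt:/ || extra ~ ("dpt:" port "( |$)"))
      if (!dst_ok || !proto_ok || !port_ok) next
      if ($4 == "ACCEPT" && !allow) allow = $1 + 0
      if (($4 == "DROP" || $4 == "REJECT") && !block) block = $1 + 0
    }
    END {
      if (!allow) { print "no ACCEPT rule for " ip ":" port; exit 2 }
      if (block && block < allow) {
        print "rule " block " blocks " ip ":" port " before rule " allow " allows it"
        exit 1
      }
      print "rule " allow " allows " ip ":" port " before any block rule"
    }'
}

# Constructed sample listing (not captured from a real device).
SAMPLE_LISTING='Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1       12   720 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.11.166       tcp dpt:80
2        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
3        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.11.166       tcp dpt:443'

for p in 80 443; do
  printf '%s\n' "$SAMPLE_LISTING" | check_rule_order 192.168.11.166 "$p" || true
done
```

On the device, pipe the step 3 command into the function, for example `sudo iptables -L FORWARD -n -v --line-numbers | check_rule_order 192.168.11.166 443`. In the constructed listing, port 80 passes while port 443 is reported as blocked because the catch-all DROP at rule 2 precedes its ACCEPT at rule 3.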