# UDM Pro Routing Troubleshooting Guide

**Last Updated:** 2026-01-13
**Status:** Active Documentation
**Issue:** `192.168.0.23` cannot reach `192.168.11.10` (VLAN 11)
**Error:** "Destination Host Unreachable" from `192.168.0.1`

---

## Problem Summary

**Source:** `192.168.0.23` (on `192.168.0.0/24` - UDM Pro default network)
**Destination:** `192.168.11.10` (on `192.168.11.0/24` - VLAN 11 MGMT-LAN)
**Gateway:** `192.168.0.1` (UDM Pro)

**Symptoms:**
- Ping fails with "Destination Host Unreachable"
- Firewall rule created successfully (allows `192.168.0.0/24` → VLAN 11)
- Routing issue persists

---

## Root Cause

The UDM Pro at `192.168.0.1` doesn't have a route configured to reach `192.168.11.0/24`. While inter-VLAN routing is enabled by default for networks configured as VLANs on the UDM Pro, the `192.168.0.0/24` network (UDM Pro's default/management network) may not automatically route to other VLANs.

---

## Solution: Configure Inter-VLAN Routing

### Option 1: Verify VLAN 11 Network Configuration (Recommended)

1. **Access UniFi Network Web Interface:**
   - URL: `https://192.168.0.1`
   - Login with admin credentials

2. **Navigate to Network Settings:**
   - Go to **Settings** → **Networks**
   - Click on **MGMT-LAN** (VLAN 11)

3. **Verify Network Configuration:**
   - **Network Name:** MGMT-LAN
   - **VLAN ID:** 11
   - **Subnet:** `192.168.11.0/24`
   - **Gateway IP/Subnet:** `192.168.11.1/24`
   - **DHCP Mode:** DHCP Server (or DHCP Server with DHCP Guard)
   - **DHCP Range:** `192.168.11.100-192.168.11.200`

4. **Check Routing Settings:**
   - Look for **"Enable Inter-VLAN Routing"** or **"Route Between VLANs"** option
   - Ensure it's enabled
   - Save if changes were made

5. 
   **Verify Default Network Configuration:**
   - Go to **Settings** → **Networks**
   - Find the default network (usually named "Default" or "LAN")
   - Verify it's configured as `192.168.0.0/24`
   - Check if inter-VLAN routing is enabled

### Option 2: Configure Static Route (If Option 1 Doesn't Work)

If inter-VLAN routing is enabled but still not working, you may need to add a static route:

1. **Navigate to Routing Settings:**
   - Go to **Settings** → **Routing & Firewall** → **Static Routes** (or **Routes**)

2. **Add Static Route:**
   - **Name:** Route to VLAN 11
   - **Destination Network:** `192.168.11.0/24`
   - **Gateway:** `192.168.11.1` (or leave blank if using interface routing)
   - **Interface:** Select the interface/VLAN for VLAN 11
   - **Distance:** 1 (or default)
   - Click **Add** or **Save**

3. **Verify Route:**
   - Check the static routes list
   - Ensure the route is active

### Option 3: Check Firewall Rules Order

Even with routing enabled, firewall rules are evaluated first. Verify:

1. **Check ACL Rules Priority:**
   - The "Allow Default Network to Management VLAN" rule should have priority 5
   - Ensure no BLOCK rules with higher priority are blocking the traffic

2. **Verify Rule Status:**
   ```bash
   cd /home/intlc/projects/proxmox
   # NODE_TLS_REJECT_UNAUTHORIZED=0 disables TLS certificate verification;
   # keep it scoped to this one command rather than exporting it
   NODE_TLS_REJECT_UNAUTHORIZED=0 node scripts/unifi/list-acl-rules-node.js
   ```

3. **Check for Default Deny Rules:**
   - UDM Pro may have a default deny policy for inter-VLAN traffic
   - Ensure explicit ALLOW rules are in place

---

## Verification Steps

### Step 1: Test Routing from UDM Pro

1. **SSH to UDM Pro** (if SSH is enabled):
   ```bash
   ssh root@192.168.0.1
   ```

2. **Test ping from UDM Pro:**
   ```bash
   ping -c 3 192.168.11.10
   ```

   **Expected Result:** Should succeed if routing is configured correctly

### Step 2: Check Routing Table

From UDM Pro (via SSH or web interface):

1. **View routing table:**
   - Via SSH: `ip route show` or `route -n`
   - Via Web UI: **Settings** → **Routing & Firewall** → **Routes**

2. 
   **Look for route to `192.168.11.0/24`:**
   - Should show: `192.168.11.0/24 via dev `
   - Or: `192.168.11.0/24 dev `

### Step 3: Test from Source Device

From `192.168.0.23`:

```bash
# Test ping
ping -c 3 192.168.11.10

# Test with traceroute (if available)
traceroute 192.168.11.10
```

**Expected Result:** Should succeed after routing is configured

---

## Alternative: Use VLAN 11 Gateway Directly

If routing through UDM Pro continues to fail, you can configure the source device to use the VLAN 11 gateway directly:

1. **Add static route on source device (`192.168.0.23`):**
   ```bash
   # Linux
   # 192.168.11.1 must be directly reachable (on-link) from this host,
   # otherwise ip rejects the next hop
   sudo ip route add 192.168.11.0/24 via 192.168.11.1

   # Or add to /etc/network/interfaces or systemd-networkd
   ```

2. **Or configure default gateway:**
   - Change default gateway to `192.168.11.1` if accessing VLAN 11 is primary use case
   - Not recommended if you need access to both networks

---

## Troubleshooting Checklist

- [ ] Firewall rule created and enabled (Priority 5)
- [ ] VLAN 11 network configured correctly on UDM Pro
- [ ] Inter-VLAN routing enabled on UDM Pro
- [ ] Static route configured (if needed)
- [ ] No BLOCK rules with higher priority blocking traffic
- [ ] UDM Pro can ping `192.168.11.10` directly
- [ ] Routing table shows route to `192.168.11.0/24`
- [ ] Source device can reach UDM Pro (`ping 192.168.0.1`)
- [ ] Destination host is online (`ping 192.168.11.10` from VLAN 11)

---

## Related Documentation

- [UDM_PRO_API_LIMITATIONS.md](./UDM_PRO_API_LIMITATIONS.md) - API limitations
- [UDM_PRO_COMPLETE_MANUAL_GUIDE.md](./UDM_PRO_COMPLETE_MANUAL_GUIDE.md) - Manual configuration guide
- [UDM_PRO_STATUS.md](./UDM_PRO_STATUS.md) - Configuration status

---
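
For Step 2 (Check Routing Table): the script below is an added example, not part of the original guide. It applies longest-prefix matching to `ip route show` output to tell whether `192.168.11.10` is covered by a connected route, a static route, or only the default route. The sample routing tables, the interface names (`br0`, `br11`, `eth8`) and the WAN addresses are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: pick the route a Linux router would use for a destination
# by longest-prefix match over `ip route show` output read from stdin.
# Lines that do not start with "default" or an IPv4 prefix are skipped.
route_for() {
  awk -v dst="$1" '
    function ip2int(ip,   o) {
      split(ip, o, ".")
      return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
    }
    BEGIN { best = -1 }
    {
      prefix = $1; len = 32
      if (prefix == "default") { prefix = "0.0.0.0"; len = 0 }
      else if (split(prefix, p, "/") == 2) { prefix = p[1]; len = p[2] + 0 }
      if (prefix !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) next
      size = 2 ^ (32 - len)
      if (int(ip2int(dst) / size) == int(ip2int(prefix) / size) && len > best) {
        best = len; line = $0
      }
    }
    END { if (line != "") print line }'
}

# Classify the selected route (routing table on stdin, destination in $1).
diagnose() {
  case "$(route_for "$1")" in
    "")        echo "no-route" ;;
    default*)  echo "default-only" ;;        # VLAN route missing: traffic follows the default route
    *" via "*) echo "static-via-gateway" ;;  # static route through a next hop
    *)         echo "connected" ;;           # directly attached network
  esac
}

# Constructed sample tables; interface names and WAN addresses are hypothetical.
HEALTHY='default via 203.0.113.1 dev eth8
192.168.0.0/24 dev br0 proto kernel scope link src 192.168.0.1
192.168.11.0/24 dev br11 proto kernel scope link src 192.168.11.1
203.0.113.0/24 dev eth8 proto kernel scope link src 203.0.113.10'
MISSING=$(printf '%s\n' "$HEALTHY" | grep -v '^192\.168\.11\.0/24 ')

printf 'healthy: %s\n' "$(printf '%s\n' "$HEALTHY" | diagnose 192.168.11.10)"
printf 'missing: %s\n' "$(printf '%s\n' "$MISSING" | diagnose 192.168.11.10)"
```

On the router itself the same check is `ip route show | diagnose 192.168.11.10`; `ip route get 192.168.11.10` gives the kernel's own answer for comparison.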