# UDM Pro Routing Diagnosis - Complete Analysis

**Last Updated:** 2026-01-14

**Status:** ✅ Routing Working - Device Firewall Likely Blocking

---

## Gateway Ping Test Results

### Test: Ping VLAN 11 Gateway from Default Network

```bash
ping -c 3 192.168.11.1
```

**Result:** ✅ **SUCCESS**

- 3 packets transmitted, 3 received
- 0% packet loss
- Average RTT: 2.36ms

### Analysis

**✅ UDM Pro IS Routing Correctly**

- Traffic from `192.168.0.0/24` can reach `192.168.11.1`
- Routing path is functional
- Network isolation is NOT blocking (at gateway level)

**❌ Device at 192.168.11.10 is NOT Reachable**

- Cannot ping `192.168.11.10` from `192.168.0.0/24`
- Gateway is reachable, but the device is not

---

## Root Cause Analysis

### Most Likely Cause: Device Firewall

The device at `192.168.11.10` likely has a firewall that:

- ✅ Allows traffic from the same subnet (`192.168.11.0/24`)
- ❌ Blocks traffic from other subnets (`192.168.0.0/24`)

**Common Firewall Configurations:**

- **Windows Firewall:** May block traffic from "untrusted" networks; the built-in inbound ICMP echo rule is commonly scoped to the local subnet only, which produces exactly this symptom
- **Linux iptables:** May have rules blocking inter-subnet traffic
- **Application Firewalls:** May restrict access by source IP range

---

## Verification Checklist

### ✅ Confirmed Working

- [x] UDM Pro routing between networks
- [x] Gateway (192.168.11.1) is reachable
- [x] Network isolation is NOT blocking at gateway level
- [x] Zone policies allow Internal → Internal traffic

### ⚠️ Still Need to Verify

- [ ] Network Isolation toggle on MGMT-LAN (should be unchecked)
- [ ] Zone Matrix: Internal → Internal = "Allow All"
- [ ] CyberSecure settings (no blocking rules)
- [ ] Device firewall on 192.168.11.10

---

## Solutions

### Solution 1: Configure Device Firewall (Recommended)

**For Windows:**

1. Open Windows Firewall
2. Go to "Inbound Rules"
3. Find rules blocking ICMP or your application
4. Modify to allow traffic from `192.168.0.0/24`
5. Or create a new rule allowing `192.168.0.0/24` → `192.168.11.10`

**For Linux:**

```bash
# Allow all traffic from the Default network.
# -I inserts at the top of INPUT so the rule is evaluated before any existing
# DROP/REJECT rule; -A would append it after them and it would never match.
sudo iptables -I INPUT 1 -s 192.168.0.0/24 -j ACCEPT

# Or allow only a specific service (replace <port> with the service port, e.g. 22)
sudo iptables -I INPUT 1 -s 192.168.0.0/24 -p tcp --dport <port> -j ACCEPT

# iptables rules are not persistent across reboots; save them with your
# distribution's tool (e.g. iptables-save or netfilter-persistent).
```

**For Application Firewalls:**

- Check application-specific firewall settings
- Add `192.168.0.0/24` to allowed source IPs

### Solution 2: Verify Network Isolation (Just to be Sure)

1. Navigate: **Settings → Networks → MGMT-LAN**
2. Scroll to the **"Network"** section
3. Ensure **"Isolate Network"** is **UNCHECKED**
4. Save if changed
5. Wait 30 seconds
6. Test again: `ping 192.168.11.10`

### Solution 3: Check Zone Matrix

1. Click the **Grid icon** (Policy Engine) in the sidebar
2. Verify: **Internal → Internal = "Allow All"**
3. If not, click the cell and change it to "Allow All"
4. Save changes
5. Test again

### Solution 4: Check CyberSecure

1. Click the **Shield icon** (CyberSecure) in the sidebar
2. Check for rules blocking "lateral movement"
3. Check the "Security Posture" mode
4. If restrictive, consider adjusting it or waiting 15 minutes for propagation

---

## Testing Procedure

### Step 1: Test Gateway (✅ Already Passed)

```bash
ping -c 3 192.168.11.1
```

**Expected:** ✅ Success (confirmed)

### Step 2: Test Device (Current Issue)

```bash
ping -c 3 192.168.11.10
```

**Current:** ❌ Fails

**After Fix:** Should succeed

### Step 3: Test from Device Itself

If you have access to the device at `.10`:

```bash
# From 192.168.11.10
ping -c 3 192.168.0.1    # UDM Pro on Default network
ping -c 3 192.168.0.23   # Source device
```

### Step 4: Test Specific Service

If ping works but the service doesn't:

```bash
# Test a specific port (e.g., SSH on port 22)
nc -zv 192.168.11.10 22

# Or telnet
telnet 192.168.11.10 22
```

---

## Device-Specific Troubleshooting

### If Device is Proxmox Host

**Check Proxmox Firewall:**

```bash
# On Proxmox host (192.168.11.10)
pve-firewall status

# Check rules (host.fw lives under the node's directory; replace <node> with the node name)
cat /etc/pve/firewall/cluster.fw
cat /etc/pve/nodes/<node>/host.fw
```

**Allow Default Network:**

```bash
# Add a rule to allow 192.168.0.0/24, either via the Proxmox web UI
# (Node → Firewall) or by adding it to the [RULES] section of host.fw, e.g.:
#   IN ACCEPT -source 192.168.0.0/24
```

### If Device is Windows Server

**Check Windows Firewall:**

1. Open "Windows Defender Firewall with Advanced Security"
2. Check "Inbound Rules"
3. Look for rules blocking ICMP or your service
4. Modify or create a rule allowing `192.168.0.0/24`

### If Device is Linux Server

**Check iptables:**

```bash
sudo iptables -L -n -v
# Look for DROP/REJECT rules matching 192.168.0.0/24, or a catch-all DROP near the end of INPUT
# Add an allow rule if needed (see Solution 1)
```

**Check firewalld (if using):**

```bash
sudo firewall-cmd --list-all
# Bind the Default network to the trusted zone so all its traffic is accepted.
# --add-source without --zone only binds it to the default zone, which keeps
# that zone's service filtering in place.
sudo firewall-cmd --permanent --zone=trusted --add-source=192.168.0.0/24
sudo firewall-cmd --reload
```

---

## Summary

**Status:** ✅ **Routing is Working Correctly**

**Issue:** Device at `192.168.11.10` is blocking traffic from `192.168.0.0/24`

**Solution:** Configure the device firewall to allow traffic from the Default network

**Next Steps:**

1. Check device firewall on `192.168.11.10`
2. Add rule allowing `192.168.0.0/24`
3. Test connectivity: `ping 192.168.11.10`
4. Verify Network Isolation toggle (just to be thorough)
5. Check Zone Matrix (should already be "Allow All")
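As an added example (not part of the original note), the Testing Procedure steps 1, 2 and 4 scripted into one check that reports where the break is: gateway, host, or service port. It assumes Linux `ping` and `nc`, and the gateway, device and port above as defaults, overridable through the `GW`, `DEV` and `PORT` environment variables.

```shell
#!/bin/sh
# Added example, not part of the original note: runs the Testing Procedure
# (gateway ping, device ping, service port) in order and classifies where the
# break is. Assumes Linux ping/nc; addresses and port default to those above.
GW="${GW:-192.168.11.1}"      # VLAN 11 gateway on the UDM Pro
DEV="${DEV:-192.168.11.10}"   # device that is not answering
PORT="${PORT:-22}"            # service port to check once ICMP works

# 0 if the host answers ICMP (3 probes, 2 s reply timeout each), else non-zero
ping_ok() { ping -c 3 -W 2 "$1" >/dev/null 2>&1; }

# 0 if a TCP connect to host:port succeeds within 3 s, else non-zero
port_ok() { nc -z -w 3 "$1" "$2" >/dev/null 2>&1; }

# classify GW DEV PORT  (each 0 = reachable, non-zero = failed)
# Pure function over the three results so it can be checked without a network.
classify() {
  if [ "$1" -ne 0 ]; then
    echo "routing"           # gateway silent: route, isolation or zone policy on the UDM Pro
  elif [ "$2" -ne 0 ]; then
    echo "device-firewall"   # gateway answers, host does not: host firewall (or host down)
  elif [ "$3" -ne 0 ]; then
    echo "service-firewall"  # ICMP ok, port closed: service down or a per-port rule
  else
    echo "ok"
  fi
}

diagnose() {
  ping_ok "$GW";  gw=$?
  ping_ok "$DEV"; dev=$?
  port=1
  if [ "$dev" -eq 0 ]; then
    port_ok "$DEV" "$PORT"; port=$?
  fi
  result=$(classify "$gw" "$dev" "$port")
  echo "gateway=$gw device=$dev port=$port => $result"
}

# Run the live checks only when invoked as: sh diagnose.sh run
case "${1:-}" in run) diagnose ;; esac
```

Without the `run` argument the script only defines the functions, so `classify` can be exercised on recorded results.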