# UDM Pro Routing Issue - RESOLVED ✅

**Last Updated:** 2026-01-14

**Status:** ✅ **ISSUE RESOLVED** - ml110 is now reachable

---

## Problem Summary

**Initial Issue:** Cannot reach `192.168.11.10` (ml110) from `192.168.0.23` (dev machine)

**Root Cause Analysis:**

1. ✅ UDM Pro routing was working correctly (could ping gateway `192.168.11.1`)
2. ❌ Device at `192.168.11.10` was blocking traffic from different subnet
3. ❌ Network Isolation or Policy Engine may have been blocking

---

## Solution Applied

### Primary Solution: IP Address Change

**Changed dev machine IP from:**

- `192.168.0.23/24` (Default network)
- Gateway: `192.168.0.1`

**To:**

- `192.168.11.4/24` (MGMT-LAN / VLAN 11)
- Gateway: `192.168.11.1`

**Result:** ✅ **SUCCESS** - ml110 is now reachable

---

## Verification Results

### Ping Test Results

```bash
ping -c 3 192.168.11.10
```

**Output:**

```
PING 192.168.11.10 (192.168.11.10) 56(84) bytes of data.
64 bytes from 192.168.11.10: icmp_seq=1 ttl=64 time=2.28 ms
64 bytes from 192.168.11.10: icmp_seq=2 ttl=64 time=1.65 ms
64 bytes from 192.168.11.10: icmp_seq=3 ttl=64 time=0.455 ms

--- 192.168.11.10 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 0.455/1.463/2.284/0.758 ms
```

**Status:** ✅ **SUCCESS**

- 3 packets transmitted, 3 received
- 0% packet loss
- Average RTT: 1.46ms
- All pings successful

---

## Current Network Configuration

### Dev Machine (ASERET)

- **IP Address:** `192.168.11.4/24`
- **Gateway:** `192.168.11.1`
- **Network:** MGMT-LAN (VLAN 11)
- **Interface:** eth0

### Target Device (ml110)

- **IP Address:** `192.168.11.10/24`
- **Network:** MGMT-LAN (VLAN 11)
- **Status:** ✅ Reachable

---

## What Was Done

### 1. Diagnosis

- ✅ Verified UDM Pro routing (gateway ping successful)
- ✅ Identified device firewall as likely cause
- ✅ Determined IP change as quickest solution

### 2. IP Address Change

- ✅ Changed dev machine IP to `192.168.11.4`
- ✅ Updated gateway to `192.168.11.1`
- ✅ Applied netplan configuration

### 3. Verification

- ✅ Tested connectivity to ml110
- ✅ Confirmed 0% packet loss
- ✅ Verified low latency (1.46ms average)

---

## Additional Verification Steps (Optional)

### Network Isolation Check

- **Location:** Settings → Networks → MGMT-LAN
- **Action:** Verify "Isolate Network" is unchecked
- **Status:** Should be unchecked (both networks in Internal zone)

### Zone Matrix Check

- **Location:** Policy Engine (Grid icon) → Internal → Internal
- **Action:** Verify policy is "Allow All"
- **Status:** Should be "Allow All" (both networks in Internal zone)

### CyberSecure Check

- **Location:** CyberSecure (Shield icon)
- **Action:** Verify no blocking rules for inter-VLAN traffic
- **Status:** Should not block Internal → Internal traffic

---

## Long-Term Recommendations

### Option 1: Keep Current Configuration

- ✅ Dev machine on MGMT-LAN network
- ✅ Direct access to management devices
- ✅ No inter-VLAN routing needed

### Option 2: Fix ml110 Firewall (Then Revert IP)

1. Configure ml110 firewall to allow `192.168.0.0/24`
2. Revert dev machine IP back to `192.168.0.x`
3. Test connectivity from Default network
4. Maintain network segmentation

**Recommendation:** Keep current configuration (Option 1) unless there's a specific need for dev machine to be on Default network.

---

## Files Created During Troubleshooting

1. `scripts/unifi/change-ip-to-vlan11-netplan.sh` - IP change automation script
2. `docs/04-configuration/UDM_PRO_IP_CHANGE_GUIDE.md` - Detailed IP change guide
3. `docs/04-configuration/UDM_PRO_IP_CHANGE_MANUAL_STEPS.md` - Manual steps
4. `docs/04-configuration/UDM_PRO_QUICK_FIX_SUMMARY.md` - Quick reference
5. `docs/04-configuration/UDM_PRO_NETWORK_ISOLATION_CHECK.md` - Isolation check guide
6. `docs/04-configuration/UDM_PRO_ROUTING_DIAGNOSIS_COMPLETE.md` - Complete diagnosis
7. `docs/04-configuration/UDM_PRO_ROUTING_ISSUE_RESOLVED.md` - This file

---

## Key Learnings

1. **Gateway Ping Test:** Critical diagnostic tool - if gateway is reachable, routing works
2. **Device Firewalls:** Often block traffic from different subnets by default
3. **IP Change:** Quick solution when device firewall can't be easily modified
4. **Network Isolation:** Should be unchecked for inter-VLAN communication
5. **Zone Matrix:** Internal → Internal should be "Allow All"

---

## Next Steps (Optional)

1. ✅ **Access ml110** - Now working!
2. ⏳ **Verify Network Isolation** - Check Web UI (optional)
3. ⏳ **Verify Zone Matrix** - Check Web UI (optional)
4. ⏳ **Fix ml110 Firewall** - If reverting IP is desired (optional)

---

## Success Metrics

- ✅ **Connectivity:** 100% (3/3 packets successful)
- ✅ **Latency:** Excellent (1.46ms average)
- ✅ **Packet Loss:** 0%
- ✅ **Solution Time:** < 30 minutes
- ✅ **Documentation:** Complete

---

**Status:** ✅ **ISSUE RESOLVED**

**Resolution Date:** 2026-01-14

**Solution:** IP address change to same subnet (192.168.11.4)
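
---

The diagnostic reasoning from Key Learnings items 1 and 2, written out as an added shell example (it is not one of the scripts listed under "Files Created During Troubleshooting"): it pings the target VLAN's gateway and the target, then classifies the outcome. The function names and result labels are assumptions made for this example, and the subnet comparison only handles the /24 prefixes used on this page.

```bash
#!/bin/sh
# Added example; function names and result labels are hypothetical.

# same_subnet24 SRC DST: succeeds when both IPv4 addresses share a /24
# (compares everything before the last dot).
same_subnet24() {
  [ "${1%.*}" = "${2%.*}" ]
}

# classify GW_RC TARGET_RC SAME(yes|no): maps ping exit codes to a diagnosis.
classify() {
  if [ "$2" -eq 0 ]; then
    echo "reachable"
  elif [ "$1" -ne 0 ]; then
    # The target VLAN's gateway does not answer: look at the router first.
    echo "check-router-routing-or-policy"
  elif [ "$3" = "no" ]; then
    # Gateway answers, target does not, source is on another subnet:
    # the page's case (device firewall, or isolation / zone policy).
    echo "host-firewall-or-isolation-policy"
  else
    # Same subnet, so no routing is involved at all.
    echo "host-down-or-host-firewall"
  fi
}

# diagnose SRC_IP GATEWAY TARGET: runs both pings and prints the diagnosis.
diagnose() {
  d_gw_rc=0
  d_tgt_rc=0
  d_same=no
  ping -c 3 -W 2 "$2" >/dev/null 2>&1 || d_gw_rc=$?
  ping -c 3 -W 2 "$3" >/dev/null 2>&1 || d_tgt_rc=$?
  if same_subnet24 "$1" "$3"; then d_same=yes; fi
  classify "$d_gw_rc" "$d_tgt_rc" "$d_same"
}

# Probe only when called with SRC_IP GATEWAY TARGET, for example:
#   ./diagnose.sh 192.168.0.23 192.168.11.1 192.168.11.10
if [ "$#" -eq 3 ]; then
  diagnose "$@"
fi
```
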