proxmox/docs/04-configuration/UDM_PRO_IP_CHANGE_GUIDE.md
defiQUG fbda1b4beb
docs: Ledger Live integration, contract deploy learnings, NEXT_STEPS updates
- ADD_CHAIN138_TO_LEDGER_LIVE: Ledger form done; public code review repo bis-innovations/LedgerLive; init/push commands
- CONTRACT_DEPLOYMENT_RUNBOOK: Chain 138 gas price 1 gwei, 36-addr check, TransactionMirror workaround
- CONTRACT_*: AddressMapper, MirrorManager deployed 2026-02-12; 36-address on-chain check
- NEXT_STEPS_FOR_YOU: Ledger done; steps completable now (no LAN); run-completable-tasks-from-anywhere
- MASTER_INDEX, OPERATOR_OPTIONAL, SMART_CONTRACTS_INVENTORY_SIMPLE: updates
- LEDGER_BLOCKCHAIN_INTEGRATION_COMPLETE: bis-innovations/LedgerLive reference

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-02-12 15:46:57 -08:00


# UDM Pro - IP Address Change Guide
**Last Updated:** 2026-01-14

**Status:** Active Documentation

**Question:** Should I change dev machine IP to 192.168.11.4 to access ml110 at 192.168.11.10?

---
## Analysis: IP Change vs Fix Firewall
### Current Situation
- **Dev Machine:** On `192.168.0.0/24` network
- **Target:** ml110 at `192.168.11.10` on `192.168.11.0/24` network
- **Routing:** ✅ Working (can ping gateway 192.168.11.1)
- **Issue:** Device firewall on ml110 likely blocking traffic from different subnet
### Option 1: Change Dev Machine IP to 192.168.11.4 (Quick Workaround)
**Pros:**
- ✅ Quick solution - bypasses inter-VLAN routing
- ✅ Same subnet = no firewall blocking issues
- ✅ Direct communication without routing complexity
- ✅ Good for testing/development
**Cons:**
- ⚠️ Dev machine moves to management network (may not be desired)
- ⚠️ May need to reconfigure network settings
- ⚠️ Doesn't solve the root cause (firewall blocking)
**When to Use:**
- Need immediate access for testing
- Temporary solution while fixing firewall
- Dev machine should be on management network anyway
### Option 2: Fix Firewall on ml110 (Proper Solution)
**Pros:**
- ✅ Maintains network segmentation
- ✅ Dev machine stays on Default network
- ✅ Proper security configuration
- ✅ Solves root cause
**Cons:**
- ⚠️ Requires access to ml110 to configure firewall
- ⚠️ May take longer to implement
**When to Use:**
- Want to maintain network separation
- Dev machine should stay on Default network
- Proper long-term solution
---
## Recommendation
**For Immediate Access:** Change IP to `192.168.11.4` (quick workaround)

**For Long-term:** Fix firewall on ml110 to allow `192.168.0.0/24` (proper solution)

**Best Approach:** Do both - change IP now for immediate access, then fix firewall for proper solution

---
## Option 1: Change Dev Machine IP to 192.168.11.4
### Step 1: Check Current Network Configuration
```bash
# Check current IP
ip addr show
# Or
ifconfig
# Check current network
ip route show
```
### Step 2: Change IP Address
#### Method A: Static IP via NetworkManager (if using)
```bash
# Check current connection name
nmcli connection show
# Change IP address
sudo nmcli connection modify <connection-name> ipv4.addresses 192.168.11.4/24
sudo nmcli connection modify <connection-name> ipv4.gateway 192.168.11.1
sudo nmcli connection modify <connection-name> ipv4.method manual
sudo nmcli connection down <connection-name>
sudo nmcli connection up <connection-name>
```
#### Method B: Static IP via netplan (Ubuntu/Debian)
```bash
# Edit netplan config
sudo nano /etc/netplan/01-netcfg.yaml
```
Add/modify:
```yaml
network:
  version: 2
  renderer: networkd
  ethernets:
    <interface-name>:
      addresses:
        - 192.168.11.4/24
      # gateway4 is deprecated in newer netplan releases (a warning is printed)
      gateway4: 192.168.11.1
      nameservers:
        addresses:
          - 192.168.11.1
          - 8.8.8.8
```
Apply:
```bash
sudo netplan apply
```
#### Method C: Static IP via /etc/network/interfaces (older Debian)
```bash
sudo nano /etc/network/interfaces
```
Add/modify:
```
auto <interface-name>
iface <interface-name> inet static
    address 192.168.11.4
    netmask 255.255.255.0
    gateway 192.168.11.1
    dns-nameservers 192.168.11.1 8.8.8.8
```
Restart:
```bash
sudo systemctl restart networking
# Or
sudo ifdown <interface-name> && sudo ifup <interface-name>
```
### Step 3: Verify New IP
```bash
# Check IP address
ip addr show
# Should show 192.168.11.4
# Check routing
ip route show
# Should show default via 192.168.11.1
# Test connectivity
ping -c 3 192.168.11.1 # Gateway
ping -c 3 192.168.11.10 # ml110
```
### Step 4: Test Access to ml110
```bash
# Test ping
ping -c 3 192.168.11.10
# Test specific service (if applicable)
# e.g., SSH
ssh user@192.168.11.10
# e.g., HTTP
curl http://192.168.11.10
```
---
## Option 2: Fix Firewall on ml110 (Keep Dev Machine on Default Network)
### If ml110 is Proxmox Host
**Check Proxmox Firewall:**
```bash
# SSH to ml110 (192.168.11.10)
ssh root@192.168.11.10
# Check firewall status
pve-firewall status
# Check firewall rules
cat /etc/pve/firewall/cluster.fw
# Host rules live in /etc/pve/nodes/<nodename>/host.fw; /etc/pve/local links to this node
cat /etc/pve/local/host.fw
```
**Allow Default Network:**
```bash
# Edit host firewall (/etc/pve/local links to /etc/pve/nodes/<nodename>/)
nano /etc/pve/local/host.fw
```
Add rule:
```
[OPTIONS]
enable: 1
[RULES]
IN ACCEPT -source 192.168.0.0/24 -log nolog # Allow Default Network
```
Or via Proxmox Web UI:
1. Navigate to: **Datacenter → Firewall → Host Firewall**
2. Add rule:
- **Action:** Accept
- **Source:** `192.168.0.0/24`
- **Protocol:** All
- **Comment:** Allow Default Network
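
The rule above accepts every protocol and port from `192.168.0.0/24`. The following is an added example, not part of the original guide or of Proxmox: a small audit that lists the `IN ACCEPT` rules in a `host.fw` and marks the ones with no destination port. The function name `audit_host_fw` and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag IN ACCEPT rules in a Proxmox host.fw that carry no
# destination port (every port from the source is accepted).
# On a host: audit_host_fw < /etc/pve/local/host.fw
audit_host_fw() {
    awk '
        /^\[/ { in_rules = (toupper($0) ~ /^\[RULES\]/); next }
        !in_rules { next }                       # only look inside [RULES]
        /^[ \t]*#/ || /^[ \t]*$/ { next }        # comments and blank lines
        /^\|/ { next }                           # rules disabled with a leading |
        $1 == "IN" && $2 ~ /ACCEPT/ {
            sub(/[ \t]*#.*/, "")                 # drop the trailing comment
            # A macro such as SSH(ACCEPT) or an explicit -dport limits the ports
            scope = ($0 ~ / -dport / || $2 ~ /\(ACCEPT\)/) ? "SCOPED" : "BROAD"
            print scope ": " $0
        }
    '
}

# Constructed sample host.fw (not taken from a real host)
SAMPLE_HOST_FW='[OPTIONS]
enable: 1

[RULES]
IN ACCEPT -source 192.168.0.0/24 -log nolog # Allow Default Network
IN ACCEPT -source 192.168.0.0/24 -p tcp -dport 8006 -log nolog # web UI only
IN SSH(ACCEPT) -source 192.168.0.0/24
|IN ACCEPT -source 10.0.0.0/8'

printf '%s\n' "$SAMPLE_HOST_FW" | audit_host_fw
```

A `BROAD` line is a candidate for narrowing to the services the dev machine needs, for example the web UI on TCP 8006 and SSH.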
### If ml110 is Windows Server
**Windows Firewall:**
1. Open "Windows Defender Firewall with Advanced Security"
2. Click "Inbound Rules" → "New Rule"
3. Rule Type: Custom
4. Program: All programs
5. Protocol: Any
6. Scope:
- Remote IP: `192.168.0.0/24`
7. Action: Allow
8. Profile: All
9. Name: "Allow Default Network"
### If ml110 is Linux Server
**iptables:**
```bash
# SSH to ml110
ssh user@192.168.11.10
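# Allow traffic from Default network.
# -I inserts at the top of INPUT; a rule appended with -A lands after any
# existing catch-all DROP/REJECT rule and would never match.
sudo iptables -I INPUT 1 -s 192.168.0.0/24 -j ACCEPT
# Save rules (Ubuntu/Debian, requires the iptables-persistent package)
sudo iptables-save | sudo tee /etc/iptables/rules.v4
# Or (CentOS/RHEL)
sudo service iptables save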
```
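
Rule order decides whether the accept rule ever matches. The following is an added example, not part of the original guide: it reads `iptables -S INPUT` output and reports whether the accept rule for a source network sits behind a catch-all `DROP`/`REJECT`. The function name `check_shadowed` and both sample rulesets are constructed for illustration.

```shell
#!/bin/sh
# Added example: is the ACCEPT rule for a source network reachable, or is it
# shadowed by an earlier catch-all DROP/REJECT?
# On a host: sudo iptables -S INPUT | check_shadowed 192.168.0.0/24
check_shadowed() {
    awk -v src="$1" '
        $1 != "-A" { next }                      # skip the -P policy line
        { n++ }
        # Catch-all: "-A INPUT -j DROP" or "-A INPUT -j REJECT ..." with no match
        $3 == "-j" && ($4 == "DROP" || $4 == "REJECT") && !block { block = n }
        {
            for (i = 3; i < NF; i++)
                if ($i == "-s" && $(i + 1) == src && $0 ~ /-j ACCEPT/ && !allow)
                    allow = n
        }
        END {
            if (!allow)                      print "missing"
            else if (block && block < allow) print "shadowed"
            else                             print "effective"
        }
    '
}

# Constructed sample: rule added with -A after a final REJECT
RULES_APPENDED='-P INPUT ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -s 192.168.0.0/24 -j ACCEPT'

# Constructed sample: same ruleset with the rule inserted at position 1
RULES_INSERTED='-P INPUT ACCEPT
-A INPUT -s 192.168.0.0/24 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited'

printf '%s\n' "$RULES_APPENDED" | check_shadowed 192.168.0.0/24
printf '%s\n' "$RULES_INSERTED" | check_shadowed 192.168.0.0/24
```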
**firewalld:**
```bash
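# Allow source network: bind it to the trusted zone, which accepts all traffic.
# Without --zone the source is only attached to the default zone and nothing new is allowed.
sudo firewall-cmd --permanent --zone=trusted --add-source=192.168.0.0/24
sudo firewall-cmd --reload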
```
---
## Comparison: Both Approaches
| Aspect | Change IP to 192.168.11.4 | Fix Firewall on ml110 |
|--------|---------------------------|----------------------|
| **Speed** | ⚡ Fast (5 minutes) | 🐌 Slower (requires ml110 access) |
| **Network Segregation** | ❌ Dev machine on management network | ✅ Maintains separation |
| **Security** | ⚠️ Depends on use case | ✅ Proper firewall rules |
| **Long-term** | ⚠️ May not be desired | ✅ Proper solution |
| **Complexity** | ✅ Simple | ⚠️ Requires ml110 access |
---
## Recommended Approach
### Immediate (Today)
1. **Change dev machine IP to 192.168.11.4** for immediate access
2. Test connectivity: `ping 192.168.11.10`
3. Verify access to ml110 services
### Long-term (This Week)
1. **Fix firewall on ml110** to allow `192.168.0.0/24`
2. **Revert dev machine IP** back to `192.168.0.x` (if desired)
3. Test connectivity from Default network
4. Document firewall rules
---
## Verification After IP Change
```bash
# Verify new IP
ip addr show | grep 192.168.11.4
# Test gateway
ping -c 3 192.168.11.1
# Test ml110
ping -c 3 192.168.11.10
# Test DNS (if applicable)
nslookup ml110 192.168.11.1
```
---
## Troubleshooting
### Can't Access After IP Change
1. **Check IP assignment:**
```bash
ip addr show
```
2. **Check routing:**
```bash
ip route show
```
3. **Check gateway:**
```bash
ping -c 3 192.168.11.1
```
4. **Check ml110:**
```bash
ping -c 3 192.168.11.10
```
5. **Check firewall on ml110:**
- Verify firewall allows traffic from `192.168.11.4`
- Even on same subnet, firewall might block
### Want to Revert IP Change
```bash
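# Change back to DHCP (if was using DHCP); also clear the static address and
# gateway, otherwise 192.168.11.4 stays on the interface alongside the DHCP lease
sudo nmcli connection modify <connection-name> ipv4.method auto ipv4.gateway "" ipv4.addresses ""
sudo nmcli connection down <connection-name>
sudo nmcli connection up <connection-name>
# Or change to specific IP on Default network
sudo nmcli connection modify <connection-name> ipv4.addresses 192.168.0.X/24
sudo nmcli connection modify <connection-name> ipv4.gateway 192.168.0.1
sudo nmcli connection modify <connection-name> ipv4.method manual
sudo nmcli connection down <connection-name>
sudo nmcli connection up <connection-name>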
```