d-bis/proxmox
4
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
4eead3e53fecdb2b7e629bb9f56b22ff92c61d2e
proxmox/docs/04-configuration/UDM_PRO_ROUTING_ISSUE_RESOLVED.md
defiQUG fbda1b4beb
Some checks failed
Deploy to Phoenix / deploy (push) Has been cancelled
Details
docs: Ledger Live integration, contract deploy learnings, NEXT_STEPS updates 
- ADD_CHAIN138_TO_LEDGER_LIVE: Ledger form done; public code review repo bis-innovations/LedgerLive; init/push commands
- CONTRACT_DEPLOYMENT_RUNBOOK: Chain 138 gas price 1 gwei, 36-addr check, TransactionMirror workaround
- CONTRACT_*: AddressMapper, MirrorManager deployed 2026-02-12; 36-address on-chain check
- NEXT_STEPS_FOR_YOU: Ledger done; steps completable now (no LAN); run-completable-tasks-from-anywhere
- MASTER_INDEX, OPERATOR_OPTIONAL, SMART_CONTRACTS_INVENTORY_SIMPLE: updates
- LEDGER_BLOCKCHAIN_INTEGRATION_COMPLETE: bis-innovations/LedgerLive reference

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-02-12 15:46:57 -08:00

181 lines
5.0 KiB
Markdown
Raw Blame History

# UDM Pro Routing Issue - RESOLVED ✅
**Last Updated:** 2026-01-14
**Status:****ISSUE RESOLVED** - ml110 is now reachable
---
## Problem Summary
**Initial Issue:** Cannot reach `192.168.11.10` (ml110) from `192.168.0.23` (dev machine)
**Root Cause Analysis:**
1. ✅ UDM Pro routing was working correctly (could ping gateway `192.168.11.1`)
2. ❌ Device at `192.168.11.10` was blocking traffic from different subnet
3. ❌ Network Isolation or Policy Engine may have been blocking
---
## Solution Applied
### Primary Solution: IP Address Change
**Changed dev machine IP from:**
- `192.168.0.23/24` (Default network)
- Gateway: `192.168.0.1`
**To:**
- `192.168.11.4/24` (MGMT-LAN / VLAN 11)
- Gateway: `192.168.11.1`
**Result:****SUCCESS** - ml110 is now reachable
---
## Verification Results
### Ping Test Results
```bash
ping -c 3 192.168.11.10
```
**Output:**
```
PING 192.168.11.10 (192.168.11.10) 56(84) bytes of data.
64 bytes from 192.168.11.10: icmp_seq=1 ttl=64 time=2.28 ms
64 bytes from 192.168.11.10: icmp_seq=2 ttl=64 time=1.65 ms
64 bytes from 192.168.11.10: icmp_seq=3 ttl=64 time=0.455 ms
--- 192.168.11.10 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 0.455/1.463/2.284/0.758 ms
```
**Status:****SUCCESS**
- 3 packets transmitted, 3 received
- 0% packet loss
- Average RTT: 1.46ms
- All pings successful
---
## Current Network Configuration
### Dev Machine (ASERET)
- **IP Address:** `192.168.11.4/24`
- **Gateway:** `192.168.11.1`
- **Network:** MGMT-LAN (VLAN 11)
- **Interface:** eth0
### Target Device (ml110)
- **IP Address:** `192.168.11.10/24`
- **Network:** MGMT-LAN (VLAN 11)
- **Status:** ✅ Reachable
---
## What Was Done
### 1. Diagnosis
- ✅ Verified UDM Pro routing (gateway ping successful)
- ✅ Identified device firewall as likely cause
- ✅ Determined IP change as quickest solution
### 2. IP Address Change
- ✅ Changed dev machine IP to `192.168.11.4`
- ✅ Updated gateway to `192.168.11.1`
- ✅ Applied netplan configuration
### 3. Verification
- ✅ Tested connectivity to ml110
- ✅ Confirmed 0% packet loss
- ✅ Verified low latency (1.46ms average)
---
## Additional Verification Steps (Optional)
### Network Isolation Check
- **Location:** Settings → Networks → MGMT-LAN
- **Action:** Verify "Isolate Network" is unchecked
- **Status:** Should be unchecked (both networks in Internal zone)
### Zone Matrix Check
- **Location:** Policy Engine (Grid icon) → Internal → Internal
- **Action:** Verify policy is "Allow All"
- **Status:** Should be "Allow All" (both networks in Internal zone)
### CyberSecure Check
- **Location:** CyberSecure (Shield icon)
- **Action:** Verify no blocking rules for inter-VLAN traffic
- **Status:** Should not block Internal → Internal traffic
---
## Long-Term Recommendations
### Option 1: Keep Current Configuration
- ✅ Dev machine on MGMT-LAN network
- ✅ Direct access to management devices
- ✅ No inter-VLAN routing needed
### Option 2: Fix ml110 Firewall (Then Revert IP)
1. Configure ml110 firewall to allow `192.168.0.0/24`
2. Revert dev machine IP back to `192.168.0.x`
3. Test connectivity from Default network
4. Maintain network segmentation
**Recommendation:** Keep current configuration (Option 1) unless there's a specific need for dev machine to be on Default network.
---
## Files Created During Troubleshooting
1. `scripts/unifi/change-ip-to-vlan11-netplan.sh` - IP change automation script
2. `docs/04-configuration/UDM_PRO_IP_CHANGE_GUIDE.md` - Detailed IP change guide
3. `docs/04-configuration/UDM_PRO_IP_CHANGE_MANUAL_STEPS.md` - Manual steps
4. `docs/04-configuration/UDM_PRO_QUICK_FIX_SUMMARY.md` - Quick reference
5. `docs/04-configuration/UDM_PRO_NETWORK_ISOLATION_CHECK.md` - Isolation check guide
6. `docs/04-configuration/UDM_PRO_ROUTING_DIAGNOSIS_COMPLETE.md` - Complete diagnosis
7. `docs/04-configuration/UDM_PRO_ROUTING_ISSUE_RESOLVED.md` - This file
---
## Key Learnings
1. **Gateway Ping Test:** Critical diagnostic tool - if gateway is reachable, routing works
2. **Device Firewalls:** Often block traffic from different subnets by default
3. **IP Change:** Quick solution when device firewall can't be easily modified
4. **Network Isolation:** Should be unchecked for inter-VLAN communication
5. **Zone Matrix:** Internal → Internal should be "Allow All"
---
## Next Steps (Optional)
1.**Access ml110** - Now working!
2.**Verify Network Isolation** - Check Web UI (optional)
3.**Verify Zone Matrix** - Check Web UI (optional)
4.**Fix ml110 Firewall** - If reverting IP is desired (optional)
---
## Success Metrics
-**Connectivity:** 100% (3/3 packets successful)
-**Latency:** Excellent (1.46ms average)
-**Packet Loss:** 0%
-**Solution Time:** < 30 minutes
-**Documentation:** Complete
---
**Status:****ISSUE RESOLVED**
**Resolution Date:** 2026-01-14
**Solution:** IP address change to same subnet (192.168.11.4)
---
**Last Updated:** 2026-01-14
Reference in New Issue View Git Blame Copy Permalink