proxmox/docs/04-configuration/UDM_PRO_NETWORK_ISOLATION_CHECK.md
defiQUG fbda1b4beb
docs: Ledger Live integration, contract deploy learnings, NEXT_STEPS updates
- ADD_CHAIN138_TO_LEDGER_LIVE: Ledger form done; public code review repo bis-innovations/LedgerLive; init/push commands
- CONTRACT_DEPLOYMENT_RUNBOOK: Chain 138 gas price 1 gwei, 36-addr check, TransactionMirror workaround
- CONTRACT_*: AddressMapper, MirrorManager deployed 2026-02-12; 36-address on-chain check
- NEXT_STEPS_FOR_YOU: Ledger done; steps completable now (no LAN); run-completable-tasks-from-anywhere
- MASTER_INDEX, OPERATOR_OPTIONAL, SMART_CONTRACTS_INVENTORY_SIMPLE: updates
- LEDGER_BLOCKCHAIN_INTEGRATION_COMPLETE: bis-innovations/LedgerLive reference

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-02-12 15:46:57 -08:00

UDM Pro Network Isolation & Policy Engine Check

Last Updated: 2026-01-14
Status: Active Documentation
Issue: Routing blocked by Network Isolation or Policy Engine (UniFi Network 9.x)

Problem Analysis

Based on UniFi Network 9.x interface analysis, the routing issue may NOT be about static routes, but rather:

  1. Network Isolation Toggle - "Isolate Network" enabled on MGMT-LAN
  2. Policy Engine Zone Matrix - Inter-VLAN blocking in Internal → Internal zone
  3. CyberSecure Interference - Security policies blocking management traffic

Step 1: Gateway Ping Test

Purpose: Verify whether the UDM Pro is routing between the Default network and VLAN 11 at all

# From Default network (192.168.0.x)
ping -c 3 192.168.11.1  # VLAN 11 Gateway

Expected Results:

  • Can ping the gateway (.1) but not the device (.10): the UDM is routing correctly, and the destination device's own firewall is blocking
  • Cannot ping the gateway (.1): UDM routing or policy is blocking the traffic

Step 2: Check Network Isolation Toggle

Location

  1. Navigate: Settings → Networks
  2. Click on MGMT-LAN (VLAN 11)
  3. Scroll to "Network" section (above DHCP section)
  4. Look for "Isolate Network" toggle

Action Required

  • UNCHECK "Isolate Network" if enabled
  • ⚠️ Why: this toggle applies a "Zero Trust" posture to the network and blocks ALL inter-VLAN communication to and from it

Verification

  • After unchecking, wait 30-60 seconds for changes to propagate
  • Test connectivity: ping 192.168.11.10

Step 3: Verify Zone Matrix (Policy Engine)

Location

  1. Click the Grid icon in sidebar (under "Policy Engine")
  2. Find the cell: Source: Internal → Destination: Internal
  3. Check the policy for this zone pair

Action Required

  • Ensure policy says "Allow All" (not "Block Inter-VLAN")
  • ⚠️ If blocked: Click the cell and change to "Allow All"

Zone Matrix Structure

Source Zone → Destination Zone
Internal    → Internal    [Should be "Allow All"]
Internal    → External    [Usually "Allow All"]
External    → Internal    [Usually "Block All"]

Step 4: Check CyberSecure Settings

Location

  1. Click the Shield icon in sidebar (CyberSecure)
  2. Check "Simple App Blocking" settings
  3. Check "Protection Rules" for inter-VLAN blocking
  4. Check "Security Posture" mode

Action Required

  • ⚠️ If CyberSecure is active: Check if it's blocking "lateral movement" or "suspicious traffic"
  • ⚠️ Security Posture: If set to "Restrictive" or "High Security", it may block inter-VLAN traffic
  • ⚠️ Propagation Time: If just activated, wait 15 minutes for signatures to propagate

Common CyberSecure Rules That Block Inter-VLAN

  • "Block Lateral Movement"
  • "Block Suspicious Traffic"
  • "Zero Trust Network Access"
  • "Network Segmentation"

Step 5: Check Traffic Flows (Insights)

Location

  1. Click Insights in sidebar
  2. Go to "Traffic Flows" or "Traffic Analysis"
  3. Filter for traffic from 192.168.0.0/24 to 192.168.11.0/24

What to Look For

  • Blocked/Dropped packets - Shows which policy is blocking
  • Source/Destination - Verify traffic is reaching UDM Pro
  • Policy Name - Identifies which rule is blocking

Step 6: Verify Firewall Rules (ACL Rules)

Even with zones configured, check the explicit firewall rules with the repo's ACL listing script:

cd /home/intlc/projects/proxmox
NODE_TLS_REJECT_UNAUTHORIZED=0 node scripts/unifi/list-acl-rules-node.js

Note that NODE_TLS_REJECT_UNAUTHORIZED=0 disables TLS certificate verification for this one Node process (the controller typically presents a self-signed certificate); set it inline as shown rather than exporting it into the shell.

Look for:

  • Allow rule: 192.168.0.0/24 → 192.168.11.0/24 (Priority 5)
  • Block rule: any higher-priority rule that matches the same traffic, since it is evaluated first and shadows the allow rule
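As an added example (not part of the original document or the proxmox repo's scripts), this Python snippet implements the shadowing check described above: first-match evaluation in priority order, plus a search for block rules that are evaluated before the Priority 5 allow rule and overlap its networks. The rule list is constructed, the field names are assumptions (the real output format of list-acl-rules-node.js is not shown here), and it assumes a smaller priority number is evaluated first and that unmatched traffic falls through to the Internal → Internal "Allow All" zone policy.

```python
import ipaddress

# Constructed sample rule list; field names are assumptions, not the script's real format.
# Assumption: a smaller "priority" value is evaluated first (i.e. "higher" priority).
SAMPLE_RULES = [
    {"name": "Block Lateral Movement", "priority": 2, "action": "block",
     "src": "192.168.0.0/16", "dst": "192.168.11.0/24", "protocol": "all"},
    {"name": "Allow Default to MGMT-LAN", "priority": 5, "action": "allow",
     "src": "192.168.0.0/24", "dst": "192.168.11.0/24", "protocol": "all"},
    {"name": "Allow Default to Internet", "priority": 9, "action": "allow",
     "src": "192.168.0.0/24", "dst": "0.0.0.0/0", "protocol": "all"},
]


def rule_matches(rule, src_ip, dst_ip, protocol="all"):
    """True if the rule's source/destination networks and protocol cover this flow."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    proto_ok = rule["protocol"] in ("all", protocol)
    return (proto_ok and src in ipaddress.ip_network(rule["src"])
            and dst in ipaddress.ip_network(rule["dst"]))


def effective_action(rules, src_ip, dst_ip, protocol="all", default="allow"):
    """First-match evaluation in priority order; returns the winning rule's action.
    The default models the Internal -> Internal zone policy being "Allow All"."""
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if rule_matches(rule, src_ip, dst_ip, protocol):
            return rule["action"]
    return default


def shadowing_blocks(rules, allow_name):
    """Names of block rules evaluated before the named allow rule whose
    source/destination networks overlap it (these silently defeat the allow)."""
    allow = next(r for r in rules if r["name"] == allow_name)
    a_src = ipaddress.ip_network(allow["src"])
    a_dst = ipaddress.ip_network(allow["dst"])
    return [r["name"] for r in rules
            if r["action"] == "block" and r["priority"] < allow["priority"]
            and ipaddress.ip_network(r["src"]).overlaps(a_src)
            and ipaddress.ip_network(r["dst"]).overlaps(a_dst)
            and r["protocol"] in ("all", allow["protocol"])]


if __name__ == "__main__":
    # Default network host -> MGMT-LAN device, as in the Step 1 ping test
    print(effective_action(SAMPLE_RULES, "192.168.0.50", "192.168.11.10"))
    print(shadowing_blocks(SAMPLE_RULES, "Allow Default to MGMT-LAN"))
```

Feed it the rules the script prints (mapped onto these field names) and a non-empty result from shadowing_blocks is the "higher priority block rule" the checklist asks you to look for.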

Quick Diagnostic Checklist

  • Gateway ping test: ping 192.168.11.1 (from Default network)
  • Network Isolation: UNCHECKED on MGMT-LAN
  • Zone Matrix: Internal → Internal = "Allow All"
  • CyberSecure: No blocking rules for inter-VLAN traffic
  • Firewall Rules: Allow rule exists and has correct priority
  • Traffic Flows: Check Insights for blocked packets

Expected Configuration

MGMT-LAN (VLAN 11) Settings

  • Network Isolation: Disabled (UNCHECKED)
  • Zone: Internal
  • DHCP: Enabled
  • Auto Default Gateway: Enabled

Policy Engine Zone Matrix

  • Internal → Internal: Allow All
  • Internal → External: Allow All (or as needed)
  • External → Internal: Block All (default)

Firewall Rules

  • Priority 5: Allow 192.168.0.0/24 → 192.168.11.0/24 (All protocols)

Troubleshooting Order

  1. First: Check Network Isolation toggle (fastest fix)
  2. Second: Verify Zone Matrix policy
  3. Third: Check CyberSecure settings
  4. Fourth: Review Traffic Flows in Insights
  5. Last: Verify firewall rules priority

After Making Changes

  1. Wait 30-60 seconds for changes to propagate
  2. Test connectivity:

     ping -c 3 192.168.11.1   # Gateway
     ping -c 3 192.168.11.10  # Device

  3. Check Traffic Flows in Insights to verify traffic is flowing
