proxmox/docs/04-configuration/UDM_PRO_ROUTING_TROUBLESHOOTING.md

# UDM Pro Routing Troubleshooting Guide

**Last Updated:** 2026-01-13  
**Status:** Active Documentation
**Issue:** `192.168.0.23` cannot reach `192.168.11.10` (VLAN 11)  
**Error:** "Destination Host Unreachable" from `192.168.0.1`

---

## Problem Summary

**Source:** `192.168.0.23` (on `192.168.0.0/24` - UDM Pro default network)  
**Destination:** `192.168.11.10` (on `192.168.11.0/24` - VLAN 11 MGMT-LAN)  
**Gateway:** `192.168.0.1` (UDM Pro)

**Symptoms:**
- Ping fails with "Destination Host Unreachable"
- Firewall rule created successfully (allows `192.168.0.0/24` → VLAN 11)
- Routing issue persists

---

## Root Cause

The UDM Pro at `192.168.0.1` doesn't have a route configured to reach `192.168.11.0/24`. While inter-VLAN routing is enabled by default for networks configured as VLANs on the UDM Pro, the `192.168.0.0/24` network (UDM Pro's default/management network) may not automatically route to other VLANs.

---

## Solution: Configure Inter-VLAN Routing

### Option 1: Verify VLAN 11 Network Configuration (Recommended)

1. **Access UniFi Network Web Interface:**
   - URL: `https://192.168.0.1`
   - Login with admin credentials

2. **Navigate to Network Settings:**
   - Go to **Settings** → **Networks**
   - Click on **MGMT-LAN** (VLAN 11)

3. **Verify Network Configuration:**
   - **Network Name:** MGMT-LAN
   - **VLAN ID:** 11
   - **Subnet:** `192.168.11.0/24`
   - **Gateway IP/Subnet:** `192.168.11.1/24`
   - **DHCP Mode:** DHCP Server (or DHCP Server with DHCP Guard)
   - **DHCP Range:** `192.168.11.100-192.168.11.200`

4. **Check Routing Settings:**
   - Look for **"Enable Inter-VLAN Routing"** or **"Route Between VLANs"** option
   - Ensure it's enabled
   - Save if changes were made

5. **Verify Default Network Configuration:**
   - Go to **Settings** → **Networks**
   - Find the default network (usually named "Default" or "LAN")
   - Verify it's configured as `192.168.0.0/24`
   - Check if inter-VLAN routing is enabled

### Option 2: Configure Static Route (If Option 1 Doesn't Work)

If inter-VLAN routing is enabled but still not working, you may need to add a static route:

1. **Navigate to Routing Settings:**
   - Go to **Settings** → **Routing & Firewall** → **Static Routes** (or **Routes**)

2. **Add Static Route:**
   - **Name:** Route to VLAN 11
   - **Destination Network:** `192.168.11.0/24`
   - **Gateway:** `192.168.11.1` (or leave blank if using interface routing)
   - **Interface:** Select the interface/VLAN for VLAN 11
   - **Distance:** 1 (or default)
   - Click **Add** or **Save**

3. **Verify Route:**
   - Check the static routes list
   - Ensure the route is active

### Option 3: Check Firewall Rules Order

Even with routing enabled, firewall rules are evaluated first. Verify:

1. **Check ACL Rules Priority:**
   - The "Allow Default Network to Management VLAN" rule should have priority 5
   - Ensure no BLOCK rules with higher priority are blocking the traffic

2. **Verify Rule Status:**
   ```bash
   cd /home/intlc/projects/proxmox
   NODE_TLS_REJECT_UNAUTHORIZED=0 node scripts/unifi/list-acl-rules-node.js
   ```

3. **Check for Default Deny Rules:**
   - UDM Pro may have a default deny policy for inter-VLAN traffic
   - Ensure explicit ALLOW rules are in place

---

## Verification Steps

### Step 1: Test Routing from UDM Pro

1. **SSH to UDM Pro** (if SSH is enabled):
   ```bash
   ssh root@192.168.0.1
   ```

2. **Test ping from UDM Pro:**
   ```bash
   ping -c 3 192.168.11.10
   ```

   **Expected Result:** Should succeed if routing is configured correctly

### Step 2: Check Routing Table

From UDM Pro (via SSH or web interface):

1. **View routing table:**
   - Via SSH: `ip route show` or `route -n`
   - Via Web UI: **Settings** → **Routing & Firewall** → **Routes**

2. **Look for route to `192.168.11.0/24`:**
   - Should show: `192.168.11.0/24 via <gateway> dev <interface>`
   - Or: `192.168.11.0/24 dev <vlan-interface>`

### Step 3: Test from Source Device

From `192.168.0.23`:

```bash
# Test ping
ping -c 3 192.168.11.10

# Test with traceroute (if available)
traceroute 192.168.11.10
```

**Expected Result:** Should succeed after routing is configured

---

## Alternative: Use VLAN 11 Gateway Directly

If routing through UDM Pro continues to fail, you can configure the source device to use the VLAN 11 gateway directly:

1. **Add static route on source device (`192.168.0.23`):**
   ```bash
   # Linux
   sudo ip route add 192.168.11.0/24 via 192.168.11.1
   
   # Or add to /etc/network/interfaces or systemd-networkd
   ```

2. **Or configure default gateway:**
   - Change default gateway to `192.168.11.1` if accessing VLAN 11 is primary use case
   - Not recommended if you need access to both networks

---

## Troubleshooting Checklist

- [ ] Firewall rule created and enabled (Priority 5)
- [ ] VLAN 11 network configured correctly on UDM Pro
- [ ] Inter-VLAN routing enabled on UDM Pro
- [ ] Static route configured (if needed)
- [ ] No BLOCK rules with higher priority blocking traffic
- [ ] UDM Pro can ping `192.168.11.10` directly
- [ ] Routing table shows route to `192.168.11.0/24`
- [ ] Source device can reach UDM Pro (`ping 192.168.0.1`)
- [ ] Destination host is online (`ping 192.168.11.10` from VLAN 11)

---

## Related Documentation

- [UDM_PRO_API_LIMITATIONS.md](./UDM_PRO_API_LIMITATIONS.md) - API limitations
- [UDM_PRO_COMPLETE_MANUAL_GUIDE.md](./UDM_PRO_COMPLETE_MANUAL_GUIDE.md) - Manual configuration guide
- [UDM_PRO_STATUS.md](./UDM_PRO_STATUS.md) - Configuration status

---

**Last Updated:** 2026-01-13