# UDM Pro Manual SSH Diagnosis Guide

**Date**: 2026-01-21

**Purpose**: Manual commands to run on the UDM Pro via SSH to diagnose firewall/port forwarding

**SSH Credentials:**

- **Username**: `OQmQuS`
- **Password**: `m0MFXHdgMFKGB213b04`
- **IP**: `192.168.11.1` (or your UDM Pro IP)

---

## Connect to UDM Pro

```bash
ssh OQmQuS@192.168.11.1
# Enter password when prompted: m0MFXHdgMFKGB213b04
```

---

## Diagnosis Commands

### 1. Check Port Forwarding Rules (NAT Table)

```bash
# Check if port forwarding rules exist for 76.53.10.36
iptables -t nat -L -n -v | grep -A 5 "76.53.10.36"
```

**Expected Output (if working):**

```
DNAT       tcp  --  0.0.0.0/0            76.53.10.36          tcp dpt:80 to:192.168.11.166:80
DNAT       tcp  --  0.0.0.0/0            76.53.10.36          tcp dpt:443 to:192.168.11.166:443
```

**If empty**: Port forwarding rules are not active.

---

### 2. Check Firewall Rules for NPMplus

```bash
# Check if the firewall allows traffic to 192.168.11.166
iptables -L FORWARD -n -v | grep -A 5 "192.168.11.166"
```

**Expected Output (if working):**

```
ACCEPT     tcp  --  0.0.0.0/0            192.168.11.166       tcp dpt:80
ACCEPT     tcp  --  0.0.0.0/0            192.168.11.166       tcp dpt:443
```

**If empty**: The firewall may be blocking the traffic.

---

### 3. Check Firewall Rule Order

```bash
# List all FORWARD rules with line numbers
iptables -L FORWARD -n -v --line-numbers
```

**What to look for:**

- **Allow rules** for 192.168.11.166 should come **BEFORE** any **block rules**
- iptables evaluates a chain top to bottom and stops at the first match, so if block rules come first they will block the traffic

---

### 4. Check All NAT Rules

```bash
# List all NAT rules
iptables -t nat -L -n -v
```

**What to look for:**

- DNAT rules for 76.53.10.36:80 → 192.168.11.166:80
- DNAT rules for 76.53.10.36:443 → 192.168.11.166:443

---

### 5. Check Network Interfaces

```bash
# Check if 76.53.10.36 is assigned to a network interface
ip addr show | grep "76.53.10"
```

**Expected**: The IP should appear on a WAN interface.

---

### 6. Check Configuration Files

```bash
# Check firewall configuration
grep -A 10 "76.53.10.36" /mnt/data/udapi-config/firewall.json

# Check UniFi gateway config
grep -A 20 "port-forward" /mnt/data/unifi/config/config.gateway.json
```

---

## Quick Diagnosis Script

Run this complete check:

```bash
echo "=== Port Forwarding (NAT) ==="
iptables -t nat -L -n -v | grep -A 3 "76.53.10.36"
echo ""
echo "=== Firewall Rules (FORWARD) ==="
iptables -L FORWARD -n -v --line-numbers | grep -A 3 "192.168.11.166"
echo ""
echo "=== All FORWARD Rules (First 20) ==="
iptables -L FORWARD -n -v --line-numbers | head -20
```

---

## What to Look For

### ✅ If Port Forwarding is Working:

- NAT table shows DNAT rules for 76.53.10.36:80/443
- Rules have non-zero packet/byte counts (showing that traffic is hitting them)

### ❌ If Port Forwarding is NOT Working:

- NAT table is empty for 76.53.10.36
- No DNAT rules found

### ✅ If Firewall Allows Traffic:

- FORWARD chain shows ACCEPT rules for 192.168.11.166:80/443
- Allow rules come BEFORE block rules

### ❌ If Firewall is Blocking:

- No ACCEPT rules for 192.168.11.166
- Block rules come BEFORE allow rules
- DROP/REJECT rules for 192.168.11.166

---

## Common Issues and Fixes

### Issue 1: Port Forwarding Rules Not in NAT Table

**Symptom**: `iptables -t nat -L` shows no rules for 76.53.10.36

**Fix**:

- Go to the UDM Pro Web UI
- Settings → Firewall & Security → Port Forwarding
- Verify the rules are **enabled**
- If disabled, enable them
- Save and wait 30 seconds

### Issue 2: Firewall Blocking Traffic

**Symptom**: NAT rules exist but there are no ACCEPT rules in the FORWARD chain

**Fix**:

- Go to the UDM Pro Web UI
- Settings → Firewall & Security → Firewall Rules
- Ensure "Allow Port Forward..." rules exist
- Move them to the **top** of the list
- Save and wait 30 seconds

### Issue 3: Rule Order Issue

**Symptom**: Block rules come before allow rules

**Fix**:

- Go to the UDM Pro Web UI
- Settings → Firewall & Security → Firewall Rules
- Reorder the rules: allow rules at the top, block rules below
- Save and wait 30 seconds

---

## After Making Changes

1. **Wait 30 seconds** for the rules to apply
2. **Re-run the diagnosis commands** to verify
3. **Test external access**:

   ```bash
   curl -v http://76.53.10.36
   curl -v https://76.53.10.36
   ```

---

## Summary

**SSH Access Allows:**

- ✅ Viewing the current firewall/port forwarding configuration
- ✅ Diagnosing why ports are blocked
- ✅ Verifying rule order
- ⚠️ Changes made via the CLI may not persist (use the Web UI for changes)

**Recommended Workflow:**

1. SSH to the UDM Pro
2. Run the diagnosis commands
3. Identify the issue
4. Make changes via the Web UI
5. Verify via SSH again

---

**Next Step**: SSH to the UDM Pro and run the diagnosis commands above
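For the "verify via SSH again" step, the checks from sections 1 to 4 (DNAT present, ACCEPT present, allow before block) can be scripted against the same iptables listings instead of read by eye. This is an added example and not part of the original guide; it assumes the guide's addresses (WAN 76.53.10.36, NPMplus host 192.168.11.166) and runs on constructed sample listings so it can be tried off the device.

```shell
#!/bin/sh
# Added example (not from the original guide). The listings below are constructed
# samples in the format of `iptables -L -n -v`; on the UDM Pro, pass the live output.

# Constructed sample of `iptables -t nat -L -n -v` (no line numbers).
SAMPLE_NAT='Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    5   300 DNAT       tcp  --  *      *       0.0.0.0/0            76.53.10.36          tcp dpt:80 to:192.168.11.166:80
    2   120 DNAT       tcp  --  *      *       0.0.0.0/0            76.53.10.36          tcp dpt:443 to:192.168.11.166:443'

# Constructed sample of `iptables -L FORWARD -n -v --line-numbers` showing the
# rule-order problem from section 3: a DROP for the host sits above the ACCEPTs.
SAMPLE_FORWARD_BAD='Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1       10   600 DROP       tcp  --  *      *       0.0.0.0/0            192.168.11.166       tcp dpt:443
2        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.11.166       tcp dpt:80
3        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.11.166       tcp dpt:443'

# The same listing after the allow rules were moved to the top (the fix for Issue 3).
SAMPLE_FORWARD_GOOD='Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        7   420 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.11.166       tcp dpt:80
2        9   540 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.11.166       tcp dpt:443
3        0     0 DROP       tcp  --  *      *       0.0.0.0/0            192.168.11.166       tcp dpt:443'

# has_dnat LISTING WAN_IP PORT LAN_IP: exit 0 if a DNAT rule maps WAN_IP:PORT to LAN_IP:PORT.
has_dnat() {
  printf '%s\n' "$1" | awk -v wan="$2" -v port="$3" -v lan="$4" '
    / DNAT / && $0 ~ (" " wan " ") && $0 ~ ("dpt:" port "( |$)") && $0 ~ ("to:" lan ":" port "( |$)") { found = 1 }
    END { exit found ? 0 : 1 }'
}
# forward_order LISTING LAN_IP PORT: prints "allowed" or "blocked" with the rule numbers
# of the first ACCEPT and the first DROP/REJECT that match LAN_IP:PORT (first match wins).
forward_order() {
  printf '%s\n' "$1" | awk -v lan="$2" -v port="$3" '
    $1 ~ /^[0-9]+$/ && $0 ~ (" " lan " ") && $0 ~ ("dpt:" port "( |$)") {
      if ($4 == "ACCEPT" && !acc) acc = $1
      if (($4 == "DROP" || $4 == "REJECT") && !blk) blk = $1
    }
    END {
      verdict = (acc && (!blk || acc + 0 < blk + 0)) ? "allowed" : "blocked"
      printf "%s accept=%s block=%s\n", verdict, (acc ? acc : "none"), (blk ? blk : "none")
    }'
}
forward_order "$SAMPLE_FORWARD_BAD" 192.168.11.166 443    # blocked accept=3 block=1
forward_order "$SAMPLE_FORWARD_GOOD" 192.168.11.166 443   # allowed accept=2 block=3
# On the UDM Pro, feed the live listings instead of the samples:
#   has_dnat "$(iptables -t nat -L -n -v)" 76.53.10.36 443 192.168.11.166 && echo "DNAT present"
#   forward_order "$(iptables -L FORWARD -n -v --line-numbers)" 192.168.11.166 443
```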