External Access Timeout - Diagnosis & Fix
Date: 2026-01-21
Issue: ERR_CONNECTION_TIMED_OUT when accessing explorer.d-bis.org
Status: ⚠️ Port Forwarding Configured but Firewall Blocking
Problem Summary
Symptoms:
- ✅ DNS resolves correctly: explorer.d-bis.org → 76.53.10.36
- ✅ Port forwarding rules exist in UDM Pro
- ✅ NPMplus is running and listening on ports 80/443
- ✅ Internal path works (HTTP 200)
- ❌ External access times out (ERR_CONNECTION_TIMED_OUT)
Root Cause: The UDM Pro firewall is likely blocking WAN → LAN traffic, even though port forwarding rules exist.
Current Status
✅ Working Components
- DNS: ✅ Resolves to 76.53.10.36
- NPMplus: ✅ Running, listening on 0.0.0.0:80 and 0.0.0.0:443
- NPMplus Config: ✅ Proxy host configured correctly
- VMID 5000: ✅ Operational, serving HTTP 200
- Port Forwarding Rules: ✅ Exist in UDM Pro:
  - 76.53.10.36:80 → 192.168.11.166:80
  - 76.53.10.36:443 → 192.168.11.166:443
❌ Issue
Ports 80 and 443 are NOT reachable from outside the network:
- Connection to 76.53.10.36:80 → Timeout
- Connection to 76.53.10.36:443 → Timeout
Root Cause Analysis
Port forwarding rules exist, but traffic is being blocked. This is typically due to:
- UDM Pro Firewall Rules blocking WAN → LAN traffic
- Port forwarding rules not enabled (though they appear in the UI)
- Zone-based firewall blocking External → Internal traffic
- WAN interface not selected in port forwarding rules
Solution: Check UDM Pro Firewall Rules
Step 1: Verify Port Forwarding Rules Are Enabled
In UDM Pro web interface:
- Navigate to: Settings → Firewall & Security → Port Forwarding
- Verify the rules show as "Enabled" or have a checkmark
- If disabled, enable them:
  - Click on each rule
  - Toggle "Enabled" to ON
  - Save
Step 2: Check Firewall Rules (WAN → LAN)
UDM Pro may have firewall rules that block incoming WAN traffic. Check:
- Navigate to: Settings → Firewall & Security → Firewall Rules
- Look for rules with:
  - Source: WAN / External / Internet
  - Destination: LAN / Internal / 192.168.11.0/24
  - Action: Block / Deny
- If blocking rules exist, you need to either:
  - Option A: Add an allow rule BEFORE the block rule:
    - Source: Any (or WAN)
    - Destination: 192.168.11.166
    - Port: 80, 443
    - Action: Allow
    - Place it ABOVE any block rules
  - Option B: Modify the block rule to exclude port forwarding:
    - Add exception for destination IP: 192.168.11.166
    - Add exception for ports: 80, 443
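The rule-order problem behind Options A and B, as an added example (not part of the original runbook and not UniFi's rule engine): a simplified first-match model using the page's addresses. The dict layout, rule names and function names are hypothetical, and it assumes rules are evaluated top-down against the forwarded internal destination.

```python
from ipaddress import ip_network

# Rule values come from the page; the dict layout and names are hypothetical.
BLOCK_WAN_LAN = {"name": "block WAN->LAN", "src": "WAN",
                 "dst": "192.168.11.0/24", "ports": None, "action": "block"}
ALLOW_NPMPLUS = {"name": "allow NPMplus web", "src": "WAN",
                 "dst": "192.168.11.166/32", "ports": {80, 443}, "action": "allow"}


def covers(rule, src, dst_ip, port):
    """True if the rule matches a packet from zone `src` to dst_ip:port."""
    return (rule["src"] == src
            and ip_network(dst_ip + "/32").subnet_of(ip_network(rule["dst"]))
            and (rule["ports"] is None or port in rule["ports"]))


def verdict(rules, dst_ip, port, src="WAN", default="block"):
    """First matching rule wins; otherwise the default policy applies."""
    for rule in rules:
        if covers(rule, src, dst_ip, port):
            return rule["action"], rule["name"]
    return default, "default policy"


def shadowed_allows(rules):
    """Allow rules that can never fire because an earlier block rule
    already matches every packet they would match."""
    hidden = []
    for i, rule in enumerate(rules):
        if rule["action"] != "allow":
            continue
        for earlier in rules[:i]:
            wider_ports = earlier["ports"] is None or (
                rule["ports"] is not None and rule["ports"] <= earlier["ports"])
            if (earlier["action"] == "block" and earlier["src"] == rule["src"]
                    and ip_network(rule["dst"]).subnet_of(ip_network(earlier["dst"]))
                    and wider_ports):
                hidden.append(rule["name"])
                break
    return hidden


if __name__ == "__main__":
    for order in ([BLOCK_WAN_LAN, ALLOW_NPMPLUS], [ALLOW_NPMPLUS, BLOCK_WAN_LAN]):
        print([r["name"] for r in order],
              verdict(order, "192.168.11.166", 443), shadowed_allows(order))
```

With the allow rule on top, only 192.168.11.166 on ports 80 and 443 is opened; every other WAN → LAN destination still hits the block rule.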
Step 3: Check Zone-Based Firewall (If Enabled)
If UDM Pro uses zone-based firewall:
- Navigate to: Settings → Firewall & Security → Zones
- Check External → Internal policy:
  - Should be "Allow" or "Allow Return"
  - If "Block", change to "Allow" or add exception
- Or create a specific rule, which opens only 192.168.11.166 on ports 80 and 443 rather than the whole Internal zone:
  - Source Zone: External
  - Destination Zone: Internal
  - Destination IP: 192.168.11.166
  - Ports: 80, 443
  - Action: Allow
Step 4: Verify WAN Interface in Port Forwarding
Ensure port forwarding rules specify the correct WAN interface:
- Edit each port forwarding rule
- Check "Interface" or "WAN Interface":
  - Should be set to your primary WAN interface
  - Or "Any" / "All" if option exists
- Save changes
Quick Fix Checklist
- Verify port forwarding rules are ENABLED
- Check firewall rules for WAN → LAN blocking
- Add allow rule for 192.168.11.166:80,443 if blocked
- Check zone-based firewall External → Internal policy
- Verify WAN interface in port forwarding rules
- Test external access after each change
Testing After Fix
Test 1: Port Reachability
# From external location
curl -v --connect-timeout 10 https://explorer.d-bis.org
curl -v --connect-timeout 10 http://explorer.d-bis.org
Test 2: Direct IP Test
# Test direct IP (bypasses DNS)
curl -v --connect-timeout 10 https://76.53.10.36
curl -v --connect-timeout 10 http://76.53.10.36
Test 3: Port Check
# Check if ports are open
nmap -p 80,443 76.53.10.36
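A probe that separates the failure modes the tests above can produce, as an added example (not part of the original runbook): a timeout means packets are dropped on the way in, while a refusal means something answered but nothing accepts on that port. Function names, verdict labels and hint texts are hypothetical; the verdict names mirror nmap's open / closed / filtered states.

```python
import errno
import socket

# What each verdict says about the WAN -> NPMplus path (hypothetical wording).
HINTS = {
    "open": "handshake completed; port forward and firewall both pass traffic",
    "filtered": "no reply before the timeout; packets are dropped, check WAN -> LAN rules",
    "closed": "connection refused; something replied but nothing accepts on that port",
    "unreachable": "no route to host or network from this vantage point",
    "dns": "name did not resolve; fix DNS before looking at the firewall",
    "error": "other socket error; inspect it directly",
}


def classify(exc):
    """Map the outcome of a TCP connect (None = success) to a verdict."""
    if exc is None:
        return "open"
    if isinstance(exc, socket.gaierror):
        return "dns"
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "filtered"
    if isinstance(exc, ConnectionRefusedError):
        return "closed"
    if getattr(exc, "errno", None) in (errno.EHOSTUNREACH, errno.ENETUNREACH):
        return "unreachable"
    return "error"


def probe(host, port, timeout=10.0):
    """Attempt one TCP handshake and classify the result."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return classify(None)
    except OSError as exc:
        return classify(exc)


def report(host, ports=(80, 443), timeout=10.0):
    """Verdict per port for one host."""
    return {port: probe(host, port, timeout) for port in ports}


if __name__ == "__main__":
    # Run from an external location, like the curl tests.
    for target in ("explorer.d-bis.org", "76.53.10.36"):
        for port, state in report(target).items():
            print(f"{target}:{port} {state}: {HINTS[state]}")
```

Run it from outside the LAN after each firewall change; a move from "filtered" to "closed" means the firewall now passes traffic and the remaining problem is at the forward target.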
Expected Behavior After Fix
Once firewall rules are corrected:
- External request → 76.53.10.36:443
- UDM Pro → Port forwarding rule matches
- Firewall → Allows traffic (no block rule)
- NPMplus → Receives request on 192.168.11.166:443
- NPMplus → Proxies to 192.168.11.140:80
- VMID 5000 → Serves frontend
- Response → HTTP 200 OK
Common UDM Pro Firewall Issues
Issue 1: Default Deny Policy
Problem: UDM Pro may have a default "deny all WAN → LAN" policy
Solution: Add explicit allow rule for port forwarding destination
Issue 2: Rule Order
Problem: Block rules may be evaluated before port forwarding
Solution: Ensure allow rules are placed before block rules
Issue 3: Zone-Based Firewall
Problem: External → Internal zone policy may be blocking
Solution: Change policy to "Allow" or add exception
Issue 4: Interface Selection
Problem: Port forwarding rule may not specify the correct WAN interface
Solution: Verify interface selection in port forwarding rule
Manual Verification Steps
- Access UDM Pro Web UI
  - Navigate to your UDM Pro IP (typically 192.168.1.1 or 192.168.11.1)
- Check Port Forwarding Status
  - Settings → Firewall & Security → Port Forwarding
  - Verify rules are enabled (green checkmark or "Enabled" status)
- Check Firewall Rules
  - Settings → Firewall & Security → Firewall Rules
  - Look for any rules blocking WAN → LAN
  - Check rule order (allow rules should be before block rules)
- Check Zone Policies (if zone-based firewall enabled)
  - Settings → Firewall & Security → Zones
  - Check External → Internal policy
  - Should be "Allow" or "Allow Return"
- Test After Changes
  - Make one change at a time
  - Test external access after each change
  - Document what works
Summary
All internal components are working correctly. The issue is the UDM Pro firewall blocking external traffic, even though port forwarding rules are configured.
Action Required:
- Verify port forwarding rules are enabled
- Check and fix UDM Pro firewall rules blocking WAN → LAN
- Test external access
Once firewall rules are corrected, external access should work immediately.
Status: ⚠️ Firewall Configuration Needed