# NPMplus Connection Refused - Diagnosis & Fix

**Date**: 2026-01-21  
**Issue**: 192.168.11.166 refused to connect (ERR_CONNECTION_REFUSED)

---

## Current Status

### ✅ What's Working
- NPMplus container (VMID 10233) is running
- Docker container `npmplus` is running and healthy
- Nginx is running inside Docker container
- NPMplus is listening on 0.0.0.0:80 and 0.0.0.0:443 (inside container)
- Container can access localhost:80 (HTTP 200)
- Container has correct IP: 192.168.11.166/24
- Ping works to 192.168.11.166

### ❌ What's Not Working
- **Connection refused** from external hosts to 192.168.11.166:80/443
- Connection refused even from Proxmox host (r630-01)
- No connection attempts reaching NPMplus logs

---

## Root Cause Analysis

### Key Findings

1. **Docker Network Mode**: `host` (container uses host network directly)
2. **Container Network**: Two interfaces configured:
   - `eth0`: 192.168.11.166/24 (net0)
   - `eth1`: 192.168.11.167/24 (net1)
3. **NPMplus Listening**: 0.0.0.0:80/443 (should accept all interfaces)
4. **Connection Refused**: Even from same host

### Possible Causes

1. **Docker host network mode in LXC container**
   - Docker `host` network mode may not work correctly in LXC containers
   - LXC container network namespace may conflict with Docker host network

2. **NPMplus binding to wrong interface**
   - May be binding to localhost only despite showing 0.0.0.0
   - May need to explicitly bind to container IP

3. **Firewall rules blocking**
   - Container firewall may be blocking
   - Proxmox host firewall may be blocking
   - UDM Pro firewall may be blocking

4. **Network namespace issue**
   - Docker host network in LXC may create namespace conflicts
   - Ports may not be properly exposed to container network

---

## Diagnostic Commands

### Check Container Network
```bash
ssh root@r630-01
pct exec 10233 -- ip addr show
pct exec 10233 -- ss -tlnp | grep -E ":80 |:443 "
```

### Test from Container
```bash
pct exec 10233 -- curl -I http://localhost:80
pct exec 10233 -- curl -I http://192.168.11.166:80
```

### Test from Host
```bash
curl -v http://192.168.11.166:80
curl -v http://192.168.11.167:80
```

### Check Docker Network
```bash
pct exec 10233 -- docker inspect npmplus --format "{{.HostConfig.NetworkMode}}"
pct exec 10233 -- docker network inspect host
```

---

## Recommended Fixes

### Fix 1: Change Docker Network Mode (Recommended)

**Problem**: Docker `host` network mode may not work correctly in LXC containers.

**Solution**: Change to bridge network mode and publish ports:

```bash
ssh root@r630-01

# Stop NPMplus container
pct exec 10233 -- docker stop npmplus

# Remove old container (keep data volume)
pct exec 10233 -- docker rm npmplus

# Recreate with bridge network and port mapping
pct exec 10233 -- docker run -d \
  --name npmplus \
  --restart unless-stopped \
  -p 80:80 \
  -p 443:443 \
  -p 81:81 \
  -v /data/npmplus:/data \
  -v /data/letsencrypt:/etc/letsencrypt \
  zoeyvid/npmplus:latest

# Verify
pct exec 10233 -- docker ps | grep npmplus
pct exec 10233 -- ss -tlnp | grep -E ":80 |:443 "
```

**Test**:
```bash
curl -I http://192.168.11.166:80
```

### Fix 2: Check and Fix Firewall Rules

**Check container firewall**:
```bash
pct exec 10233 -- iptables -L -n -v
```

**If blocking, add allow rules**:
```bash
pct exec 10233 -- iptables -I INPUT -p tcp --dport 80 -j ACCEPT
pct exec 10233 -- iptables -I INPUT -p tcp --dport 443 -j ACCEPT
```

### Fix 3: Verify NPMplus Nginx Configuration

**Check NPMplus nginx config**:
```bash
pct exec 10233 -- docker exec npmplus cat /etc/nginx/nginx.conf | grep listen
```

**If binding to localhost, fix**:
```bash
# Access NPMplus dashboard
# https://192.168.11.166:81
# Check nginx configuration
# Ensure it's binding to 0.0.0.0, not 127.0.0.1
```

### Fix 4: Check Proxmox Host Firewall

**Check host firewall**:
```bash
ssh root@r630-01
iptables -L -n -v | grep 192.168.11.166
```

**If blocking, add allow rules**:
```bash
iptables -I FORWARD -d 192.168.11.166 -p tcp --dport 80 -j ACCEPT
iptables -I FORWARD -d 192.168.11.166 -p tcp --dport 443 -j ACCEPT
```

---

## Quick Test After Fix

```bash
# From any host on network
curl -I http://192.168.11.166:80
curl -I https://192.168.11.166:443 -k

# Should return HTTP 200 or 301/302
```

---

## Most Likely Solution

**Docker host network mode in LXC containers is problematic.**

**Recommended**: Change NPMplus Docker container to use bridge network mode with port mapping (`-p 80:80 -p 443:443`).

This will properly expose ports to the LXC container's network interface, making them accessible from outside the container.

---

## Status

**Current**: Connection refused - NPMplus not accessible  
**Action**: Change Docker network mode from `host` to `bridge` with port mapping  
**Priority**: **HIGH** - Blocks all external access to explorer