# Internet Connectivity Analysis - Complete Review
**Date:** 2026-01-20
**Status:** 🔍 **ANALYSIS COMPLETE** - Root Cause Identified
---
## ✅ Test Results Summary
| Test Type | Result | Details |
|-----------|--------|---------|
| Container Status | ✅ PASS | All 4 containers running |
| IP Configuration | ✅ PASS | All IPs correctly assigned (192.168.11.50-53) |
| Network Interfaces | ✅ PASS | All interfaces UP and configured |
| Routing Tables | ✅ PASS | Default routes configured correctly |
| Inter-Container Communication | ✅ PASS | Containers can reach each other |
| Gateway Connectivity | ❌ FAIL | Containers cannot reach 192.168.11.1 |
| Host Connectivity | ❌ FAIL | Containers cannot reach 192.168.11.11 |
| Internet Connectivity | ❌ FAIL | Containers cannot reach internet |
| DNS Resolution | ❌ FAIL | DNS fails (gateway unreachable) |
| HTTP/HTTPS | ❌ FAIL | Cannot access web services |
| Package Repositories | ❌ FAIL | Cannot update packages |
---
## 🔍 Key Findings
### ✅ What Works
1. **Inter-Container Communication:**
   - ✅ Container 7803 can reach 7800, 7801, 7802
   - ✅ All containers can communicate with each other
   - ✅ Bridge (vmbr0v11) is forwarding traffic between containers
2. **Container Configuration:**
   - ✅ All containers have correct IP addresses
   - ✅ All containers have correct routing tables
   - ✅ All network interfaces are UP
   - ✅ DNS is configured (though not working due to gateway issue)
3. **Bridge Configuration:**
   - ✅ vmbr0v11 bridge is UP
   - ✅ All container veth interfaces are connected to bridge
   - ✅ Bridge has VLAN 11 interface (nic0.11) connected
### ❌ What Doesn't Work
1. **Gateway Communication:**
   - ❌ Containers cannot reach 192.168.11.1
   - ❌ ARP shows "FAILED" for gateway
   - ✅ Host CAN reach gateway (so the gateway itself is working)
2. **Host Communication:**
   - ❌ Containers cannot reach 192.168.11.11 (Proxmox host)
   - ❌ Host cannot reach containers
   - ❌ ARP shows "FAILED" for host IP
3. **Internet Access:**
   - ❌ All internet connectivity fails
   - ❌ Cannot reach 8.8.8.8 (Google DNS)
   - ❌ Cannot access HTTP/HTTPS services
---
## 🔍 Root Cause Analysis
### Primary Issue: VLAN 11 Gateway/Router Configuration
**Evidence:**
1. Containers can communicate with each other (bridge works)
2. Host can reach gateway (gateway is working)
3. Containers cannot reach gateway (routing/firewall issue)
4. ARP fails for gateway from containers
5. tcpdump shows no packets reaching bridge when pinging gateway
**Conclusion:**
The issue is **NOT** with the containers or bridge configuration. The issue is that:
- **vmbr0v11 is the VLAN 11 bridge**; its uplink is the tagged interface nic0.11
- **Gateway/router may not be configured to accept VLAN 11 traffic**
- **Or firewall/ACL rules are blocking VLAN 11 traffic**
### Technical Details
**Bridge Configuration:**
```
vmbr0v11:
- Connected to: nic0.11 (VLAN 11 tagged interface)
- Contains: veth7800i0, veth7801i0, veth7802i0, veth7803i0
- Status: UP and operational
```
**ARP Table (from container 7803):**
```
192.168.11.52 dev eth0 lladdr bc:24:11:7a:3d:15 REACHABLE ✅ (other container)
192.168.11.50 dev eth0 lladdr bc:24:11:74:cc:07 REACHABLE ✅ (other container)
192.168.11.51 dev eth0 lladdr bc:24:11:dd:a1:ba REACHABLE ✅ (other container)
192.168.11.1 dev eth0 FAILED ❌ (gateway)
192.168.11.11 dev eth0 FAILED ❌ (host)
```
**Network Flow:**
```
Container (192.168.11.53)
  → veth7803i0
  → vmbr0v11 (bridge)
  → nic0.11 (VLAN 11 tagged)
  → Router/Gateway (192.168.11.1) ❌ FAILS HERE
```
---
## 💡 Solutions
### Solution 1: Configure Router for VLAN 11 (Recommended)
**Action:** Configure router/gateway to accept VLAN 11 traffic
**Steps:**
1. Access router configuration (UDM Pro or ER605)
2. Verify VLAN 11 interface exists
3. Configure VLAN 11 interface with IP 192.168.11.1
4. Enable inter-VLAN routing
5. Configure firewall rules to allow VLAN 11 traffic
**Expected Result:** Containers can reach gateway and internet
---
### Solution 2: Use vmbr0 (Native VLAN 11)
**Action:** Change containers to use vmbr0 instead of vmbr0v11
**Assumption:** vmbr0 is on native VLAN 11 (untagged)
**Steps:**
```bash
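# Update all containers to use vmbr0
for vmid in 7800 7801 7802 7803; do
    # Extract the IPv4 address from the net0 line (ip=<addr>/<prefix>)
    ip=$(pct config "$vmid" | grep '^net0:' | grep -oE 'ip=[0-9.]+' | cut -d'=' -f2)
    # Skip containers without a static IPv4 address rather than writing a broken config
    [ -n "$ip" ] || { echo "No IP found for $vmid, skipping" >&2; continue; }
    pct set "$vmid" -net0 "bridge=vmbr0,name=eth0,ip=$ip/24,gw=192.168.11.1,type=veth"
done
# Restart containers
for vmid in 7800 7801 7802 7803; do
    pct stop "$vmid"
    pct start "$vmid"
done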
```
**Expected Result:** Containers can reach gateway if vmbr0 is on VLAN 11
---
### Solution 3: Configure Host Routing/NAT
**Action:** Use Proxmox host as gateway for containers
**Steps:**
```bash
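# Enable IP forwarding on host (runtime only, lost at reboot; it applies to
# all interfaces, so restrict what the FORWARD chain accepts)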
echo 1 > /proc/sys/net/ipv4/ip_forward
# Configure NAT for containers
iptables -t nat -A POSTROUTING -s 192.168.11.0/24 -o vmbr0 -j MASQUERADE
# Add route for containers
ip route add 192.168.11.0/24 dev vmbr0v11
# Configure containers to use host as gateway
# Change gateway from 192.168.11.1 to host IP on vmbr0v11
```
**Expected Result:** Containers route through host to internet
---
### Solution 4: Check Firewall/ACL Rules
**Action:** Verify firewall rules allow VLAN 11 traffic
**Steps:**
1. Check UDM Pro firewall rules
2. Verify VLAN 11 is not isolated
3. Check ACL rules for VLAN 11
4. Verify inter-VLAN routing is enabled
**Expected Result:** Firewall allows VLAN 11 traffic
---
## 📊 Current Network Topology
```
     [Router/Gateway 192.168.11.1]
                   |
                   | (VLAN 11)
                   |
   [Switch/Router VLAN 11 Interface]
                   |
                   | (VLAN 11 tagged)
                   |
        [Proxmox Host: nic0.11]
                   |
                   |
           [vmbr0v11 Bridge]
                   |
     +--------+----+---+--------+
     |        |        |        |
  [veth]   [veth]   [veth]   [veth]
     |        |        |        |
  [7800]   [7801]   [7802]   [7803]
           192.168.11.50-53
```
**Issue:** Traffic from containers cannot reach router through VLAN 11 interface
---
## 🎯 Recommended Next Steps
### Priority 1: Router Configuration
1. **Check Router VLAN 11 Configuration:**
   - Verify VLAN 11 interface exists
   - Check if VLAN 11 has IP 192.168.11.1
   - Verify inter-VLAN routing is enabled
2. **Check Firewall Rules:**
   - Verify VLAN 11 traffic is allowed
   - Check if VLAN 11 is isolated
   - Verify ACL rules
### Priority 2: Test Alternative Configuration
1. **Test with vmbr0:**
   - Try changing containers to vmbr0
   - Test if connectivity improves
   - Document results
### Priority 3: Host Routing (If Router Config Not Possible)
1. **Configure Host as Gateway:**
   - Enable IP forwarding
   - Configure NAT
   - Update container gateways
---
## 📝 Test Commands
### Verify Inter-Container Communication
```bash
ssh root@192.168.11.11 "pct exec 7803 -- ping -c 1 192.168.11.50"
```
### Check ARP Table
```bash
ssh root@192.168.11.11 "pct exec 7803 -- ip neigh show"
```
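The pattern behind the root-cause conclusion (peer containers resolve, gateway ARP fails) can be checked mechanically from this command's output. The following is an added example, not part of the original report; the function names `sample_neigh` and `classify_neigh` and the verdict strings are assumptions chosen for illustration.

```bash
# Added example (not from the original report): classify `ip neigh show`
# output to locate where layer-2 reachability breaks.

# Constructed sample: the neighbour entries from the ARP table in this report,
# with the annotation marks stripped.
sample_neigh() {
    cat <<'EOF'
192.168.11.52 dev eth0 lladdr bc:24:11:7a:3d:15 REACHABLE
192.168.11.50 dev eth0 lladdr bc:24:11:74:cc:07 REACHABLE
192.168.11.51 dev eth0 lladdr bc:24:11:dd:a1:ba REACHABLE
192.168.11.1 dev eth0 FAILED
192.168.11.11 dev eth0 FAILED
EOF
}

# classify_neigh GATEWAY_IP   (reads `ip neigh show` output on stdin)
# Prints one verdict:
#   gateway-resolved    gateway has a usable neighbour entry
#   gateway-not-probed  no entry for the gateway yet; ping it and rerun
#   uplink-or-upstream  peers resolve, gateway does not: the bridge forwards
#                       locally, so check the tagged uplink, trunk or router
#   local-segment       nothing resolves: check the container's own veth/bridge
classify_neigh() {
    awk -v gw="$1" '
        # Entry format: <ip> dev <if> [lladdr <mac>] [router] <STATE>
        NF >= 4 {
            ok = ($NF ~ /^(REACHABLE|STALE|DELAY|PROBE|PERMANENT)$/)
            if ($1 == gw) { gw_seen = 1; gw_ok = ok } else if (ok) { peers++ }
        }
        END {
            verdict = "local-segment"
            if (peers > 0) verdict = "uplink-or-upstream"
            if (!gw_seen)  verdict = "gateway-not-probed"
            if (gw_ok)     verdict = "gateway-resolved"
            print verdict
        }'
}

# Run against the constructed sample; on the host, pipe in live data instead:
#   pct exec 7803 -- ip neigh show | classify_neigh 192.168.11.1
sample_neigh | classify_neigh 192.168.11.1
```

A verdict of `uplink-or-upstream` on a segmented VLAN is the signal to inspect tagging and router/firewall policy before changing container or bridge settings.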
### Test Gateway from Host
```bash
ssh root@192.168.11.11 "ping -c 1 192.168.11.1"
```
### Check Bridge Status
```bash
ssh root@192.168.11.11 "brctl show vmbr0v11"
```
### Monitor Bridge Traffic
```bash
ssh root@192.168.11.11 "tcpdump -i vmbr0v11 -c 10"
```
---
## ✅ Summary
**Status:** Containers are correctly configured but cannot reach gateway/internet
**Root Cause:** Router/gateway not configured to accept VLAN 11 traffic OR firewall blocking VLAN 11
**Working:** Inter-container communication, container configuration, bridge setup
**Not Working:** Gateway connectivity, internet access, DNS resolution
**Next Action:** Configure router for VLAN 11 or use alternative network configuration
---
**Analysis Complete:** 2026-01-20
**Priority:** 🔴 High - Blocks service deployment
**Resolution:** Requires router/firewall configuration