d-bis/proxmox
4
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity
Files
master
proxmox/reports/VMID_7810_GATEWAY_LAYER23_DIAGNOSTIC.md
defiQUG fbda1b4beb
Some checks failed
Deploy to Phoenix / deploy (push) Has been cancelled
Details
docs: Ledger Live integration, contract deploy learnings, NEXT_STEPS updates 
- ADD_CHAIN138_TO_LEDGER_LIVE: Ledger form done; public code review repo bis-innovations/LedgerLive; init/push commands
- CONTRACT_DEPLOYMENT_RUNBOOK: Chain 138 gas price 1 gwei, 36-addr check, TransactionMirror workaround
- CONTRACT_*: AddressMapper, MirrorManager deployed 2026-02-12; 36-address on-chain check
- NEXT_STEPS_FOR_YOU: Ledger done; steps completable now (no LAN); run-completable-tasks-from-anywhere
- MASTER_INDEX, OPERATOR_OPTIONAL, SMART_CONTRACTS_INVENTORY_SIMPLE: updates
- LEDGER_BLOCKCHAIN_INTEGRATION_COMPLETE: bis-innovations/LedgerLive reference

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-02-12 15:46:57 -08:00

4.7 KiB
Raw Permalink Blame History

VMID 7810 Gateway Layer-2/Layer-3 Boundary Diagnostic

Date: 2026-01-05
Issue: Gateway 192.168.11.1 not reachable - suspected Layer-2/Layer-3 boundary problem

Problem Statement

Observation: VLAN 11 switching works (containers can reach each other), but VLAN 11's default gateway (192.168.11.1 on UDM Pro) is not reachable from VLAN 11 devices.

This points to a Layer-2/Layer-3 boundary issue between VLAN 11 devices and the UDM Pro's VLAN 11 SVI, not an "internet" or routing issue.

Diagnostic Tests Performed

Test 1: TCP Connectivity (Bypass ICMP)

Purpose: Determine if ICMP is blocked but TCP routing still works.

Commands:

nc -zv 192.168.11.1 53    # DNS
nc -zv 192.168.11.1 443   # HTTPS

Results: [See test output above]

Test 2: ARP/ARPing Gateway Discovery

Purpose: Check if gateway responds to ARP and verify MAC address.

Commands:

ip neigh flush all
arping -I eth0 192.168.11.1 -c 3
ip neigh show | grep 192.168.11.1

Results: [See test output above]

What to Look For:

  • If arping shows responses from wrong MAC → duplicate gateway/ARP issue
  • If no response → VLAN 11 not reaching UDM / port profile mismatch

Test 3: Proxmox Bridge VLAN Configuration

Purpose: Verify bridge VLAN awareness and tagging.

Commands:

cat /etc/network/interfaces
bridge vlan show

Results: [See test output above]

What to Check:

  • bridge-vlan-aware yes on the bridge
  • VLAN 11 present as expected
  • No mismatch where VMs are tagged but switch port is access/native (or vice versa)

Test 4: HTTP Test to Gateway

Purpose: Additional TCP-based connectivity test.

Command:

curl -m 3 http://192.168.11.1

Results: [See test output above]

Test 5: Gateway MAC Address Check

Purpose: Verify ARP table entries for gateway.

Commands:

ip neigh show 192.168.11.1
ip neigh show | head -10

Results: [See test output above]

Test 6: Multi-Port TCP Test

Purpose: Test multiple TCP ports to see if any are reachable.

Command:

for port in 53 443 80 22; do
    timeout 2 bash -c "echo > /dev/tcp/192.168.11.1/$port"
done

Results: [See test output above]

Recommended Additional Checks (On UDM Pro)

Check 1: Verify UDM Pro VLAN 11 SVI Exists

SSH to UDM Pro and run:

ip addr | grep -E "192.168.11.1|vlan|br"
ip route | head

What to Look For:

  • Interface that has 192.168.11.1/24 bound
  • If not present: MGMT-LAN configured in controller but dataplane not applying it
  • If present: Problem is likely tagging/port profile/ACL

Check 2: Verify VLAN Trunking to UDM Pro

In UniFi Controller:

  1. Check switch port that uplinks from switch to UDM Pro
  2. Check switch ports that uplink to Proxmox hosts
  3. Verify all are trunked ("All" or profile with VLAN 11 tagged)

Common Issue: VLAN 11 exists on downstream switches but not properly trunked to UDM

Check 3: Check LAN LOCAL Firewall Rules

UniFi can block ping to gateway while still routing.

Verify:

  • Check if LAN LOCAL rules block ICMP to gateway
  • If ping fails but TCP 53/443 succeeds → LAN LOCAL blocking ICMP, routing may still work

Decision Tree

  1. Does 192.168.11.1 exist on UDM interface?

    • No → Restart Network app / reboot UDM
    • Yes → Continue

  2. Does nc -zv 192.168.11.1 53 work?

    • Yes → ICMP blocked; routing might still work; check DNS config
    • No → Continue

  3. Does arping 192.168.11.1 return anything?

    • Response from wrong MAC → Duplicate gateway/ARP issue
    • No response → VLAN 11 not reaching UDM / port profile mismatch

  4. Confirm uplink port profiles:

    • Switch↔UDM: trunking VLAN 11?
    • Switch↔Proxmox: trunking VLAN 11?

Most Likely Scenarios

Scenario A: UDM Not Binding VLAN 11 SVI

  • Symptom: ip addr on UDM shows no 192.168.11.1
  • Fix: Restart Network app or reboot UDM Pro

Scenario B: VLAN Tagging Path Issue

  • Symptom: VLAN 11 works locally but not trunked to UDM
  • Fix: Configure trunk ports properly in UniFi

Scenario C: LAN LOCAL Blocking Gateway

  • Symptom: Ping fails but TCP works
  • Fix: Adjust LAN LOCAL firewall rules

Scenario D: Gateway/ARP Conflict

  • Symptom: ARP shows wrong MAC for gateway
  • Fix: Find and remove duplicate 192.168.11.1 device

Next Steps

  1. Run diagnostic tests above (in progress)
  2. Check UDM Pro VLAN 11 SVI (requires UDM SSH access)
  3. Verify VLAN trunking configuration in UniFi
  4. Review LAN LOCAL firewall rules
  5. Check for duplicate gateway IPs

Last Updated: 2026-01-05
Status: Diagnostic tests running

Reference in New Issue View Git Blame Copy Permalink