proxmox/docs/05-network/EXPLORER_PUBLIC_URL_UNREACHABLE_FIX.md
defiQUG e4c9dda0fd
chore: update submodule references and documentation
- Marked submodules ai-mcp-pmm-controller, explorer-monorepo, and smom-dbis-138 as dirty to reflect recent changes.
- Updated documentation to clarify operator script usage, including dotenv loading and task execution instructions.
- Enhanced the README and various index files to provide clearer navigation and task completion guidance.

Made-with: Cursor
2026-03-04 02:03:08 -08:00


Explorer public URL unreachable — DNS and connectivity fix

Issue: https://explorer.d-bis.org/ returns timeout (000) from some hosts.
Diagnosis (2026-03-02): DNS is correct; failure is connectivity to the WAN IP or NPMplus from the client.


1. What we know

| Check | Result |
|-------|--------|
| DNS | explorer.d-bis.org → 76.53.10.36 ✓ (dig, getent) |
| Backend | 192.168.11.140:443 with Host: explorer.d-bis.org → 200 |
| Curl to 76.53.10.36:443 | Timeout (from LAN host 192.168.11.23) |
| Curl to 192.168.11.167:443 (NPMplus) | 000 / timeout (from same LAN host) |

So the problem is not DNS and not the explorer backend. It is reaching either the UDM Pro WAN IP (76.53.10.36) or NPMplus (192.168.11.167) on port 443 from the client.


2. Likely causes

A. NAT hairpin (LAN client → WAN IP)

If the client is on the same LAN (e.g. 192.168.11.x):

  • Traffic to 76.53.10.36 goes to the UDM Pro (gateway).
  • Port forward is: 76.53.10.36:80/443 → 192.168.11.167:80/443 (NPMplus).
  • Many routers do not support NAT hairpin (NAT loopback): traffic from LAN → WAN IP is not translated back to the forwarded host. Result: timeout or no route.

Fix options:

  1. Enable NAT hairpin / loopback on UDM Pro if available:
    Settings → Firewall & Security (or Routing) → enable “NAT loopback” / “Hairpin NAT” so that traffic from LAN to 76.53.10.36 is forwarded to 192.168.11.167.
  2. Use direct backend for LAN testing:
    curl -sk -H "Host: explorer.d-bis.org" https://192.168.11.140:443/ (or use a hosts entry; see below).
  3. Hosts file (LAN only): On machines that need to use the domain from the LAN, point the domain at NPMplus or the backend so you don't go through the WAN IP:
    • 192.168.11.167 explorer.d-bis.org (hit NPMplus directly), or
    • 192.168.11.140 explorer.d-bis.org (hit explorer backend directly; only if you're okay bypassing NPMplus).

B. UDM Pro port forward

  • Confirm 76.53.10.36 is the correct WAN IP (or the IP used in DNS for explorer.d-bis.org).
  • Confirm two port-forward rules:
    • 76.53.10.36:80 → 192.168.11.167:80 (TCP)
    • 76.53.10.36:443 → 192.168.11.167:443 (TCP)
  • If NPMplus runs on 192.168.11.166 and .167 is a VIP, ensure the forward points to the IP where NPMplus actually listens (often .167 as the floating VIP).

C. NPMplus / firewall

  • From a host that can reach 192.168.11.0/24 (e.g. Proxmox or another VM):
    • curl -sk -H "Host: explorer.d-bis.org" https://192.168.11.167:443/
    • curl -sk -H "Host: explorer.d-bis.org" https://192.168.11.166:443/
  • If these fail, check:
    • NPMplus (and any reverse proxy) is listening on 0.0.0.0:443 (not only 127.0.0.1).
    • Firewall on the NPMplus host (and Proxmox host) allows inbound 443 from the LAN (and from the UDM Pro for WAN-originated traffic).

D. Cloudflare Tunnel (if used)

  • If explorer.d-bis.org is not using “DNS only” and instead uses a Cloudflare Tunnel (CNAME to *.cfargotunnel.com), then:
    • DNS would resolve to Cloudflare IPs, not 76.53.10.36.
    • Failure would be tunnel/origin, not UDM Pro port forward.
  • Current design in docs: A record 76.53.10.36, DNS only (no proxy). So if dig shows 76.53.10.36, tunnel is not in the path; if dig shows Cloudflare IPs, follow the tunnel runbook and check tunnel status and origin URL (e.g. https://192.168.11.167:443 or https://192.168.11.140:443).

3. Quick fix for LAN clients (hosts file)

On machines that must use the domain name from the LAN (and where hairpin is not available or not desired):

# Option A: point domain at NPMplus (recommended if NPMplus is reachable on LAN)
192.168.11.167 explorer.d-bis.org

# Option B: point domain at explorer backend (bypasses NPMplus)
192.168.11.140 explorer.d-bis.org

  • Linux: echo '192.168.11.167 explorer.d-bis.org' | sudo tee -a /etc/hosts
  • Windows: Add line to C:\Windows\System32\drivers\etc\hosts (as Admin).

Then curl -sk https://explorer.d-bis.org/ will use the IP in hosts and no longer depend on 76.53.10.36 or hairpin.


4. Verify from external network

To confirm the public path (DNS + UDM Pro + NPMplus) without LAN/hairpin:

  • From a device off the LAN (e.g. phone on cellular, or another network):
    curl -sI https://explorer.d-bis.org/
  • If that returns 200/301/302, the issue is only when calling from inside the LAN (hairpin or firewall). If it also fails, the problem is port forward, NPMplus, or firewall for WAN-originated traffic.
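
The per-hop checks from sections 1 to 4 in one script, as an added example that is not part of the original runbook. It uses curl's `--resolve` instead of `-H "Host: ..."` plus `-k`, so each hop is tested with the real SNI and with certificate verification on; the helper names `probe`, `answered` and `diagnose` and the innermost-first ordering are assumptions of this example.

```sh
#!/bin/sh
# Added example, not the runbook's own script. IPs and hostname are from this page;
# probe/answered/diagnose are hypothetical helper names.
DOMAIN="explorer.d-bis.org"
BACKEND="192.168.11.140"; NPMPLUS="192.168.11.167"; WAN="76.53.10.36"

# probe IP -> prints "HTTP/EXIT": 200/0, 000/28 (timeout), 000/7 (connect failed),
# 000/60 (certificate not trusted). --resolve pins DOMAIN to IP for this request
# only, so TLS SNI carries the real hostname and the certificate is still verified
# (no -k, no hosts-file edit).
probe() {
  code=$(curl -s -o /dev/null -w '%{http_code}' --connect-timeout 5 --max-time 10 \
    --resolve "${DOMAIN}:443:$1" "https://${DOMAIN}/" 2>/dev/null)
  rc=$?
  echo "${code:-000}/${rc}"
}

# answered RESULT -> success if the hop completed at least TCP: any HTTP status,
# or curl exit 60 (the port is open, only certificate validation failed).
answered() {
  case "$1" in
    000/60) return 0 ;;
    000/*)  return 1 ;;
    *)      return 0 ;;
  esac
}

# diagnose BACKEND NPMPLUS WAN (results taken from one LAN host).
# Innermost hop first (ordering chosen for this example): while an inner hop is
# down, a failure further out says nothing about hairpin or the port forward.
diagnose() {
  if ! answered "$1"; then echo "backend: explorer service or its host firewall"
  elif ! answered "$2"; then echo "npmplus: section 2C (listen address, host firewall)"
  elif ! answered "$3"; then echo "wan: sections 2A/2B, then confirm off-LAN (section 4)"
  else echo "ok: every hop answers from this host"
  fi
}

# Live probes run only on request, so sourcing the file has no side effects.
if [ "${1:-}" = "--probe" ]; then
  b=$(probe "$BACKEND"); n=$(probe "$NPMPLUS"); w=$(probe "$WAN")
  echo "backend=$b npmplus=$n wan=$w"
  diagnose "$b" "$n" "$w"
fi
```

Run it with `--probe` from the affected LAN host; with the results recorded in section 1 (backend 200, NPMplus and WAN IP timing out) it points at section 2C before hairpin.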

5. Summary

| Item | Status |
|------|--------|
| DNS | OK (explorer.d-bis.org → 76.53.10.36) |
| Explorer backend | OK (192.168.11.140:443 with Host header) |
| Public URL from LAN | Fails: timeout to 76.53.10.36 or NPMplus |
| Likely cause | NAT hairpin and/or firewall; possibly NPMplus not reachable on .167/.166:443 from this LAN segment |
| Fix | Enable hairpin on UDM Pro and/or use hosts file for LAN; verify port forward and NPMplus listen/firewall; test from external network |

Related: INGRESS_VERIFICATION_RUNBOOK.md, DNS_NPMPLUS_VM_COMPREHENSIVE_ARCHITECTURE.md.