- ADD_CHAIN138_TO_LEDGER_LIVE: Ledger form done; public code review repo bis-innovations/LedgerLive; init/push commands - CONTRACT_DEPLOYMENT_RUNBOOK: Chain 138 gas price 1 gwei, 36-addr check, TransactionMirror workaround - CONTRACT_*: AddressMapper, MirrorManager deployed 2026-02-12; 36-address on-chain check - NEXT_STEPS_FOR_YOU: Ledger done; steps completable now (no LAN); run-completable-tasks-from-anywhere - MASTER_INDEX, OPERATOR_OPTIONAL, SMART_CONTRACTS_INVENTORY_SIMPLE: updates - LEDGER_BLOCKCHAIN_INTEGRATION_COMPLETE: bis-innovations/LedgerLive reference Co-authored-by: Cursor <cursoragent@cursor.com>
Internet Connectivity Analysis - Complete Review
Date: 2026-01-20
Status: 🔍 ANALYSIS COMPLETE - Root Cause Identified
✅ Test Results Summary
| Test Type | Result | Details |
|---|---|---|
| Container Status | ✅ PASS | All 4 containers running |
| IP Configuration | ✅ PASS | All IPs correctly assigned (192.168.11.50-53) |
| Network Interfaces | ✅ PASS | All interfaces UP and configured |
| Routing Tables | ✅ PASS | Default routes configured correctly |
| Inter-Container Communication | ✅ PASS | Containers can reach each other |
| Gateway Connectivity | ❌ FAIL | Containers cannot reach 192.168.11.1 |
| Host Connectivity | ❌ FAIL | Containers cannot reach 192.168.11.11 |
| Internet Connectivity | ❌ FAIL | Containers cannot reach internet |
| DNS Resolution | ❌ FAIL | DNS fails (gateway unreachable) |
| HTTP/HTTPS | ❌ FAIL | Cannot access web services |
| Package Repositories | ❌ FAIL | Cannot update packages |
🔍 Key Findings
✅ What Works
- Inter-Container Communication:
  - ✅ Container 7803 can reach 7800, 7801, 7802
  - ✅ All containers can communicate with each other
  - ✅ Bridge (vmbr0v11) is forwarding traffic between containers
- Container Configuration:
  - ✅ All containers have correct IP addresses
  - ✅ All containers have correct routing tables
  - ✅ All network interfaces are UP
  - ✅ DNS is configured (though not working due to gateway issue)
- Bridge Configuration:
  - ✅ vmbr0v11 bridge is UP
  - ✅ All container veth interfaces are connected to bridge
  - ✅ Bridge has VLAN 11 interface (nic0.11) connected
❌ What Doesn't Work
- Gateway Communication:
  - ❌ Containers cannot reach 192.168.11.1
  - ❌ ARP shows "FAILED" for gateway
  - Note: the host CAN reach the gateway (so the gateway itself is working)
- Host Communication:
  - ❌ Containers cannot reach 192.168.11.11 (Proxmox host)
  - ❌ Host cannot reach containers
  - ❌ ARP shows "FAILED" for host IP
- Internet Access:
  - ❌ All internet connectivity fails
  - ❌ Cannot reach 8.8.8.8 (Google DNS)
  - ❌ Cannot access HTTP/HTTPS services
🔍 Root Cause Analysis
Primary Issue: VLAN 11 Gateway/Router Configuration
Evidence:
- Containers can communicate with each other (bridge works)
- Host can reach gateway (gateway is working)
- Containers cannot reach gateway (routing/firewall issue)
- ARP fails for gateway from containers
- tcpdump shows no packets reaching bridge when pinging gateway
Conclusion: The issue is NOT with the containers or bridge configuration. The issue is that:
- vmbr0v11 is bridged to nic0.11, a VLAN 11 tagged interface
- Gateway/router may not be configured to accept VLAN 11 traffic
- Or firewall/ACL rules are blocking VLAN 11 traffic
Technical Details
Bridge Configuration:
vmbr0v11:
- Connected to: nic0.11 (VLAN 11 tagged interface)
- Contains: veth7800i0, veth7801i0, veth7802i0, veth7803i0
- Status: UP and operational
ARP Table (from container 7803):
```
192.168.11.52 dev eth0 lladdr bc:24:11:7a:3d:15 REACHABLE ✅ (other container)
192.168.11.50 dev eth0 lladdr bc:24:11:74:cc:07 REACHABLE ✅ (other container)
192.168.11.51 dev eth0 lladdr bc:24:11:dd:a1:ba REACHABLE ✅ (other container)
192.168.11.1 dev eth0 FAILED ❌ (gateway)
192.168.11.11 dev eth0 FAILED ❌ (host)
```
Network Flow:
```
Container (192.168.11.53)
  → veth7803i0
  → vmbr0v11 (bridge)
  → nic0.11 (VLAN 11 tagged)
  → Router/Gateway (192.168.11.1) ❌ FAILS HERE
```
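The reasoning above (other containers resolve at layer 2, the gateway does not, so the fault lies past the bridge) can be checked mechanically from the neighbor table. This is an added example, not part of the original analysis: the function names `classify_neigh` and `failed_neighbors` and the verdict words are made up for illustration, and the sample input is the ARP table listed above with the status annotations removed.

```shell
#!/bin/sh
# Added example: classify `ip neigh show` output the way the analysis does.
# On the Proxmox host, feed it the real table with the page's own command:
#   pct exec 7803 -- ip neigh show | classify_neigh 192.168.11.1

# Constructed sample: the ARP table from container 7803 as listed on this page.
SAMPLE_NEIGH='192.168.11.52 dev eth0 lladdr bc:24:11:7a:3d:15 REACHABLE
192.168.11.50 dev eth0 lladdr bc:24:11:74:cc:07 REACHABLE
192.168.11.51 dev eth0 lladdr bc:24:11:dd:a1:ba REACHABLE
192.168.11.1 dev eth0 FAILED
192.168.11.11 dev eth0 FAILED'

# failed_neighbors  (neighbor table on stdin)
# Prints every address whose entry never resolved to a MAC address.
failed_neighbors() {
    awk '$NF == "FAILED" || $NF == "INCOMPLETE" { print $1 }'
}

# classify_neigh GATEWAY  (neighbor table on stdin)
# Prints one verdict word:
#   OK             gateway resolved at layer 2
#   BEYOND_BRIDGE  other neighbors resolve but the gateway does not:
#                  container and bridge are fine, look at the VLAN/uplink/router
#   NO_L2          nothing resolves: look at the container, veth and bridge first
#   UNKNOWN        no gateway entry yet (ping the gateway once, then re-run)
classify_neigh() {
    awk -v gw="$1" '
        {
            state = $NF    # the NUD state is the last field of each entry
            ok = (state != "FAILED" && state != "INCOMPLETE")
            if ($1 == gw) { gw_seen = 1; gw_ok = ok }
            else if (ok)  { peers++ }
        }
        END {
            if (!gw_seen)   print "UNKNOWN"
            else if (gw_ok) print "OK"
            else if (peers) print "BEYOND_BRIDGE"
            else            print "NO_L2"
        }'
}
```

Run against the sample, `classify_neigh 192.168.11.1` prints `BEYOND_BRIDGE` and `failed_neighbors` lists the gateway and the host, matching the conclusion that the containers and bridge are not at fault.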
💡 Solutions
Solution 1: Configure Router for VLAN 11 (Recommended)
Action: Configure router/gateway to accept VLAN 11 traffic
Steps:
- Access router configuration (UDM Pro or ER605)
- Verify VLAN 11 interface exists
- Configure VLAN 11 interface with IP 192.168.11.1
- Enable inter-VLAN routing
- Configure firewall rules to allow VLAN 11 traffic
Expected Result: Containers can reach gateway and internet
Solution 2: Use vmbr0 (Native VLAN 11)
Action: Change containers to use vmbr0 instead of vmbr0v11
Assumption: vmbr0 is on native VLAN 11 (untagged)
Steps:
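```bash
# Update all containers to use vmbr0
for vmid in 7800 7801 7802 7803; do
    # Read the IPv4 address from the ip= key of net0, wherever that key sits in the line
    ip=$(pct config "$vmid" | sed -n 's/^net0:.*[ ,]ip=\([0-9.]*\)\/.*/\1/p')
    [ -n "$ip" ] || { echo "no static IPv4 found for $vmid, skipping" >&2; continue; }
    pct set "$vmid" -net0 "bridge=vmbr0,name=eth0,ip=$ip/24,gw=192.168.11.1,type=veth"
done

# Restart containers
for vmid in 7800 7801 7802 7803; do
    pct stop "$vmid"
    pct start "$vmid"
done
```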
Expected Result: Containers can reach gateway if vmbr0 is on VLAN 11
Solution 3: Configure Host Routing/NAT
Action: Use Proxmox host as gateway for containers
Steps:
```bash
# Enable IP forwarding on host
echo 1 > /proc/sys/net/ipv4/ip_forward

# Configure NAT for containers
iptables -t nat -A POSTROUTING -s 192.168.11.0/24 -o vmbr0 -j MASQUERADE

# Add route for containers
ip route add 192.168.11.0/24 dev vmbr0v11

# Configure containers to use host as gateway
# Change gateway from 192.168.11.1 to host IP on vmbr0v11
```
Expected Result: Containers route through host to internet
Solution 4: Check Firewall/ACL Rules
Action: Verify firewall rules allow VLAN 11 traffic
Steps:
- Check UDM Pro firewall rules
- Verify VLAN 11 is not isolated
- Check ACL rules for VLAN 11
- Verify inter-VLAN routing is enabled
Expected Result: Firewall allows VLAN 11 traffic
📊 Current Network Topology
```
     [Router/Gateway 192.168.11.1]
                   |
                   | (VLAN 11)
                   |
   [Switch/Router VLAN 11 Interface]
                   |
                   | (VLAN 11 tagged)
                   |
        [Proxmox Host: nic0.11]
                   |
                   |
           [vmbr0v11 Bridge]
                   |
      +--------+---+----+--------+
      |        |        |        |
   [veth]   [veth]   [veth]   [veth]
      |        |        |        |
   [7800]   [7801]   [7802]   [7803]
            192.168.11.50-53
```
Issue: Traffic from containers cannot reach router through VLAN 11 interface
🎯 Recommended Next Steps
Priority 1: Router Configuration
- Check Router VLAN 11 Configuration:
  - Verify VLAN 11 interface exists
  - Check if VLAN 11 has IP 192.168.11.1
  - Verify inter-VLAN routing is enabled
- Check Firewall Rules:
  - Verify VLAN 11 traffic is allowed
  - Check if VLAN 11 is isolated
  - Verify ACL rules
Priority 2: Test Alternative Configuration
- Test with vmbr0:
  - Try changing containers to vmbr0
  - Test if connectivity improves
  - Document results
Priority 3: Host Routing (If Router Config Not Possible)
- Configure Host as Gateway:
  - Enable IP forwarding
  - Configure NAT
  - Update container gateways
📝 Test Commands
Verify Inter-Container Communication
```bash
ssh root@192.168.11.11 "pct exec 7803 -- ping -c 1 192.168.11.50"
```
Check ARP Table
```bash
ssh root@192.168.11.11 "pct exec 7803 -- ip neigh show"
```
Test Gateway from Host
```bash
ssh root@192.168.11.11 "ping -c 1 192.168.11.1"
```
Check Bridge Status
```bash
ssh root@192.168.11.11 "brctl show vmbr0v11"
```
Monitor Bridge Traffic
```bash
ssh root@192.168.11.11 "tcpdump -i vmbr0v11 -c 10"
```
✅ Summary
Status: Containers are correctly configured but cannot reach gateway/internet
Root Cause: Router/gateway not configured to accept VLAN 11 traffic OR firewall blocking VLAN 11
Working: Inter-container communication, container configuration, bridge setup
Not Working: Gateway connectivity, internet access, DNS resolution
Next Action: Configure router for VLAN 11 or use alternative network configuration
Analysis Complete: 2026-01-20
Priority: 🔴 High - Blocks service deployment
Resolution: Requires router/firewall configuration