proxmox/reports/VMID2400_PROXMOX_NETWORK_CHECK.md

Proxmox Network Configuration Check for VMID 2400

Date: 2026-01-02
Purpose: Check for ACLs, firewall rules, or network configuration issues affecting 192.168.11.240

---

Summary

✅ NO NETWORK-LEVEL RESTRICTIONS FOUND

No ACLs, firewall rules, or network configuration issues were found that would prevent VMID 2400 (192.168.11.240) from connecting to validators 100 and 101.

---

Detailed Findings

1. Proxmox Firewall Status

Status: disabled/running

• Proxmox firewall is disabled
• No firewall rules are active

2. iptables Rules

Chain INPUT (policy ACCEPT)
Chain FORWARD (policy ACCEPT)  
Chain OUTPUT (policy ACCEPT)

• No rules blocking any IP addresses
• All chains have ACCEPT policy
• No rules specific to 192.168.11.240, 192.168.11.100, 192.168.11.101, or 192.168.11.250

3. VM-Specific Firewall Configs

• No firewall configs found for:
  • VMID 2400 (/etc/pve/firewall/2400.fw)
  • VMID 2500 (/etc/pve/firewall/2500.fw)
  • VMID 1000 (/etc/pve/firewall/1000.fw)
  • VMID 1001 (/etc/pve/firewall/1001.fw)

4. Cluster/Host Firewall Configs

• No cluster firewall config (/etc/pve/firewall/cluster.fw)
• No host firewall config (/etc/pve/nodes/<hostname>/host.fw)

5. Network Configuration

Bridge Configuration

• All VMs are on the same bridge: vmbr0
• All veth interfaces are properly connected:
  • veth2400i0 - VMID 2400 (192.168.11.240) ✅
  • veth2500i0 - VMID 2500 (192.168.11.250) ✅
  • veth1000i0 - VMID 1000 (192.168.11.100) ✅
  • veth1001i0 - VMID 1001 (192.168.11.101) ✅

VM Network Configurations

All VMs have identical network configuration:

net0: name=eth0,bridge=vmbr0,gw=192.168.11.1,hwaddr=...,ip=192.168.11.X/24,type=veth

IP Address Assignments

• ✅ VMID 2400: 192.168.11.240/24 - Correctly assigned
• ✅ VMID 2500: 192.168.11.250/24 - Correctly assigned
• ✅ VMID 1000: 192.168.11.100/24 - Correctly assigned
• ✅ VMID 1001: 192.168.11.101/24 - Correctly assigned

Network Routing

default via 192.168.11.1 dev vmbr0 proto kernel onlink 
192.168.11.0/24 dev vmbr0 proto kernel scope link src 192.168.11.10

• Standard routing configuration
• No route restrictions

6. nftables

• No nftables rules found blocking any IPs

---

Conclusion

There are NO network-level restrictions (ACLs, firewall rules, or network configuration issues) preventing VMID 2400 from connecting to validators 100 and 101.

All network configurations are:

• ✅ Identical across all VMs
• ✅ Properly configured
• ✅ No firewall rules blocking traffic
• ✅ All VMs on the same bridge (vmbr0)
• ✅ IP addresses correctly assigned

---

Implications

Since there are no network-level restrictions, the connectivity issue between VMID 2400 and validators 100/101 must be caused by:

1. Besu application-level issue - The validators may be rejecting connections at the Besu level (not network level)
2. Besu internal state - Validators may have cached connection rejections or internal state issues
3. Timing/Initialization - Validators may not be fully ready to accept connections
4. Besu configuration difference - There may be a subtle configuration difference between validators 100/101 and 102/103/104

Next Steps:

• Focus on Besu-level debugging rather than network-level
• Compare Besu configurations between working and non-working validators
• Check Besu logs for connection rejection reasons
• Consider restarting validators 100/101 to clear any internal state

---

Verification Commands Used

# Firewall status
pve-firewall status

# iptables rules
iptables -L -n -v
iptables -L INPUT -n -v --line-numbers
iptables -L FORWARD -n -v --line-numbers

# Firewall configs
ls -la /etc/pve/firewall/
cat /etc/pve/firewall/2400.fw
cat /etc/pve/firewall/cluster.fw

# Network configs
pct config 2400 | grep net
brctl show
ip link show

# IP addresses
pct exec 2400 -- ip addr show

---

Status: ✅ Network configuration verified - No issues found