docs/04-configuration/NPMPLUS_CONNECTIVITY_TEST_RESULTS.md

# NPMplus Connectivity Test Results

**Last Updated:** 2026-01-31  
**Document Version:** 1.0  
**Status:** Active Documentation

---

**Date:** 2025-01-20  
**Container:** 10233 (NPMplus)  
**IP:** 192.168.11.166  

---

## Test Results Summary

### ✅ What's Working
- Container has correct IP: `192.168.11.166/24`
- Gateway (192.168.11.1) is reachable from container
- Container routing table is correct
- Veth interface is on VLAN 11 (`vmbr0v11`)
- Proxmox hosts can reach backend services
- ARP responses from container to gateway work

### ❌ What's Not Working
- Container cannot reach ANY backend services (0/7)
- Container ARP table is empty (no neighbor entries)
- ARP requests from container to other hosts appear to be blocked
- Ping shows "Destination Host Unreachable" immediately

---

## Detailed Test Results

### Test 1: Proxmox Host Connectivity
- **Host:** 192.168.11.11
- **Results:** 4/7 services reachable
- **Failed:** VMIDs 10130, 10150, 10151 (on same host)
- **Working:** VMIDs 5000, 7811 (on 192.168.11.12), 2501, 2502 (on 192.168.11.10)

**Finding:** Proxmox host can reach services on OTHER hosts, but not on itself. This suggests host-local routing issue.

### Test 2: NPMplus Container Connectivity
- **Container:** 10233
- **IP:** 192.168.11.166
- **Results:** 0/7 services reachable
- **Error:** "Destination Host Unreachable" (not "No route to host")

**Finding:** Container can't reach ANY backend services, even though routing table is correct.

### Test 3: Gateway Connectivity
- **Gateway:** 192.168.11.1 (UDM Pro)
- **Status:** ✅ Reachable from container
- **ARP:** ✅ Gateway can ARP container, container responds

**Finding:** Gateway connectivity works, ARP resolution works for gateway.

### Test 4: ARP Analysis
- **Container ARP Table:** Empty (no entries)
- **Gateway ARP:** Works (gateway can resolve container MAC)
- **Backend ARP:** Container never sends ARP requests for backend services

**Finding:** Container ARP requests to backend services are not leaving the container or are being blocked.

### Test 5: Veth Interface Configuration
- **Interface:** `veth10233i0`
- **Master:** `vmbr0v11` (VLAN 11 sub-interface)
- **VLAN:** Configured for VLAN 11 (PVID)
- **Status:** UP, LOWER_UP

**Finding:** Veth interface is correctly configured for VLAN 11.

---

## Root Cause Analysis

### Primary Issue: ARP Resolution Failure

The container cannot resolve MAC addresses for backend services. Evidence:
1. Container ARP table is empty (no neighbor entries)
2. Ping shows "Destination Host Unreachable" immediately (suggests ARP failure, not routing failure)
3. tcpdump shows no ARP requests from container to backend services
4. Gateway ARP works (proves ARP mechanism works for gateway)

### Possible Causes

1. **UDM Pro Firewall Blocking ARP**
   - UDM Pro may be blocking ARP requests from containers
   - Check firewall rules for ARP (protocol type)
   - Check if "Network Isolation" is enabled for VLAN 11

2. **Proxmox Bridge ARP Filtering**
   - Bridge may not be forwarding ARP requests properly
   - Check bridge ARP filtering settings
   - Check if VLAN sub-interface (`vmbr0v11`) has correct ARP forwarding

3. **VLAN Sub-interface Issue**
   - Traffic may not be properly routed through VLAN sub-interface
   - `vmbr0v11` may not be forwarding traffic correctly
   - May need to use bridge VLAN filtering instead of sub-interface

4. **Host-local Routing Issue**
   - Proxmox host can't reach containers on itself
   - Suggests host-local routing configuration issue
   - May need to configure host routing for container networks

---

## Recommended Next Steps

### Priority 1: Check UDM Pro Firewall Rules
1. Access UDM Pro web UI: `https://192.168.11.1`
2. Check firewall rules blocking:
   - Source: `192.168.11.166` or `192.168.11.0/24`
   - Destination: `192.168.11.0/24`
   - Protocol: ARP or all protocols
3. Check "Network Isolation" setting for VLAN 11
4. Verify inter-VLAN routing is enabled

### Priority 2: Check Proxmox Bridge Configuration
1. Verify bridge ARP forwarding is enabled
2. Check if VLAN sub-interface is configured correctly
3. Consider using bridge VLAN filtering instead of sub-interface

### Priority 3: Test Alternative Network Configuration
1. Try removing VLAN tagging temporarily to test if VLAN is the issue
2. Test with container on untagged bridge
3. Compare behavior with working containers

---

## Test Commands

### Check ARP Resolution
```bash
# From container
ssh root@192.168.11.11 "pct exec 10233 -- ip neigh show"

# Clear ARP cache and retry
ssh root@192.168.11.11 "pct exec 10233 -- ip neigh flush all && pct exec 10233 -- ping -c 1 192.168.11.1 && pct exec 10233 -- ip neigh show"
```

### Monitor ARP Traffic
```bash
# On Proxmox host
ssh root@192.168.11.11 "tcpdump -i veth10233i0 -n arp"

# On VLAN sub-interface
ssh root@192.168.11.11 "tcpdump -i vmbr0v11 -n arp"
```

### Check Bridge Configuration
```bash
# Check veth interface
ssh root@192.168.11.11 "bridge link show veth10233i0"

# Check VLAN configuration
ssh root@192.168.11.11 "bridge vlan show veth10233i0"
```

---

## Status

🔴 **BLOCKED** - ARP resolution failure preventing container from reaching backend services

**Next Action:** Check UDM Pro firewall rules and network isolation settings for VLAN 11
docs: Ledger Live integration, contract deploy learnings, NEXT_STEPS updates - ADD_CHAIN138_TO_LEDGER_LIVE: Ledger form done; public code review repo bis-innovations/LedgerLive; init/push commands - CONTRACT_DEPLOYMENT_RUNBOOK: Chain 138 gas price 1 gwei, 36-addr check, TransactionMirror workaround - CONTRACT_*: AddressMapper, MirrorManager deployed 2026-02-12; 36-address on-chain check - NEXT_STEPS_FOR_YOU: Ledger done; steps completable now (no LAN); run-completable-tasks-from-anywhere - MASTER_INDEX, OPERATOR_OPTIONAL, SMART_CONTRACTS_INVENTORY_SIMPLE: updates - LEDGER_BLOCKCHAIN_INTEGRATION_COMPLETE: bis-innovations/LedgerLive reference Co-authored-by: Cursor <cursoragent@cursor.com> 2026-02-12 15:46:57 -08:00			`# NPMplus Connectivity Test Results`

			`Last Updated: 2026-01-31`
			`Document Version: 1.0`
			`Status: Active Documentation`

			`---`

			`Date: 2025-01-20`
			`Container: 10233 (NPMplus)`
			`IP: 192.168.11.166`

			`---`

			`## Test Results Summary`

			`### ✅ What's Working`
			- Container has correct IP: `192.168.11.166/24`
			`- Gateway (192.168.11.1) is reachable from container`
			`- Container routing table is correct`
			- Veth interface is on VLAN 11 (`vmbr0v11`)
			`- Proxmox hosts can reach backend services`
			`- ARP responses from container to gateway work`

			`### ❌ What's Not Working`
			`- Container cannot reach ANY backend services (0/7)`
			`- Container ARP table is empty (no neighbor entries)`
			`- ARP requests from container to other hosts appear to be blocked`
			`- Ping shows "Destination Host Unreachable" immediately`

			`---`

			`## Detailed Test Results`

			`### Test 1: Proxmox Host Connectivity`
			`- Host: 192.168.11.11`
			`- Results: 4/7 services reachable`
			`- Failed: VMIDs 10130, 10150, 10151 (on same host)`
			`- Working: VMIDs 5000, 7811 (on 192.168.11.12), 2501, 2502 (on 192.168.11.10)`

			`Finding: Proxmox host can reach services on OTHER hosts, but not on itself. This suggests host-local routing issue.`

			`### Test 2: NPMplus Container Connectivity`
			`- Container: 10233`
			`- IP: 192.168.11.166`
			`- Results: 0/7 services reachable`
			`- Error: "Destination Host Unreachable" (not "No route to host")`

			`Finding: Container can't reach ANY backend services, even though routing table is correct.`

			`### Test 3: Gateway Connectivity`
			`- Gateway: 192.168.11.1 (UDM Pro)`
			`- Status: ✅ Reachable from container`
			`- ARP: ✅ Gateway can ARP container, container responds`

			`Finding: Gateway connectivity works, ARP resolution works for gateway.`

			`### Test 4: ARP Analysis`
			`- Container ARP Table: Empty (no entries)`
			`- Gateway ARP: Works (gateway can resolve container MAC)`
			`- Backend ARP: Container never sends ARP requests for backend services`

			`Finding: Container ARP requests to backend services are not leaving the container or are being blocked.`

			`### Test 5: Veth Interface Configuration`
			- Interface: `veth10233i0`
			- Master: `vmbr0v11` (VLAN 11 sub-interface)
			`- VLAN: Configured for VLAN 11 (PVID)`
			`- Status: UP, LOWER_UP`

			`Finding: Veth interface is correctly configured for VLAN 11.`

			`---`

			`## Root Cause Analysis`

			`### Primary Issue: ARP Resolution Failure`

			`The container cannot resolve MAC addresses for backend services. Evidence:`
			`1. Container ARP table is empty (no neighbor entries)`
			`2. Ping shows "Destination Host Unreachable" immediately (suggests ARP failure, not routing failure)`
			`3. tcpdump shows no ARP requests from container to backend services`
			`4. Gateway ARP works (proves ARP mechanism works for gateway)`

			`### Possible Causes`

			`1. UDM Pro Firewall Blocking ARP`
			`- UDM Pro may be blocking ARP requests from containers`
			`- Check firewall rules for ARP (protocol type)`
			`- Check if "Network Isolation" is enabled for VLAN 11`

			`2. Proxmox Bridge ARP Filtering`
			`- Bridge may not be forwarding ARP requests properly`
			`- Check bridge ARP filtering settings`
			- Check if VLAN sub-interface (`vmbr0v11`) has correct ARP forwarding

			`3. VLAN Sub-interface Issue`
			`- Traffic may not be properly routed through VLAN sub-interface`
			- `vmbr0v11` may not be forwarding traffic correctly
			`- May need to use bridge VLAN filtering instead of sub-interface`

			`4. Host-local Routing Issue`
			`- Proxmox host can't reach containers on itself`
			`- Suggests host-local routing configuration issue`
			`- May need to configure host routing for container networks`

			`---`

			`## Recommended Next Steps`

			`### Priority 1: Check UDM Pro Firewall Rules`
			1. Access UDM Pro web UI: `https://192.168.11.1`
			`2. Check firewall rules blocking:`
			- Source: `192.168.11.166` or `192.168.11.0/24`
			- Destination: `192.168.11.0/24`
			`- Protocol: ARP or all protocols`
			`3. Check "Network Isolation" setting for VLAN 11`
			`4. Verify inter-VLAN routing is enabled`

			`### Priority 2: Check Proxmox Bridge Configuration`
			`1. Verify bridge ARP forwarding is enabled`
			`2. Check if VLAN sub-interface is configured correctly`
			`3. Consider using bridge VLAN filtering instead of sub-interface`

			`### Priority 3: Test Alternative Network Configuration`
			`1. Try removing VLAN tagging temporarily to test if VLAN is the issue`
			`2. Test with container on untagged bridge`
			`3. Compare behavior with working containers`

			`---`

			`## Test Commands`

			`### Check ARP Resolution`
			```bash
			`# From container`
			`ssh root@192.168.11.11 "pct exec 10233 -- ip neigh show"`

			`# Clear ARP cache and retry`
			`ssh root@192.168.11.11 "pct exec 10233 -- ip neigh flush all && pct exec 10233 -- ping -c 1 192.168.11.1 && pct exec 10233 -- ip neigh show"`
			```

			`### Monitor ARP Traffic`
			```bash
			`# On Proxmox host`
			`ssh root@192.168.11.11 "tcpdump -i veth10233i0 -n arp"`

			`# On VLAN sub-interface`
			`ssh root@192.168.11.11 "tcpdump -i vmbr0v11 -n arp"`
			```

			`### Check Bridge Configuration`
			```bash
			`# Check veth interface`
			`ssh root@192.168.11.11 "bridge link show veth10233i0"`

			`# Check VLAN configuration`
			`ssh root@192.168.11.11 "bridge vlan show veth10233i0"`
			```

			`---`

			`## Status`

			`🔴 BLOCKED - ARP resolution failure preventing container from reaching backend services`

			`Next Action: Check UDM Pro firewall rules and network isolation settings for VLAN 11`