This is the **authoritative source** for all RPC endpoint configurations. All other documentation and scripts should reference this document. **Master documentation (source of truth):** [MASTER_DOCUMENTATION_INDEX.md](../00-meta/MASTER_DOCUMENTATION_INDEX.md) lists this doc and [ALL_VMIDS_ENDPOINTS.md](ALL_VMIDS_ENDPOINTS.md) as the Bible for domain → VMID:port; only `explorer.d-bis.org` should point to 192.168.11.140.
**Edge & port forwarding:** UDM Pro (76.53.10.34, replaced ER605). Proxmox hosts: 192.168.11.10 (ml110), 192.168.11.11 (r630-01), 192.168.11.12 (r630-02). NPMplus LXC (VMID 10233) has 192.168.11.166 and 192.168.11.167; **only 192.168.11.167** is used in UDM Pro. Port forward: **76.53.10.36:80** → **192.168.11.167:80**, **76.53.10.36:443** → **192.168.11.167:443**. See [NETWORK_CONFIGURATION_MASTER.md](../11-references/NETWORK_CONFIGURATION_MASTER.md).
| **138 Core RPC** | `RPC_URL_138` | Admin, deploy, scripts on LAN | `http://192.168.11.211:8545` (VMID 2101, RPC_CORE_1) |
| **138 Public RPC** | `RPC_URL_138_PUBLIC` | Bridge, monitoring, frontend, browser | `http://192.168.11.221:8545` (VMID 2201); public URL: `https://rpc-http-pub.d-bis.org` |
- Set in `config/ip-addresses.conf` or `smom-dbis-138/.env`. In smom `.env`, **`RPC_URL`** is an accepted alias for **Core** and is normalized to `RPC_URL_138`. `CHAIN138_RPC_URL` / `CHAIN138_RPC` are derived from `RPC_URL_138`. `WS_URL_138_PUBLIC` is the WebSocket for Public (e.g. `ws://192.168.11.221:8546`).
- **Core RPC (VMID 2101) for deploy:** Use **IP and port**, not FQDN. Set `RPC_URL_138=http://192.168.11.211:8545` in `smom-dbis-138/.env` for contract deployment and gas checks. Do not use `https://rpc-core.d-bis.org` for deployment (avoids DNS/tunnel dependency; direct IP is reliable from LAN). See [TODOS_CONSOLIDATED](../00-meta/TODOS_CONSOLIDATED.md) § First (0b).
The public Chain 138 RPC tier is expected to provide the following wallet-grade baseline:
-`eth_chainId`
-`eth_blockNumber`
-`eth_syncing`
-`eth_gasPrice`
-`eth_feeHistory`
-`eth_maxPriorityFeePerGas`
-`eth_estimateGas`
-`eth_getCode`
-`trace_block`
-`trace_replayBlockTransactions`
Use [scripts/verify/check-chain138-rpc-health.sh](/home/intlc/projects/proxmox/scripts/verify/check-chain138-rpc-health.sh) for the live health and capability probe.
If `eth_maxPriorityFeePerGas` is missing, the first fix path is the public node version on VMID `2201`. Besu `24.7.0+` adds support for that method; use [upgrade-public-rpc-vmid2201.sh](/home/intlc/projects/proxmox/scripts/besu/upgrade-public-rpc-vmid2201.sh) to perform the targeted public-RPC upgrade.
| **RPC_URL_138_PUBLIC** (Public) | `http://192.168.11.221:8545` or `https://rpc-http-pub.d-bis.org` | Single standard for Chain 138 public; VITE_RPC_URL_138 in frontend |
| **RPC_URL_138_FIREBLOCKS** (Fireblocks) | `http://192.168.11.232:8545` or `https://rpc-fireblocks.d-bis.org` | Dedicated RPC for Fireblocks Web3 (VMID 2301); `WS_URL_138_FIREBLOCKS`: `wss://ws.rpc-fireblocks.d-bis.org` |
### Obtaining RPC URLs (Infura, Etherscan API, public RPCs)
For **Ethereum mainnet and other public chains**, you can use:
| Source | Type | URL pattern / notes |
|--------|------|----------------------|
| **Infura** | JSON-RPC (key required) | `https://mainnet.infura.io/v3/<PROJECT_ID>` — [infura.io](https://infura.io) dashboard; free tier, one key. Other networks: `https://polygon-mainnet.infura.io/v3/<ID>`, `https://base-mainnet.infura.io/v3/<ID>`, etc. |
| **Alchemy** | JSON-RPC (key required) | `https://eth-mainnet.g.alchemy.com/v2/<API_KEY>` — [alchemy.com](https://alchemy.com); free tier. Use for production when you need higher rate limits. |
| **Etherscan** | REST API (explorer, not RPC) | `https://api.etherscan.io/api?...&apikey=<KEY>` — block explorer API (contract verification, tx history). **Not** JSON-RPC; use Infura/Alchemy/public RPC for `eth_*` calls. |
| **Public RPCs (no key)** | JSON-RPC | `https://eth.llamarpc.com`, `https://ethereum.publicnode.com`, `https://cloudflare-eth.com`, `https://eth.drpc.org` — rate limited; fine for dev/fallback. See [chainlist.org](https://chainlist.org) for more. |
**Usage:** Set `ETHEREUM_MAINNET_RPC` (or `RPC_URL_MAINNET`) in `.env` to one of the above. Prefer Infura/Alchemy with your own key for production; use public RPCs in `.env.example` and as code fallbacks. Never commit API keys.
**CCIP Relay:** The relay service (deployed at `/opt/smom-dbis-138/services/relay` on r630-01) uses **Chain 138 Public RPC** (VMID 2201): set `RPC_URL_138_PUBLIC` (or `RPC_URL_138` for backward compat) to `http://192.168.11.221:8545` in `services/relay/.env` or `smom-dbis-138/.env`. For mainnet it uses `RPC_URL_MAINNET` first, then `ETHEREUM_MAINNET_RPC`. Infura mainnet is recommended to avoid public RPC rate limits (429). See [07-ccip/CCIP_RELAY_DEPLOYMENT.md](../07-ccip/CCIP_RELAY_DEPLOYMENT.md).
**Dotenv:** The project `.env` may contain both **Infura** (RPC URLs, `INFURA_GAS_API`) and **Etherscan/Blockscan** (`ETHERSCAN_API_KEY`) API keys. Use placeholders in `.env.example` only; see `smom-dbis-138/.env.example` for the full list.
---
## Active RPC Nodes (12/13 Running)
| VMID | IP Address | Hostname | HTTP RPC | WebSocket RPC | Status |
**Important**: Any scripts or configurations referencing the old IPs (192.168.11.250-254, 192.168.11.201-204) must be updated.
Containers 2506, 2507, 2508 were **destroyed 2026-02-08** on all Proxmox hosts. RPC range in use: 2500–2505. IPs .202, .203, .204 freed.
---
## DNS Configuration
**When Option B (RPC via Cloudflare Tunnel) is used:** The 6 RPC HTTP hostnames (rpc-http-pub, rpc, rpc2, rpc-http-prv, rpc.public-0138.defi-oracle.io, rpc.defi-oracle.io) use **CNAME** to <tunnel-id>.cfargotunnel.com (Proxied); they do not use A 76.53.10.36. See [05-network/OPTION_B_RPC_VIA_TUNNEL_RUNBOOK.md](../05-network/OPTION_B_RPC_VIA_TUNNEL_RUNBOOK.md).
**Web/api and RPC WS (direct/Fastly):** All other domains resolve to the public IP `76.53.10.36` (or Fastly CNAME). NPMplus handles SSL termination and routing to internal services.
**Issue**: NPMplus container needed to reach both the UDM Pro gateway (for port forwarding) and the RPC nodes (for backend proxying), but tagged VLAN 11 traffic couldn't reach untagged hosts.
**Root Cause**: UDM Pro treats tagged VLAN 11 and untagged traffic as separate networks.
**Solution**: Dual-NIC configuration with one tagged and one untagged interface.
**NPMplus Container Config** (VMID 10233 on r630-01; NPMplus has .166 and .167; only **.167** is used in UDM Pro port forwarding):
```bash
# eth0: Tagged VLAN 11 - for gateway/external access
| `explorer.d-bis.org` | A | 76.53.10.36 | ✅ Proxied |
| `dbis-admin.d-bis.org` | A | 76.53.10.36 | ✅ Proxied |
| `dbis-api.d-bis.org` | A | 76.53.10.36 | ✅ Proxied |
| `dbis-api-2.d-bis.org` | A | 76.53.10.36 | ✅ Proxied |
| `secure.d-bis.org` | A | 76.53.10.36 | ✅ Proxied |
| `rpc.public-0138.defi-oracle.io` | A or CNAME | 76.53.10.36 or tunnel | ✅ Proxied |
| `rpc.defi-oracle.io` | A or CNAME | 76.53.10.36 or tunnel | ✅ Proxied |
| `wss.defi-oracle.io` | A | 76.53.10.36 | ✅ Proxied |
---
## Verification Commands
### Test All RPC Nodes (Internal)
```bash
for ip in 192.168.11.211 192.168.11.221 192.168.11.233 192.168.11.234 192.168.11.235 192.168.11.236 192.168.11.237 192.168.11.238 192.168.11.240 192.168.11.241 192.168.11.242 192.168.11.243; do
curl -s -X POST -H "Content-Type: application/json" \
for domain in rpc-http-pub.d-bis.org rpc-ws-pub.d-bis.org rpc-http-prv.d-bis.org rpc-ws-prv.d-bis.org rpc.public-0138.defi-oracle.io rpc.defi-oracle.io wss.defi-oracle.io; do
echo -n "$domain: "
dig +short $domain
done
```
---
## Related Documentation
- [PUBLIC_RPC_CHAIN138_LEDGER.md](./PUBLIC_RPC_CHAIN138_LEDGER.md) - Public RPCs for ChainID 138, NPMplus→VM mapping, Ledger App-Ethereum
