proxmox/docs/04-configuration/RPC_ENDPOINTS_MASTER.md

# RPC Endpoints Master Reference

> Modern note: This remains the current RPC reference, but some sections intentionally preserve migration mappings from the retired `2500`-series RPC layout. Treat those mapping tables as historical lineage only. The live authoritative inventory is the combination of this document, `docs/04-configuration/ALL_VMIDS_ENDPOINTS.md`, `docs/02-architecture/DBIS_NODE_ROLE_MATRIX.md`, and `config/ip-addresses.conf`.

**Last Updated:** 2026-04-06  
**Document Version:** 1.4  
**Status:** Active Documentation

---

**Date**: 2026-01-18  
**Status**: ✅ Active  
**Last Updated**: 2026-04-06  
**Changelog:** Inventory includes VMID **2103** (Thirdweb admin core); **core tier** = **2101–2103**. Live placement: **2101** and **2103** on **r630-01**, **2102** on **r630-03**. Health script probes **15** LAN RPC HTTP endpoints (`check-chain138-rpc-health.sh`).

---

## Quick Reference

This is the **authoritative source** for all RPC endpoint configurations. All other documentation and scripts should reference this document. **Master documentation (source of truth):** [MASTER_DOCUMENTATION_INDEX.md](../00-meta/MASTER_DOCUMENTATION_INDEX.md) lists this doc and [ALL_VMIDS_ENDPOINTS.md](ALL_VMIDS_ENDPOINTS.md) as the Bible for domain → VMID:port; only `explorer.d-bis.org` should point to 192.168.11.140.

**Edge & port forwarding:** UDM Pro (76.53.10.34, replaced ER605). Proxmox hosts: 192.168.11.10 (ml110), 192.168.11.11 (r630-01), 192.168.11.12 (r630-02). NPMplus LXC (VMID 10233) has 192.168.11.166 and 192.168.11.167; **only 192.168.11.167** is used in UDM Pro. Port forward: **76.53.10.36:80** → **192.168.11.167:80**, **76.53.10.36:443** → **192.168.11.167:443**. See [NETWORK_CONFIGURATION_MASTER.md](../11-references/NETWORK_CONFIGURATION_MASTER.md).

### Canonical RPC URLs (use when setting missing .env / scripts)

**Chain ID 138 — two standard env vars:**

| Standard | Env var | Use | Canonical value |
|----------|---------|-----|-----------------|
| **138 Core RPC** | `RPC_URL_138` | Admin, deploy, scripts on LAN | `http://192.168.11.211:8545` (VMID 2101, RPC_CORE_1) |
| **138 Public RPC** | `RPC_URL_138_PUBLIC` | Bridge, monitoring, frontend, **MetaMask, any internet-facing client** | **HTTPS FQDN:** `https://rpc-http-pub.d-bis.org` (VMID 2201 via NPM). On LAN only: `http://192.168.11.221:8545` |

- **Public / wallet rule:** Do not publish or paste **raw public-node IPs** for end users. Use **FQDN** URLs from [Public Domain Mappings](#public-domain-mappings-npmplus) (e.g. `https://rpc-http-pub.d-bis.org`, `https://rpc.d-bis.org`, `https://rpc.defi-oracle.io`, `https://rpc.public-0138.defi-oracle.io`). WebSocket: `wss://rpc-ws-pub.d-bis.org` (or `wss://wss.defi-oracle.io` per mapping table).
- **MetaMask:** Even with correct chain id and HTTPS RPC, MetaMask treats Chain 138 as a **user-added network** until/unless Consensys ships it as a built-in or curated default. Use `wallet_addEthereumChain` (EIP-3085) from your dapp and canonical FQDN `rpcUrls` so users never paste unknown endpoints. See [MetaMask: risks of unknown networks](https://support.metamask.io/stay-safe/safety-in-web3/the-risks-of-connecting-to-an-unknown-network/).
- Set in `config/ip-addresses.conf` or `smom-dbis-138/.env`. In smom `.env`, **`RPC_URL`** is an accepted alias for **Core** and is normalized to `RPC_URL_138`. `CHAIN138_RPC_URL` / `CHAIN138_RPC` are derived from `RPC_URL_138`. `WS_URL_138_PUBLIC` on LAN: `ws://192.168.11.221:8546`; **internet-facing:** `wss://rpc-ws-pub.d-bis.org`.
- **Core RPC (VMID 2101) for deploy:** Use **IP and port**, not FQDN. Set `RPC_URL_138=http://192.168.11.211:8545` in `smom-dbis-138/.env` for contract deployment and gas checks. Do not use `https://rpc-core.d-bis.org` for deployment (avoids DNS/tunnel dependency; direct IP is reliable from LAN). See [TODOS_CONSOLIDATED](../00-meta/TODOS_CONSOLIDATED.md) § First (0b).
- **Thirdweb admin core (VMID 2103) — NPM HTTPS FQDN:** **`https://rpc.tw-core.d-bis.org`** (TLS via NPMplus → `192.168.11.217:8545`). **E2E verified (2026-04-09):** `eth_chainId` `0x8a`, `eth_blockNumber` OK; Foundry `forge script` dry-run against this URL OK. Use for deploy/tooling when DNS and TLS are acceptable; for air-gapped LAN-only automation use `http://192.168.11.217:8545` or set `RPC_THIRDWEB_ADMIN_LAN_ONLY=1` in `thirdweb-core-2103-test/scripts/rpc-url-2103.sh` consumers. WebSocket NPM host: **`wss.tw-core.d-bis.org`** → `wss://wss.tw-core.d-bis.org`.

### Public RPC capability baseline

The public Chain 138 RPC tier is expected to provide the following wallet-grade baseline:

- `eth_chainId`
- `eth_blockNumber`
- `eth_syncing`
- `eth_gasPrice`
- `eth_feeHistory`
- `eth_maxPriorityFeePerGas`
- `eth_estimateGas`
- `eth_getCode`
- `trace_block`
- `trace_replayBlockTransactions`

Use [`scripts/verify/check-chain138-rpc-health.sh`](../../scripts/verify/check-chain138-rpc-health.sh) for the live health and capability probe.

If `eth_maxPriorityFeePerGas` is missing, the first fix path is the public node version on VMID `2201`. Besu `24.7.0+` adds support for that method; use [`upgrade-public-rpc-vmid2201.sh`](../../scripts/besu/upgrade-public-rpc-vmid2201.sh) to perform the targeted public-RPC upgrade.

| Variable / use | Canonical value | Notes |
|----------------|-----------------|--------|
| **RPC_URL_138** (Core) | `http://192.168.11.211:8545` | **Prefer IP:port for admin/deploy.** Off-LAN read-only fallback (operator): `https://rpc-core.d-bis.org` — still not for deploy |
| **RPC_URL_138_PUBLIC** (Public) | **`https://rpc-http-pub.d-bis.org`** (internet); `http://192.168.11.221:8545` (LAN only) | **Published** configs, frontends, `wallet_addEthereumChain`, and Chainlist entries must use **HTTPS FQDN**, not `192.168.11.221`. `VITE_RPC_URL_138` / browser env: FQDN |
| **RPC_URL_138_FIREBLOCKS** (Fireblocks) | `http://192.168.11.232:8545` or `https://rpc-fireblocks.d-bis.org` | Dedicated RPC for Fireblocks Web3 (VMID 2301); `WS_URL_138_FIREBLOCKS`: `wss://ws.rpc-fireblocks.d-bis.org` |
| **Ethereum Mainnet** | `https://eth.llamarpc.com` or Infura/Alchemy | `ETHEREUM_MAINNET_RPC` or `RPC_URL_MAINNET` in .env; CCIP relay uses both. Prefer Infura `https://mainnet.infura.io/v3/<PROJECT_ID>` to avoid 429. |
| **ALL Mainnet (651940)** | `https://mainnet-rpc.alltra.global` | alltra-lifi-settlement, token-lists |
| **WEMIX3.0 mainnet (1111)** | `https://api.wemix.com` | `WEMIX_RPC` or `WEMIX_MAINNET_RPC` in repo `.env`; WebSocket `wss://ws.wemix.com`. Official: [WEMIX public RPC](https://docs.wemix.com/en/quick-start/start-node/use-public-api-server-rpc). On-chain swap to native WEMIX: [wemix.fi/swap](https://wemix.fi/swap). Acquisition from other L1s: [WEMIX_ACQUISITION_TABLED.md](../03-deployment/WEMIX_ACQUISITION_TABLED.md). |

### Obtaining RPC URLs (Infura, Etherscan API, public RPCs)

For **Ethereum mainnet and other public chains**, you can use:

| Source | Type | URL pattern / notes |
|--------|------|----------------------|
| **Infura** | JSON-RPC (key required) | `https://mainnet.infura.io/v3/<PROJECT_ID>` — [infura.io](https://infura.io) dashboard; free tier, one key. Other networks: `https://polygon-mainnet.infura.io/v3/<ID>`, `https://base-mainnet.infura.io/v3/<ID>`, etc. |
| **Alchemy** | JSON-RPC (key required) | `https://eth-mainnet.g.alchemy.com/v2/<API_KEY>` — [alchemy.com](https://alchemy.com); free tier. Use for production when you need higher rate limits. |
| **Etherscan** | REST API (explorer, not RPC) | `https://api.etherscan.io/api?...&apikey=<KEY>` — block explorer API (contract verification, tx history). **Not** JSON-RPC; use Infura/Alchemy/public RPC for `eth_*` calls. |
| **Public RPCs (no key)** | JSON-RPC | `https://eth.llamarpc.com`, `https://ethereum.publicnode.com`, `https://cloudflare-eth.com`, `https://eth.drpc.org` — rate limited; fine for dev/fallback. See [chainlist.org](https://chainlist.org) for more. |

**Usage:** Set `ETHEREUM_MAINNET_RPC` (or `RPC_URL_MAINNET`) in `.env` to one of the above. Prefer Infura/Alchemy with your own key for production; use public RPCs in `.env.example` and as code fallbacks. Never commit API keys.

**CCIP Relay:** The relay service (deployed at `/opt/smom-dbis-138/services/relay` on r630-01) uses **Chain 138 Public RPC** (VMID 2201): set `RPC_URL_138_PUBLIC` (or `RPC_URL_138` for backward compat) to `http://192.168.11.221:8545` in `services/relay/.env` or `smom-dbis-138/.env`. For mainnet it uses `RPC_URL_MAINNET` first, then `ETHEREUM_MAINNET_RPC`. Infura mainnet is recommended to avoid public RPC rate limits (429). See [07-ccip/CCIP_RELAY_DEPLOYMENT.md](../07-ccip/CCIP_RELAY_DEPLOYMENT.md).

**Dotenv:** The project `.env` may contain both **Infura** (RPC URLs, `INFURA_GAS_API`) and **Etherscan/Blockscan** (`ETHERSCAN_API_KEY`) API keys. Use placeholders in `.env.example` only; see `smom-dbis-138/.env.example` for the full list.

---

## RPC Inventory (config + live cluster)

**Core RPC tier (VMIDs 2101–2103):** Besu JSON-RPC/WS on **8545/8546**, same chain id **138**. **2101** (`.211`) is the default **`RPC_URL_138` / `RPC_CORE_1`** for deploy and admin. **2102** (`.212`, **`RPC_CORE_2`**) is the second core peer; **Proxmox host: r630-03** (`192.168.11.13`). **2103** (`.217`, **`RPC_THIRDWEB_ADMIN_CORE`**, hostname `besu-rpc-core-thirdweb`) is the Thirdweb admin/core lane; **Proxmox host: r630-01** (`192.168.11.11`) with NPM FQDNs **`rpc.tw-core.d-bis.org`** / **`wss.tw-core.d-bis.org`** (see `scripts/nginx-proxy-manager/update-npmplus-proxy-hosts-api.sh`). **2101** and **2103** both run on **r630-01**.

| VMID | IP Address | Hostname | HTTP RPC | WebSocket RPC | Status |
|------|------------|----------|----------|---------------|--------|
| 2101 | 192.168.11.211 | besu-rpc-core-1 | `http://192.168.11.211:8545` | `ws://192.168.11.211:8546` | ✅ Running |
| 2102 | 192.168.11.212 | besu-rpc-core-2 | `http://192.168.11.212:8545` | `ws://192.168.11.212:8546` | ✅ Running |
| 2103 | 192.168.11.217 | besu-rpc-core-thirdweb | `http://192.168.11.217:8545` | `ws://192.168.11.217:8546` | ✅ Running |
| **2201** | **192.168.11.221** | besu-rpc-public-1 | `http://192.168.11.221:8545` | `ws://192.168.11.221:8546` | ✅ Running |
| 2301 | 192.168.11.232 | besu-rpc-private-1 | `http://192.168.11.232:8545` | `ws://192.168.11.232:8546` | ✅ Running (Fireblocks lane) |
| 2303 | 192.168.11.233 | besu-rpc-ali-0x8a | `http://192.168.11.233:8545` | `ws://192.168.11.233:8546` | ✅ Running |
| 2304 | 192.168.11.234 | besu-rpc-ali-0x1 | `http://192.168.11.234:8545` | `ws://192.168.11.234:8546` | ✅ Running |
| 2305 | 192.168.11.235 | besu-rpc-luis-0x8a | `http://192.168.11.235:8545` | `ws://192.168.11.235:8546` | ✅ Running |
| 2306 | 192.168.11.236 | besu-rpc-luis-0x1 | `http://192.168.11.236:8545` | `ws://192.168.11.236:8546` | ✅ Running |
| 2307 | 192.168.11.237 | besu-rpc-putu-0x8a | `http://192.168.11.237:8545` | `ws://192.168.11.237:8546` | ✅ Running |
| 2308 | 192.168.11.238 | besu-rpc-putu-0x1 | `http://192.168.11.238:8545` | `ws://192.168.11.238:8546` | ✅ Running |
| 2400 | 192.168.11.240 | thirdweb-rpc-1 | `http://192.168.11.240:8545` | `ws://192.168.11.240:8546` | ✅ Running |
| 2401 | 192.168.11.241 | besu-rpc-thirdweb-0x8a-1 | `http://192.168.11.241:8545` | `ws://192.168.11.241:8546` | ✅ Running |
| 2402 | 192.168.11.242 | besu-rpc-thirdweb-0x8a-2 | `http://192.168.11.242:8545` | `ws://192.168.11.242:8546` | ✅ Running |
| 2403 | 192.168.11.243 | besu-rpc-thirdweb-0x8a-3 | `http://192.168.11.243:8545` | `ws://192.168.11.243:8546` | ✅ Running |

**Health check:** `bash scripts/verify/check-chain138-rpc-health.sh` probes **all 15** LAN HTTP RPC endpoints above (including **2103**; **2103** uses a lower peer threshold than the rest—see script `RPC_ROWS`). Expect head spread within **`RPC_MAX_HEAD_SPREAD`** (default 12) and public capability checks against **`CHAIN138_PUBLIC_RPC_URL`** (default `https://rpc-http-pub.d-bis.org`).

**Fixed Permanent:** VMID 2201 = 192.168.11.221 (besu-rpc-public-1). Do not change. Source: `config/ip-addresses.conf`.

---

## Public Domain Mappings (NPMplus)

### RPC Domains (d-bis.org)

| Domain | Protocol | Target VMID | Target IP | Target Port | WebSocket | Notes |
|--------|----------|-------------|-----------|-------------|-----------|-------|
| `rpc-http-pub.d-bis.org` | HTTPS | 2201 | 192.168.11.221 | 8545 | ✅ Yes | Public HTTP RPC |
| `rpc-ws-pub.d-bis.org` | WSS | 2201 | 192.168.11.221 | 8546 | ✅ Yes | Public WebSocket RPC |
| `rpc.d-bis.org` | HTTPS | 2201 | 192.168.11.221 | 8545 | ✅ Yes | Primary RPC (same as rpc-http-pub) |
| `rpc2.d-bis.org` | HTTPS | 2201 | 192.168.11.221 | 8545 | ✅ Yes | Secondary RPC (same as rpc-http-pub) |
| `ws.rpc.d-bis.org` | WSS | 2201 | 192.168.11.221 | 8546 | ✅ Yes | Primary WebSocket (same as rpc-ws-pub) |
| `ws.rpc2.d-bis.org` | WSS | 2201 | 192.168.11.221 | 8546 | ✅ Yes | Secondary WebSocket (same as rpc-ws-pub) |
| `rpc-http-prv.d-bis.org` | HTTPS | 2101 | 192.168.11.211 | 8545 | ✅ Yes | Private HTTP RPC |
| `rpc-core.d-bis.org` | HTTPS | 2101 | 192.168.11.211 | 8545 | ✅ Yes | Core RPC alias (same backend as rpc-http-prv); deploy still prefers IP:8545 |
| `rpc-ws-prv.d-bis.org` | WSS | 2101 | 192.168.11.211 | 8546 | ✅ Yes | Private WebSocket RPC |
| `rpc-fireblocks.d-bis.org` | HTTPS | 2301 | 192.168.11.232 | 8545 | ✅ Yes | **Fireblocks-dedicated** HTTP RPC |
| `ws.rpc-fireblocks.d-bis.org` | WSS | 2301 | 192.168.11.232 | 8546 | ✅ Yes | **Fireblocks-dedicated** WebSocket RPC |

### ThirdWeb RPC (defi-oracle.io)

| Domain | Protocol | Target VMID | Target IP | Target Port | WebSocket | Notes |
|--------|----------|-------------|-----------|-------------|-----------|-------|
| `rpc.public-0138.defi-oracle.io` | HTTPS | 2400 | 192.168.11.240 | 443 | ✅ Yes | ThirdWeb RPC (via Nginx) |
| `rpc.defi-oracle.io` | HTTPS | 2201 | 192.168.11.221 | 8545 | ✅ Yes | Defi Oracle HTTP RPC (same as rpc-http-pub) |
| `wss.defi-oracle.io` | WSS | 2201 | 192.168.11.221 | 8546 | ✅ Yes | Defi Oracle WebSocket RPC (same as rpc-ws-pub) |

### Explorer (d-bis.org)

| Domain | Protocol | Target VMID | Target IP | Target Port | WebSocket | Notes |
|--------|----------|-------------|-----------|-------------|-----------|-------|
| `explorer.d-bis.org` | HTTP | 5000 | 192.168.11.140 | 80, 4000 | ❌ No | Blockscout Explorer (web:80, API:4000) |

### DBIS Services (d-bis.org)

| Domain | Protocol | Target VMID | Target IP | Target Port | WebSocket | Notes |
|--------|----------|-------------|-----------|-------------|-----------|-------|
| `dbis-admin.d-bis.org` | HTTP | 10130 | 192.168.11.130 | 80 | ❌ No | DBIS Admin Frontend |
| `dbis-api.d-bis.org` | HTTP | 10150 | 192.168.11.155 | 3000 | ❌ No | DBIS API Primary (includes `/api/v1/crypto-com-otc`) |
| `dbis-api-2.d-bis.org` | HTTP | 10151 | 192.168.11.156 | 3000 | ❌ No | DBIS API Secondary |
| `secure.d-bis.org` | HTTP | 10130 | 192.168.11.130 | 80 | ❌ No | DBIS Secure Portal |

**Crypto.com OTC:** `/api/v1/crypto-com-otc` - Institutional OTC trading (RFQ, deals, settle-later).  
**Exchange Registry:** `/api/v1/exchange` - Multi-exchange price (Binance, Kraken, Oanda, FXCM).  
See [DBIS_CORE_API_REFERENCE.md](../11-references/DBIS_CORE_API_REFERENCE.md).

### MIM4U Services (mim4u.org)

| Domain | Protocol | Target VMID | Target IP | Target Port | WebSocket | Notes |
|--------|----------|-------------|-----------|-------------|-----------|-------|
| `mim4u.org` | HTTP | 7810 | 192.168.11.37 | 80 | ❌ No | MIM4U Main Site (web frontend) |
| `www.mim4u.org` | Redirect | - | - | - | ❌ No | Redirects to mim4u.org |
| `secure.mim4u.org` | HTTP | 7810 | 192.168.11.37 | 80 | ❌ No | MIM4U Secure Portal |
| `training.mim4u.org` | HTTP | 7810 | 192.168.11.37 | 80 | ❌ No | MIM4U Training Portal |

### Sankofa Services (sankofa.nexus)

**NPMplus backends:** See [ALL_VMIDS_ENDPOINTS.md](ALL_VMIDS_ENDPOINTS.md). The Order uses **10210** (HAProxy) in front of the portal.

| Domain | Protocol | Target VMID | Target IP | Target Port | WebSocket | Notes |
|--------|----------|-------------|-----------|-------------|-----------|-------|
| `sankofa.nexus` | HTTP | 7801 | 192.168.11.51 | 3000 | ❌ No | Sankofa Portal |
| `www.sankofa.nexus` | Redirect | - | - | - | ❌ No | Redirects to sankofa.nexus |
| `phoenix.sankofa.nexus` | HTTP | 7800 | 192.168.11.50 | 4000 | ❌ No | Phoenix API |
| `www.phoenix.sankofa.nexus` | Redirect | - | - | - | ❌ No | Redirects to phoenix.sankofa.nexus |
| `the-order.sankofa.nexus` | HTTP | 10210 | 192.168.11.39 | 80 | ❌ No | HAProxy → portal 7801 (192.168.11.51:3000); provision: `scripts/deployment/provision-order-haproxy-10210.sh` |
| `www.the-order.sankofa.nexus` | Redirect | - | - | - | ❌ No | 301 → `https://the-order.sankofa.nexus` (NPM advanced_config) |

---

## NPMplus Configuration Summary

### Proxy Hosts with WebSocket Support

These domains require WebSocket support enabled in NPMplus:

```
rpc-http-pub.d-bis.org     → http://192.168.11.221:8545  (WebSocket: Yes)
rpc-ws-pub.d-bis.org       → ws://192.168.11.221:8546   (WebSocket: Yes)
rpc.d-bis.org              → http://192.168.11.221:8545 (WebSocket: Yes)
rpc2.d-bis.org             → http://192.168.11.221:8545 (WebSocket: Yes)
ws.rpc.d-bis.org           → http://192.168.11.221:8546 (WebSocket: Yes)
ws.rpc2.d-bis.org          → http://192.168.11.221:8546 (WebSocket: Yes)
rpc-http-prv.d-bis.org     → http://192.168.11.211:8545  (WebSocket: Yes)
rpc-core.d-bis.org         → http://192.168.11.211:8545  (WebSocket: Yes)
rpc-ws-prv.d-bis.org       → ws://192.168.11.211:8546   (WebSocket: Yes)
rpc-fireblocks.d-bis.org   → http://192.168.11.232:8545 (WebSocket: Yes) — Fireblocks-dedicated
ws.rpc-fireblocks.d-bis.org → http://192.168.11.232:8546 (WebSocket: Yes) — Fireblocks-dedicated
rpc.public-0138.defi-oracle.io → https://192.168.11.240:443 (WebSocket: Yes)
rpc.defi-oracle.io         → http://192.168.11.221:8545 (WebSocket: Yes)
wss.defi-oracle.io         → http://192.168.11.221:8546 (WebSocket: Yes)
```

### Proxy Hosts without WebSocket

```
explorer.d-bis.org         → http://192.168.11.140:80    (Blockscout web; API: :4000)
Forge Verification Proxy  → http://192.168.11.140:3080   (run locally or on host; for forge verify-contract)
dbis-admin.d-bis.org       → http://192.168.11.130:80
dbis-api.d-bis.org         → http://192.168.11.155:3000
dbis-api-2.d-bis.org       → http://192.168.11.156:3000
secure.d-bis.org           → http://192.168.11.130:80
mim4u.org                  → http://192.168.11.37:80
secure.mim4u.org           → http://192.168.11.37:80
training.mim4u.org         → http://192.168.11.37:80
sankofa.nexus              → http://192.168.11.51:3000
phoenix.sankofa.nexus      → http://192.168.11.50:4000
the-order.sankofa.nexus    → http://192.168.11.39:80 (10210 HAProxy → 192.168.11.51:3000)
www.the-order.sankofa.nexus → 301 apex (NPM)
```

### Redirect Hosts

```
www.mim4u.org              → mim4u.org
www.sankofa.nexus          → sankofa.nexus
www.phoenix.sankofa.nexus  → phoenix.sankofa.nexus
www.the-order.sankofa.nexus → the-order.sankofa.nexus
```

---

## VMID Migration Reference (2026-01-18)

The following old VMIDs have been **destroyed** and replaced:

| Old VMID | Old IP | New VMID | New IP | Purpose |
|----------|--------|----------|--------|---------|
| 2500 | 192.168.11.250 | 2101 | 192.168.11.211 | Core RPC |
| 2501 | 192.168.11.251 | 2201 | 192.168.11.221 | Public RPC |
| 2502 | 192.168.11.252 | 2301 | 192.168.11.232 | Private RPC |
| 2503 | 192.168.11.253 | 2303 | 192.168.11.233 | Ali 0x8a |
| 2504 | 192.168.11.254 | 2304 | 192.168.11.234 | Ali 0x1 |
| 2505 | 192.168.11.201 | 2305 | 192.168.11.235 | Luis 0x8a |
| 2506 | 192.168.11.202 | 2306 | 192.168.11.236 | Luis 0x1 |
| 2507 | 192.168.11.203 | 2307 | 192.168.11.237 | Putu 0x8a |
| 2508 | 192.168.11.204 | 2308 | 192.168.11.238 | Putu 0x1 |

**Important**: Any scripts or configurations referencing the old IPs (192.168.11.250-254, 192.168.11.201-204) must be updated.

Containers 2506, 2507, 2508 were **destroyed 2026-02-08** on all Proxmox hosts. RPC range in use: 2500–2505. IPs .202, .203, .204 freed.

---

## DNS Configuration

**When Option B (RPC via Cloudflare Tunnel) is used:** The 6 RPC HTTP hostnames (rpc-http-pub, rpc, rpc2, rpc-http-prv, rpc.public-0138.defi-oracle.io, rpc.defi-oracle.io) use **CNAME** to &lt;tunnel-id&gt;.cfargotunnel.com (Proxied); they do not use A 76.53.10.36. See [05-network/OPTION_B_RPC_VIA_TUNNEL_RUNBOOK.md](../05-network/OPTION_B_RPC_VIA_TUNNEL_RUNBOOK.md).

**Web/api and RPC WS (direct/Fastly):** All other domains resolve to the public IP `76.53.10.36` (or Fastly CNAME). NPMplus handles SSL termination and routing to internal services.

---

## Network Configuration

### NPMplus Dual-NIC Setup - RESOLVED (2026-01-18)

**Issue**: NPMplus container needed to reach both the UDM Pro gateway (for port forwarding) and the RPC nodes (for backend proxying), but tagged VLAN 11 traffic couldn't reach untagged hosts.

**Root Cause**: UDM Pro treats tagged VLAN 11 and untagged traffic as separate networks.

**Solution**: Dual-NIC configuration with one tagged and one untagged interface.

**NPMplus Container Config** (VMID 10233 on r630-01; NPMplus has .166 and .167; only **.167** is used in UDM Pro port forwarding):
```bash
# eth0: Tagged VLAN 11 - for gateway/external access
net0: name=eth0,bridge=vmbr0,gw=192.168.11.1,hwaddr=BC:24:11:18:1C:5D,ip=192.168.11.166/24,tag=11,type=veth

# eth1: Untagged - for backend RPC access
net1: name=eth1,bridge=vmbr0,hwaddr=BC:24:11:5B:50:D9,ip=192.168.11.167/24,type=veth
```

**Routing Table** (inside container):
```
default via 192.168.11.1 dev eth0 proto static    # External traffic via gateway
192.168.11.0/24 dev eth1 proto kernel scope link  # Local traffic via untagged
192.168.11.0/24 dev eth0 proto kernel scope link  # Backup route
```

**Status**: ✅ **RESOLVED** - All public RPC endpoints working

### Test Commands

```bash
# Test external access
curl -s -X POST https://rpc-http-pub.d-bis.org \
  -H "Content-Type: application/json" \
  -d '{"jsonrpc":"2.0","method":"eth_chainId","params":[],"id":1}'

# Test all endpoints
curl -s https://rpc-http-pub.d-bis.org -H "Content-Type: application/json" \
  -d '{"jsonrpc":"2.0","method":"eth_blockNumber","params":[],"id":1}'
curl -s https://rpc-http-prv.d-bis.org -H "Content-Type: application/json" \
  -d '{"jsonrpc":"2.0","method":"eth_blockNumber","params":[],"id":1}'
curl -s https://rpc.public-0138.defi-oracle.io -H "Content-Type: application/json" \
  -d '{"jsonrpc":"2.0","method":"eth_blockNumber","params":[],"id":1}'
# Fireblocks-dedicated RPC
curl -s -X POST https://rpc-fireblocks.d-bis.org -H "Content-Type: application/json" \
  -d '{"jsonrpc":"2.0","method":"eth_chainId","params":[],"id":1}'
```

### Cloudflare DNS Records

*(When Option B is used, the 6 RPC HTTP domains below use CNAME to tunnel; otherwise A 76.53.10.36.)*

| Domain | Type | Value | Proxy |
|--------|------|-------|-------|
| `rpc-http-pub.d-bis.org` | A or CNAME | 76.53.10.36 or tunnel | ✅ Proxied |
| `rpc.d-bis.org` | A or CNAME | 76.53.10.36 or tunnel | ✅ Proxied |
| `rpc2.d-bis.org` | A or CNAME | 76.53.10.36 or tunnel | ✅ Proxied |
| `rpc-ws-pub.d-bis.org` | A | 76.53.10.36 | ✅ Proxied |
| `rpc-http-prv.d-bis.org` | A or CNAME | 76.53.10.36 or tunnel | ✅ Proxied |
| `rpc-ws-prv.d-bis.org` | A | 76.53.10.36 | ✅ Proxied |
| `rpc-fireblocks.d-bis.org` | A or CNAME | 76.53.10.36 or tunnel | ✅ Proxied |
| `ws.rpc-fireblocks.d-bis.org` | A | 76.53.10.36 | ✅ Proxied |
| `explorer.d-bis.org` | A | 76.53.10.36 | ✅ Proxied |
| `dbis-admin.d-bis.org` | A | 76.53.10.36 | ✅ Proxied |
| `dbis-api.d-bis.org` | A | 76.53.10.36 | ✅ Proxied |
| `dbis-api-2.d-bis.org` | A | 76.53.10.36 | ✅ Proxied |
| `secure.d-bis.org` | A | 76.53.10.36 | ✅ Proxied |
| `rpc.public-0138.defi-oracle.io` | A or CNAME | 76.53.10.36 or tunnel | ✅ Proxied |
| `rpc.defi-oracle.io` | A or CNAME | 76.53.10.36 or tunnel | ✅ Proxied |
| `wss.defi-oracle.io` | A | 76.53.10.36 | ✅ Proxied |

---

## Verification Commands

### Test All RPC Nodes (Internal)

```bash
for ip in 192.168.11.211 192.168.11.221 192.168.11.233 192.168.11.234 192.168.11.235 192.168.11.236 192.168.11.237 192.168.11.238 192.168.11.240 192.168.11.241 192.168.11.242 192.168.11.243; do
  curl -s -X POST -H "Content-Type: application/json" \
    --data '{"jsonrpc":"2.0","method":"eth_blockNumber","params":[],"id":1}' \
    http://$ip:8545 | grep -q "result" && echo "✓ $ip" || echo "✗ $ip"
done
```

### Test Public RPC Domains

```bash
# HTTP RPC
curl -s -X POST https://rpc-http-pub.d-bis.org \
  -H 'Content-Type: application/json' \
  -d '{"jsonrpc":"2.0","method":"eth_chainId","params":[],"id":1}'

# WebSocket RPC (requires wscat)
wscat -c wss://rpc-ws-pub.d-bis.org

# ThirdWeb RPC
curl -s -X POST https://rpc.public-0138.defi-oracle.io \
  -H 'Content-Type: application/json' \
  -d '{"jsonrpc":"2.0","method":"eth_chainId","params":[],"id":1}'
```

### Test DNS Resolution

```bash
for domain in rpc-http-pub.d-bis.org rpc-ws-pub.d-bis.org rpc-http-prv.d-bis.org rpc-ws-prv.d-bis.org rpc.public-0138.defi-oracle.io rpc.defi-oracle.io wss.defi-oracle.io; do
  echo -n "$domain: "
  dig +short $domain
done
```

---

## Related Documentation

- [PUBLIC_RPC_CHAIN138_LEDGER.md](./PUBLIC_RPC_CHAIN138_LEDGER.md) - Public RPCs for ChainID 138, NPMplus→VM mapping, Ledger App-Ethereum
- [ALL_VMIDS_ENDPOINTS.md](./ALL_VMIDS_ENDPOINTS.md) - Complete VMID reference
- [NPMPLUS_COMPLETE_SETUP_SUMMARY.md](./NPMPLUS_COMPLETE_SETUP_SUMMARY.md) - NPMplus setup
- [NPMPLUS_CORRECT_CONFIGURATION.md](./NPMPLUS_CORRECT_CONFIGURATION.md) - NPMplus domain config
- [NGINX_CONFIGURATIONS_VMIDS_2400-2508.md](./NGINX_CONFIGURATIONS_VMIDS_2400-2508.md) - Nginx configs
- [../05-network/RPC_NODE_TYPES_ARCHITECTURE.md](../05-network/RPC_NODE_TYPES_ARCHITECTURE.md) - Architecture

---

---

## Change Log

### 2026-01-18
- Created master RPC endpoints document
- Updated NPMplus proxy hosts with new IP addresses:
  - `rpc-http-pub.d-bis.org` → 192.168.11.221:8545 (was 192.168.11.252:443)
  - `rpc-ws-pub.d-bis.org` → 192.168.11.221:8546 (was 192.168.11.252:443)
  - `rpc-http-prv.d-bis.org` → 192.168.11.211:8545 (was 192.168.11.251:443)
  - `rpc-ws-prv.d-bis.org` → 192.168.11.211:8546 (was 192.168.11.251:443)
  - `rpc.public-0138.defi-oracle.io` → 192.168.11.240:443 (was 192.168.11.252:443)
- Fixed NPMplus network connectivity by removing VLAN tag
- Updated `configure-npmplus-domains.js` with new IP addresses

---

**Last Updated**: 2026-01-18  
**Maintained By**: Infrastructure Team