proxmox/docs/11-references/76.53.10.34_CONNECTION_EXPLANATION.md

# 76.53.10.34:8545 Connection Refused - Explanation

**Last Updated:** 2026-01-31  
**Document Version:** 1.0  
**Status:** Active Documentation

---

**Date**: 2026-01-04  
**Issue**: Connection to `76.53.10.34:8545` is being refused  
**Status**: ✅ **EXPECTED BEHAVIOR** (This is not an error)

**Note:** ER605 was replaced by the UDM Pro; UDM Pro edge IP is 76.53.10.34. Port forwarding: 76.53.10.36:80/443 → 192.168.11.167:80/443 (NPMplus). NPMplus LXC has 192.168.11.166 and .167; only .167 is used in UDM Pro.

---

## 🔍 Why Connection is Refused

### IP Address Identity

**`76.53.10.34`** is the **ER605 router's WAN IP address**, not an RPC service endpoint.

- **Device**: TP-Link ER605 v2.20 (er605-1)
- **Role**: Primary Edge Router (WAN interface)
- **Network**: Public WAN IP (Block #1: 76.53.10.32/28)
- **Gateway**: 76.53.10.33

### Why Port 8545 is Not Available

1. **Router Functionality**: Routers forward traffic, they don't host services on port 8545
2. **No RPC Service**: The ER605 router does not run a blockchain RPC service
3. **Port Not Forwarded**: Even if an RPC service existed internally, port 8545 is not forwarded from the router's WAN interface to any internal service

---

## ✅ Correct RPC Endpoints

### Internal Network RPC Endpoints

These are accessible from within the internal network (192.168.11.0/24):

| VMID | IP Address | Port | Service | Purpose |
|------|------------|------|---------|---------|
| 2500 | 192.168.11.250 | 8545 | Besu HTTP RPC | Primary RPC node |
| 2500 | 192.168.11.250 | 8546 | Besu WebSocket RPC | Primary RPC node (WS) |
| 2501 | 192.168.11.251 | 8545 | Besu HTTP RPC | Permissioned RPC node |
| 2502 | 192.168.11.252 | 8545 | Besu HTTP RPC | Public RPC node |

**Example Internal Access**:
```bash
# From internal network
curl -X POST http://192.168.11.250:8545 \
  -H "Content-Type: application/json" \
  -d '{"jsonrpc":"2.0","method":"eth_chainId","params":[],"id":1}'
```

### Public RPC Endpoints

These are accessible from the public internet via Cloudflare:

| Domain | Type | Authentication | Routing |
|--------|------|----------------|---------|
| `https://rpc-http-pub.d-bis.org` | HTTP RPC | ❌ No Auth | Cloudflare → Tunnel → VMID 2502 |
| `https://rpc-ws-pub.d-bis.org` | WebSocket RPC | ❌ No Auth | Cloudflare → Tunnel → VMID 2502 |
| `https://rpc-http-prv.d-bis.org` | HTTP RPC | ✅ JWT Required | Cloudflare → Tunnel → VMID 2501 |
| `https://rpc-ws-prv.d-bis.org` | WebSocket RPC | ✅ JWT Required | Cloudflare → Tunnel → VMID 2501 |

**Example Public Access**:
```bash
# Public endpoint (no authentication)
curl -X POST https://rpc-http-pub.d-bis.org \
  -H "Content-Type: application/json" \
  -d '{"jsonrpc":"2.0","method":"eth_chainId","params":[],"id":1}'
```

---

## 🌐 Network Architecture

### Request Flow for Public RPC Access

```
Internet Client
    ↓
Cloudflare DNS (rpc-http-pub.d-bis.org)
    ↓
Cloudflare Edge (SSL Termination, DDoS Protection)
    ↓
Cloudflared Tunnel (VMID 102: 192.168.11.9)
    ↓
Nginx Proxy (VMID 2502: 192.168.11.252:443)
    ↓
Besu RPC Service (VMID 2502: 192.168.11.252:8545)
```

**Important**: Traffic does NOT go through the router's WAN IP (`76.53.10.34`) for RPC services. It goes through Cloudflare Tunnel, which bypasses the router's WAN interface.

### Why Router WAN IP is Not Used

1. **Cloudflare Tunnel**: Public services use Cloudflare Tunnel (VMID 102) which creates an encrypted connection directly from Cloudflare to internal services
2. **No Port Forwarding Needed**: Tunnel bypasses the need for port forwarding on the router
3. **Security**: Tunnel provides better security than exposing ports directly on the router's WAN interface
4. **DDoS Protection**: Cloudflare provides DDoS protection before traffic reaches internal network

---

## 🔧 If You Need to Access RPC from External Network

### Option 1: Use Public Endpoints (Recommended)

Use the public domain names that route through Cloudflare:

```bash
# Public RPC (no authentication)
curl -X POST https://rpc-http-pub.d-bis.org \
  -H "Content-Type: application/json" \
  -d '{"jsonrpc":"2.0","method":"eth_chainId","params":[],"id":1}'
```

**Response**:
```json
{
  "jsonrpc": "2.0",
  "id": 1,
  "result": "0x8a"
}
```

### Option 2: Connect to Internal Network First

If you're on the internal network (192.168.11.0/24), use internal IPs:

```bash
curl -X POST http://192.168.11.250:8545 \
  -H "Content-Type: application/json" \
  -d '{"jsonrpc":"2.0","method":"eth_chainId","params":[],"id":1}'
```

### Option 3: VPN Access (If Available)

If VPN access is configured, connect to VPN first, then use internal IPs.

---

## 📋 Summary

| Item | Value |
|------|-------|
| **76.53.10.34** | ER605 Router WAN IP (not an RPC service) |
| **Connection Refused** | ✅ Expected (router doesn't host RPC service) |
| **Internal RPC** | `192.168.11.250:8545` (and other RPC nodes) |
| **Public RPC** | `https://rpc-http-pub.d-bis.org` (via Cloudflare) |
| **Router Role** | Network routing only, not service hosting |

---

## ✅ Conclusion

**The connection refusal is expected and correct behavior.**

- `76.53.10.34` is a router, not an RPC service
- Use internal IPs for internal access: `192.168.11.250:8545`
- Use public domains for external access: `https://rpc-http-pub.d-bis.org`
- Router WAN IP is not used for RPC service routing

---

**Last Updated**: 2026-01-04  
**Status**: ✅ **EXPECTED BEHAVIOR - NOT AN ERROR**