Current versions of Beacon Kit and Bera-Reth are listed here.

Peering

If you are running in a containerized environment, ensure that both Beacon Kit and your execution client advertise their real network address and that inbound traffic is directed into the container. Neither the CL nor the EL should have static or persistent peers set up, unless they are for your internal network or business partners you want permanent connections to. Review the following sections for specific peering advice for Beacon Kit and Bera-Reth.

Beacon Kit (beacond)

The diagnosis script inspects beacond only. It does not check Bera-Reth, JWT paths, or EL peering.
/path/to/node-diagnostic.sh -d /var/beacond/ -p /opt/bin/beacond
Use your Beacon Kit home (the directory with config/ and data/ inside it) and your beacond binary. Attach the full output when asking for support.

Consensus-layer peering

| Topic | Action |
| --- | --- |
| Firewall | Open TCP 26656 to the internet (or publish correctly through your load balancer / host networking). |
| p2p.external_address | Set in config.toml to the routable IP and port peers should dial. Required behind NAT or in containers; without it beacond advertises an internal address. |
| Bootnodes | beacond uses the seed list in config.toml. Confirm you are on a current release with the recommended list. |
| Peer limits | 40 inbound + 10 outbound is recommended to cap memory use. |

max_num_inbound_peers = 40
max_num_outbound_peers = 10

Bera-Reth

Execution-layer peering

The execution layer needs excellent peering so transactions reach your validator for block sealing. Open TCP and UDP on the devp2p port (default 30303).

| Topic | Action |
| --- | --- |
| --bootnodes | Build from one current mainnet el-bootnodes.txt or Bepolia. Do not merge legacy files or paste third-party enode:// lines. Prefer an env var (BOOTNODES) and --bootnodes "$BOOTNODES". |
| --nat extip: | Required on cloud or NAT hosts without UPnP (example: --nat extip:203.0.113.50). Value must be the IPv4 peers dial. |
| --trusted-peers | Omit unless you need a private mesh. Never duplicate public bootnodes here. |

Reth flags you need

Minimal example: only the flags you really should set. It relies on secure and reasonable Bera-Reth defaults (see the table below). Replace PUBLIC_IPv4 with your node’s external address.
bera-reth node \
  --chain /srv/bera/reth/genesis.json \
  --datadir /srv/bera/reth/data \
  --full \
  --authrpc.jwtsecret /srv/bera/beacond/config/jwt.hex \
  --log.file.directory /var/log/bera-reth \
  --metrics 127.0.0.1:9090 \
  --nat extip:PUBLIC_IPv4 \
  --engine.persistence-threshold 0
Full example: every flag stated explicitly, useful when you need non-default ports or want a self-documenting unit file.
bera-reth node \
  --chain /srv/bera/reth/genesis.json \
  --datadir /srv/bera/reth/data \
  --full \
  --port 30303 \
  --discovery.port 30303 \
  --http \
  --http.addr 127.0.0.1 \
  --http.port 8545 \
  --ipcpath /tmp/reth.ipc \
  --authrpc.addr 127.0.0.1 \
  --authrpc.port 8551 \
  --authrpc.jwtsecret /srv/bera/beacond/config/jwt.hex \
  --log.file.directory /var/log/bera-reth \
  --metrics 127.0.0.1:9090 \
  --nat extip:PUBLIC_IPv4
If a flag’s default already matches your deployment, omit it. Shorter unit files are easier to audit and less likely to drift from upstream changes:

| Flag(s) | Default | Verify |
| --- | --- | --- |
| --chain | mainnet | Must point at the EL genesis JSON for this network. Always set explicitly. |
| --datadir | OS data dir | Must point at the datadir you initialized. Always set explicitly. |
| --full | off (archive) | Set for pruned / non-archive validators. Omit only for a deliberate full-archive EL. |
| --port | 30303 | Omit if 30303 is fine. Open TCP+UDP at the firewall. |
| --discovery.port | same as --port | Omit unless you split discovery to a different UDP port. |
| --http | off | Set to enable HTTP JSON-RPC. |
| --http.addr | 127.0.0.1 | Default is safe. Only change if providing RPC service internally or externally. |
| --http.port | 8545 | Omit if 8545 is fine. |
| --ipcpath | /tmp/reth.ipc | Change when running multiple Reth instances. |
| --authrpc.addr | 127.0.0.1 | Default is safe. Do not change unless you are splitting beacon and reth machines. |
| --authrpc.port | 8551 | Must match Beacon Kit rpc-dial-url. Omit if 8551 matches. |
| --authrpc.jwtsecret | none | Always set. Must be the same JWT file beacond uses. |
| --log.file.directory | OS cache dir | Set to a path you manage with logrotate (or equivalent). Default buries logs in a platform cache directory. |
| --metrics | off | Set to an interface and port that Prometheus can scrape. Do not expose publicly. See Monitoring. |
| --nat | any (UPnP) | Set extip: on cloud/NAT hosts where UPnP does not work. Value must be the routable IPv4. |
| --engine.persistence-threshold | 2 | Set 0 for Beacon Kit alignment. |
| --engine.memory-block-buffer-target | 0 | Already correct. Omit or set explicitly for clarity. |

Reth flags you may not need

| Optional flag | When to add |
| --- | --- |
| --bootnodes | Bera-Reth bakes in our recommended defaults. |
| --trusted-peers | Omit unless you have a private mesh among multiple nodes you operate. |
| --ws | Omit unless a local consumer needs WebSocket RPC. |
| --http.corsdomain '*' | Only when you accept browser callers from any domain. |
| --http.api | Default is secure and reasonable. Only override if you need to. Never put admin or debug on a publicly-reachable RPC. |
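
The flag guidance in the tables above, together with the routable-address rule that applies equally to beacond's p2p.external_address in the consensus-layer section, can be checked mechanically before a unit file is deployed. The script below is an added example, not Berachain tooling or code from the original page; the names scope, parse_flags, audit_advertised and audit_reth are hypothetical and the sample command line is constructed.

```python
import ipaddress
import shlex

# RFC 1918, CGNAT and link-local ranges: peers on the internet cannot dial these.
PRIVATE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10", "169.254.0.0/16")]

def scope(host):
    """Classify an address: loopback, any (0.0.0.0 or ::), private, public or invalid."""
    try:
        ip = ipaddress.ip_address("127.0.0.1" if host == "localhost" else host)
    except ValueError:
        return "invalid"
    if ip.is_loopback or ip.is_unspecified:
        return "loopback" if ip.is_loopback else "any"
    return "private" if any(ip in net for net in PRIVATE) else "public"

def parse_flags(cmdline):
    """Map each --flag to its value (True for bare switches such as --http)."""
    words = shlex.split(cmdline.replace("\\\n", " "))  # join shell line continuations
    toks = [p for w in words for p in (w.split("=", 1) if w.startswith("--") else [w])]
    return {t: (True if n.startswith("--") else n)
            for t, n in zip(toks, toks[1:] + ["--"]) if t.startswith("--")}

def audit_advertised(name, host):
    """Rule shared by --nat extip: and the host part of beacond's p2p.external_address."""
    ok = scope(host) == "public" and ":" not in host  # an IPv4 that peers can dial
    return [] if ok else [f"{name} {host!r} is not a routable IPv4 address"]

def audit_reth(cmdline):
    """Findings for a bera-reth command line; an empty list means nothing to review."""
    f = parse_flags(cmdline)
    exposed = [a for a in ("--http.addr", "--authrpc.addr")
               if scope(str(f.get(a, "127.0.0.1"))) != "loopback"]
    out = [f"{a} {f[a]} listens beyond loopback" for a in exposed]
    if not isinstance(f.get("--authrpc.jwtsecret"), str):
        out.append("--authrpc.jwtsecret is not set")
    if scope(str(f.get("--metrics", "127.0.0.1")).rsplit(":", 1)[0]) not in ("loopback", "private"):
        out.append(f"--metrics {f['--metrics']} may be publicly reachable")
    if "--http.addr" in exposed and {"admin", "debug"} & set(str(f.get("--http.api", "")).split(",")):
        out.append("--http.api offers admin or debug on a non-loopback listener")
    if f.get("--http.corsdomain") == "*":
        out.append("--http.corsdomain '*' accepts browser callers from any domain")
    nat = str(f.get("--nat", ""))
    return out + (audit_advertised("--nat extip", nat[6:]) if nat.startswith("extip:") else [])

# Constructed sample: the page's minimal example with the placeholder left unreplaced.
SAMPLE = "bera-reth node --authrpc.jwtsecret /srv/bera/beacond/config/jwt.hex --nat extip:PUBLIC_IPv4"
print(audit_reth(SAMPLE))
```

A non-loopback --authrpc.addr or --http.addr is reported for review rather than treated as an error, since the table allows both for split-machine or RPC-serving deployments.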

Set your validator name and logo on the Hub

Validators should identify themselves so ops can reach you. Send a PR to Validator Metadata, then ping #node-support on Discord so we can let you into dedicated validator support channels.

Operational hygiene

See Monitoring for full Prometheus and Grafana setup.