Need help with port forwarding and Cloudflare DNS records

Tywele@lemmy.dbzer0.com to Selfhosted@lemmy.world – 32 points –

Hi,

I wanted to forward the port to my Traefik install on my TrueNAS server. Unfortunately I have now learned that my ISP restricts the range of ports that I can open externally to 12396-12415, so internally I can open port 443 to port 12400 externally. So far so good, but how do I point my Cloudflare DNS record to this port?

My router is a Fritzbox 7530 if that's relevant.

19

DNS doesn't deal with ports, it resolves hostnames to IP addresses and that's it.

What you probably need is some kind of reverse proxy that sits outside of your network, listens on port 443 and then directs it to your home IP address on port 12400.

The first sentence is not really true though.

If you really want to get anal about it, yes I know there things like CNAME, PTR and MX records too but that's outside of the scope of this discussion.

DNS doesn't deal with ports, there's no way to say: homelab.example.com should point to IP address 1.2.3.4 and port 12400.

DNS can deal with ports.

You can use a SRV record to specify the port for applications (not browsers) that support it.

For the discussions regarding OPs web server they want externally accessible, no DNS does not do ports.

For other applications there are SRV records, but that's beyond the scope of the original question. It sounds like u/spacecadet didn't want to confuse OP, and while SRV can assist certain applications with ports, pointing it out here isnt helpful.

Sure, it's not helpful, but just because something is out of scope for the original question doesn't mean you can reiterate objectively false statements.

They probably should have worded it like you did in your first sentence.

That's just a "well, actually..." response.

Saying it doesn't do ports is basically just giving the eli5 help the people who are confused usually need. 9/10 the people asking for help are asking about a records or cname records. They want basic DNS help.

When DNS is tought to laymen it's just translation of a name to an IP, we don't get into the weeds of rfc xxxx also has DNS provide the configuration of the listening service so the application knows how to communicate. Sometimes it's best just to lay out the foundation so they can build on that knowledge later.

OP already got "basic dns help" in the top-level responses.
Please build that foundation you mentioned out of correct information.

I only take issue with short and wrong general statements where there is really no need to double down on them.
I have no intent to reply any further.

I agree, people come here to learn. Don’t gatekeep information.

I'd say Nginx Proxy Manager is the easiest reverse proxy I've used.

Sure, but the point is not so much about which one to use but that the terminating point listening on 443 should sit outside of his network.

So he will either need a cloud service, or accept that he will have to add :12400 to his URLs.

You'd need more than their DNS, as DNS cannot forward ports for you (and before anyone mention SRV records, no, it just tells supported applications which port to use; it does not and cannot externally reassign the port used).

I believe the tool for the job here is the Zero Trust Tunnel; in the Dashboard, on the left, look for Zero Trust, and then on the new dashboard, go Access > Tunnels to setup the tunnel. Documentations are here: https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/

Currently I am using Cloudflare Tunnel to access my server remotely. But with this I'm always accessing my server through the tunnel even when I'm at home.

I don't have your specific port issue, but it sounds like the setup I have would get around your ISP port restrictions as use CloudFlare tunnels externally, LAN internally, and no ports open.

https://lemmy.ca/post/2804502

If that is a concern (I don’t see much of an issue, but everyone’s got different requirements, so no judgment here at all), then you’d probably want to setup a recursive DNS server inside your network, configure that DNS server to resolve those internal services to your intranet IP address, when it cannot resolve, it recurses to a public one (ie ISP, CloudFlare, quad 9, Google etc). Then, change your network’s DNS to that internal one, so when you’re on your network, you get internal IP address while off network you get CloudFlare tunnel routing.

I think I got it working now. The last time I tried I couldn't get it to work.

You can create a transform rule (iirc, might be one of the other rules, can’t check right now) that changes the destination port as long as you’re using Cloudflare’s proxy, no need for stuff like srv records.

edit; alternatively you can use cloudflare’s tunnels feature if forwarding doesn’t work

I just went through a lot of confusion setting up caddy. In the end it was user error and I got it all working. It’s still fresh in my memory if you still need help after this.

You need either a reverse proxy running on a vps or something outside your network or a tunnel to your server from something cloudflare that can do the proxy for you without opening any ports.

A reverse proxy will be the public server that relays traffic from the standard ports (80, 443) and then fetches the content from your server on whatever port it has open and then returns it to whatever user requested the page.

Cloudflares tunnel can do the same, but without the need to either open a port nor manage an additional web server. However it needs to be running inside your network to facilitate that connection.

You mentioned already having a cloudflare tunnel that you are using, so I'd stick with that. If you want to not access it over the tunnel and use a fully qualified URL, you will need to host DNS internally with the internal IP address (or use hosts files) while keeping the public DNS entry on cloudflare configured with their tunnel.

Or u-turn nat. You could always do u-turn nat.