Hi,

I wanted to forward the port to my Traefik install on my TrueNAS server. Unfortunately I have now learned that my ISP restricts the range of ports that I can open externally to 12396-12415, so internally I can open port 443 to port 12400 externally. So far so good, but how do I point my Cloudflare DNS record to this port?

My router is a Fritzbox 7530 if that’s relevant.

  • SpaceCadet@sopuli.xyz
    link
    fedilink
    English
    arrow-up
    11
    ·
    edit-2
    1 year ago

    DNS doesn’t deal with ports, it resolves hostnames to IP addresses and that’s it.

    What you probably need is some kind of reverse proxy that sits outside of your network, listens on port 443 and then directs it to your home IP address on port 12400.

      • SpaceCadet@sopuli.xyz
        link
        fedilink
        English
        arrow-up
        5
        ·
        edit-2
        1 year ago

        If you really want to get anal about it, yes I know there things like CNAME, PTR and MX records too but that’s outside of the scope of this discussion.

        DNS doesn’t deal with ports, there’s no way to say: homelab.example.com should point to IP address 1.2.3.4 and port 12400.

        • Equinox
          link
          fedilink
          English
          arrow-up
          4
          ·
          1 year ago

          DNS can deal with ports.

          You can use a SRV record to specify the port for applications (not browsers) that support it.

          • brygphilomena@lemmy.world
            link
            fedilink
            English
            arrow-up
            10
            ·
            1 year ago

            For the discussions regarding OPs web server they want externally accessible, no DNS does not do ports.

            For other applications there are SRV records, but that’s beyond the scope of the original question. It sounds like u/spacecadet didn’t want to confuse OP, and while SRV can assist certain applications with ports, pointing it out here isnt helpful.

            • Equinox
              link
              fedilink
              English
              arrow-up
              2
              ·
              1 year ago

              Sure, it’s not helpful, but just because something is out of scope for the original question doesn’t mean you can reiterate objectively false statements.

              They probably should have worded it like you did in your first sentence.

              • brygphilomena@lemmy.world
                link
                fedilink
                English
                arrow-up
                5
                ·
                1 year ago

                That’s just a “well, actually…” response.

                Saying it doesn’t do ports is basically just giving the eli5 help the people who are confused usually need. 9/10 the people asking for help are asking about a records or cname records. They want basic DNS help.

                When DNS is tought to laymen it’s just translation of a name to an IP, we don’t get into the weeds of rfc xxxx also has DNS provide the configuration of the listening service so the application knows how to communicate. Sometimes it’s best just to lay out the foundation so they can build on that knowledge later.

                • Equinox
                  link
                  fedilink
                  English
                  arrow-up
                  3
                  ·
                  1 year ago

                  OP already got “basic dns help” in the top-level responses.
                  Please build that foundation you mentioned out of correct information.

                  I only take issue with short and wrong general statements where there is really no need to double down on them.
                  I have no intent to reply any further.

      • SpaceCadet@sopuli.xyz
        link
        fedilink
        English
        arrow-up
        3
        ·
        1 year ago

        Sure, but the point is not so much about which one to use but that the terminating point listening on 443 should sit outside of his network.

        So he will either need a cloud service, or accept that he will have to add :12400 to his URLs.

  • chiisana@lemmy.chiisana.net
    link
    fedilink
    English
    arrow-up
    5
    ·
    1 year ago

    You’d need more than their DNS, as DNS cannot forward ports for you (and before anyone mention SRV records, no, it just tells supported applications which port to use; it does not and cannot externally reassign the port used).

    I believe the tool for the job here is the Zero Trust Tunnel; in the Dashboard, on the left, look for Zero Trust, and then on the new dashboard, go Access > Tunnels to setup the tunnel. Documentations are here: https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/

    • Tywèle [she|her]@lemmy.dbzer0.comOP
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      Currently I am using Cloudflare Tunnel to access my server remotely. But with this I’m always accessing my server through the tunnel even when I’m at home.

      • chiisana@lemmy.chiisana.net
        link
        fedilink
        English
        arrow-up
        1
        ·
        1 year ago

        If that is a concern (I don’t see much of an issue, but everyone’s got different requirements, so no judgment here at all), then you’d probably want to setup a recursive DNS server inside your network, configure that DNS server to resolve those internal services to your intranet IP address, when it cannot resolve, it recurses to a public one (ie ISP, CloudFlare, quad 9, Google etc). Then, change your network’s DNS to that internal one, so when you’re on your network, you get internal IP address while off network you get CloudFlare tunnel routing.

      • MangoPenguin
        link
        fedilink
        English
        arrow-up
        1
        ·
        1 year ago

        The solution is split horizon DNS, when at home your local DNS server should be set up to return the local IP of the server instead.

  • Noah@lemmy.federated.club
    link
    fedilink
    English
    arrow-up
    4
    ·
    edit-2
    1 year ago

    You can create a transform rule (iirc, might be one of the other rules, can’t check right now) that changes the destination port as long as you’re using Cloudflare’s proxy, no need for stuff like srv records.

    edit; alternatively you can use cloudflare’s tunnels feature if forwarding doesn’t work

  • brygphilomena@lemmy.world
    link
    fedilink
    English
    arrow-up
    2
    ·
    edit-2
    1 year ago

    You need either a reverse proxy running on a vps or something outside your network or a tunnel to your server from something cloudflare that can do the proxy for you without opening any ports.

    A reverse proxy will be the public server that relays traffic from the standard ports (80, 443) and then fetches the content from your server on whatever port it has open and then returns it to whatever user requested the page.

    Cloudflares tunnel can do the same, but without the need to either open a port nor manage an additional web server. However it needs to be running inside your network to facilitate that connection.

    You mentioned already having a cloudflare tunnel that you are using, so I’d stick with that. If you want to not access it over the tunnel and use a fully qualified URL, you will need to host DNS internally with the internal IP address (or use hosts files) while keeping the public DNS entry on cloudflare configured with their tunnel.

    Or u-turn nat. You could always do u-turn nat.

  • fraydabson@sopuli.xyz
    link
    fedilink
    English
    arrow-up
    2
    ·
    1 year ago

    I just went through a lot of confusion setting up caddy. In the end it was user error and I got it all working. It’s still fresh in my memory if you still need help after this.