this post was submitted on 13 Aug 2023
32 points (97.1% liked)

Selfhosted

39964 readers
265 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago
MODERATORS
 

Hi,

I wanted to forward the port to my Traefik install on my TrueNAS server. Unfortunately I have now learned that my ISP restricts the range of ports that I can open externally to 12396-12415, so internally I can open port 443 to port 12400 externally. So far so good, but how do I point my Cloudflare DNS record to this port?

My router is a Fritzbox 7530 if that's relevant.

top 19 comments
sorted by: hot top controversial new old
[–] SpaceCadet@sopuli.xyz 11 points 1 year ago* (last edited 1 year ago) (2 children)

DNS doesn't deal with ports, it resolves hostnames to IP addresses and that's it.

What you probably need is some kind of reverse proxy that sits outside of your network, listens on port 443 and then directs it to your home IP address on port 12400.

[–] preciouspupp@sopuli.xyz 2 points 1 year ago (1 children)

The first sentence is not really true though.

[–] SpaceCadet@sopuli.xyz 5 points 1 year ago* (last edited 1 year ago) (1 children)

If you really want to get anal about it, yes I know there things like CNAME, PTR and MX records too but that's outside of the scope of this discussion.

DNS doesn't deal with ports, there's no way to say: homelab.example.com should point to IP address 1.2.3.4 and port 12400.

[–] equinox@lemmy.blahaj.zone 2 points 1 year ago (1 children)

DNS can deal with ports.

You can use a SRV record to specify the port for applications (not browsers) that support it.

[–] brygphilomena@lemmy.world 10 points 1 year ago (1 children)

For the discussions regarding OPs web server they want externally accessible, no DNS does not do ports.

For other applications there are SRV records, but that's beyond the scope of the original question. It sounds like u/spacecadet didn't want to confuse OP, and while SRV can assist certain applications with ports, pointing it out here isnt helpful.

[–] equinox@lemmy.blahaj.zone -3 points 1 year ago (1 children)

Sure, it's not helpful, but just because something is out of scope for the original question doesn't mean you can reiterate objectively false statements.

They probably should have worded it like you did in your first sentence.

[–] brygphilomena@lemmy.world 5 points 1 year ago (1 children)

That's just a "well, actually..." response.

Saying it doesn't do ports is basically just giving the eli5 help the people who are confused usually need. 9/10 the people asking for help are asking about a records or cname records. They want basic DNS help.

When DNS is tought to laymen it's just translation of a name to an IP, we don't get into the weeds of rfc xxxx also has DNS provide the configuration of the listening service so the application knows how to communicate. Sometimes it's best just to lay out the foundation so they can build on that knowledge later.

[–] equinox@lemmy.blahaj.zone 3 points 1 year ago (1 children)

OP already got "basic dns help" in the top-level responses.
Please build that foundation you mentioned out of correct information.

I only take issue with short and wrong general statements where there is really no need to double down on them.
I have no intent to reply any further.

[–] preciouspupp@sopuli.xyz 2 points 1 year ago

I agree, people come here to learn. Don’t gatekeep information.

[–] Demigodrick@lemmy.zip 1 points 1 year ago (1 children)

I'd say Nginx Proxy Manager is the easiest reverse proxy I've used.

[–] SpaceCadet@sopuli.xyz 3 points 1 year ago

Sure, but the point is not so much about which one to use but that the terminating point listening on 443 should sit outside of his network.

So he will either need a cloud service, or accept that he will have to add :12400 to his URLs.

[–] chiisana@lemmy.chiisana.net 5 points 1 year ago (1 children)

You'd need more than their DNS, as DNS cannot forward ports for you (and before anyone mention SRV records, no, it just tells supported applications which port to use; it does not and cannot externally reassign the port used).

I believe the tool for the job here is the Zero Trust Tunnel; in the Dashboard, on the left, look for Zero Trust, and then on the new dashboard, go Access > Tunnels to setup the tunnel. Documentations are here: https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/

[–] Tywele@lemmy.dbzer0.com 1 points 1 year ago (2 children)

Currently I am using Cloudflare Tunnel to access my server remotely. But with this I'm always accessing my server through the tunnel even when I'm at home.

[–] chiisana@lemmy.chiisana.net 1 points 1 year ago (1 children)

If that is a concern (I don’t see much of an issue, but everyone’s got different requirements, so no judgment here at all), then you’d probably want to setup a recursive DNS server inside your network, configure that DNS server to resolve those internal services to your intranet IP address, when it cannot resolve, it recurses to a public one (ie ISP, CloudFlare, quad 9, Google etc). Then, change your network’s DNS to that internal one, so when you’re on your network, you get internal IP address while off network you get CloudFlare tunnel routing.

[–] Tywele@lemmy.dbzer0.com 1 points 1 year ago

I think I got it working now. The last time I tried I couldn't get it to work.

[–] uninvitedguest@lemmy.ca 1 points 1 year ago

I don't have your specific port issue, but it sounds like the setup I have would get around your ISP port restrictions as use CloudFlare tunnels externally, LAN internally, and no ports open.

https://lemmy.ca/post/2804502

[–] Noah@lemmy.federated.club 4 points 1 year ago* (last edited 1 year ago)

You can create a transform rule (iirc, might be one of the other rules, can’t check right now) that changes the destination port as long as you’re using Cloudflare’s proxy, no need for stuff like srv records.

edit; alternatively you can use cloudflare’s tunnels feature if forwarding doesn’t work

[–] brygphilomena@lemmy.world 2 points 1 year ago* (last edited 1 year ago)

You need either a reverse proxy running on a vps or something outside your network or a tunnel to your server from something cloudflare that can do the proxy for you without opening any ports.

A reverse proxy will be the public server that relays traffic from the standard ports (80, 443) and then fetches the content from your server on whatever port it has open and then returns it to whatever user requested the page.

Cloudflares tunnel can do the same, but without the need to either open a port nor manage an additional web server. However it needs to be running inside your network to facilitate that connection.

You mentioned already having a cloudflare tunnel that you are using, so I'd stick with that. If you want to not access it over the tunnel and use a fully qualified URL, you will need to host DNS internally with the internal IP address (or use hosts files) while keeping the public DNS entry on cloudflare configured with their tunnel.

Or u-turn nat. You could always do u-turn nat.

[–] fraydabson@sopuli.xyz 2 points 1 year ago

I just went through a lot of confusion setting up caddy. In the end it was user error and I got it all working. It’s still fresh in my memory if you still need help after this.