This is the **authoritative reference** for public edge routing. **Web/api:** **Fastly** (Option A) or **DNS direct to 76.53.10.36** (Option C) → UDM Pro → NPMplus. **RPC (6 hostnames):** **Option B**, Cloudflare Tunnel (cloudflared) → NPMplus https://192.168.11.167:443; DNS for those 6 is a CNAME to the tunnel. See [OPTION_B_RPC_VIA_TUNNEL_RUNBOOK.md](OPTION_B_RPC_VIA_TUNNEL_RUNBOOK.md) and [../04-configuration/cloudflare/TUNNEL_SFVALLEY01_INSTALL.md](../04-configuration/cloudflare/TUNNEL_SFVALLEY01_INSTALL.md). Cloudflare Tunnel is deprecated for **primary web** ingress (502 issues when used for all traffic); Option B uses the tunnel for RPC only. Cloudflare DNS is retained for all public hostnames.
**Current edge:** UDM Pro (76.53.10.34). Origin for public traffic: **76.53.10.36**. Port forward: 76.53.10.36:80/443 → NPMplus (192.168.11.167:80/443). Proxmox hosts: 192.168.11.10–12. See [NETWORK_CONFIGURATION_MASTER.md](../11-references/NETWORK_CONFIGURATION_MASTER.md).
**Pre-requisite:** Verify 76.53.10.36:80 and :443 are open from the internet before using Fastly or direct; see [EDGE_PORT_VERIFICATION_RUNBOOK.md](EDGE_PORT_VERIFICATION_RUNBOOK.md).
**ISP port filtering (e.g. Spectrum Business):** If your ISP filters common ports (21, 22, 80, 443), Fastly **does not offer tunnels**. Use an **outbound-only tunnel** (e.g. Tailscale Funnel, ngrok, or self-hosted boringproxy/Frp); **Cloudflare Tunnel often causes 502 errors** in this project, so prefer the alternatives. See [ISP port filtering (Spectrum and tunnels)](#isp-port-filtering-spectrum-and-tunnels) below.
- **Fastly (Option A):** CNAME from each public hostname to Fastly; Fastly backend = 76.53.10.36. Forward original Host so NPMplus can route by hostname; enable WebSocket for RPC/WS.
- **Direct (Option C):** A records to 76.53.10.36; Cloudflare proxy on or off. No CDN; single point of failure at edge.
- **NPMplus** (VMID 10233 at 192.168.11.167) is the single proxy/director; all domain routing and WebSocket handling are configured there.
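Because Cloudflare DNS stays authoritative for every public hostname, a quick way to catch drift (for example a web hostname still CNAMEd to the tunnel, the deprecated path that produced 502s) is to audit the zone's records against the intended option per hostname. The following is an added example, not project tooling: the record dicts mimic the `type`/`name`/`content`/`proxied` fields of a Cloudflare DNS record export, the hostnames and tunnel UUID are constructed placeholders, and the Fastly CNAME suffixes are an assumption; the origin IP and the "RPC = CNAME to tunnel" rule come from this runbook.

```python
"""Drift check: compare Cloudflare DNS records with the intended edge option."""

ORIGIN_IP = "76.53.10.36"                         # public origin (from runbook)
TUNNEL_SUFFIX = ".cfargotunnel.com"               # Cloudflare Tunnel CNAME target form
FASTLY_SUFFIXES = ("fastly.net", "fastlylb.net")  # assumed Fastly CNAME targets

# Intended option per public hostname: A = Fastly, B = tunnel (RPC only), C = direct.
INTENDED = {
    "www.example.invalid": "C",
    "api.example.invalid": "A",
    "rpc1.example.invalid": "B",
    "rpc2.example.invalid": "B",
}

# Constructed sample records; api.* and rpc2.* are deliberately wrong.
TUNNEL = "00000000-0000-4000-8000-000000000000.cfargotunnel.com"  # placeholder UUID
RECORDS = [
    {"type": "A", "name": "www.example.invalid", "content": ORIGIN_IP, "proxied": False},
    {"type": "CNAME", "name": "api.example.invalid", "content": TUNNEL, "proxied": True},
    {"type": "CNAME", "name": "rpc1.example.invalid", "content": TUNNEL, "proxied": True},
    {"type": "CNAME", "name": "rpc2.example.invalid", "content": TUNNEL, "proxied": False},
]


def observed_option(rec: dict) -> str:
    """Map one DNS record to the option it implements, or '?' if unrecognised."""
    target = rec["content"].rstrip(".").lower()
    if rec["type"] == "CNAME" and target.endswith(TUNNEL_SUFFIX):
        return "B"
    if rec["type"] == "CNAME" and target.endswith(FASTLY_SUFFIXES):
        return "A"
    if rec["type"] == "A" and target == ORIGIN_IP:
        return "C"
    return "?"


def audit(intended: dict, records: list) -> dict:
    """Return {hostname: problem} for every hostname that does not match the plan."""
    by_name = {r["name"].lower(): r for r in records}
    problems = {}
    for host, want in intended.items():
        rec = by_name.get(host.lower())
        if rec is None:
            problems[host] = "no DNS record"
            continue
        got = observed_option(rec)
        if got == "B" and want != "B":
            problems[host] = "web hostname still CNAMEd to tunnel (deprecated)"
        elif got != want:
            problems[host] = f"expected option {want}, DNS implements {got}"
        elif want == "B" and not rec["proxied"]:
            problems[host] = "tunnel CNAME is not proxied"  # tunnel CNAMEs need proxy on
    return problems
```

Run `audit(INTENDED, RECORDS)` after each DNS change; an empty dict means the zone matches this document.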
Using Cloudflare Tunnel for **all** public hostnames (web + RPC) caused 502 errors. Tunnel is now used only for RPC (Option B). Legacy tunnel docs: [CLOUDFLARE_TUNNEL_ROUTING_ARCHITECTURE.md](CLOUDFLARE_TUNNEL_ROUTING_ARCHITECTURE.md), [CENTRAL_NGINX_ROUTING_SETUP.md](CENTRAL_NGINX_ROUTING_SETUP.md).
All public hostnames are routed by **NPMplus** (192.168.11.167) by hostname. Key mappings (see [RPC_ENDPOINTS_MASTER.md](../04-configuration/RPC_ENDPOINTS_MASTER.md) for full list):
- **Fastly** is a pull CDN: it connects **to** your origin on ports 80/443. It does **not** provide an outbound-only tunnel (no product like Cloudflare Tunnel).
- **Fastly Origin Connect** is a physical cross-connect (fiber/BGP in a datacenter), not a software tunnel; it does not solve residential/small-business ISP port filtering.
- If 80/443 are filtered (inbound or outbound), Fastly cannot reach 76.53.10.36, so Fastly is not usable as the edge for your origin.
When the ISP blocks 80/443, you need an **outbound-only tunnel**. **Cloudflare Tunnel** is often problematic here (502 errors in this project), so prefer one of the alternatives below. **Fastly has no tunnel product.**
| Option | How it works | Notes |
|---|---|---|
| **Tailscale Funnel** | Run `tailscale funnel <port>` on the host; outbound to Tailscale, no inbound 80/443. Public URL like `https://<device>.ts.net`. | Simple, automatic HTTPS, no port forward. Requires a Tailscale account and MagicDNS; good if you already use Tailscale. |
| **ngrok** | Run the ngrok agent; outbound tunnel to the ngrok edge. Public URL (or custom domain on paid plans). | Mature, widely used; free tier has limits and ngrok-branded URLs. Paid for custom domains and higher limits. |
| **Self-hosted (boringproxy, Frp, Rathole)** | Run the tunnel **server** on a VPS (where ports are not filtered); run the **client** at the origin; the origin only makes outbound connections to the VPS. | Full control, your domain, no Cloudflare. Requires a small VPS (or other unfiltered host) to run the tunnel server. |
| **Cloudflare Tunnel** (cloudflared) | Origin runs `cloudflared`; outbound to Cloudflare. | No inbound ports; this repo has config. **Often causes 502 errors** here and is deprecated for that reason. See [CLOUDFLARE_TUNNEL_ROUTING_ARCHITECTURE.md](CLOUDFLARE_TUNNEL_ROUTING_ARCHITECTURE.md) if you want to retry and debug. |
1. **First try:** **Tailscale Funnel** (if you use Tailscale) or **ngrok** (quick to try).
2. **For production / custom domains:** **Self-hosted tunnel** (e.g. boringproxy or Frp on a VPS); the origin runs the client and only makes outbound connections to the VPS; no dependency on Cloudflare or Fastly tunnels.
3. **Cloudflare Tunnel** only if you are willing to debug the 502s (ingress rules, timeouts, backend health); doc: [CLOUDFLARE_TUNNEL_ROUTING_ARCHITECTURE.md](CLOUDFLARE_TUNNEL_ROUTING_ARCHITECTURE.md).
**Summary:** Fastly has no tunnel. When ports are filtered, use **Tailscale Funnel**, **ngrok**, or a **self-hosted tunnel** (boringproxy/Frp on a VPS) rather than relying on Cloudflare Tunnel, which often causes 502 errors in this setup.