# ALI RPC Port Forwarding Configuration

**Date**: 2026-01-04

**Rule Name**: ALI RPC

**Target Service**: VMID 2501 (Permissioned RPC Node)

**Status**: Configuration Guide

---

## 📋 Port Forwarding Rule Specification

### Rule Configuration

| Parameter | Value | Notes |
|-----------|-------|-------|
| **Rule Name** | ALI RPC | Descriptive name for the rule |
| **Enabled** | ✅ Yes | Enable to activate the rule |
| **Source IP** | 0.0.0.0/0 | All source IPs (consider restricting for security) |
| **Interface** | WAN1 | Primary WAN interface (76.53.10.34) |
| **WAN IP** | 76.53.10.34 | Router's WAN IP (or use a specific IP from Block #1 if needed) |
| **DMZ** | -- | Not used |
| **Source Port** | * (Any) | All source ports accepted |
| **Destination IP** | 192.168.11.251 | VMID 2501 (Permissioned RPC Node) |
| **Destination Port** | 8545 | Besu HTTP RPC port |
| **Protocol** | TCP | RPC uses TCP |

---

## 🎯 Target Service Details

### VMID 2501 - Permissioned RPC Node

- **IP Address**: 192.168.11.251
- **Service**: Besu HTTP RPC
- **Port**: 8545
- **Type**: Permissioned RPC (requires JWT authentication)
- **Current Public Access**: Via Cloudflare Tunnel (`https://rpc-http-prv.d-bis.org`)

---

## ⚠️ Security Considerations

### Current Architecture (Recommended)

The current architecture uses **Cloudflare Tunnel** for public access, which provides:

- ✅ **DDoS Protection**: Cloudflare provides DDoS mitigation
- ✅ **SSL/TLS Termination**: Automatic HTTPS encryption
- ✅ **No Direct Exposure**: Services are not directly exposed to the internet
- ✅ **IP Hiding**: Internal IPs are not exposed
- ✅ **Access Control**: Cloudflare Access can be configured

**Public Endpoint**: `https://rpc-http-prv.d-bis.org`

### Direct Port Forwarding (This Configuration)

If you configure direct port forwarding, consider:

- ⚠️ **Security Risk**: Service is directly exposed to the internet
- ⚠️ **No DDoS Protection**: Router may be overwhelmed by attacks
- ⚠️ **No SSL/TLS**: HTTP traffic is unencrypted (unless Nginx handles it)
- ⚠️ **IP Exposure**: Internal IP (192.168.11.251) is exposed
- ⚠️ **Authentication**: JWT authentication must be configured on Besu

**Recommended**: Use direct port forwarding only if:

1. Cloudflare Tunnel is not available
2. You need direct IP access for specific use cases
3. You have additional security measures in place (firewall rules, IP allowlisting)

---

## 🔧 Recommended Configuration

### Option 1: Restrict Source IP (More Secure)

If you must use direct port forwarding, restrict source IP addresses:

| Parameter | Value | Notes |
|-----------|-------|-------|
| **Source IP** | [Specific IPs or CIDR] | Restrict to known client IPs |
| **Example** | 203.0.113.0/24 | Allow only a specific network |

### Option 2: Use Different WAN IP (Isolation)

Use a different IP from Block #1 instead of the router's primary WAN IP:

| Parameter | Value | Notes |
|-----------|-------|-------|
| **WAN IP** | 76.53.10.35 | Use secondary IP from Block #1 |
| **Purpose** | Isolation | Keeps the RPC rule off the router's primary IP |

**Available IPs in Block #1 (76.53.10.32/28)**:

- 76.53.10.33 - Gateway (reserved)
- 76.53.10.34 - Router WAN IP (current)
- 76.53.10.35-46 - Available for use

---

## 📝 Complete Rule Configuration

### For ER605 Router GUI

```
Rule Name: ALI RPC
Enabled: ✅ Yes
Interface: WAN1
External IP: 76.53.10.34 (or 76.53.10.35 for isolation)
External Port: 8545
Internal IP: 192.168.11.251
Internal Port: 8545
Protocol: TCP
Source IP: 0.0.0.0/0 (or restrict to specific IPs for security)
```

### Alternative: Use Secondary WAN IP (Recommended for Isolation)

```
Rule Name: ALI RPC
Enabled: ✅ Yes
Interface: WAN1
External IP: 76.53.10.35 (secondary IP from Block #1)
External Port: 8545
Internal IP: 192.168.11.251
Internal Port: 8545
Protocol: TCP
Source IP: [Restrict to known IPs if possible]
```

---

## 🔍 Verification

### Test from External Network

After enabling the rule, test from an external network:

```bash
curl -X POST http://76.53.10.34:8545 \
  -H "Content-Type: application/json" \
  -d '{"jsonrpc":"2.0","method":"eth_chainId","params":[],"id":1}'
```

**Expected Response** (if JWT auth is not configured):

```json
{
  "jsonrpc": "2.0",
  "id": 1,
  "result": "0x8a"
}
```

**If JWT Authentication is Required**: You'll need to include the JWT token in the request. See [RPC_JWT_AUTHENTICATION.md](../docs/04-configuration/RPC_JWT_AUTHENTICATION.md) for details.

### Test from Internal Network

```bash
curl -X POST http://192.168.11.251:8545 \
  -H "Content-Type: application/json" \
  -d '{"jsonrpc":"2.0","method":"eth_chainId","params":[],"id":1}'
```

---

## 🔐 Security Recommendations

### 1. Enable IP Allowlisting (If Possible)

Restrict source IP addresses to known clients:

- Configure source IP restrictions in the router rule
- Or use firewall rules to restrict access
- Consider using Cloudflare Access for IP-based access control

### 2. Use HTTPS/TLS

If exposing directly, ensure HTTPS is used:

- VMID 2501 should have Nginx with SSL certificates
- Forward to port 443 instead of 8545
- Or use a reverse proxy with SSL termination

### 3. Monitor and Log

- Enable firewall logging for the port forward rule
- Monitor connection attempts
- Set up alerts for suspicious activity

### 4. Consider Cloudflare Tunnel (Preferred)

Instead of direct port forwarding, use Cloudflare Tunnel:

- Current endpoint: `https://rpc-http-prv.d-bis.org`
- Provides DDoS protection, SSL, and access control
- No router configuration needed

---

## 📊 Comparison: Direct Port Forward vs Cloudflare Tunnel

| Feature | Direct Port Forward | Cloudflare Tunnel |
|---------|-------------------|-------------------|
| **DDoS Protection** | ❌ No | ✅ Yes |
| **SSL/TLS** | ⚠️ Manual (Nginx) | ✅ Automatic |
| **IP Hiding** | ❌ Internal IP exposed | ✅ IP hidden |
| **Access Control** | ⚠️ Router/firewall rules | ✅ Cloudflare Access |
| **Configuration** | Router port forward rule | Cloudflare Tunnel config |
| **Monitoring** | Router logs only | Cloudflare analytics |
| **Cost** | Free (router feature) | Free tier available |

---

## 🎯 Current Architecture Recommendation

**Recommended Approach**: Continue using Cloudflare Tunnel

- ✅ Already configured and working: `https://rpc-http-prv.d-bis.org`
- ✅ Provides better security and DDoS protection
- ✅ No router configuration needed
- ✅ SSL/TLS handled automatically

**Direct Port Forwarding Use Cases**:

- Emergency access if Cloudflare Tunnel is down
- Specific applications that require direct IP access
- Testing and development
- Backup access method

---

## 📋 Summary

### Rule Configuration

- **Name**: ALI RPC
- **Destination**: 192.168.11.251:8545 (VMID 2501)
- **External Port**: 8545
- **Protocol**: TCP
- **Security**: ⚠️ Consider restricting source IPs and using the secondary WAN IP

### Recommendation

- ✅ **Current**: Use Cloudflare Tunnel (`https://rpc-http-prv.d-bis.org`)
- ⚠️ **Direct Port Forward**: Use only if necessary, with security restrictions
- 🔐 **Security**: Enable IP allowlisting, use secondary WAN IP, monitor access

---

**Last Updated**: 2026-01-04

**Status**: Configuration Guide

**Current Access Method**: Cloudflare Tunnel (Recommended)
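The Verification section above checks that the forwarded port answers, but for a permissioned node the more important check is the opposite one: an anonymous `eth_chainId` must be rejected, and only a request carrying the JWT must get the `0x8a` result. The script below is an added example (it is not part of this guide, Besu, or the ER605 firmware) that automates that pass/fail decision. It assumes the WAN endpoint from the rule, an `RPC_JWT` environment variable holding a token issued per RPC_JWT_AUTHENTICATION.md (both are assumptions of the example), and that Besu answers unauthenticated calls with HTTP 401/403; the HTTP transport is injectable so the classification logic can be exercised offline.

```python
"""Confirm a directly forwarded Besu RPC endpoint enforces JWT authentication.

Added example, not code from the guide or from Besu. Sends eth_chainId once
without and once with a bearer token and classifies each answer.
"""
import json
import os
import urllib.error
import urllib.request

RPC_URL = "http://76.53.10.34:8545"  # WAN IP:port from the ALI RPC rule (assumed target)
CHAIN_ID_REQUEST = {"jsonrpc": "2.0", "method": "eth_chainId", "params": [], "id": 1}


def http_post(url, body, headers):
    """Real transport: POST the body and return (http_status, response_text)."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:  # non-2xx still carries a body
        return err.code, err.read().decode("utf-8", "replace")


def classify(status, body):
    """Map one HTTP answer to 'open', 'auth-required', 'rpc-error' or 'unexpected'.

    'open' means the node returned a JSON-RPC result, i.e. the caller was served.
    """
    if status in (401, 403):
        return "auth-required"
    if status != 200:
        return "unexpected"
    try:
        payload = json.loads(body)
    except ValueError:
        return "unexpected"  # e.g. an HTML page from a proxy in front of the node
    if "result" in payload:
        return "open"
    if "error" in payload:
        return "rpc-error"
    return "unexpected"


def probe(url, token=None, transport=http_post):
    """Send eth_chainId, optionally with 'Authorization: Bearer <token>', and classify."""
    headers = {"Content-Type": "application/json"}
    if token:
        headers["Authorization"] = "Bearer " + token
    status, text = transport(url, json.dumps(CHAIN_ID_REQUEST).encode(), headers)
    return classify(status, text)


def assess(url, token=None, transport=http_post):
    """Return {'anonymous', 'authenticated', 'ok'}.

    ok is True only when the anonymous call is rejected and, if a token was
    given, the authenticated call is served. An anonymous 'open' on a
    permissioned node means the port forward has exposed it without auth.
    """
    anon = probe(url, None, transport)
    verdict = {"anonymous": anon, "authenticated": None}
    if token:
        verdict["authenticated"] = probe(url, token, transport)
    verdict["ok"] = anon == "auth-required" and (
        token is None or verdict["authenticated"] == "open"
    )
    return verdict


if __name__ == "__main__":
    # RPC_JWT is an assumed variable name; export the token issued for this node.
    print(json.dumps(assess(RPC_URL, os.environ.get("RPC_JWT")), indent=2))
```

Run it from an external network after enabling the rule; an `"anonymous": "open"` verdict is the condition that should block going live with the direct forward until Besu's JWT authentication is confirmed on 192.168.11.251.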
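Security Recommendations 1 and 3 above (allowlist known clients, log the rule and alert on suspicious activity) can be tied together by running the router's firewall log against the same allowlist the rule uses. The following is an added example, not the guide's own tooling and not an ER605 feature: it assumes a constructed syslog-style line format (the real ER605 format may differ; only the regex needs adjusting), uses the 203.0.113.0/24 allowlist from Option 1, and flags two things an operator would want to alert on: sources outside the allowlist that were nonetheless allowed through to 8545, and sources making a burst of connections.

```python
"""Review firewall log lines for the ALI RPC port forward.

Added example; log format below is constructed for illustration.
Flags allowed 8545 connections from outside the client allowlist and
sources exceeding a per-window connection threshold.
"""
import ipaddress
import re
from collections import Counter

RPC_PORT = 8545
ALLOWLIST = [ipaddress.ip_network("203.0.113.0/24")]  # Option 1 example CIDR
BURST_THRESHOLD = 5  # allowed connections from one source before it is flagged

# Constructed sample lines (assumed format: "<action> TCP src:port -> dst:port").
SAMPLE_LOG = [
    'Jan  4 10:15:02 er605 FIREWALL: ALLOW TCP 203.0.113.17:51234 -> 76.53.10.34:8545 rule="ALI RPC"',
    'Jan  4 10:15:05 er605 FIREWALL: ALLOW TCP 198.51.100.9:40001 -> 76.53.10.34:8545 rule="ALI RPC"',
    'Jan  4 10:15:05 er605 FIREWALL: ALLOW TCP 198.51.100.9:40002 -> 76.53.10.34:8545 rule="ALI RPC"',
    'Jan  4 10:15:06 er605 FIREWALL: ALLOW TCP 198.51.100.9:40003 -> 76.53.10.34:8545 rule="ALI RPC"',
    'Jan  4 10:15:06 er605 FIREWALL: ALLOW TCP 198.51.100.9:40004 -> 76.53.10.34:8545 rule="ALI RPC"',
    'Jan  4 10:15:07 er605 FIREWALL: ALLOW TCP 198.51.100.9:40005 -> 76.53.10.34:8545 rule="ALI RPC"',
    'Jan  4 10:15:07 er605 FIREWALL: ALLOW TCP 198.51.100.9:40006 -> 76.53.10.34:8545 rule="ALI RPC"',
    'Jan  4 10:15:09 er605 FIREWALL: DENY TCP 198.51.100.9:40007 -> 76.53.10.34:8545',
    'Jan  4 10:15:11 er605 FIREWALL: ALLOW TCP 203.0.113.17:51235 -> 76.53.10.34:8545 rule="ALI RPC"',
    'Jan  4 10:15:12 er605 FIREWALL: ALLOW TCP 192.0.2.77:33001 -> 76.53.10.34:8545 rule="ALI RPC"',
    'Jan  4 10:15:13 er605 FIREWALL: ALLOW TCP 192.0.2.77:33002 -> 76.53.10.34:443 rule="web"',
    'Jan  4 10:15:14 er605 SYSTEM: link up on WAN1',
]

LINE_RE = re.compile(
    r"(?P<action>ALLOW|DENY)\s+TCP\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)"
)


def parse_line(line):
    """Return {'action','src','dport'} for a firewall line, or None for other lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return {"action": m["action"], "src": ipaddress.ip_address(m["src"]), "dport": int(m["dport"])}


def is_allowed(ip, allowlist=ALLOWLIST):
    """True when the source address falls inside one of the allowlisted networks."""
    return any(ip in net for net in allowlist)


def analyze(lines, allowlist=ALLOWLIST, threshold=BURST_THRESHOLD):
    """Count allowed connections to RPC_PORT per source and derive the two alert lists."""
    hits = Counter()
    for line in lines:
        rec = parse_line(line)
        # Only connections the router actually passed to 8545 matter here.
        if rec is None or rec["action"] != "ALLOW" or rec["dport"] != RPC_PORT:
            continue
        hits[str(rec["src"])] += 1
    outside = sorted(s for s in hits if not is_allowed(ipaddress.ip_address(s), allowlist))
    bursts = sorted(s for s, n in hits.items() if n >= threshold)
    return {"hits": dict(hits), "outside_allowlist": outside, "bursts": bursts}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for src in report["outside_allowlist"]:
        print(f"ALERT outside allowlist: {src} ({report['hits'][src]} connections)")
    for src in report["bursts"]:
        print(f"ALERT burst: {src} ({report['hits'][src]} connections)")
```

Any address in `outside_allowlist` while the rule's Source IP is still `0.0.0.0/0` is a direct measure of how much the Option 1 restriction would have cut off; once the restriction is applied, the same list should stay empty and any entry in it means the router rule and the expected allowlist have drifted apart.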