d-bis/proxmox
4
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity
Files
3f76bc950779f8c1a4403abddb952cdbce5fa420
proxmox/docs/04-configuration/ALI_RPC_PORT_FORWARDING_CONFIG.md
defiQUG fbda1b4beb
Some checks failed
Deploy to Phoenix / deploy (push) Has been cancelled
Details
docs: Ledger Live integration, contract deploy learnings, NEXT_STEPS updates 
- ADD_CHAIN138_TO_LEDGER_LIVE: Ledger form done; public code review repo bis-innovations/LedgerLive; init/push commands
- CONTRACT_DEPLOYMENT_RUNBOOK: Chain 138 gas price 1 gwei, 36-addr check, TransactionMirror workaround
- CONTRACT_*: AddressMapper, MirrorManager deployed 2026-02-12; 36-address on-chain check
- NEXT_STEPS_FOR_YOU: Ledger done; steps completable now (no LAN); run-completable-tasks-from-anywhere
- MASTER_INDEX, OPERATOR_OPTIONAL, SMART_CONTRACTS_INVENTORY_SIMPLE: updates
- LEDGER_BLOCKCHAIN_INTEGRATION_COMPLETE: bis-innovations/LedgerLive reference

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-02-12 15:46:57 -08:00

7.2 KiB
Raw Blame History

ALI RPC Port Forwarding Configuration

Last Updated: 2026-01-31
Document Version: 1.0
Status: Active Documentation

Date: 2026-01-04
Rule Name: ALI RPC
Target Service: VMID 2501 (Permissioned RPC Node)
Status: Configuration Guide

📋 Port Forwarding Rule Specification

Rule Configuration

Parameter Value Notes
Rule Name ALI RPC Descriptive name for the rule
Enabled Yes Enable to activate the rule
Source IP 0.0.0.0/0 All source IPs (consider restricting for security)
Interface WAN1 Primary WAN interface (76.53.10.34)
WAN IP 76.53.10.34 Router's WAN IP (or use specific IP from Block #1 if needed)
DMZ -- Not used
Source Port * (Any) All source ports accepted
Destination IP 192.168.11.251 VMID 2501 (Permissioned RPC Node)
Destination Port 8545 Besu HTTP RPC port
Protocol TCP RPC uses TCP protocol

🎯 Target Service Details

VMID 2501 - Permissioned RPC Node

  • IP Address: 192.168.11.251
  • Service: Besu HTTP RPC
  • Port: 8545
  • Type: Permissioned RPC (requires JWT authentication)
  • Current Public Access: Via Cloudflare Tunnel (https://rpc-http-prv.d-bis.org)

⚠️ Security Considerations

Current Architecture (Recommended)

The current architecture uses Cloudflare Tunnel for public access, which provides:

  • DDoS Protection: Cloudflare provides DDoS mitigation
  • SSL/TLS Termination: Automatic HTTPS encryption
  • No Direct Exposure: Services are not directly exposed to the internet
  • IP Hiding: Internal IPs are not exposed
  • Access Control: Cloudflare Access can be configured

Public Endpoint: https://rpc-http-prv.d-bis.org

Direct Port Forwarding (This Configuration)

If you configure direct port forwarding, consider:

  • ⚠️ Security Risk: Service is directly exposed to the internet
  • ⚠️ No DDoS Protection: Router may be overwhelmed by attacks
  • ⚠️ No SSL/TLS: HTTP traffic is unencrypted (unless Nginx handles it)
  • ⚠️ IP Exposure: Internal IP (192.168.11.251) is exposed
  • ⚠️ Authentication: JWT authentication must be configured on Besu

Recommended: Use direct port forwarding only if:

  1. Cloudflare Tunnel is not available
  2. You need direct IP access for specific use cases
  3. You have additional security measures in place (firewall rules, IP allowlisting)

🔧 Recommended Configuration

Option 1: Restrict Source IP (More Secure)

If you must use direct port forwarding, restrict source IP addresses:

Parameter Value Notes
Source IP [Specific IPs or CIDR] Restrict to known client IPs
Example 203.0.113.0/24 Allow only specific network

Option 2: Use Different WAN IP (Isolation)

Use a different IP from Block #1 instead of the router's primary WAN IP:

Parameter Value Notes
WAN IP 76.53.10.35 Use secondary IP from Block #1
Purpose Isolation from router's primary IP

Available IPs in Block #1 (76.53.10.32/28):

  • 76.53.10.33 - Gateway (reserved)
  • 76.53.10.34 - Router WAN IP (current)
  • 76.53.10.35-46 - Available for use

📝 Complete Rule Configuration

For ER605 Router GUI

Rule Name: ALI RPC
Enabled: ✅ Yes
Interface: WAN1
External IP: 76.53.10.34 (or 76.53.10.35 for isolation)
External Port: 8545
Internal IP: 192.168.11.251
Internal Port: 8545
Protocol: TCP
Source IP: 0.0.0.0/0 (or restrict to specific IPs for security)

Alternative: Use Secondary WAN IP (Recommended for Isolation)

Rule Name: ALI RPC
Enabled: ✅ Yes
Interface: WAN1
External IP: 76.53.10.35 (secondary IP from Block #1)
External Port: 8545
Internal IP: 192.168.11.251
Internal Port: 8545
Protocol: TCP
Source IP: [Restrict to known IPs if possible]

🔍 Verification

Test from External Network

After enabling the rule, test from an external network:

curl -X POST http://76.53.10.34:8545 \
  -H "Content-Type: application/json" \
  -d '{"jsonrpc":"2.0","method":"eth_chainId","params":[],"id":1}'

Expected Response (if JWT auth is not configured):

{
  "jsonrpc": "2.0",
  "id": 1,
  "result": "0x8a"
}

If JWT Authentication is Required: You'll need to include the JWT token in the request. See RPC_JWT_AUTHENTICATION.md for details.

Test from Internal Network

curl -X POST http://192.168.11.251:8545 \
  -H "Content-Type: application/json" \
  -d '{"jsonrpc":"2.0","method":"eth_chainId","params":[],"id":1}'

🔐 Security Recommendations

1. Enable IP Allowlisting (If Possible)

Restrict source IP addresses to known clients:

  • Configure source IP restrictions in the router rule
  • Or use firewall rules to restrict access
  • Consider using Cloudflare Access for IP-based access control

2. Use HTTPS/TLS

If exposing directly, ensure HTTPS is used:

  • VMID 2501 should have Nginx with SSL certificates
  • Forward to port 443 instead of 8545
  • Or use a reverse proxy with SSL termination

3. Monitor and Log

  • Enable firewall logging for the port forward rule
  • Monitor connection attempts
  • Set up alerts for suspicious activity

4. Consider Cloudflare Tunnel (Preferred)

Instead of direct port forwarding, use Cloudflare Tunnel:

  • Current endpoint: https://rpc-http-prv.d-bis.org
  • Provides DDoS protection, SSL, and access control
  • No router configuration needed

📊 Comparison: Direct Port Forward vs Cloudflare Tunnel

Feature Direct Port Forward Cloudflare Tunnel
DDoS Protection No Yes
SSL/TLS ⚠️ Manual (Nginx) Automatic
IP Hiding Internal IP exposed IP hidden
Access Control ⚠️ Router/firewall rules Cloudflare Access
Configuration Router port forward rule Cloudflare Tunnel config
Monitoring Router logs only Cloudflare analytics
Cost Free (router feature) Free tier available

🎯 Current Architecture Recommendation

Recommended Approach: Continue using Cloudflare Tunnel

  • Already configured and working: https://rpc-http-prv.d-bis.org
  • Provides better security and DDoS protection
  • No router configuration needed
  • SSL/TLS handled automatically

Direct Port Forwarding Use Cases:

  • Emergency access if Cloudflare Tunnel is down
  • Specific applications that require direct IP access
  • Testing and development
  • Backup access method

📋 Summary

Rule Configuration

  • Name: ALI RPC
  • Destination: 192.168.11.251:8545 (VMID 2501)
  • External Port: 8545
  • Protocol: TCP
  • Security: ⚠️ Consider restricting source IPs and using secondary WAN IP

Recommendation

  • Current: Use Cloudflare Tunnel (https://rpc-http-prv.d-bis.org)
  • ⚠️ Direct Port Forward: Use only if necessary, with security restrictions
  • 🔐 Security: Enable IP allowlisting, use secondary WAN IP, monitor access

Last Updated: 2026-01-04
Status: Configuration Guide
Current Access Method: Cloudflare Tunnel (Recommended)

Reference in New Issue View Git Blame Copy Permalink