proxmox/docs/04-configuration/ALI_RPC_PORT_FORWARDING_CONFIG.md
defiQUG cb47cce074 Complete markdown files cleanup and organization
- Organized 252 files across project
- Root directory: 187 → 2 files (98.9% reduction)
- Moved configuration guides to docs/04-configuration/
- Moved troubleshooting guides to docs/09-troubleshooting/
- Moved quick start guides to docs/01-getting-started/
- Moved reports to reports/ directory
- Archived temporary files
- Generated comprehensive reports and documentation
- Created maintenance scripts and guides

All files organized according to established standards.
2026-01-06 01:46:25 -08:00


# ALI RPC Port Forwarding Configuration
**Date**: 2026-01-04
**Rule Name**: ALI RPC
**Target Service**: VMID 2501 (Permissioned RPC Node)
**Status**: Configuration Guide
---
## 📋 Port Forwarding Rule Specification
### Rule Configuration
| Parameter | Value | Notes |
|-----------|-------|-------|
| **Rule Name** | ALI RPC | Descriptive name for the rule |
| **Enabled** | ✅ Yes | Enable to activate the rule |
| **Source IP** | 0.0.0.0/0 | All source IPs (consider restricting for security) |
| **Interface** | WAN1 | Primary WAN interface (76.53.10.34) |
| **WAN IP** | 76.53.10.34 | Router's WAN IP (or use specific IP from Block #1 if needed) |
| **DMZ** | -- | Not used |
| **Source Port** | * (Any) | All source ports accepted |
| **Destination IP** | 192.168.11.251 | VMID 2501 (Permissioned RPC Node) |
| **Destination Port** | 8545 | Besu HTTP RPC port |
| **Protocol** | TCP | RPC uses TCP protocol |
---
## 🎯 Target Service Details
### VMID 2501 - Permissioned RPC Node
- **IP Address**: 192.168.11.251
- **Service**: Besu HTTP RPC
- **Port**: 8545
- **Type**: Permissioned RPC (requires JWT authentication)
- **Current Public Access**: Via Cloudflare Tunnel (`https://rpc-http-prv.d-bis.org`)
---
## ⚠️ Security Considerations
### Current Architecture (Recommended)
The current architecture uses **Cloudflare Tunnel** for public access, which provides:
- **DDoS Protection**: Cloudflare provides DDoS mitigation
- **SSL/TLS Termination**: Automatic HTTPS encryption
- **No Direct Exposure**: Services are not directly exposed to the internet
- **IP Hiding**: Internal IPs are not exposed
- **Access Control**: Cloudflare Access can be configured
**Public Endpoint**: `https://rpc-http-prv.d-bis.org`
### Direct Port Forwarding (This Configuration)
If you configure direct port forwarding, consider:
- ⚠️ **Security Risk**: Service is directly exposed to the internet
- ⚠️ **No DDoS Protection**: Router may be overwhelmed by attacks
- ⚠️ **No SSL/TLS**: HTTP traffic is unencrypted (unless Nginx handles it)
- ⚠️ **IP Exposure**: Internal IP (192.168.11.251) is exposed
- ⚠️ **Authentication**: JWT authentication must be configured on Besu
**Recommended**: Use direct port forwarding only if:
1. Cloudflare Tunnel is not available
2. You need direct IP access for specific use cases
3. You have additional security measures in place (firewall rules, IP allowlisting)
---
## 🔧 Recommended Configuration
### Option 1: Restrict Source IP (More Secure)
If you must use direct port forwarding, restrict source IP addresses:
| Parameter | Value | Notes |
|-----------|-------|-------|
| **Source IP** | [Specific IPs or CIDR] | Restrict to known client IPs |
| **Example** | 203.0.113.0/24 | Allow only specific network |
### Option 2: Use Different WAN IP (Isolation)
Use a different IP from Block #1 instead of the router's primary WAN IP:
| Parameter | Value | Notes |
|-----------|-------|-------|
| **WAN IP** | 76.53.10.35 | Use secondary IP from Block #1 |
| **Purpose** | Isolation | Keeps RPC traffic separate from the router's primary IP |
**Available IPs in Block #1 (76.53.10.32/28)**:
- 76.53.10.33 - Gateway (reserved)
- 76.53.10.34 - Router WAN IP (current)
- 76.53.10.35-46 - Available for use
---
## 📝 Complete Rule Configuration
### For ER605 Router GUI
```
Rule Name: ALI RPC
Enabled: ✅ Yes
Interface: WAN1
External IP: 76.53.10.34 (or 76.53.10.35 for isolation)
External Port: 8545
Internal IP: 192.168.11.251
Internal Port: 8545
Protocol: TCP
Source IP: 0.0.0.0/0 (or restrict to specific IPs for security)
```
### Alternative: Use Secondary WAN IP (Recommended for Isolation)
```
Rule Name: ALI RPC
Enabled: ✅ Yes
Interface: WAN1
External IP: 76.53.10.35 (secondary IP from Block #1)
External Port: 8545
Internal IP: 192.168.11.251
Internal Port: 8545
Protocol: TCP
Source IP: [Restrict to known IPs if possible]
```
---
## 🔍 Verification
### Test from External Network
After enabling the rule, test from an external network:
```bash
curl -X POST http://76.53.10.34:8545 \
-H "Content-Type: application/json" \
-d '{"jsonrpc":"2.0","method":"eth_chainId","params":[],"id":1}'
```
**Expected Response** (if JWT auth is not configured):
```json
{
"jsonrpc": "2.0",
"id": 1,
"result": "0x8a"
}
```
**If JWT Authentication is Required**:
You'll need to include the JWT token in the request. See [RPC_JWT_AUTHENTICATION.md](../docs/04-configuration/RPC_JWT_AUTHENTICATION.md) for details.
### Test from Internal Network
```bash
curl -X POST http://192.168.11.251:8545 \
-H "Content-Type: application/json" \
-d '{"jsonrpc":"2.0","method":"eth_chainId","params":[],"id":1}'
```
---
## 🔐 Security Recommendations
### 1. Enable IP Allowlisting (If Possible)
Restrict source IP addresses to known clients:
- Configure source IP restrictions in the router rule
- Or use firewall rules to restrict access
- Consider using Cloudflare Access for IP-based access control
### 2. Use HTTPS/TLS
If exposing directly, ensure HTTPS is used:
- VMID 2501 should have Nginx with SSL certificates
- Forward to port 443 instead of 8545
- Or use a reverse proxy with SSL termination
### 3. Monitor and Log
- Enable firewall logging for the port forward rule
- Monitor connection attempts
- Set up alerts for suspicious activity
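The allowlist from Option 1 and the logging advice above can be combined into a small audit: read the router's firewall log lines for the "ALI RPC" rule and flag every source that is not in the allowed CIDRs. This is an added example, not part of the original guide or of the ER605's own tooling; the log line format, the sample lines and the `203.0.113.0/24` allowlist are constructed and must be adapted to the real syslog output.

```python
"""Audit port-forward log lines for the 'ALI RPC' rule against a source-IP
allowlist. Added example; the log format below is constructed, not the
ER605's real syslog format, so adjust LINE_RE to match actual output."""
import ipaddress
import re
from collections import Counter

# Allowlist from the guide's Option 1 (203.0.113.0/24 is the example range).
ALLOWED_SOURCES = [ipaddress.ip_network("203.0.113.0/24")]
# The forward target from the rule specification (VMID 2501, Besu HTTP RPC).
RPC_DST = ("192.168.11.251", 8545)

# Constructed sample log lines (not real router output).
SAMPLE_LOG = """\
2026-01-04T10:00:01 fw ALLOW TCP src=203.0.113.7:51234 dst=192.168.11.251:8545 rule="ALI RPC"
2026-01-04T10:00:05 fw ALLOW TCP src=198.51.100.23:40001 dst=192.168.11.251:8545 rule="ALI RPC"
2026-01-04T10:00:06 fw ALLOW TCP src=198.51.100.23:40002 dst=192.168.11.251:8545 rule="ALI RPC"
2026-01-04T10:00:07 fw ALLOW TCP src=198.51.100.23:40003 dst=192.168.11.251:8545 rule="ALI RPC"
2026-01-04T10:00:09 fw ALLOW TCP src=203.0.113.9:51300 dst=192.168.11.251:8545 rule="ALI RPC"
2026-01-04T10:00:12 fw ALLOW TCP src=192.0.2.44:33333 dst=192.168.11.250:22 rule="SSH"
"""

LINE_RE = re.compile(
    r'src=(?P<src>[\d.]+):\d+ dst=(?P<dst>[\d.]+):(?P<dport>\d+) rule="(?P<rule>[^"]+)"'
)


def audit_rpc_log(text, allowed=ALLOWED_SOURCES, rule="ALI RPC"):
    """Return (connections per unexpected source, total RPC connections) for
    lines that matched the given rule and reached the RPC node. Sources outside
    the allowlist are counted so they can be alerted on or blocked."""
    unexpected = Counter()
    total = 0
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["rule"] != rule:
            continue  # not the port-forward rule we are auditing
        if (m["dst"], int(m["dport"])) != RPC_DST:
            continue  # rule name matched but traffic went elsewhere
        total += 1
        src = ipaddress.ip_address(m["src"])
        if not any(src in net for net in allowed):
            unexpected[str(src)] += 1
    return unexpected, total


if __name__ == "__main__":
    flagged, total = audit_rpc_log(SAMPLE_LOG)
    print(f"{total} connections to the RPC node via 'ALI RPC'")
    for src, n in flagged.most_common():
        print(f"  unexpected source {src}: {n} connection(s)")
```

Feed the real log export in place of `SAMPLE_LOG`; any source the script flags is a candidate for a router or firewall deny rule.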
### 4. Consider Cloudflare Tunnel (Preferred)
Instead of direct port forwarding, use Cloudflare Tunnel:
- Current endpoint: `https://rpc-http-prv.d-bis.org`
- Provides DDoS protection, SSL, and access control
- No router configuration needed
---
## 📊 Comparison: Direct Port Forward vs Cloudflare Tunnel
| Feature | Direct Port Forward | Cloudflare Tunnel |
|---------|-------------------|-------------------|
| **DDoS Protection** | ❌ No | ✅ Yes |
| **SSL/TLS** | ⚠️ Manual (Nginx) | ✅ Automatic |
| **IP Hiding** | ❌ Internal IP exposed | ✅ IP hidden |
| **Access Control** | ⚠️ Router/firewall rules | ✅ Cloudflare Access |
| **Configuration** | Router port forward rule | Cloudflare Tunnel config |
| **Monitoring** | Router logs only | Cloudflare analytics |
| **Cost** | Free (router feature) | Free tier available |
---
## 🎯 Current Architecture Recommendation
**Recommended Approach**: Continue using Cloudflare Tunnel
- ✅ Already configured and working: `https://rpc-http-prv.d-bis.org`
- ✅ Provides better security and DDoS protection
- ✅ No router configuration needed
- ✅ SSL/TLS handled automatically
**Direct Port Forwarding Use Cases**:
- Emergency access if Cloudflare Tunnel is down
- Specific applications that require direct IP access
- Testing and development
- Backup access method
---
## 📋 Summary
### Rule Configuration
- **Name**: ALI RPC
- **Destination**: 192.168.11.251:8545 (VMID 2501)
- **External Port**: 8545
- **Protocol**: TCP
- **Security**: ⚠️ Consider restricting source IPs and using secondary WAN IP
### Recommendation
- **Current**: Use Cloudflare Tunnel (`https://rpc-http-prv.d-bis.org`)
- ⚠️ **Direct Port Forward**: Use only if necessary, with security restrictions
- 🔐 **Security**: Enable IP allowlisting, use secondary WAN IP, monitor access
---
**Last Updated**: 2026-01-04
**Status**: Configuration Guide
**Current Access Method**: Cloudflare Tunnel (Recommended)