HA Remote access with cloudflare on a cellular network

I have a RPi3B that I’m starting to use for Home Assistant at my remote cabin.
I’m using a TP-Link TL-MR150 4G router, which works very well for ordinary WiFi-to-4G traffic.
I have installed HA on the RPi, and it works very well, locally.
I’m trying to use cloudflared for secure remote access, like I do at home on a fiber connection.
This doesn’t work well.
Cloudflared is installed and seems to work well, with a nice log. The dashboard at cloudflare.com also looks nice (at least to me, the total amateur).

Two problems/symptoms:

  1. When I try to access https://ha.xxxxx.no, I get a “400 bad request”.
    Is there some configuration on the router that I’m missing?
  2. I’m confused about the external IP address.
    Whatismyip.com on the local network gives me 89.8.xxx.yyy.
    The router itself says it has an external IP of 100.96.zzz.ccc (the TP-Link integration in HA also reports this one).
    Which one should I use in Cloudflare? I’ve tested both, getting the same 400 message.
    Is it an alternative to skip cloudflare and go unprotected?

100.96.zzz.ccc looks like CGNAT address.
CGNAT being Carrier Grade NAT, which means your ISP is running a router with NAT over its network, and just like you need to use port forwarding to get data through your own router, so does the ISP to get data from the internet to your router.

Very interesting! This explains a bit, but do you know how it can be fixed?
I found one solution Serving Web Services Behind CGNAT with Cloudflare Tunnel
but I’m not able to see how I can apply it
Are there DNS records that I have to add?
What IP should I use? The 100… or the 89…?

Suddenly it started working! Must have been some config mess.
I’m using the 89… address for my A record. Everything else is handled by cloudflare. I’m totally impressed by cloudflare/cloudflared!

Cloudflare is pretty good.
What they do here is make a VPN tunnel to their server and then open up the ports there.

The only other solution you would have is take the request to your ISP.
Sometimes they say no and then you have a fight to get through.
Other times they say yes, but you need to buy a static public IP and sometimes they charge insane prices for those.