azcomputerguru/claudetools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Session log: Cloudflare tunnel decommission + pfSense audit

Browse Source 
Decommissioned cloudflared tunnel, migrated 9 services to direct CF proxy,
removed ~22 stale pfSense rules and 22 unused aliases.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Mike Swanson
2026-04-21 07:27:59 -07:00
parent 597a94a584
commit 50140ac88c
1 changed files with 157 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

157
session-logs/2026-04-21-session.md
View File

@@ -117,3 +117,160 @@ Brian Kahn (briankahn.onmicrosoft.com), cuadro.design, Curtis Plumbing (cparizon
- **Onboarding script:** `D:/claudetools/.claude/skills/remediation-tool/scripts/onboard-tenant.sh`
- **Gotchas:** `D:/claudetools/.claude/skills/remediation-tool/references/gotchas.md`
- **Cascades vault:** `D:/vault/clients/cascades-tucson/m365-admin.sops.yaml`
---
## Update: 07:26 — Cloudflare Tunnel Decommission + pfSense Audit
### Summary
Decommissioned the Cloudflare tunnel (cloudflared Docker container on Jupiter), migrated all 9 tunneled services to direct Cloudflare proxy, and conducted a comprehensive pfSense audit removing ~40 stale config objects (NAT rules, filter rules, outbound NAT, IPsec, and aliases).
---
### Background: Why the Tunnel Was Created
A Cox routing issue caused Cloudflare-proxied services to route inefficiently (Cox → Cloudflare PoP → back to Cox WAN). The cloudflared tunnel was created as a workaround — it establishes an outbound connection from Jupiter to Cloudflare PoPs, so all proxied traffic flows through the tunnel rather than requiring port forwards.
---
### Cloudflared Container — DNS Fix
**Problem:** cloudflared container had no DNS servers configured (`[]`), causing it to use Docker's default resolver which couldn't reach `region1.v2.argotunnel.com`. This produced a `Failed to refresh DNS local resolver` timeout every 5 minutes, causing intermittent slowness.
**Fix:** Recreated container with explicit DNS:
```
--dns=1.1.1.1 --dns=1.0.0.1
```
Container startup confirmed clean after DNS fix.
**Tunnel ID:** `78d3e58f-1979-4f0e-a28b-98d6b3c3d867`
**Config location on Jupiter:** `/mnt/cache/appdata/cloudflared/config.yml`
---
### Cloudflare DNS Migration
**Key discovery:** pfSense has NO NAT rule for port 443 on primary Cox WAN IP (98.181.90.163). All port 443 rules are bound to specific 72.194.62.x IPs. Direct proxy to 98.181.90.163 gave 522 errors because of this.
**Solution:** Use 72.194.62.10 (which has an existing `443 → NPM:18443` NAT rule) as the target for NPM-backed services.
**Services migrated from tunnel CNAME → direct Cloudflare proxy A records:**
| Hostname | Old Target | New Target | Backend |
|---|---|---|---|
| git.azcomputerguru.com | tunnel CNAME | 72.194.62.10 | NPM → Jupiter:18443 |
| rmm.azcomputerguru.com | tunnel CNAME | 72.194.62.10 | NPM → Jupiter:18443 |
| rmm-api.azcomputerguru.com | tunnel CNAME | 72.194.62.10 | NPM → Jupiter:18443 |
| plexrequest.azcomputerguru.com | tunnel CNAME | 72.194.62.10 | NPM → Jupiter:18443 |
| sync.azcomputerguru.com | tunnel CNAME | 72.194.62.10 | NPM → Jupiter:18443 |
| azcomputerguru.com | tunnel CNAME | 72.194.62.5 | IX Web Hosting:443 |
| analytics.azcomputerguru.com | tunnel CNAME | 72.194.62.5 | IX Web Hosting:443 |
| community.azcomputerguru.com | tunnel CNAME | 72.194.62.5 | IX Web Hosting:443 |
| radio.azcomputerguru.com | tunnel CNAME | 72.194.62.5 | IX Web Hosting:443 |
All 9 services tested and confirmed working. Container then stopped and removed.
**Public IP layout (relevant):**
- `72.194.62.5` → IX Web Hosting server (172.16.3.10) via NAT
- `72.194.62.10` → NPM on Jupiter (172.16.3.20:18443) via NAT
- `98.181.90.163/31` — Primary Cox WAN, NO port 443 NAT rule
---
### pfSense SSH Access Fix
pfSense SSH was failing non-interactively with "Too many authentication failures" (SSH client tried multiple keys, hit MaxAuthTries before reaching id_ed25519).
**Fix:** Added `id_ed25519` public key to pfSense admin user via web GUI (port 4433). Had to include `webguicss=pfSense.css` and `dashboardcolumns=2` fields in the form POST to avoid theme validation errors.
**SSH command:** `ssh -o StrictHostKeyChecking=no -i C:/Users/guru/.ssh/id_ed25519 -p 2248 admin@172.16.0.1`
**Vault updated:** `D:/vault/infrastructure/pfsense-firewall.sops.yaml` — added `web_port`, `ssh_key`, `ssh_cmd` fields.
---
### pfSense Audit — Rules Removed
All removals were done by uploading PHP scripts via SCP, executing on pfSense, then reloading filter with `pfSsh.php playback svc restart filter`.
Config backup pattern: `/cf/conf/config.xml.bak-<description>-<timestamp>`
**Round 1 — TSM Network (dead server):**
- NAT: TSM Network HTTP forward (72.194.62.x → TSM)
- NAT: TSM Network HTTPS forward
- NAT: LDAP to DC16
- FILTER: Associated pass rules
**Round 2 — Neptune, IPsec, Gitea SSH, orphans:**
- NAT: Neptune Exchange HTTP/HTTPS forwards
- NAT: 172.16.3.25 wildcard forward
- NAT: 172.16.3.25 HTTP/HTTPS forwards
- NAT: Gitea SSH forward (72.194.62.x:22 → Jupiter) — superseded by Cloudflare proxy
- FILTER: All associated pass rules
- FILTER: Orphaned LDAP filter rule
- FILTER: Neptune pass rules
- IPSEC: Phase 1 + Phase 2 for 184.182.208.116 (Mike's house — no longer needed)
**Round 3 — Seafile:**
- NAT: 72.194.62.9 Seafile/Sync forward — Seafile desktop client uses sync.azcomputerguru.com (now via NPM on .10), not a dedicated IP; .9 rule was orphaned
- FILTER: Associated pass rule
**Round 4 — Neptune outbound NAT:**
- OUTBOUND NAT: NEPTUNE_Internal → 72.194.62.7 masquerade rule
**Round 5 — Neptune Exchange filter (missed in Round 2):**
- FILTER: Rule with destination NEPTUNE_Internal:Exchange_Ports (was a filter rule, not NAT — earlier script only checked NAT)
**Total rules removed: ~22 NAT/filter/IPsec rules**
---
### pfSense Audit — Aliases Removed (22)
```
All_Ports, EX1_Internal, Emby_Ports, Exchange_Ports, Exchange_VIP,
MailProtector_LDAP, NEPTUNE_Internal, Nextcloud_Local, NPM_Ports,
OwnCloud_Ports, RNAT_Webhost, RustDesk_Server, RustDesk_Server_Internal,
SpamIssue, Syslog, UNMS, Unifi_SSL, Unraid_Jupiter, Unraid_Sync,
VIP_NO_AUTODISCOVER, VPN_Ports, Webhost_Internal
```
**Remaining aliases (all active/valid):**
`Cloudflare`, `FiberGW`, `HTTP_HTTPS`, `ICE_Users`, `NPM_Server`, `Unifi_Server`, `Unifi_TCP`, `Unifi_UDP`, `Webhost_TCP`, `Webhost_UDP`, `Tailscale`, `TFTP Server`, `WireGuard`
---
### pfSense Items Investigated — Left Alone
| Item | Decision |
|---|---|
| Golden Corral (72.194.62.6 → 172.16.1.6, HTTP_HTTPS) | Leave as-is — live client, working, no RDP exposed (80/443 only) |
| 72.194.62.7 VIP ("MAIL/NEPTUNE") | Unused IP — no rules reference it; could remove VIP or reassign |
| `Cloudflare` alias | Unused — could apply to restrict WAN access to CF IPs only |
| Broad `pass tcp/udp any→any` WAN rule | Noted, not yet addressed |
| 72.194.62.4 → NPM:18443 ("Emby on Fiber") | Verified pointing to NPM, labeled correctly |
| OwnCloud VM (172.16.3.22) | NAT rule still valid — cloud.acghosting.com lives there |
---
### Infrastructure Reference
| Asset | Detail |
|---|---|
| pfSense | 172.16.0.1, SSH port 2248, HTTPS port 4433, admin user |
| pfSense config | `/cf/conf/config.xml` |
| Jupiter (Unraid) | 172.16.3.20 |
| NPM (Nginx Proxy Manager) | Jupiter:18443 (HTTPS), Jupiter:1880 (HTTP) |
| cloudflared | Stopped/removed — tunnel decommissioned |
| Primary Cox WAN | 98.181.90.163/31 — no port 443 NAT |
| Additional public IPs | 72.194.62.210, 70.175.28.5157 |
---
### Pending / Next Steps (Infrastructure)
1. **72.194.62.7 VIP** — decide: remove (Neptune gone) or repurpose
2. **Cloudflare alias** — consider applying to WAN rules to restrict to CF IPs only (security hardening)
3. **Broad WAN pass rule** — review and tighten if possible
4. **22 M365 tenants** — still need initial Tenant Admin consent (unchanged from earlier session)