You're one of the few channels that has given me a better outlook on my homelab and how to make it all tick. Many content creators only scratch the surface, but you manage to go in depth and explain how this is all set up, why it should be set up, the pros and cons, and specifics like what rules you should be setting up in your firewall. Keep up the great work!!

Very well explained. Thanks

Nice video mate. You explained it well and didn't go too far into the weeds. I'm keen to loop through your other videos. Keep making content!

Very good and important content! Thanks for making this video.

I've been using cloudflare for a while, but I couldn't figure out how to limit it to a few containers. What I really wanted was to find a way to limit docker to only use a single interface on my server, but it has proven impossible. It was possible to use incus to create a vm for docker to run in, and that could be limited. However it feels a little cumbersome. Your video really helped me find the right solution using macvlan. 👍

Thank you for such a clear and succinct explanation. This has been most helpful!

Christian is doing some very good work but so do you James. clear video's also the good stuff i want to learn

Great video! Thanks for reaching me how to secure my self hosted server!

Like the way your explain everything in your videos. Keep up the good work.

Thanks for the demo and info, have a great day

Thanks a lot, this is what I was looking for, you did such a great job explaning things clear and precisely, keep up the good work sir!

Amazing video, thanks for your work.

I had also this concern about the "privacy" of these services when they became available! Mac-Vlans are pretty powerful feature! Thanks for the solution and the fantastic tutorial!

Great video, thank you!

Just wanted to pop in and say awesome series - this has really made all the difference in my homelab journey. Thanks and keep up the good work! Question - does this still have value if you already host all your external accessible apps on a DMZ?

excellent tutorial regarding added security. i’ll be adding mac vlan soon to my setup soon. i might also add 2fa and sso using authelia.

Just implemented this for my cloudflare tunnel. great content. so easy to understand!

my biggest complaint with all the "How to" videos is the fact that no one talks about TLS and the importance of the Origin cert.

Thanks! Nice video a very well explained.

Thank you, exactly what I was looking for! Great info and points here!

By the way, as I said, I don't use docker, but debian. The virtual machine is located in virtualbox, which is installed on windows 10. Because when I used docker, I couldn't figure out how to set up a network connection. Rather, I did not understand why there is no connectivity between the docker, which is installed on the Ubuntu virtual machine and the local network. The virtual machine was also on virtualbox, ubuntu was installed, there was a docker in it. There was connectivity between Ubuntu and the local network, there was a connection between docker and Ubuntu - the network worked. But there is no connection between docker and LAN. I couldn't ping or anything. It was as if Docker was isolated. That's why I used debian, because it's very simple there. Just one team.

Thanks for the video, good content! Now correct me if I'm wrong, but using this technique will allow me to block all traffic that is not using a FQDN (i.e. IP scanners) if I disable normal port forwarding on the my UDM SE firewall and then open ports for the incoming traffic from the Cloudflare tunnel? If so, is there any other way that I could accomplish that without using Cloudflare tunnels? Alt. provider of similar functionality, or with some firewall configuration...? Or is this a unique combination of functionality?

Can you make a guide on adding these firewall rules in OPNsense? They are vastly different and don't seem to correlate with the ones you entered in sophos.

Very interesting video. Now I have to realize how setup this without docker, as I installed CF tunnel for a Jellyfin service hosted in my proxmox server. I wonder if proxmox firewall could also be used for this. 🤔

Great tutorial! However at 02:38 you mentioned not getting the visitor IP through the tunnel, is this not still exposed via the Cf-Connecting-Ip HTTP header similar to when using a standard Cloudflare proxy without the tunnel?

I've used Cloudflare tunnels before and it's too easy to setup. Unaware users don't know what security layers they lost... I'd rather use nginx rproxy over a VPN into a VPS.

Thank you for the video, this is truly amazing. I just have one question. Would it be better if I also run my application docker client from within the macvlan and assign it its own ip? that way their network would be entirely isolated and I wouldn't have to make any rules in the firewall.

Newbie to networking and docker here! For this to work i assume i need to create a Vlan interface in the firewall for vlan 4 to act as a gateway for vlan memebers right? And does the switchport connected to the docker host must be configured as a trunkport to accept vlan 4 (cloudflare tunnel docker) and the watherver vlan the host is part of? Thank you for this video.

mm wouldnt a another option be to limit access to your web domains. I have setup limited access to my sub domains to two locations. Ill never be in AUS or Fiji accessing my sub domains.

Again, great video Jim. My cloudflare container do not get the ip. Running "ip add" it shows no ipv4. Any help?

Watched it like 20 times and still can't recreate it. I just left it unsecure, bought a backup server that I sync once a week and keep it offline. If I get hacked, I just wipe it and bring up my backup server. Simples.

I hope 5 Months on you progressed a little towards a "Makro KZbin Career" 😇🤪

Dear Jim, looking at your network topology, after ISP modem, what firewall are you using? Hardware or software ?

Great video and lovely of you to give Christian a shout-out. Have you thought about collabing with him or any of the other homelab tech youtubers (TechnoTim, LawrenceSystems, LearnLinuxTV etc.)?

Interesting! What are your thoughts on a CF Application in front of a CF Tunnel? I that putting too many eggs in one basket?

Thank you! ❤🍕

Would you recommend using this set up or a DDNS with a reverse proxy for a homelab?

why is the parent interface enp6s18.4...what's the .4 part? It looks like you're naming it macvlan4, but you're not assigning it a vlan ID. How's this a vlan?

I appreciate your videos! You have been a lot of help on my journey. However, this isn't working for me. In my Sophos log, I see the my rule being used, and the traffic gets routed to the correct IP. However, it seems to end there. My Traefik access logs don't show any entries. So the traffic is being dropped somewhere between my firewall and the Traefik container. Any troubleshooting advice? I feel like somehow I am losing the name resolution, so Traefik ignores it. But I don't know how to check for that.

Are you running this along side the pihole/cloudflare you showed in an earlier video? Tried this but kept getting errors on the 2nd cloudflare container

How would you set something similar on a cloud where you don't have the possibility to filter the traffic between devices (like hetzner)? Any way to achieve something similar with subnets?

Can you please elaborate on why we needed to do this? The cloudlfare tunnel only communicates to your portainer instance at 192.168.200.X anyway no?

Can I ask something? if I run the docker-compose with maclan configuration, the cloudflare tunnel will be down. is that right?

Really interesting video! Seems like Cloudflare tunnel is not the solution I was hoping for. I just need the option to grant different specific external people access to very specific devices of my home network (with 2FA/passkey etc.) . Do you know of a solution that is halfway user friendly (as near to plug and play as possible)? Thanks a lot!

What do you think about Cloudflare authentication for the tunnel versus this option?

Any chance you know how to add the macvlan when docker is running rootless?

http_status, bastion -what is it? By the way, CF has the ability to install rdp on windows, and in the tunnel settings, choose an rdp tunnel, do you have a video or instructions on how to do this and how to secure such a tunnel?

Dude aewesome video. Iknow it’s lots of work but could you make a tutorial of implementing this on a casaos environment? I have one server with all my apps and I want to set another one to run firewall tunnels and monitoring. As I’m not a security professional I need more details on it lol.if you can point ,e to a tutorial or create one would be amazing

But the problem here is, what to do, where to start? I was also looking into Cloudflare, and thought it was safe. But now you put an extra layer on top of it. And you’re even having Traefik (I think it was?) also?? I’m confused. What to do? Where to start? And end?!

What is unix/unix+tls? I don't understand the logic of the work, why is it necessary?

Would adding a user defined bridge network be just as secure? I have my cloudflare docker on a bridge network that only communicates with Traefik. All of my docker services have their own user defined bridge network that communicates with Traefik. The goal is that none of my services can be aware of the others and that all traffic must go through Traefik with crowdsec monitoring. Is there a flaw in my understanding of these bridge networks?

i html-only website, should i be fine without securing the tunnel?

I too use an XG firewall, i have CF tunnel working with Nginx. Unfortunately when i put the tunnel on it own vlan the tunnel now report error TLS handshake timeout, cannot reach origin server. I have the firewall rule setup to allow traffic from the tunnel vlan to NPM vlan just like the video. I can ping my Nginx proxy from the tunnel vlan. Not sure why its not working when they are on separate vlan.

What is smb? I know that this is a protocol for a local network to share files. But how does it work through the tunnel? As far as I know, smb is very critical of delays. At least it works very slowly through the VPN, even though the VPN channel is quite high-speed.

I love the video, but I can't seem to match up your process with my pfSense fw.

Good video,but I really hate, very much any background music, why in the world would anyone need this?

When you say you're punchunig a hole in your home security, do you understand that no one has any security rather than anything standard included. And I don't even know if anything is included in macos by default

I have an internal reverse proxy (traefik) that routes all of my internal hosts by name i.e: proxmox.local.home.lan docker.local.home.lan portainer.local.home.lan Which is great as I don't have to put in port numbers or anything and everything all the time is https even inside my network. Is it more secure to point my cloudflare tunnel at one of those? In other words I would like to set this up exactly as you have outlined here (great job by the way) but not go to the actual server just go to my interal proxy. Is this better? Does cloudflare still see my traffic this way?

Really excellent job explaining. You can’t explain everything in one video and everyone is on a different part of the learning journey. You approach that challenge intentionally by adding brief explanations for each component and referencing other content for further explanation. Well done, sir.