Tunnel endpoint IP is excluded from tunnel?

TL;DR: One IP address that should be included in a tunnel is instead routed to the local default route. All others are tunneled as expected. This behavior started suddenly 3 days ago after working as expected for almost a month. macOS WARP client.

I have a tunnel set up with a pair of hosts running cloudflared for redundancy. I am running WARP ZT on macOS for the client side. It's all working as expected with one exception: 3 days ago direct ssh to one of the tunnel hosts (tunnel2) stopped connecting. The other (tunnel1) is still accessible and I can reach and examine tunnel2 by logging into tunnel1 and then across to tunnel2. What I see if I traceroute to it is that the IP is excluded from the tunnel despite no exclude rule for the host or IP address:
traceroute 10.193.130.52
traceroute to 10.193.130.52 (10.193.130.52), 64 hops max, 40 byte packets
1 192.168.2.1 (192.168.2.1) 1.772 ms 0.415 ms 0.299 ms
2 192.168.1.1 (192.168.1.1) 0.751 ms 0.930 ms 0.830 ms
3 lo0-100.bstnma-vfttp-339.verizon-gni.net (71.174.61.1) 2.045 ms 1.831 ms 1.688 ms
While the other tunnel host gets one traceroute response (because the tunnel doesn't pass ICMP):
traceroute 10.193.130.50
traceroute to 10.193.130.50 (10.193.130.50), 64 hops max, 40 byte packets
1 162.158.10.107 (162.158.10.107) 5.845 ms 4.189 ms 5.011 ms
As far as I can tell the tunnel daemons are working fine, the tunnel service and the network profile are fine, and all the users are happy. When I try to ping tunnel2 I get a different response than tunnel1. (tunnel1 gets a response from
2 Replies
markllama•4mo ago
SIGH. I figured it out I think. The excluded destination address is the IP I configured for a known network beacon host. If that was accessible from my home network it would look like I was at that destination so it's blocked. I need to create another IP on the destination network for the beacon so they don't conflict.
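The explanation above (a managed-network beacon configured on the same IP as a tunnel host, so the client carves that address out of the tunnel and routes it locally) can be checked before it bites. The following is an added example, not code from the thread or from Cloudflare: it takes a list of split-tunnel include routes and beacon hosts, flags any beacon whose address falls inside a tunneled range, and classifies a traceroute by whether the first hop is a private local gateway (traffic left the tunnel) or a remote edge address (traffic entered the tunnel). The include route, beacon name and traceroute samples are constructed to mirror the thread; the first-hop heuristic is an assumption, not a WARP diagnostic.

```python
import ipaddress
import re

# Constructed sample config (assumption: the tunnel advertises this /24 and the
# managed-network beacon was configured on tunnel2's address, as in the thread).
INCLUDE_ROUTES = ["10.193.130.0/24"]
BEACON_HOSTS = {"office-beacon": "10.193.130.52"}

# Constructed traceroute samples, copied in shape from the thread's output.
TRACE_TUNNEL2 = """traceroute to 10.193.130.52 (10.193.130.52), 64 hops max, 40 byte packets
 1  192.168.2.1 (192.168.2.1)  1.772 ms  0.415 ms  0.299 ms
 2  192.168.1.1 (192.168.1.1)  0.751 ms  0.930 ms  0.830 ms
"""
TRACE_TUNNEL1 = """traceroute to 10.193.130.50 (10.193.130.50), 64 hops max, 40 byte packets
 1  162.158.10.107 (162.158.10.107)  5.845 ms  4.189 ms  5.011 ms
"""


def beacon_route_conflicts(include_routes, beacon_hosts):
    """Return (beacon, ip, route) for every beacon whose IP sits inside an
    include route. A beacon must be reached over the local network (that is
    how the client decides it is 'on site'), so an address that is both a
    beacon and a tunneled host cannot be reached through the tunnel."""
    nets = [ipaddress.ip_network(r) for r in include_routes]
    conflicts = []
    for name, ip in beacon_hosts.items():
        addr = ipaddress.ip_address(ip)
        for net in nets:
            if addr in net:
                conflicts.append((name, ip, str(net)))
    return conflicts


# Matches a hop line such as " 1  192.168.2.1 (192.168.2.1)  1.772 ms ..."
HOP_RE = re.compile(r"^\s*(\d+)\s+\S+\s+\(([\d.]+)\)")


def first_hop(traceroute_text):
    """Return the IP of the first responding hop, or None if no hop replied."""
    for line in traceroute_text.splitlines():
        m = HOP_RE.match(line)
        if m:
            return m.group(2)
    return None


def classify_first_hop(traceroute_text):
    """Heuristic (assumption): a private first hop means the packet went out
    the local default route; a public first hop means it entered the tunnel."""
    hop = first_hop(traceroute_text)
    if hop is None:
        return "no-response"
    if ipaddress.ip_address(hop).is_private:
        return "local-gateway"
    return "remote-edge"


if __name__ == "__main__":
    for name, ip, net in beacon_route_conflicts(INCLUDE_ROUTES, BEACON_HOSTS):
        print(f"beacon {name} ({ip}) overlaps tunnel route {net}: move it to a non-tunneled IP")
    print("tunnel2:", classify_first_hop(TRACE_TUNNEL2))
    print("tunnel1:", classify_first_hop(TRACE_TUNNEL1))
```

Run it against your own include routes and beacon list; any line printed by the first loop is an address that will look "excluded" exactly as in the traceroute above, and the fix is the one given in the reply: give the beacon its own address outside the tunneled ranges.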
Jan Koch•3mo ago
Do you have a starting point for me on configuring the IP address a tunnel publicly uses? Sounds like you've figured that out; I'm still trying to understand how that works 🙂