NAT to CloudFlare


As we all know, NAT machines are often easily overlooked because many users share one IPv4 address. Therefore, it is usually necessary to use Cloudflare for assistance. However, many beginners are confused about how to use Cloudflare, and even experienced users may not be very familiar with some new features of Cloudflare. Some friends have also found that their NAT service provider's IPv6 address is provided by Hurricane Electric. In the early years, Cloudflare completely banned HE's IPv6 network segment to avoid abuse of the "cf-he" access method, so it lost the possibility of using the first method mentioned below. However, in this case, it is still possible to successfully use Cloudflare, but many people are not aware of it. Therefore, here is a summary of "using Cloudflare".

Using Cloudflare is actually a very colloquial term, which means using Cloudflare as a CDN. When initiating an HTTP(S) request, it is first accepted by Cloudflare and then forwarded to the NAT server. Considering that Cloudflare is a network infrastructure and its impact on being overlooked is too complex, it is difficult to directly address this issue.

Why is it difficult to use Cloudflare with NAT machines? Many people are used to directly accessing Cloudflare with the public IPv4 of a VPS. However, NAT does not have an IPv4 and cannot directly access it. Some service providers offer IPv6-only servers, which means they do not have an IPv4 address and require special treatment. For different situations, there are several alternative strategies.

Using IPv6 Access#

The most common method is to use IPv6 access, which means adding AAAA records. Common NAT vendors (such as gullo/webhorizon/, etc.) provide NAT v4 + independent IPv6 addresses. Therefore, although direct access using the shared IPv4 ports 80/443 is not possible, independent IPv6 access can be used because IPv6 allows the use of all ports. The following image shows a successful connection.


This method of access is the easiest to think of and is also a very stable solution. However, there are several situations where this method cannot be used:

  • If the vendor's IPv6 network is Hurricane Electric, CF prohibits access. For example, in some areas of gullo (such as New York).
  • The vendor does not provide IPv6 addresses, such as the recently popular khanwebhost.

Using Origin Rules#

As we all know, NAT servers are called NAT servers because they share IPv4 addresses, and each person can only use a portion of the ports. So can we use these ports for access? Half a year ago, the answer may have been no because Cloudflare supported very few non-standard ports, and they were all low-numbered ports, while the port numbers of NAT service providers are generally above 10000, making it difficult to use the non-standard ports supported by CF. However, this year Cloudflare has opened up their Origin Rules for free, allowing us to use any port to access the CF network. The configuration is as follows:

Note that the local HTTP server (such as Nginx) on the VPS needs to listen on the corresponding non-standard port.

Using Domain Forwarding by the Service Provider + Cloudflare Access#

Generally speaking, NAT machine service providers provide a service called domain forwarding, which simply means that the host machine listens on the public ports 80/443 and forwards the requests to the corresponding NAT VPS instance's internal network address based on the received domain name (host/SNI).

This idea is good, but the problem is that many of the public addresses used to listen on ports 80/443 have died. Even so, this does not affect our access to Cloudflare using ports 80/443. We can still use Cloudflare to add A records to the IPv4 addresses of these host machines and then add domain forwarding rules in the service provider's panel.

Note that the local HTTP server (such as Nginx) on the VPS needs to listen on the corresponding internal network address.


Using Non-Standard Ports Allowed by Cloudflare#

Cloudflare officially supports a series of non-standard web ports for access. If your IPv4 is being overlooked but you still want to access it, in addition to the two methods mentioned above, you can also use the non-standard ports allowed by Cloudflare. The specific ports that can be used are as follows:
So you may ask, these ports are not open by my NAT machine service provider, what should I do?

In addition to providing domain mapping, NAT service providers also provide port mapping. You can forward the non-standard ports supported by CF to the internal IP, then use CF to add A records for resolution, and finally use the non-standard ports to access your domain to achieve the goal. However, this method seems to be relatively cumbersome and can be considered as a backup plan.

Using Cloudflare Argo Access#

Finally, in some cases, the service provider does not provide public IPv4/IPv6, such as Pikapods' container service. In this case, you can use Cloudflare Argo for access.

Ownership of this post data is guaranteed by blockchain and smart contracts to the creator alone.