Cloudflare tunnels on custom ports

Hi All. I have just set up my first Cloudflare tunnel and it is working for standard http to a site with no special ports. However, if I try and connect to a site hosted on my network on 8998, this fails to connect. Can anyone help me?

I have the tunnel up and running, this is working for a standard site on port 80 but nothing else on a custom port.

Thanks,

Hal

Hi, I also have a similar issue, I’m able to get websites working from ports 80 and 443 but nothing else. Looking to use 25 and 587 with MS Exchange.

Cloudflare’s Tunnels use Cloudflare’s normal Proxy, which only supports proxying HTTP Traffic.

If you want to use non-http applications over your tunnel, you would have to install and use some client software. For Arbitrary TCP you can use cloudflared. You can use Private Networking with WARP for any TCP/UDP Application.

For your mail server, which presumably isn’t just a relay and is supposed to receive mail from the outside, Tunnels won’t work. Cloudflare does have other products such as Spectrum, with Enterprise, which could protect any arbitrary TCP/UDP application, including SMTP, as well as Cloudflare Magic Transit. There is no special integration they have with Tunnels though as far as I know, and that would only be possible with Enterprise.

(to @andy29)
You are trying to set up a tunnel pointing at a service on your network running on port 8998? As long as it is HTTP, Tunnels can do this without issue.
What specific error do you get when doing it?
Can the machine running on the tunnel reach it? i.e. curl service-ip:8998
It might be worth noting that if you configure a Public Hostname (GUI) or an ingress config (CLI) to point at a specific service running on port 8998, you would just use normal port 80/443 to reach it via Cloudflare. That is to say, you can configure your tunnel to proxy an HTTP web server at an arbitrary port, and you would reach it normally via the public hostname you set up for it, example.com, without needing to specify any port.
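
The ingress setup described in the reply above, written out as a cloudflared configuration file. This is an added example, not part of the original thread; the tunnel ID, credentials path, hostnames and the 192.0.2.10 origin address are placeholders.

```yaml
# config.yml for cloudflared on the machine that runs the tunnel (constructed example).
# <TUNNEL-UUID>, the credentials path, both hostnames and 192.0.2.10 are placeholders.
tunnel: <TUNNEL-UUID>
credentials-file: /etc/cloudflared/<TUNNEL-UUID>.json

ingress:
  # HTTP origin listening on a custom port.
  # Visitors browse to https://app.example.com on the normal port 443;
  # port 8998 is only used between cloudflared and the origin, so it
  # never has to be opened on the firewall or typed into the URL.
  - hostname: app.example.com
    service: http://192.0.2.10:8998

  # Non-HTTP origin (here SMTP submission on 587).
  # Cloudflare's proxy cannot route this for ordinary visitors, so it is
  # reachable only from clients that run cloudflared themselves, e.g.:
  #   cloudflared access tcp --hostname smtp.example.com --url localhost:587
  # Other mail servers on the internet cannot deliver mail this way.
  - hostname: smtp.example.com
    service: tcp://192.0.2.10:587

  # Mandatory last rule: anything that matches no hostname above gets a 404
  # instead of being forwarded to an internal service by accident.
  - service: http_status:404
```

Running `cloudflared tunnel ingress validate` on the tunnel host checks the rules before the tunnel is restarted.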

Ok, so routing mail through the tunnels isn’t possible? Support made this sound possible but couldn’t help point me in the right direction. With WARP isn’t it using a tunnel? So what makes that different? Thank you for your help thus far!

It depends what you are trying to do.

If you want a publicly accessible Mail Server exposed via a Tunnel, that anyone can access without running anything on their machines like cloudflared or WARP, then that wouldn’t be possible.

Software on the client like WARP or cloudflared is required as otherwise Cloudflare would need to assign each Tunnel a unique IP, or have some other protocol-specific way to tell which connection needs to connect to which host, like they do with HTTP. By running WARP or cloudflared on the client, you are providing that missing piece.

(Just to clarify, by “Client” I mean a machine/computer which wants to connect to your service behind a tunnel)

If your mail server is purely a relay, and for example, your use case is just having your employees connect to WARP, and communicate with the mail server over Private Networking, which sends mail out, then that would be fine. But if you wanted your Exchange server to be able to receive mail from email servers like Gmail, Tunnels alone cannot expose it that way.

Like I said though, if you are Enterprise, Cloudflare Spectrum or Magic Transit should be able to protect & reverse proxy any TCP/UDP application. I do not know of any special integration they have with Tunnels though that would allow you to integrate the two.