Unable to access local network using tunnel

Hello,
i have set up cloudflared in docker on synology NAS, tunnel is working fine for the ingress rules and i am able to access my web page running on NAS from the internet.
But i am not able to access my local network.
i have:
warp-routing:
enabled: true
In the log i can see:
Warp-routing is enabled
I have followed this tutorial: https://developers.cloudflare.com/cloudflare-one/tutorials/warp-to-tunnel
The only unclear thing is:
Make sure HTTP traffic filtering is enabled. This lets Cloudflare proxy your private IP ranges to corresponding Cloudflare Tunnels.
No idea where to enable the HTTP traffic filtering.

1 Like

Hello,

I think the documentation can help you out here: https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/private-net#before-you-start

It seems i have done it correctly.


Route is set.
In the split tunnel settings i have deleted all ip ranges.
If i am in the local network, i am able to access my local services with vpn enabled.
cloudflare.com/cdn-cgi/trace:
fl=31f59 h=[www.cloudflare.com](http://www.cloudflare.com/) ip=[{redacted} 2](http://{redacted}/) ts=1644578656.704 visit_scheme=https uag=Mozilla/5.0 (Linux; Android 12; SM-G970F) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/{redacted} Mobile Safari/537.36 colo=PRG http=http/2 loc=CZ tls=TLSv1.3 sni=plaintext warp=on gateway=on

I’ve taken a quick look and I can see we’re sending both TCP and UDP down to your cloudflared tunnel.
So from the edge’s perspective, it seems to be working.

Have you checked your cloudflared tunnel logs? Maybe they will evidence the problem.

1 Like

If i disable the ingress rules, there is nothing in the cloudflared log.
When accessing local page via vpn it is saying: Your connection was interrupted. A network change was detected.

date stream content
2022-02-11 11:57:01 stdout e[90m2022-02-11T11:57:01Ze[0m e[32mINFe[0m Connection 43f4036f-cb5d-4f3c-9373-3a4fcb31ebcb registered e[36mconnIndex=e[0m3 e[36mlocation=e[0mPRG
2022-02-11 11:57:01 stdout e[90m2022-02-11T11:57:01Ze[0m e[33mDBGe[0m rpcconnect: tx (finish = (questionId = 1, releaseResultCaps = false))
2022-02-11 11:57:01 stdout e[90m2022-02-11T11:57:01Ze[0m e[33mDBGe[0m rpcconnect: rx (return = (answerId = 1, releaseParamCaps = false, results = (content = , capTable = )))
2022-02-11 11:57:00 stdout e[90m2022-02-11T11:57:00Ze[0m e[33mDBGe[0m rpcconnect: tx (finish = (questionId = 0, releaseResultCaps = false))
2022-02-11 11:57:00 stdout e[90m2022-02-11T11:57:00Ze[0m e[33mDBGe[0m rpcconnect: rx (return = (answerId = 0, releaseParamCaps = false, results = (content = , capTable = [(senderHosted = 0)])))
2022-02-11 11:57:00 stdout e[90m2022-02-11T11:57:00Ze[0m e[33mDBGe[0m rpcconnect: tx (call = (questionId = 1, target = (promisedAnswer = (questionId = 0, transform = )), interfaceId = 17804583019846587543, methodId = 0, allowThirdPartyTailCall = false, params = (content = , capTable = ), sendResultsTo = (caller = void)))
2022-02-11 11:57:00 stdout e[90m2022-02-11T11:57:00Ze[0m e[33mDBGe[0m rpcconnect: tx (bootstrap = (questionId = 0, deprecatedObjectId = ))
2022-02-11 11:57:00 stdout e[90m2022-02-11T11:57:00Ze[0m e[33mDBGe[0m Connecting via http2 e[36mconnIndex=e[0m3
2022-02-11 11:57:00 stdout e[90m2022-02-11T11:57:00Ze[0m e[33mDBGe[0m edgediscovery - GetDifferentAddr: Giving connection its new address e[36mconnIndex=e[0m3
2022-02-11 11:57:00 stdout e[90m2022-02-11T11:57:00Ze[0m e[32mINFe[0m Connection 65696e2b-a160-41ad-af09-508726503c7b registered e[36mconnIndex=e[0m2 e[36mlocation=e[0mVIE
2022-02-11 11:57:00 stdout e[90m2022-02-11T11:57:00Ze[0m e[33mDBGe[0m rpcconnect: tx (finish = (questionId = 1, releaseResultCaps = false))
2022-02-11 11:57:00 stdout e[90m2022-02-11T11:57:00Ze[0m e[33mDBGe[0m rpcconnect: rx (return = (answerId = 1, releaseParamCaps = false, results = (content = , capTable = )))
2022-02-11 11:56:59 stdout e[90m2022-02-11T11:56:59Ze[0m e[33mDBGe[0m rpcconnect: tx (finish = (questionId = 0, releaseResultCaps = false))
2022-02-11 11:56:59 stdout e[90m2022-02-11T11:56:59Ze[0m e[33mDBGe[0m rpcconnect: rx (return = (answerId = 0, releaseParamCaps = false, results = (content = , capTable = [(senderHosted = 0)])))
2022-02-11 11:56:59 stdout e[90m2022-02-11T11:56:59Ze[0m e[33mDBGe[0m rpcconnect: tx (call = (questionId = 1, target = (promisedAnswer = (questionId = 0, transform = )), interfaceId = 17804583019846587543, methodId = 0, allowThirdPartyTailCall = false, params = (content = , capTable = ), sendResultsTo = (caller = void)))
2022-02-11 11:56:59 stdout e[90m2022-02-11T11:56:59Ze[0m e[33mDBGe[0m rpcconnect: tx (bootstrap = (questionId = 0, deprecatedObjectId = ))
2022-02-11 11:56:59 stdout e[90m2022-02-11T11:56:59Ze[0m e[33mDBGe[0m Connecting via http2 e[36mconnIndex=e[0m2
2022-02-11 11:56:59 stdout e[90m2022-02-11T11:56:59Ze[0m e[33mDBGe[0m edgediscovery - GetDifferentAddr: Giving connection its new address e[36mconnIndex=e[0m2
2022-02-11 11:56:59 stdout e[90m2022-02-11T11:56:59Ze[0m e[33mDBGe[0m rpcconnect: tx (finish = (questionId = 1, releaseResultCaps = false))
2022-02-11 11:56:59 stdout e[90m2022-02-11T11:56:59Ze[0m e[32mINFe[0m Connection a96ed52d-b89f-4fd7-ae41-741081022018 registered e[36mconnIndex=e[0m1 e[36mlocation=e[0mFRA
2022-02-11 11:56:59 stdout e[90m2022-02-11T11:56:59Ze[0m e[33mDBGe[0m rpcconnect: rx (return = (answerId = 1, releaseParamCaps = false, results = (content = , capTable = )))
2022-02-11 11:56:58 stdout e[90m2022-02-11T11:56:58Ze[0m e[33mDBGe[0m rpcconnect: tx (finish = (questionId = 0, releaseResultCaps = false))
2022-02-11 11:56:58 stdout e[90m2022-02-11T11:56:58Ze[0m e[33mDBGe[0m rpcconnect: rx (return = (answerId = 0, releaseParamCaps = false, results = (content = , capTable = [(senderHosted = 0)])))
2022-02-11 11:56:58 stdout e[90m2022-02-11T11:56:58Ze[0m e[33mDBGe[0m rpcconnect: tx (call = (questionId = 1, target = (promisedAnswer = (questionId = 0, transform = )), interfaceId = 17804583019846587543, methodId = 0, allowThirdPartyTailCall = false, params = (content = , capTable = ), sendResultsTo = (caller = void)))
2022-02-11 11:56:58 stdout e[90m2022-02-11T11:56:58Ze[0m e[33mDBGe[0m rpcconnect: tx (bootstrap = (questionId = 0, deprecatedObjectId = ))
2022-02-11 11:56:58 stdout e[90m2022-02-11T11:56:58Ze[0m e[33mDBGe[0m Connecting via http2 e[36mconnIndex=e[0m1
2022-02-11 11:56:58 stdout e[90m2022-02-11T11:56:58Ze[0m e[33mDBGe[0m edgediscovery - GetDifferentAddr: Giving connection its new address e[36mconnIndex=e[0m1
2022-02-11 11:56:58 stdout e[90m2022-02-11T11:56:58Ze[0m e[32mINFe[0m Connection ddba6fb7-db85-4f1f-bf4a-0449ad42cdaa registered e[36mconnIndex=e[0m0 e[36mlocation=e[0mVIE
2022-02-11 11:56:58 stdout e[90m2022-02-11T11:56:58Ze[0m e[33mDBGe[0m rpcconnect: tx (finish = (questionId = 1, releaseResultCaps = false))
2022-02-11 11:56:58 stdout e[90m2022-02-11T11:56:58Ze[0m e[33mDBGe[0m rpcconnect: rx (return = (answerId = 1, releaseParamCaps = false, results = (content = , capTable = )))
2022-02-11 11:56:57 stdout e[90m2022-02-11T11:56:57Ze[0m e[33mDBGe[0m rpcconnect: tx (finish = (questionId = 0, releaseResultCaps = false))
2022-02-11 11:56:57 stdout e[90m2022-02-11T11:56:57Ze[0m e[33mDBGe[0m rpcconnect: rx (return = (answerId = 0, releaseParamCaps = false, results = (content = , capTable = [(senderHosted = 0)])))
2022-02-11 11:56:57 stdout e[90m2022-02-11T11:56:57Ze[0m e[33mDBGe[0m rpcconnect: tx (call = (questionId = 1, target = (promisedAnswer = (questionId = 0, transform = )), interfaceId = 17804583019846587543, methodId = 0, allowThirdPartyTailCall = false, params = (content = , capTable = ), sendResultsTo = (caller = void)))
2022-02-11 11:56:57 stdout e[90m2022-02-11T11:56:57Ze[0m e[33mDBGe[0m rpcconnect: tx (bootstrap = (questionId = 0, deprecatedObjectId = ))
2022-02-11 11:56:57 stdout e[90m2022-02-11T11:56:57Ze[0m e[33mDBGe[0m Connecting via http2 e[36mconnIndex=e[0m0
2022-02-11 11:56:57 stdout e[90m2022-02-11T11:56:57Ze[0m e[33mDBGe[0m edgediscovery - GetAddr: Giving connection its new address e[36mconnIndex=e[0m0
2022-02-11 11:56:57 stdout e[90m2022-02-11T11:56:57Ze[0m e[33mDBGe[0m looking up edge SRV record e[36mdomain=e[0m_origintunneld._tcp.argotunnel.com
2022-02-11 11:56:57 stdout e[90m2022-02-11T11:56:57Ze[0m e[32mINFe[0m Starting metrics server on 127.0.0.1:45756/metrics
2022-02-11 11:56:57 stdout e[90m2022-02-11T11:56:57Ze[0m e[32mINFe[0m Initial protocol http2
2022-02-11 11:56:57 stdout e[90m2022-02-11T11:56:57Ze[0m e[32mINFe[0m Warp-routing is enabled
2022-02-11 11:56:57 stdout e[90m2022-02-11T11:56:57Ze[0m e[32mINFe[0m Generated Connector ID: 94a8f620-7339-4332-b2a0-c0efee0a0c81
2022-02-11 11:56:57 stdout e[90m2022-02-11T11:56:57Ze[0m e[32mINFe[0m cloudflared will not automatically update when run from the shell. To enable auto-updates, run cloudflared as a service: https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/run-tunnel/run-as-service
2022-02-11 11:56:57 stdout e[90m2022-02-11T11:56:57Ze[0m e[32mINFe[0m Settings: map[config:/home/nonroot/.cloudflared/syno.yaml cred-file:/home/nonroot/.cloudflared/b5a8d28d-b588-436e-bf79-68968389a6db.json credentials-file:/home/nonroot/.cloudflared/b5a8d28d-b588-436e-bf79-68968389a6db.json loglevel:trace no-autoupdate:true proto-loglevel:trace transport-loglevel:trace]
2022-02-11 11:56:57 stdout e[90m2022-02-11T11:56:57Ze[0m e[32mINFe[0m GOOS: linux, GOVersion: go1.17.1, GoArch: amd64
2022-02-11 11:56:57 stdout e[90m2022-02-11T11:56:57Ze[0m e[32mINFe[0m Version 2022.2.0
2022-02-11 11:56:57 stdout e[90m2022-02-11T11:56:57Ze[0m e[32mINFe[0m Starting tunnel e[36mtunnelID=e[0mb5a8d28d-b588-436e-bf79-68968389a6db

One thing noteworthy is that I saw UDP proxying to private IPs, but for that to work, you must use quic transport in the cloudflared tunnel “protocol” property as noted in https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/private-net/private-hostnames-ips#update-cloudflared

If you run with loglevel: debug in your tunnel, you should see it receive TCP and UDP accesses to your private IPs and Ports.

config: protocol: quic
log: INF Initial protocol quic
But there is nothing in the log about private IPs

So now it started working on windows PC.
Android phone still does not work.

I’m having the same problem. As far as I can tell everything is configured correctly but the split tunnel doesn’t work.

I also had trouble finding this setting as it’s labelled differently in the UI. A link to the relevant setting or a screenshot in this note box would be helpful.