Cloudflare tunnels vs MikroTik open ports

I watched a video today about setting up Cloudflare tunnels to expose the web services we usually use at home (Nextcloud, web servers, remote access, etc.). So the advantage of this is that there is no need to open ports on the router (80, 443, etc.).
I have had these ports open at home and at a few offices for a very long time, with Let's Encrypt certificates in place, using MikroTik hardware and regular firmware updates on the routers.
So this means my networks are more “vulnerable” just because the MikroTik’s firewalls have the ports open and I am relying on the MikroTik’s firmware to not have exploits?
DDoS attacks are not a concern for my very low-profile, no-interest networks.
If the exploit was on the running server itself, I do not see how Cloudflare’s tunnel would protect against attacks.
And on the other hand, I do not trust my traffic going through Cloudflare’s networks, snooped by the NSA and other agencies.
What am I missing? Why would I want to switch to using tunnels and closing the ports in my routers?
Thank you for the educational info.

If the service you are “exposing” is meant to be public, like a web server on ports 80 and 443, then the port must be open. There is nothing for the firewall to protect: you are giving access to a port that should be open. The firewall allows connections only to that service on that specific server; there are no other risks opened with this, if the firewall is configured properly, of course.

The idea with tunnels is usually for something that only you want access to, not the whole world. So usually people set up a VPN tunnel to connect to first, so that they can then access their private NAS, or maybe the router admin interface. Do you see the difference?

It isn’t about protection from MikroTik vulnerabilities; it is for protection against exploits on the server.

Cloudflare Access (part of Cloudflare Zero Trust) reverse proxies your server through the tunnel. You have to get past the Cloudflare login screen to be able to access the server. An attacker is not going to be able to leverage vulnerabilities in the running server if they cannot successfully authenticate at the Cloudflare login screen. Also, Cloudflare’s reverse proxy function may include some kind of IDS/IPS for additional security even if authentication is successful at the Cloudflare login screen, or if you choose to allow access to the server without authentication; they don’t really clarify this in their marketing materials.
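To make the three setups discussed in the replies concrete, here is an added example. It is my own illustration, not something posted in this thread and not MikroTik's or Cloudflare's own material. It is a POSIX shell script that prints the RouterOS commands for the "open one port to one server" setup, the "VPN first, then reach the NAS" setup, and the cloudflared config.yml for the tunnel setup, plus a small audit function that reads a RouterOS rule set and lists which services it leaves reachable from the WAN, so you can see that the open-port configuration exposes exactly one service (tcp/443 on the web server) and the VPN-first configuration exposes only the WireGuard handshake port on the router. All names and addresses are hypothetical: WAN interface ether1, web server 192.168.88.10, WireGuard on UDP 13231, a placeholder peer public key, the hostname nextcloud.example.com and a tunnel id passed on the command line. Two caveats that follow from the replies: the Access login screen mentioned in the last reply is an application policy configured in the Zero Trust dashboard, not something in config.yml; and it only gates the server if the old dst-nat rule is actually removed, since cloudflared only dials out and nothing needs to be reachable from the WAN.

```shell
#!/bin/sh
# Added example, not from the forum thread above and not MikroTik's or
# Cloudflare's own material. Prints the RouterOS commands and the
# cloudflared config for the three setups discussed, and audits which
# services each rule set leaves reachable from the WAN.
# Hypothetical values (adjust for your network):
WAN_IF=${WAN_IF:-ether1}                         # router's internet-facing port
SERVER_IP=${SERVER_IP:-192.168.88.10}            # LAN web server (e.g. Nextcloud)
WG_PORT=${WG_PORT:-13231}                        # WireGuard listen port
PEER_PUBKEY=${PEER_PUBKEY:-"<client-public-key>"} # placeholder, not a real key

# Setup 1 (public service): open 443 to exactly one LAN host.
# Only dst-nat'd packets for that host/port are accepted in the forward chain.
mikrotik_open_port_rules() {
  cat <<EOF
/ip firewall nat add chain=dstnat in-interface=$WAN_IF protocol=tcp dst-port=443 action=dst-nat to-addresses=$SERVER_IP to-ports=443 comment="public https to web server"
/ip firewall filter add chain=forward connection-state=established,related action=accept
/ip firewall filter add chain=forward in-interface=$WAN_IF connection-nat-state=dstnat protocol=tcp dst-address=$SERVER_IP dst-port=443 action=accept comment="only the dst-nat'd service"
EOF
}

# Setup 2 (private service): VPN first, then reach the NAS or admin UI.
# The only thing the WAN can talk to is the WireGuard port on the router itself.
mikrotik_vpn_rules() {
  cat <<EOF
/interface wireguard add name=wg0 listen-port=$WG_PORT
/ip address add address=10.10.10.1/24 interface=wg0
/interface wireguard peers add interface=wg0 public-key="$PEER_PUBKEY" allowed-address=10.10.10.2/32
/ip firewall filter add chain=input in-interface=$WAN_IF protocol=udp dst-port=$WG_PORT action=accept comment="wireguard handshake only"
/ip firewall filter add chain=forward in-interface=wg0 action=accept comment="vpn clients may reach the lan"
EOF
}

# Catch-all drops. RouterOS evaluates rules in order, so add these LAST,
# after whichever accept rules above you use.
mikrotik_default_drop() {
  cat <<EOF
/ip firewall filter add chain=input in-interface=$WAN_IF action=drop comment="nothing else to the router"
/ip firewall filter add chain=forward in-interface=$WAN_IF action=drop comment="nothing else from the wan"
EOF
}

# Setup 3 (tunnel): cloudflared config.yml. cloudflared dials out to
# Cloudflare, so there is no dst-nat and no inbound accept rule at all.
# The Access login policy is set in the Zero Trust dashboard, not here.
cloudflared_config() {
  tunnel_id=$1; public_hostname=$2
  cat <<EOF
tunnel: $tunnel_id
credentials-file: /etc/cloudflared/$tunnel_id.json
ingress:
  - hostname: $public_hostname
    service: https://$SERVER_IP:443
    originRequest:
      noTLSVerify: false   # keep verifying the origin's Let's Encrypt cert
  - service: http_status:404   # required catch-all
EOF
}

# Audit: read RouterOS rules on stdin, print "proto/port -> target" for every
# accept rule that matches traffic arriving on the WAN interface.
wan_reachable_services() {
  awk -v wan="$WAN_IF" '
    /action=accept/ && index($0, "in-interface=" wan) {
      proto = ""; port = ""; host = ""
      for (i = 1; i <= NF; i++) {
        n = split($i, kv, "=")
        if (n < 2) continue
        if (kv[1] == "protocol")    proto = kv[2]
        if (kv[1] == "dst-port")    port  = kv[2]
        if (kv[1] == "dst-address") host  = kv[2]
        if (kv[1] == "chain" && kv[2] == "input") host = "router"
      }
      print proto "/" port " -> " host
    }'
}

# Usage: sh this.sh show <tunnel-id> <hostname>
if [ "${1-}" = "show" ]; then
  echo "# --- setup 1: open port ---"; mikrotik_open_port_rules; mikrotik_default_drop
  echo "# --- setup 2: vpn first ---"; mikrotik_vpn_rules; mikrotik_default_drop
  echo "# --- setup 3: cloudflared config.yml ---"; cloudflared_config "${2:-<tunnel-id>}" "${3:-nextcloud.example.com}"
  echo "# --- wan-reachable services, setup 1 ---"; mikrotik_open_port_rules | wan_reachable_services
fi
```

The audit only inspects the generated rule text; it is a quick way to confirm the point of the first reply (with a proper firewall, the WAN sees one service and nothing else) before pasting the commands into the router. For the tunnel setup there is nothing for it to report, because no inbound rule exists.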