https://www.youtube.com/watch?v=BbDnBxlBTdY&t=134s
After watching this video it rapidly became clear to me that this feature touches functionality used by just about every config I have seen/worked on in these forums.
In other words, one should not use the word niche but more aptly mainstream to describe Zero Trust Cloudflare Tunnel. What do I mean?
Well, we are talking about dst-nat port forwarding to servers on the local LAN.
The method Normis describes seems a relatively painless way to do the one thing that is not really possible on MT devices, which is to protect the public WAN IP. MT devices are not that good at DDoS and other edge-router-type functionalities, and YET I see bloated configs trying to contort the MT device into a magic box of security, which amounts to not much.
Normis describes a methodology that surpasses anything the MT can do, besides creating source address lists for incoming users, which does increase security, but very rarely does this help the server admin who is unable or unwilling to take that step, or it's not possible in their scenario, and it still makes the public IP known.
Due to the sheer volume of users with servers, my contention is that this functionality should not be hidden in dockers/containers, limited to a certain number of devices AND with all its added complexities, but should be mainstream on the menu. I would hazard a guess that more people will use this functionality than WireGuard, which is not hidden in a container/docker package.
Heck, make it an optional package if not part of the normal ROS package.
Food for thought.