
Network

How traffic gets from the internet to apps at home. I'm behind CGNAT, so inbound port forwarding does not work: the ISP's shared public address never reaches my router. External access is almost entirely Cloudflare Tunnel, which works because cloudflared makes an outbound connection to Cloudflare's edge and nothing has to listen on the WAN side.

The short version

  1. Someone visits example.saxobroko.com
  2. Cloudflare handles DNS, SSL/TLS termination and the WAF (including the block no aus rule on most homelab hosts)
  3. For home services: Cloudflare Tunnel → cloudflared on TrueNAS → app (often via NPM or a direct port) — see cloudflared
  4. For SaxDocs: Cloudflare Pages serves static files built from the GitHub repo — no tunnel involved
Internet → Cloudflare edge → Tunnel → TrueNAS / LAN services
Internet → Cloudflare edge → Pages (docs.saxobroko.com only)

LAN devices

| Device | IP / hostname | Role |
|---|---|---|
| UniFi Dream Machine SE | Gateway (typically .1) | Router, firewall, UniFi controller |
| U7 access points ×2 | | Wi‑Fi |
| TrueNAS (Ugreen DXP 8800 Plus) | 192.168.2.203 | NAS + Docker services |
| Windows PC | 192.168.2.200 | Client workstation |
| LAN subnet | 192.168.2.0/24 | Everything above |

More detail: UniFi

Public URLs

Live subdomains as of the last audit. Most homelab hosts sit behind the block no aus WAF rule (requests from outside Australia are blocked). SaxDocs additionally requires Cloudflare Access + Authentik login.

Core services

| URL | Service | Hosted on |
|---|---|---|
| dash.saxobroko.com | Homepage dashboard | TrueNAS (Authentik in front) |
| dsm.saxobroko.com | TrueNAS web UI | TrueNAS |
| stream.saxobroko.com | Jellyfin | TrueNAS |
| music.saxobroko.com | Navidrome | TrueNAS |
| photos.saxobroko.com | Photos | TrueNAS |
| docs.saxobroko.com | SaxDocs | Cloudflare Pages |

Media automation (*arr)

Full workflow and root folders: arr-stack

| URL | Service |
|---|---|
| sonarr.saxobroko.com | Sonarr (TV) |
| radarr.saxobroko.com | Radarr (movies) |
| prowlarr.saxobroko.com | Prowlarr (indexers) |
| request.saxobroko.com | Overseerr (requests) |
| lidarr.saxobroko.com | Lidarr (music automation) |

Other homelab

| URL | Service |
|---|---|
| auth.saxobroko.com | Authentik (SSO) |
| vault.saxobroko.com | Vaultwarden / Bitwarden |
| plex.saxobroko.com | Plex (legacy — see plex-legacy) |

Public-facing sites (not homelab apps)

| URL | Service |
|---|---|
| saxobroko.com | Personal homepage (CF Pages) |
| alt.saxobroko.com | Homepage mirror (GitHub Pages) |
| alt2.saxobroko.com | Homepage mirror (Netlify) |
| ipfs.saxobroko.com | Homepage mirror (IPFS) |
| links.saxobroko.com | Link-in-bio |
| blog.saxobroko.com | Blog |
| share.saxobroko.com | PhotoShare |
| status.saxobroko.com | SaxoStatus uptime |
| weather.saxobroko.com | SaxWeather app marketing |

Legacy / special DNS

| URL | Notes |
|---|---|
| local.saxobroko.com | Direct A record to public IP — legacy pattern, mostly obsolete now that tunnels handle CGNAT |

Adding a new public site (tunnel era)

  1. Run the app on TrueNAS (Docker) or LAN
  2. Add a Cloudflare Tunnel public hostname → internal URL/port — cloudflared
  3. Optionally front it with NPM if you want pretty paths or one entry point
  4. Add the hostname to the Cloudflare rules if needed:
     • localnet full strict ssl — SSL settings for tunnel services
     • block no aus — geo block (skip for intentionally public sites like docs)

Old CNAME → local.saxobroko.com workflow still exists in Cloudflare docs but does not work behind CGNAT without a tunnel.
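Step 2 in locally managed form, as an added example that is not this wiki's own configuration and not what the Cloudflare dashboard generates for a remotely managed tunnel: a cloudflared config.yml whose ingress rules map public hostnames to LAN services. The hostnames and the TrueNAS address are the ones listed above; the tunnel ID, credentials path, origin ports and which apps sit behind NPM are assumptions.

```yaml
# cloudflared config.yml (added example; tunnel ID, credentials path and
# origin ports are assumptions, not values taken from this wiki)
tunnel: 00000000-0000-0000-0000-000000000000
credentials-file: /root/.cloudflared/00000000-0000-0000-0000-000000000000.json

ingress:
  # TrueNAS web UI serves a self-signed certificate, so cloudflared talks
  # HTTPS to it without verifying the chain (port assumed to be 443).
  - hostname: dsm.saxobroko.com
    service: https://192.168.2.203:443
    originRequest:
      noTLSVerify: true

  # Apps reached directly on their container port (ports are assumptions).
  - hostname: stream.saxobroko.com
    service: http://192.168.2.203:8096
  - hostname: sonarr.saxobroko.com
    service: http://192.168.2.203:8989

  # Apps fronted by NPM share one origin. NPM routes on the Host header,
  # which cloudflared forwards unchanged (NPM listening on 80 is assumed).
  - hostname: dash.saxobroko.com
    service: http://192.168.2.203:80
  - hostname: music.saxobroko.com
    service: http://192.168.2.203:80

  # The catch-all must be the last rule: any hostname pointed at the tunnel
  # but not listed above gets a 404 rather than being proxied into the LAN.
  - service: http_status:404
```

Rules are matched top to bottom and cloudflared refuses to start if the last rule is not a catch-all; `cloudflared tunnel ingress validate` checks the file and `cloudflared tunnel ingress rule https://dsm.saxobroko.com` shows which rule a URL would hit. Each hostname still needs a CNAME to the tunnel (`cloudflared tunnel route dns <tunnel> dsm.saxobroko.com`). The geo block from step 4 lives in the Cloudflare WAF, not in this file; as a custom rule expression with the action set to Block it would look like `(http.host in {"dsm.saxobroko.com" "stream.saxobroko.com"} and ip.src.country ne "AU")`, with the set of hostnames being whatever is not meant to be reachable worldwide (hostname set assumed here).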

Security

A tunnel hides the home IP and removes the need for open WAN ports, but it does not authenticate requests on its own: a hostname with no Cloudflare Access policy and no login in the app is reachable by anyone the WAF lets through.

  • Yubikey for Cloudflare 2FA — Yubikey
  • Authentik at auth.saxobroko.com — SSO for some apps (Homepage, etc.)
  • block no aus on most homelab subdomains (geo filter only, not authentication)
  • SaxDocs — behind Cloudflare Access + Authentik

Retired

  • Storj — stopped after CGNAT made inbound connectivity impossible. See Storj (archived).
  • Windows as service host — Jellyfin, NPM, Homepage, etc. moved to TrueNAS