And a DDoS hits your friend? Strange, but if he’s okay with it. …
Seems to me that you then can’t fully test it on your home network, because once the non-local relay is at the other location, it can’t reach the BP by local IP anymore and vice versa.
At the very minimum, your BP and the relay next to it need different ports and they have to be forwarded by the router, so that the non-local relay can reach the BP.
Up to now, your IP is on the pool cert, isn’t it? So, it will remain publicly visible on the blockchain forever, even if you change the newest pool cert to point at your friend. I don’t know how many DDoS attacks there are and if they also try IPs from old certs, but you should at least know that.
The old working setup is: Your router forwards port 6000 to port 6000 on your relay and your relay connects to your BP on port 6000 on its local IP?
If you have a non-local relay, it has to connect to the BP over the non-local Internet. So, your BP will have to have a port open on your router that is forwarded to it. You probably won’t want 6000 there, so it’s not so easily found and your relay can keep its already established connections. So, forward 6042 or something like that to the 6000 on the BP. If your router permits it, you can restrict it to only accept connections from the non-local relay on that port.
So, the local relay will keep the local IP of the BP, port 6000, as its connection to the BP, while the non-local relay will use the public IP, port 6042. While you set up the non-local relay locally, it might make sense to give it port 6001 on the router and forward that to its local 6000. Once it’s at the other location, it will get that public IP, and can probably get the standard 6000 there.
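To make the port split above concrete, here is an added example (not from the thread or from any poster) of the legacy cardano-node topology.json that the non-local relay would use once it is at the other location. The BP is reached through the home router’s public IP on the forwarded port 6042, which the router translates to 6000 on the BP’s LAN address. All addresses are constructed documentation values (198.51.100.7 stands in for the home router’s public IP); a real relay would also list public peers here, typically filled in by the topology updater.

```json
{
  "Producers": [
    {
      "addr": "198.51.100.7",
      "port": 6042,
      "valency": 1
    }
  ]
}
```

The BP’s own topology.json is the mirror image: it lists the local relay by its LAN IP on port 6000 and the non-local relay by its public IP on port 6000, and the BP needs a restart after that file changes. A quick check from the relay that the forward is in place is `nc -zv 198.51.100.7 6042`; if the router lets you restrict the forward to the relay’s public source IP, the same check will fail from any other host, which is exactly what you want.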
Register your pool using the DNS names in your pool registration certificate. Now you can change the IP addresses of each of your relays if you need to by just updating the DNS records and without having to re-register your pool.
If you want to set up a secure local network between the block producer and both relays you could then also optionally use WireGuard (VPN).
If you use WireGuard this will provide an extra level of security and a degree of “hidden-ness”. WireGuard lets you configure a nice VPN between the three devices each with its own private IP address to communicate over. You can also put your home management PC on the WireGuard VPN and therefore connect seamlessly to each device over the VPN to manage things. Furthermore, if you need to manage things from another location, you can set up WireGuard on a laptop and connect into your VPN from anywhere you can get a wifi internet connection. WireGuard is not “chatty” and does not respond to port scans (unless packets are encrypted with the key) so other people cannot then see if you have ssh or other ports open on the individual machines.
You will still need to provide port forwarding and firewalling to allow external connections to each of your relays.
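As an added example (not from the thread or from any poster), this is what the WireGuard layout described above looks like in /etc/wireguard/wg0.conf on the BP and on the non-local relay. The BP listens on UDP 51820 (so the home router forwards that one UDP port to the BP) and the relays and the management laptop dial in; each peer is pinned to a single /32 inside the 10.10.0.0/24 VPN, so a key is only ever accepted for the address it belongs to. The key placeholders, the 10.10.0.x addresses and the public IP 198.51.100.7 are all constructed values to be replaced with your own.

```ini
# --- /etc/wireguard/wg0.conf on the block producer ---
[Interface]
Address = 10.10.0.1/24
ListenPort = 51820
PrivateKey = <BP_PRIVATE_KEY>   # from `wg genkey`, never leaves this host

[Peer]
# local relay (home LAN)
PublicKey = <RELAY1_PUBLIC_KEY>
AllowedIPs = 10.10.0.2/32

[Peer]
# non-local relay (friend's location)
PublicKey = <RELAY2_PUBLIC_KEY>
AllowedIPs = 10.10.0.3/32

[Peer]
# management PC / laptop
PublicKey = <MGMT_PUBLIC_KEY>
AllowedIPs = 10.10.0.10/32

# --- /etc/wireguard/wg0.conf on the non-local relay ---
[Interface]
Address = 10.10.0.3/24
PrivateKey = <RELAY2_PRIVATE_KEY>

[Peer]
# the BP behind the home router; 198.51.100.7 is a constructed public IP
PublicKey = <BP_PUBLIC_KEY>
Endpoint = 198.51.100.7:51820
AllowedIPs = 10.10.0.1/32
PersistentKeepalive = 25       # keeps the NAT mapping alive from behind the router
```

With the tunnel up (`wg-quick up wg0` on each side, `wg show` to confirm a recent handshake), the node topology files and the firewall on the BP only need to reference the 10.10.0.x addresses: the BP’s port 6000 can be restricted to the wg0 interface and the 6042 forward from the earlier setup is no longer needed. Because WireGuard stays silent to anything that does not carry a valid handshake, a scan of the home router’s public IP sees only the Cardano relay port that you still have to forward and firewall for the relays.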
I’ve done both of these but still no incoming connections… perhaps I missed a step somewhere along the line. I’ll just wipe the drive and rebuild it from scratch at this point. I appreciate your help.
Just to clarify, if I run this relay from another IP I can use port 6000 for both relay node 1 & 2? And just direct topology via public IP?
Don’t you see the Producer as an IN peer? Did you add the Relay inside the Producer topology? Also you will need to restart the Producer if you didn’t.
Try from the producer:
telnet Relay_IP 6000
Do you see “connected”?
Yes it says it’s connected to the relay, that’s the weird part: my producer says it’s connected with the relay (2 in / 2 out), but the relay still says 0 in / 22 out
We got it folks!! My problem was the CNode port which both Alex and Hepta suggested. I had tried these items before but I must have messed something else up along the way.
I now have 1 connection in (my BP) / 23 out on the 2nd relay, which I assume is okay considering this relay is not registered and should not have other incoming connections?
BP shows 2 in / 2 out, 1st relay still working as normal; I just need to update the node now.
oh crud you’re right. I skipped over the part in step 14 where you’re supposed to wait 4 hours before proceeding after creating the crontab. What would you suggest doing now?