Block producer node off public internet?

Hi, I am planning to set up a stakepool physically and have only 1 public static IP, that one is linked to my fibre connection.

For several reasons, I want to keep the miniPC which has the block producer OFF of the direct/public internet, i.e. not only does the block-producing node connect to the Cardano chain via the first relay, it also has network contact only with the relay PC. From the internet side, only the relay shall be visible.

Wanted to ask if this is feasible at all, or whether there are known pitfalls.

Thx

1 Like

I am uncertain what your particular setup looks like.

But assuming you have a router that has the public static IP, then you can forward any particular port to any other host on the local network that is behind your router. In Linux firewalling terms this is called destination NAT (network address translation) but many routers call it “port forwarding”. Basically you configure your router so that any traffic destined for your public IP on say port 3001 should be forwarded to your relay PC on your local network.

Here is an example:

Router has your public IP on eth0 and 192.168.0.1 on eth1 which is connected to your LAN via a switch.
Relay1 is connected to router via LAN and has IP 192.168.0.2 with cardano-node running on port 3001.
BP is connected to router via LAN and has IP 192.168.0.3 with cardano-node running on port 3001.

You configure your router to forward any traffic destined to your public IP on port 3001 to 192.168.0.2 (relay1) port 3001.

You configure your BP topology file like this (assuming P2P mode):

{
  "localRoots": [
    { "accessPoints": [
        { "address": "192.168.0.2", "port": 3001 }
      ]
      , "advertise": false
      , "valency": 1
    }
  ]
, "publicRoots" : []
}

I.e.: the only localRoot is your relay1 and it has NO publicRoots.

You configure your relay1 topology file like this (assuming P2P mode):

{
  "localRoots": [
    { "accessPoints": [
        { "address": "192.168.0.3", "port": 3001 }
      ]
      , "advertise": false
      , "valency": 1
    }
  ]
, "publicRoots" : [
    { "accessPoints": [
        { "address": "backbone.cardano-mainnet.iohk.io", "port": 3001 }
      , { "address": "backbone.cardano.iog.io", "port": 3001 }
      , { "address": "backbone.mainnet.emurgornd.com", "port": 3001 }
      ]
      , "advertise": true
    }
  ]
, "useLedgerAfterSlot": 110332824
}

I.e.: the localRoot is your BP. It will obtain publicRoots using the P2P mechanism via the IOHK nodes and the registered relays of other stake pools recorded in the pool certificates on the blockchain.

Then when you register your stake pool certificate on-chain you provide your relay address as your public static IP address with port 3001.

This way any other relays on the Cardano network will be able to connect to your relay1 by contacting your public static IP port 3001 and this traffic will be forwarded by your router to relay1 on your local network. Your BP can connect directly to relay1 and relay1 can connect directly to BP both via your LAN switch. Nobody from the internet can directly connect into your BP since you are not forwarding any ports from your router to it. You should ensure your router firewall is blocking all other ports you don’t provide a public service for.

If this is the sort of setup you envisioned then you really should eventually get a second relay. This second relay should be on a different IP, preferably with a different service provider. You might want to use a friend who has a separate reliable internet connection or rent a virtual machine from a cloud VPS provider. When you set up your relay2 you will need to configure some additional port forwarding to enable it (and only it) to directly connect into your BP. You will also need to update your BP topology file to include the address of this relay2.

4 Likes

Cool, that was basically what I needed. I’m not very good yet but think I’ll sort it out.

The 2nd relay is planned as you said, it may be w/ a provider but it is important to me that the key parts are physically controlled by me, geographically decentralized and safeguarded. So it must be.

PS: one of the reasons I don’t want the PC directly online: it’s Windows. The relay will be standard Linux. So far the rest is working.

1 Like

Do you mean the BP will run on Windows?

I would try to steer you to Linux particularly for the BP. At least when you have a couple of relays you will have some redundancy so if they were running on Windows it might not matter as much. Also you need more security on your BP since it will have your pool’s KES and VRF keys on it. With Linux you can make it more secure by limiting the software installed to only what is required and using only open source software which has had many eyes looking at the code. The only other service my BP provides is ssh and that requires a key to login, which in my case is on a hardware smart card. Also openssh is probably the most scrutinised service code out there.

Charles did a video recently where he mentioned these Beelink computers which are small, reasonably cheap, and powerful enough with enough RAM. I just checked their site and you can get one for $549 US with 32G RAM and 500G SSD. You might be able to find an even cheaper option with some searching. I know there are some ARM computers with 32G RAM that cost less, but then your Linux install won’t be so easy. If you are just getting into Linux then it would be better to stick with an x86 Intel/AMD style processor.

I am also guessing that you intend to use the firewalling that came with your router. Your router would be running Linux but probably provides a web-based GUI for firewall and port forwarding configuration. When you get your second router, you will need to configure the port forwarding so that only that second router can connect into your BP.

The way you do that is as follows:

Say this second router has public IP address of 8.8.8.8.

Recall from my previous post that you already told your router that all internet traffic (from any IP) coming to your public IP on port 3001 should be redirected (NATed) to your relay1 on 192.168.0.2 port 3001.

eth0 traffic: any source IP, any source port, destination IP your Public IP, destination port 3001 —> 192.168.0.2 port 3001.

You need to do something similar, but more restrictive, for traffic from your router2. You need to configure it so that only traffic from your relay2 IP address will be redirected to your BP.

eth0 traffic: source IP of relay2 (8.8.8.8), any source port, destination IP your Public IP, destination port 3001 —> 192.168.0.3 port 3001.

Carefully check those 2 examples so that you fully understand the difference. The first is less restrictive because it allows all IPs and redirects the traffic to your relay1. The second rule only accepts traffic from your relay2 IP and redirects it to your BP.

Note that this example configuration also means that your relay2 can’t connect to your relay1. But there is no advantage in having your two relays be peers for each other anyway. However, if for some reason you wanted to allow the two relays to connect with each other then you can run cardano-node on your relays and BP using different ports. I.e.: relays could use port 3001, say, and BP port 3002 or whatever you like. Of course you would then need to change that second port forwarding configuration to redirect to 192.168.0.3 port 3002. You would also need to reconfigure your topology file on relay1 so that the localRoot port is 3002 since your BP is now running on port 3002.

2 Likes
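The two forwarding rules above, modelled as an added example (not part of the thread) so the difference between them can be checked on sample traffic. It assumes first-match semantics, as in an nftables/iptables nat PREROUTING chain, which means the relay2-only rule must come before the any-source rule when both use port 3001; the public IP is a constructed placeholder from the RFC 5737 documentation range.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# LAN addresses and relay2 IP as given in the thread; PUBLIC_IP is constructed.
PUBLIC_IP = "203.0.113.10"
RELAY1, BP, RELAY2 = "192.168.0.2", "192.168.0.3", "8.8.8.8"


@dataclass(frozen=True)
class DnatRule:
    src: str          # allowed source range in CIDR; "0.0.0.0/0" means any source
    dst_port: int     # destination port on the router's public IP
    to_addr: str      # LAN host the packet is redirected to
    to_port: int      # port on that LAN host

    def matches(self, src_ip: str, dst_ip: str, dst_port: int) -> bool:
        return (dst_ip == PUBLIC_IP and dst_port == self.dst_port
                and ip_address(src_ip) in ip_network(self.src))


def translate(rules, src_ip: str, dst_ip: str, dst_port: int) -> Optional[Tuple[str, int]]:
    """First matching rule wins. Returns (lan_addr, lan_port), or None when no
    rule forwards the packet (it then hits the router itself and is dropped)."""
    for rule in rules:
        if rule.matches(src_ip, dst_ip, dst_port):
            return (rule.to_addr, rule.to_port)
    return None


# Both nodes on 3001, with the catch-all listed first: relay2 is swallowed by rule 1.
SAME_PORT_WRONG_ORDER = [
    DnatRule("0.0.0.0/0", 3001, RELAY1, 3001),
    DnatRule(f"{RELAY2}/32", 3001, BP, 3001),
]
# Same rules, specific one first: relay2 reaches BP, everyone else reaches relay1.
SAME_PORT_RIGHT_ORDER = list(reversed(SAME_PORT_WRONG_ORDER))

# BP moved to 3002 as the post suggests: ports disambiguate, order is irrelevant,
# and relay2 can additionally peer with relay1 on 3001.
SPLIT_PORT = [
    DnatRule("0.0.0.0/0", 3001, RELAY1, 3001),
    DnatRule(f"{RELAY2}/32", 3002, BP, 3002),
]


def where_does(rules, src_ip: str, dst_port: int) -> Optional[Tuple[str, int]]:
    """Convenience wrapper: traffic from src_ip to PUBLIC_IP:dst_port."""
    return translate(rules, src_ip, PUBLIC_IP, dst_port)
```

A stranger at 198.51.100.7 (constructed) never reaches the BP under any of the three rule sets; only the rule order and the port split change where relay2 ends up.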

Thx again, and regarding Windows:
That’s why it’s experimental and so far only for testnet. But the idea is to see what is problematic and whether it can help decentralization (onboarding more SPOs). There are enough paranoid people on MS systems, too, and I know from my admin times what I have to look for. I am not so sure with Linux; that’s why I think I can control a Windows system better in practice.

Still not clear how it works out, but worth trying. I have a budget of 1K Euro for the BP w/ 2TB SSD and that will do.

Problem of the day is that literally yesterday support for Windows Server 2019 ended, and I have to bring it to 2022 which has Windows 11 codebase, and the cardano-node is tested with Windows 10 only?!

I see why you are talking Linux very clearly.

CU Cheers

2 Likes

Cut the umbilical cord. You will quickly learn, be more secure, and never look back.

3 Likes

If you are going to run both the block producer and relay node off of the same machine then it’s safer to get a machine with 64GB ram, as a single node process will get close to requiring 16GB, so “just” 32GB of RAM might be on the edge.

If you have a strict 1k eur budget, then getting less disk space might be an option, as just 1TB of disk will do: a single node takes about 150GB so there is plenty of headroom there.