Is it best practice for the firewall to port forward the WAN interface to the relay and then for the relay to communicate directly with the block producer via the LAN?
Yep, BP shouldn’t have an open port to the internet. Only to the relay.
This is kind of contradictory to the best practice to have two relays in different datacenters, ideally far away from each other. At least one of them has to connect to the BP through the Internet.
Agree about having separate relays, but I read their question as relating to a local bare-metal setup. In that setup, the BP shouldn’t have an open port, as there is no need (and it is against best practice), i.e. the relay should only talk to the BP and that can happen completely on the LAN side.
Indeed. In that case, you can use WireGuard between the remote relay and your BP, so you don’t have to open the Cardano node port to the internet.
Or you can just configure your firewall (nftables) so that only the specific IP addresses of your relays can connect into your BP.
I know that this question was asked a while ago, but I’d like to know if I understand the answer for sure. It sounds like there is no need for any port forwarding if the BP and relay are on the same LAN, behind the same firewall. Is that accurate? The BP talks to the relay, and the relay talks to the BP. If that’s accurate, how can the relay update the BP? I thought the relay was there to get updates and pass them on to the BP?
The relay needs to talk to the rest of the Cardano network, so needs the port forwarded to it. In the LAN scenario, you don’t need to port forward to the BP, as it can have a local connection to the relay. But the relay needs an external connection to the rest of the network.
OK, thank you. That’s what I thought was needed. Where do I set up that port number? I see that a port can be entered into the topology.json file. And that the port number is entered into startcardanonode.sh. Is there anywhere else that the chosen port is entered?
Is it one port number for the BP and another for the relay?
The relay seems to be talking to other relays on the network on one port, but to the BP on another? Is this true (the recommended way)? If so, does that mean that the BP’s topology.json tells it to talk to the relay (that I own) on that same port, the one different from the one the relay uses to talk to other relays on the Cardano network?
Also, does the relay have any entry that tells it to get updates from the Cardano network? The topology.json file?
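The layout the thread is converging on, written out as an added example that is not from any post in the thread: a BP whose topology.json lists only the operator's own relays, a relay whose topology.json lists the BP plus public peers (that entry is what makes the relay "get updates" from the network), and an nftables ruleset for the BP host along the lines of the suggestion above, so only the relays can reach its node port. It uses the legacy (pre-P2P) topology format with a `Producers` array; the addresses, ports and the public peer hostname are assumptions for illustration and must be replaced with your own. Each host gets its own port, and the BP's port and the relay's port may be the same number or different ones; only the relay's port is forwarded from the WAN.

```python
import json

# Constructed sample addresses for this example (not from the thread):
# BP and one relay on the private LAN, a second relay at a documentation-range public IP.
BP_ADDR = "192.168.10.20"
LAN_RELAY_ADDR = "192.168.10.21"
REMOTE_RELAY_ADDR = "203.0.113.5"
NODE_PORT = 6000          # port the BP listens on; reachable only from the relays
RELAY_PORT = 3001         # port forwarded from the firewall's WAN side to the relay
# Public peer hostname as it appeared in legacy mainnet topology files (assumed here; use your own list).
PUBLIC_PEERS = [("relays-new.cardano-mainnet.iohk.io", 3001, 2)]
OWN_RELAYS = [(LAN_RELAY_ADDR, RELAY_PORT), (REMOTE_RELAY_ADDR, RELAY_PORT)]


def producer(addr, port, valency=1):
    """One entry of the legacy topology.json 'Producers' array."""
    return {"addr": addr, "port": port, "valency": valency}


def bp_topology(own_relays):
    """BP topology: outbound connections only to the operator's own relays, nothing public."""
    return {"Producers": [producer(a, p) for a, p in own_relays]}


def relay_topology(bp, public_peers):
    """Relay topology: the BP plus the public peers it syncs the chain from."""
    return {"Producers": [producer(*bp)] + [producer(a, p, v) for a, p, v in public_peers]}


def check_bp_isolated(topo, own_relays):
    """Return a list of problems; empty means the BP only talks to its own relays."""
    allowed = {(a, p) for a, p in own_relays}
    problems = []
    for e in topo["Producers"]:
        if (e["addr"], e["port"]) not in allowed:
            problems.append(f"BP lists non-relay peer {e['addr']}:{e['port']}")
    if not topo["Producers"]:
        problems.append("BP lists no relays at all")
    return problems


def check_relay_connected(topo, bp, own_relays):
    """Return a list of problems; empty means the relay reaches both the BP and the outside network."""
    entries = {(e["addr"], e["port"]) for e in topo["Producers"]}
    problems = []
    if bp not in entries:
        problems.append("relay does not list the BP")
    own = {bp} | set(own_relays)
    if not (entries - own):
        problems.append("relay has no external peers, so it cannot fetch new blocks")
    return problems


def bp_nftables_ruleset(relay_addrs, port):
    """nftables ruleset for the BP host: default drop, node port open only to the relay addresses."""
    elems = ", ".join(relay_addrs)
    return "\n".join([
        "table inet filter {",
        f"  set relays {{ type ipv4_addr; elements = {{ {elems} }} }}",
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        "    iif lo accept",
        "    ct state established,related accept",
        f"    tcp dport {port} ip saddr @relays accept",
        "  }",
        "}",
    ])


if __name__ == "__main__":
    bp = bp_topology(OWN_RELAYS)
    rl = relay_topology((BP_ADDR, NODE_PORT), PUBLIC_PEERS)
    print(json.dumps(bp, indent=2))
    print(json.dumps(rl, indent=2))
    print(check_bp_isolated(bp, OWN_RELAYS), check_relay_connected(rl, (BP_ADDR, NODE_PORT), OWN_RELAYS))
    print(bp_nftables_ruleset([LAN_RELAY_ADDR, REMOTE_RELAY_ADDR], NODE_PORT))
```

If the remote relay reaches the BP over WireGuard, as suggested earlier in the thread, the address to put in both the BP's topology.json and the nftables set is the relay's tunnel address, not its public one, and the BP then needs no inbound rule on the WAN side at all.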