Port forwarding from WAN to LAN

Is it best practice for the firewall to port forward the WAN interface to the relay and then for the relay to communicate directly with the block producer via the LAN?

Yep, BP shouldn’t have an open port to the internet. Only to the relay.

This is kind of contradictory to the best practice to have two relays in different datacenters, ideally far away from each other. At least one of them has to connect to the BP through the Internet.

Agree about having separate relays, but I read their question as relating to a local bare-metal setup. In that setup, the BP shouldn’t have an open port, as there is no need (and it is against best practice), i.e. the relay should only talk to the BP, and that can happen completely on the LAN side.

Indeed. In that case, you can use WireGuard between the remote relay and your BP, so you don’t have to open the Cardano node port to the internet.

Or you can just configure your firewall (nftables) so that only the specific IP addresses of your relays can connect into your BP.
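As an added example (not posted by anyone in this thread), here is an nftables ruleset for the block producer that implements the last suggestion together with the WireGuard option from the earlier reply: the node port accepts connections only from the LAN relay's address and from the remote relay's tunnel address, and the WireGuard handshake itself is only accepted from the remote relay's public IP. The addresses, the interface name wg0, the WireGuard port 51820 and the node port 3001 are assumed placeholders; adjust them to your own configuration.

```nft
#!/usr/sbin/nft -f
# Block producer host firewall (added example; all addresses are constructed placeholders).
flush ruleset

define LAN_RELAY = 192.168.10.20   # local relay on the LAN
define WG_RELAY  = 10.200.0.2      # remote relay's address inside the WireGuard tunnel
define WG_PEER   = 203.0.113.45    # remote relay's public IP (documentation range, placeholder)
define NODE_PORT = 3001            # cardano-node listening port (assumed; match your node config)
define WG_PORT   = 51820           # WireGuard listen port (assumed)

table inet bp_filter {
    chain input {
        type filter hook input priority filter; policy drop;

        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # ICMP / ICMPv6 are needed for path MTU discovery and neighbour discovery
        ip protocol icmp accept
        meta l4proto ipv6-icmp accept

        # SSH only from the management LAN
        ip saddr 192.168.10.0/24 tcp dport 22 accept

        # WireGuard handshake only from the known remote relay
        ip saddr $WG_PEER udp dport $WG_PORT accept

        # node port: LAN relay directly, remote relay only through the tunnel
        ip saddr $LAN_RELAY tcp dport $NODE_PORT accept
        iifname "wg0" ip saddr $WG_RELAY tcp dport $NODE_PORT accept

        # anything else, including direct Internet attempts on the node port, is logged (rate-limited) and dropped
        limit rate 5/minute log prefix "bp-drop: "
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
    }

    chain output {
        type filter hook output priority filter; policy accept;
    }
}
```

Load it with `nft -f` and confirm the result with `nft list ruleset`; because the input policy is drop, the node port is unreachable from any address other than the two relays even if the WAN firewall were misconfigured.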