Remote Connection to NAS via External Domain Stopped Working

[JulesC 51]

My remote access connection using an external domain name stopped working suddenly. My family has been accessing my Emby Server remotely for awhile. I moved my domain name to Cloudflare and it's been working well until today. It suddenly stopped working. 

Any ideas on why? Please let me know if you need any additional information. Thanks for your help.

UPDATE: I have attached the server log.

embyserver.txt

Edited November 5, 2024 by JulesC

[JulesC 51]

Problem solved. The WAN IP Address for my local network has changed. Once I update the Cloudflare DNS "A" Record IP Address, my remote access started working again.

Naive question: Why is my WAN IP Address changing and is there a way to prevent this? Thank you

[sa2000 674]

1 hour ago, JulesC said:

Naive question: Why is my WAN IP Address changing and is there a way to prevent this? Thank you

Depends on the ISP. Normally one would need to pay a monthly fee for a static WAN IP address. I have seen WAN IP Address change after firmware or settings updates made remotely by the ISP - also I have seen it arise on router restarts. Again it depends on the ISP 

[tedfroop21 86]

Otherwise you can sign up for a Dynamic DNS.  You need a provider.

How it works is you get a DDNS address like mynet.ddns.net.  You have a pc or device on your network that updates your ddns provider with your current WAN address regularly so if it changes, the address associated with mynet.ddns.net is automatically updated.

You connect through your DDNS address - and even if your WanIP changes, DDNS gets updated with the new address and you just connect.

I got it because first off its easier to remember my DDNS address than my WanIP address.  Secondly - my ISP rotates my Wan address regularly, and with my address being updated constantly - I just connect without having to change configuration or worry that my address has changed.

[Carlo 4560]

https://developers.cloudflare.com/dns/manage-dns-records/how-to/managing-dynamic-ip-addresses/

Cloudflare supports DDNS functionality but requires you to supply the client.
They list 2 on that page.:
ddclient requires perl installed. I probably wouldn't install perl just for this.
DNS-O-Matic is the grand daddy of DNS IP update services.  Yep a service or 3rd party actually doing the updates.  You still need a client on your local computer.

If you're running on Windows, try DDNS Cloudflare PowerShell Script available here: https://github.com/fire1ce/DDNS-Cloudflare-PowerShell
It uses the Cloudflare API to directly change your A record. Optional Telegram or Discord Notifications as well.
You can update multiple domains, etc

BTW, check your router as it might have an option to update DDNS providers. If so and Cloudflare isn't supported, then I think DNS-O-Matic is worth using.

[sa2000 674]

There is also a free DDNS option from https://dynu.com/ - There free DDNS service allows you to add a hostname as a prefix to one of their domains and they also provide a free app to reglary update the IP address on their system. I do not know how reliable they are but it is there to try out

[Carlo 4560]

That won't work for Cloudflare as you need to update your own DNS records on their DNS servers which are authoritative for your domain.
So any type of update utility has to change this directly at Cloudflare.

[JulesC 51]

On 11/7/2024 at 12:53 AM, Carlo said:

That won't work for Cloudflare as you need to update your own DNS records on their DNS servers which are authoritative for your domain.
So any type of update utility has to change this directly at Cloudflare.

@Carlothanks for your response. I have a naive question. My domain for my Emby server and DDNS is supported by Cloudflare. Is there an automated way to change the DNS “A” Record on Cloudflare when the WAN IP is changed? Hope this makes sense. Thanks for any guidance 

[Carlo 4560]

I just covered that a couple messages above.  There are quite a few variables to take into consideration to know what's best, such as if your router has this ability built in or not.  If you're router supports DDNS updates but not specifically Cloudflare, heck if it can update DNS-O-Matic and if so use that.  Having your router update this is ideal because it knows when your IP has changed.

If you can't do it that way and you happen to be on Windows:
https://github.com/fire1ce/DDNS-Cloudflare-PowerShell

[JulesC 51]

@CarloAs always, thank you for your assistance. I found out that my ASUS Router does support DDNS updates. Where I could use some help is . . . I already have a domain/url for my Emby Server hosted on my Synology NAS hosted by Cloudflare. If I add a DDNS to my ASUS Router, what does the integration look like between the two? Should I used the ASUS DDNS or point to my Cloudflare DDNS ? Thanks for any guidance you can offer this newbie.

On 11/10/2024 at 4:35 PM, Carlo said:

I just covered that a couple messages above.  There are quite a few variables to take into consideration to know what's best, such as if your router has this ability built in or not.  If you're router supports DDNS updates but not specifically Cloudflare, heck if it can update DNS-O-Matic and if so use that.  Having your router update this is ideal because it knows when your IP has changed.

If you can't do it that way and you happen to be on Windows:
https://github.com/fire1ce/DDNS-Cloudflare-PowerShell

 

[JulesC 51]

4 hours ago, JulesC said:

@CarloAs always, thank you for your assistance. I found out that my ASUS Router does support DDNS updates. Where I could use some help is . . . I already have a domain/url for my Emby Server hosted on my Synology NAS hosted by Cloudflare. If I add a DDNS to my ASUS Router, what does the integration look like between the two? Should I used the ASUS DDNS or point to my Cloudflare DDNS ? Thanks for any guidance you can offer this newbie.

 

Additional clarification - hope it helps: I already have a domain/url (hosted by Cloudflare) for my Emby Server which is on my Synology NAS. If I add Cloudflare DDNS to my ASUS Router, how does the remote access work for my Emby domain or any other access I might want to provide (i.e. Surveillance, Synology Drive Server, etc.)? Does the DDNS for the ASUS Router need to be different than my Emby domain? I'm just seeking to understand this setup and chose the best approach. Thanks in advance.

[Carlo 4560]

You'll want to do everything through your domain so all edits will be to Cloudflare DNS.
How exactly you do this will depend on your setup.

A typical way of doing this would be similar to:
Setup an A record on your domain which is the record you'll be updating when WAN IP changes
Additional C name records are created for different apps you want to go through Cloudflare and exposed to the Internet.
You could for example have emby.domain.ext, photos.domain.ext, drive.domain.ext, office.domain.ext that you want to use publicly.
You would have one A record which could be emby then setup C records pointed to A record that are used by photos, same for drive, same for office.
Each of those could be setup as different websites in Cloudflare to benefit from caching and all Cloudflares protection, or these DNS C names could be setup not to be proxied.
They could also be setup to all use A records instead of C records but you would need the script to update each A record.
On the server side you would have reverse proxy setup which looks at the subdomain name and routes it to the proper service accordingly.

Carlo

[JulesC 51]

20 hours ago, Carlo said:

You'll want to do everything through your domain so all edits will be to Cloudflare DNS.
How exactly you do this will depend on your setup.

A typical way of doing this would be similar to:
Setup an A record on your domain which is the record you'll be updating when WAN IP changes
Additional C name records are created for different apps you want to go through Cloudflare and exposed to the Internet.
You could for example have emby.domain.ext, photos.domain.ext, drive.domain.ext, office.domain.ext that you want to use publicly.
You would have one A record which could be emby then setup C records pointed to A record that are used by photos, same for drive, same for office.
Each of those could be setup as different websites in Cloudflare to benefit from caching and all Cloudflares protection, or these DNS C names could be setup not to be proxied.
They could also be setup to all use A records instead of C records but you would need the script to update each A record.
On the server side you would have reverse proxy setup which looks at the subdomain name and routes it to the proper service accordingly.

Carlo

Carlo, I truly appreciate the details and assistance. I have a couple more questions I was hoping you could help me with:

1. With the setup using the A record and additional C name records using Cloudflare DNS - see my examples
   1. A record: emby123.net (example)
   2. For the C records, do I need a separate domain for each record like you gave examples above (e.g. photos.domain.ext, drive.domain.ext) or how would this work?
2. Do I need to enable DDNS on my ASUS Rapture GT-AXE 16000? 
3. With the setup options you graciously listed above, how does the WAN IP update the DNS A record on Cloudflare?

My sincere apologies for these naive questions. I greatly appreciate your help.

[Carlo 4560]

3. Use the powershell script mentioned a few posts up.
2. No, you'll just use the powershell script and domain you have at Cloudflare.
1. Nobody can really answer that since don't know exactly what apps or services besides Emby, you want to publish or make available on the internet. Or for that matter, what may be the best way to connect to Cloudflare.  For example, instead of having to open ports on your router to forward traffic to your servers, you could instead use Cloudflared tunnels which require no port forwarding nor need to know your WAN address. If using a Tunnel(s) you won't have WAN IP that Cloudflare needs to know about as it will use the tunnel instead.

Carlo

[JulesC 51]

@Carlothank you. I thought about using Cloudflare Tunnels, but I saw references stating that Cloudflare Tunnels will no longer support media streaming - like Emby. Do you know if this is true? Also, do I need to use a Docker for Tunnels? If so, can I move my Emby install on my Synology NAS into a Docker? Sorry again, but I have no experiences with Dockers. Thank you!!!

[Carlo 4560]

I don't want this to become a discussion here in the Emby forums, as it's not up to you, me, other customers or Emby. Any question concerning use of Cloudflare services, should be addressed to Cloudflare itself, if you have questions about their services.  As with many things in life, sometimes things are more grey than black or white.

https://community.cloudflare.com/t/streaming-over-a-cloudflare-tunnel/517388/4
Question:

Quote

Up until recently, I understand that using a Cloudflare tunnel to transfer media (such as Plex, etc.) was against section 2.8 of their ToS.

However, 2.8 has since been removed, with the following blog post providing more information:
https://blog.cloudflare.com/updated-tos/

Answer

Quote

To address the problem, we’ve done a few things. First, we moved the content-based restriction concept to a new CDN-specific section in our Service-Specific Terms. We want to be clear that this restriction only applies to use of our CDN. Next, we got rid of the antiquated HTML vs. non-HTML construct, which was far too broad. Finally, we made it clear that customers can serve video and other large files using the CDN so long as that content is hosted by a Cloudflare service like Stream, Images, or R2. This will allow customers to confidently innovate on our Developer Platform while leveraging the speed, security, and reliability of our CDN. Video and large files hosted outside of Cloudflare will still be restricted on our CDN, but we think that our service features, generous free tier, and competitive pricing (including zero egress fees on R2) make for a compelling package for developers that want to access the reach and performance of our network.

Above we have a pretty clear cut question with an answer, not black or white on first read.  I think it's clear they state the restriction only applies to the use of their CDN and not the tunnels themselves.
Cloudflare has many offerings and services that can be part of different plans from free to paid services. Some features are optionally used with some combination of plans and upgrades on others plans.Some services are paid for based on use or consumption Each of these services or offerings may have specific use clauses based on the type of plan you have or the way you are using the service or offering. Some free services they offer, give them a marketing and technical advantage over other competitors be it connectivity to other cloud services or direct connections to homes or businesses. For example, when CF controls traffic using a tunnel on their services they can dynamically route traffic beyond what's normally possible using convention DNS and typical routing of packets. In a sense they have a layered network running on top of the Internet under their control. Even when some of this traffic is "free", it becomes part of a strategic advantage to other services they offer which are very profitable.

If Cloudflare has direct control of one side of a connection that's an advantage a competitor doesn't have.  If both sides of a connection are under their control, they have a much greater advantage over competitors as they can direct/redirect traffic at will to make point A to B faster. They can also manipulate traffic in ways that might make A to B actually slightly slower but open up resources on C or D that traffic might have passed through allowing overall faster service as a whole.

It might sound counter intuitive, but adjusting packet routing on the fly to a slower pathway can make overall use faster. But if you think about it, if you were to start playing a video or download from a service and your packets are using the fastest route possible you benefit from it.  Once a video starts playing or the download starts, if packets take a detour using a slower path with more latency, it won't be matter to the user nor matter because the client has enough data on hand in a buffer to satisfy it's needs. Meanwhile that freed up bandwidth on the "main" pipe where lowest latency is key. The more control they have of end-points the more control they have over spreading loads in a smart manner to provide the most beneficial performance for all traffic under their control.

So lets just say that Cloudflare can benefit from carrying traffic over it's network, even when free. On the other hand, a service such as CDN can use resources that other wise wouldn't have been used but can be highly beneficial to the owner of the origin data. If all the graphic content of a site is replicated throughout the network, it's going to be much closer to the "edge" of the network in many local/regional areas making access faster for the last mile. A startup or growing company may find having their data replicated to the edge a strategic advantage and willing to pay for this benefit.

Getting back to our use. If a thousand Emby servers were using a free plan you would see lots of patterns of data like our graphics. If all thousand Emby servers had top gun there would almost certainly be a high overlap of the graphics between the systems. By way of de-duplication algorithms these 1000 images will likely be reduced to a dozen images. It is likely beneficial to push these graphics out to edge servers as it will save overall bandwidth. As a whole a lot of content like common graphics will benefit this way. In affect the difference between 500 and 5000 servers offering similar content is not 10x difference but much smaller. The more servers with overlapping graphics the more the overall saving from pushing the content to the edge, done smartly.  If the traffic might pass through the Cloudflare network it can make sense to have control over the origin even if free as it can save them overall bandwidth and allow legit statistics showing they "control" X amount of traffic flowing over the Internet and accelerate it Y amount.

What does not work for the above is when a large portion of that traffic is video, especially when it's being transcoded as every stream is unique  It's one thing to carry this data from point A to point B in a local area where a cluster of users will reside like local customers, friends and family vs replicating this unique data throughout the network. Knowing this is key to setting up a home media server on Cloudfront on a free plan as you can set rules to direct Cloudflare not to cache or replicate specific data.

Using the 5 rules available on the free plan can allow you to strategically tell Cloudflare not to cache video or audio. This is a friendly way of not taking advantage of the CDN features. Cloudflare can still cache and replicate this data by it's own decision if it makes sense for them to do this. It might be only replicated to 1 or 2 other edge servers or two a regional server or two but it's done by them based on their own algorithms in a way to benefit their service which benefits all parties involved.

Think about the use of your server and the perception Cloudflare will have of your server from a resource usage standpoint. If you have 10 friends and family that are geographically close to you the content will likely all be handled by the same edge server using little to no backbone resources. With 50 local users it's still mostly the same with occasional use outside the local edge server area requiring more data to traverse their network. If your in Phila with friends/family in LA, Miami, Chicago & Dallas the use of Cloudflare resources is quite a bit different looking now as your server has a different footprint that will likely start caching some data in different locations. Text and graphics are one thing being cached vs video caching. With video caching turned off your not trying to abuse their network but they are still transporting each video stream to different regions. If these 10 friends/family watch a movie or two each week your use is going to look different then if the same friends/family watch 3 hours of video each evening. Same with 25 users viewing a movie or two each week vs 25 users watching 3 hours a night.

25 heavy local users might look like a blip in usage from a backbone standpoint, but the same 25 heavy use destinations spread out to many multiple regions is going to look much different from a resource usage standpoint. One use case is clearly using more CDN functionality and possible replication then the other case all things being equal.

Keep in mind how your content will affect their resource usage. Saying 1 or 2 hours a week per user or 3 hours a day isn't as qualified as it might sound until you consider the actual media. If you have well encoded UHD HEVC content using 5 or 6Mb/s bitrate vs torrent acquired 12 to 15Mb/s or "high quality" 25 to 40Mb/s rips your foot print is going to look a lot different. The makeup/bitrate of your media, number of friends/family as well as geographic dispersion of users will have a wildly different footprint on their network. You could be nothing but a blip on their radar, to a user on a free plan that shows up or stands out on a statics report using resources well beyond the norm that gets you an email notice for violation of their TOS.

Having a better understanding of their services and how it works combined with how you setup, configuration, number or users, geographic dispersion of users as well as your consideration of their bandwidth using quality compressed media should help makes their answer much clearer. Understanding your use of their services combined with good common sense will take you a long way!

If your use case isn't clear how it fits into what you can do and what you shouldn't do, reach out directly to them and ask.

[JulesC 51]

@Carlothanks again for your help and guidance. I understand that we shouldn't use this forum to discuss Cloudflare settings. 

I just wanted to share the option I went with in hopes that it might help someone else who is providing remote access to their Emby servers and wish to automatically update their WAN IP.

To set up dynamic DNS updating for your Cloudflare-hosted domain using DNS-O-Matic and your ASUS router, you'll need to follow these steps:

1. Configure DNS-O-Matic:
   • Log in to DNS-O-Matic (www.dnsomatic.com)
   • Add a new service and select "Cloudflare"
   • Enter your Cloudflare account email as the username
   • Use your Cloudflare Global API Key as the API Token/password
   • Set the hostname to your full domain (e.g. yourdomain.com)
   • Set the domain to your root domain
2. Set up Cloudflare DNS:
   • Log in to your Cloudflare account
   • Go to the DNS settings for your domain
   • Create an A record with the name "@" (or your subdomain) pointing to your current WAN IP
   • Ensure the proxy status is set to "DNS only" (gray cloud icon)
3. Configure your ASUS GT-AXE 16000 Router:
   • Access your router's admin interface
   • Navigate to the WAN or DDNS settings
   • Look for a DDNS or Dynamic DNS option
   • Select "Custom" or "DNS-O-Matic" as the DDNS provider
   • Enter the following details:
     • Server: updates.dnsomatic.com
     • Hostname: all.dnsomatic.com (or your specific hostname if you prefer)
     • Username: Your DNS-O-Matic username
     • Password: Your DNS-O-Matic password
4. Save and apply the settings on your router

With this setup, your ASUS router will automatically notify DNS-O-Matic when your WAN IP changes. DNS-O-Matic will then update the A record in your Cloudflare DNS settings with the new IP address.

Note:

• Make sure to use the Cloudflare Global API Key, not an API Token, as DNS-O-Matic doesn't support the newer token-based authentication
   
• The "dynamic" hostname mentioned in some instructions is not necessary for your setup. Use your actual domain or subdomain instead
   
• If you're updating multiple subdomains, you may need to create separate service entries in DNS-O-Matic for each one