Where should I be setting that rule? Currently, the TURN server is proxied by Cloudflare Spectrum for UDP. You can see the firewall rule with the description coturn.
Config:
firewall {
all-ping enable
broadcast-ping disable
config-trap disable
group {
ipv6-network-group cf-ipv6 {
network xxxx:xxxx::/32
network xxxx:xxxx::/32
network xxxx:xxxx::/32
network xxxx:xxxx::/32
network xxxx:xxxx::/32
network xxxx:xxxx::/29
network xxxx:xxxx::/32
}
network-group cf-ipv4 {
network xxx.xxx.48.0/20
network xxx.xxx.244.0/22
network xxx.xxx.200.0/22
network xxx.xxx.4.0/22
network xxx.xxx.64.0/18
network xxx.xxx.192.0/18
network xxx.xxx.240.0/20
network xxx.xxx.96.0/20
network xxx.xxx.240.0/22
network xxx.xxx.128.0/17
network xxx.xxx.0.0/15
network xxx.xxx.0.0/13
network xxx.xxx.0.0/14
network xxx.xxx.0.0/13
network xxx.xxx.72.0/22
}
}
ipv6-name EXTERNAL-IN-v6 {
default-action drop
enable-default-log
rule 10 {
action accept
log enable
state {
established enable
related enable
}
}
rule 20 {
action accept
destination {
port 80,443
}
log enable
protocol tcp_udp
source {
group {
network-group cf-ipv6
}
}
state {
new enable
}
}
}
ipv6-name EXTERNAL-LOCAL-v6 {
default-action drop
enable-default-log
rule 10 {
action accept
log enable
state {
established enable
related enable
}
}
rule 20 {
action accept
icmpv6 {
type echo-request
}
log enable
protocol icmpv6
state {
new enable
}
}
rule 30 {
action drop
description ssh
destination {
port 22
}
log enable
protocol tcp
recent {
count 15
time 60
}
state {
new enable
}
}
rule 31 {
action accept
destination {
port 22
}
log enable
protocol tcp
state {
new enable
}
}
}
ipv6-receive-redirects disable
ipv6-src-route disable
ip-src-route disable
log-martians enable
name EXTERNAL-IN {
default-action drop
enable-default-log
rule 10 {
action accept
log enable
state {
established enable
related enable
}
}
rule 20 {
action accept
description servarr-vlan200
destination {
address xxx.xxx.71.2
port 80,443
}
log enable
protocol tcp_udp
source {
group {
network-group cf-ipv4
}
}
state {
new enable
}
}
rule 21 {
action drop
description bind-vlan200
destination {
address xxx.xxx.71.2
port 5053
}
log enable
protocol tcp_udp
recent {
count 100
time 60
}
state {
new enable
}
}
rule 22 {
action accept
description bind-vlan200
destination {
address xxx.xxx.71.2
port 5053
}
log enable
protocol tcp_udp
state {
new enable
}
}
rule 30 {
action accept
description kvm
destination {
address xxx.xxx.69.6
port 80,443
}
log enable
protocol tcp_udp
source {
group {
network-group cf-ipv4
}
}
state {
new enable
}
}
rule 40 {
action accept
description coturn-servarr
destination {
address xxx.xxx.71.2
port 3478,5349,49152-65535
}
log enable
protocol udp
state {
new enable
}
}
}
name EXTERNAL-LOCAL {
default-action drop
enable-default-log
rule 10 {
action accept
log enable
state {
established enable
related enable
}
}
rule 20 {
action accept
icmp {
type-name echo-request
}
log enable
protocol icmp
state {
new enable
}
}
rule 30 {
action drop
description ssh
destination {
port 22
}
log enable
protocol tcp
recent {
count 15
time 60
}
state {
new enable
}
}
rule 31 {
action accept
destination {
port 22
}
log enable
protocol tcp
state {
new enable
}
}
rule 40 {
action accept
description magic-wan
log enable
protocol gre
source {
group {
network-group cf-ipv4
}
}
}
rule 50 {
action accept
icmp {
type-name echo-reply
}
log enable
protocol icmp
}
}
name VLAN-100 {
default-action accept
enable-default-log
rule 10 {
action accept
log enable
state {
established enable
related enable
}
}
rule 20 {
action accept
description "Printer access"
destination {
address xxx.xxx.69.12
}
}
rule 30 {
action accept
description "Pihole DNS"
destination {
address xxx.xxx.69.7
port 53
}
protocol tcp_udp
}
rule 50 {
action drop
description "Restrict Access to INTERNAL1 network"
destination {
address xxx.xxx.69.0/24
}
}
rule 51 {
action drop
description "Restrict Access to VLAN200 network"
destination {
address xxx.xxx.71.0/24
}
}
}
name VLAN-200 {
default-action accept
enable-default-log
rule 10 {
action accept
log enable
state {
established enable
related enable
}
}
rule 20 {
action accept
description "Printer access"
destination {
address xxx.xxx.69.12
}
source {
address xxx.xxx.71.2
}
}
rule 30 {
action accept
description "Pihole DNS"
destination {
address xxx.xxx.69.7
port 53
}
protocol tcp_udp
}
rule 31 {
action accept
description "Pi Prometheus"
destination {
address xxx.xxx.69.7
port 9100
}
protocol tcp_udp
source {
address xxx.xxx.71.2
}
}
rule 32 {
action accept
description "Vyos Prometheus"
destination {
address xxx.xxx.69.1
port 9100
}
protocol tcp_udp
source {
address xxx.xxx.71.2
}
}
rule 33 {
action accept
description "Unbound DNS"
destination {
address xxx.xxx.71.2
port 5054
}
protocol tcp_udp
source {
address xxx.xxx.69.7
}
}
rule 40 {
action accept
description servarr
destination {
address xxx.xxx.71.2
port 80,443,53
}
protocol tcp_udp
}
rule 41 {
action accept
description coturn
destination {
address xxx.xxx.71.2
port 3478,5349,49152-65535
}
protocol udp
}
rule 42 {
action accept
description "ERFI1 Access"
destination {
address xxx.xxx.69.3
}
source {
address xxx.xxx.71.2
}
}
rule 50 {
action drop
description "Restrict Access to INTERNAL1 network"
destination {
address xxx.xxx.69.0/24
}
}
rule 51 {
action drop
description "Restrict Access to VLAN100 network"
destination {
address xxx.xxx.70.0/24
}
}
}
options {
interface tun0 {
adjust-mss 1436
}
}
receive-redirects disable
send-redirects enable
source-validation disable
syn-cookies enable
twa-hazards-protection disable
}
interfaces {
ethernet eth0 {
address dhcp
description EXTERNAL1
duplex auto
firewall {
in {
ipv6-name EXTERNAL-IN-v6
name EXTERNAL-IN
}
local {
ipv6-name EXTERNAL-LOCAL-v6
name EXTERNAL-LOCAL
}
}
hw-id xx:xx:xx:xx:xx:12
speed auto
}
ethernet eth1 {
address dhcp
description EXTERNAL2
duplex auto
firewall {
in {
ipv6-name EXTERNAL-IN-v6
name EXTERNAL-IN
}
local {
ipv6-name EXTERNAL-LOCAL-v6
name EXTERNAL-LOCAL
}
}
hw-id xx:xx:xx:xx:xx:13
speed auto
}
ethernet eth2 {
address xxx.xxx.69.1/24
description INTERNAL1
duplex auto
hw-id xx:xx:xx:xx:xx:14
ip {
arp-cache-timeout 30
}
speed auto
vif 100 {
address xxx.xxx.70.1/24
description asus
firewall {
in {
name VLAN-100
}
}
}
vif 200 {
address xxx.xxx.71.1/24
description servarr
firewall {
in {
name VLAN-200
}
}
}
}
ethernet eth3 {
address xxx.xxx.73.1/24
description INTERNAL2
duplex auto
hw-id xx:xx:xx:xx:xx:15
speed auto
}
loopback lo {
}
tunnel tun0 {
address xxx.xxx.72.20/31
description magic-wan
encapsulation gre
mtu 1476
remote xxx.xxx.66.5
source-address xxx.xxx.189.102
}
}
load-balancing {
wan {
flush-connections
interface-health eth0 {
failure-count 2
nexthop dhcp
success-count 1
test 10 {
resp-time 5
target xxx.xxx.8.8
ttl-limit 1
type ping
}
test 20 {
resp-time 5
target xxx.xxx.1.1
ttl-limit 1
type ping
}
}
interface-health eth1 {
failure-count 2
nexthop dhcp
success-count 1
test 10 {
resp-time 5
target xxx.xxx.8.8
ttl-limit 1
type ping
}
test 20 {
resp-time 5
target xxx.xxx.1.1
ttl-limit 1
type ping
}
}
interface-health tun0 {
failure-count 1
nexthop xxx.xxx.72.21
success-count 1
test 10 {
resp-time 5
target xxx.xxx.72.21
ttl-limit 1
}
}
rule 10 {
description vlan100-exclusion-eth2
destination {
address xxx.xxx.69.1/24
}
exclude
inbound-interface eth2.100
protocol all
}
rule 11 {
description vlan200-exclusion-eth2
destination {
address xxx.xxx.69.1/24
}
exclude
inbound-interface eth2.200
protocol all
}
rule 12 {
description eth2-exclusion-vlan100
destination {
address xxx.xxx.70.1/24
}
exclude
inbound-interface eth2
protocol all
}
rule 13 {
description eth2-exclusion-vlan200
destination {
address xxx.xxx.71.1/24
}
exclude
inbound-interface eth2
protocol all
}
rule 20 {
description tun0-exclusion-vlan100
destination {
address xxx.xxx.70.1/24
}
exclude
inbound-interface tun0
protocol all
}
rule 21 {
description tun0-exclusion-vlan200
destination {
address xxx.xxx.71.1/24
}
exclude
inbound-interface tun0
protocol all
}
rule 22 {
description tun0-exclusion-eth2
destination {
address xxx.xxx.69.1/24
}
exclude
inbound-interface tun0
protocol all
}
rule 23 {
description vlan100-exclusion-tun0
destination {
address xxx.xxx.72.20/31
}
exclude
inbound-interface eth2.100
protocol all
}
rule 24 {
description vlan200-exclusion-tun0
destination {
address xxx.xxx.72.20/31
}
exclude
inbound-interface eth2.200
protocol all
}
rule 25 {
description eth2-exclusion-tun0
destination {
address xxx.xxx.72.20/31
}
exclude
inbound-interface eth2
protocol all
}
rule 30 {
failover
inbound-interface tun0
interface eth0 {
weight 10
}
interface eth1 {
weight 1
}
protocol all
}
rule 31 {
failover
inbound-interface eth2.100
interface eth0 {
weight 10
}
interface eth1 {
weight 1
}
protocol all
}
rule 32 {
failover
inbound-interface eth2.200
interface eth0 {
weight 10
}
interface eth1 {
weight 1
}
protocol all
}
rule 33 {
failover
inbound-interface eth2
interface eth0 {
weight 10
}
interface eth1 {
weight 1
}
protocol all
}
sticky-connections {
inbound
}
}
}
nat {
destination {
rule 10 {
description servarr-vlan200-eth0
destination {
port 80,443
}
inbound-interface eth0
log enable
protocol tcp_udp
translation {
address xxx.xxx.71.2
}
}
rule 11 {
description bind-vlan200-eth0
destination {
port 5053
}
inbound-interface eth0
protocol tcp_udp
translation {
address xxx.xxx.71.2
port 5053
}
}
rule 12 {
description coturn-vlan200-eth0-3478
destination {
port 3478
}
inbound-interface eth0
log enable
protocol udp
translation {
address xxx.xxx.71.2
port 3478
}
}
rule 13 {
description coturn-vlan200-eth0-5349
destination {
port 5349
}
inbound-interface eth0
log enable
protocol udp
translation {
address xxx.xxx.71.2
port 5349
}
}
rule 14 {
description coturn-vlan200-eth0-relay
destination {
port 49152-65535
}
inbound-interface eth0
log enable
protocol udp
translation {
address xxx.xxx.71.2
port 49152-65535
}
}
rule 20 {
description servarr-vlan200-eth1
destination {
port 80,443
}
inbound-interface eth1
log enable
protocol tcp_udp
translation {
address xxx.xxx.71.2
}
}
rule 21 {
description bind-vlan200-eth1
destination {
port 5053
}
inbound-interface eth1
protocol tcp_udp
translation {
address xxx.xxx.71.2
port 5053
}
}
rule 22 {
description coturn-vlan200-eth1-3478
destination {
port 3478
}
inbound-interface eth1
log enable
protocol udp
translation {
address xxx.xxx.71.2
port 3478
}
}
rule 23 {
description coturn-vlan200-eth1-5349
destination {
port 5349
}
inbound-interface eth1
log enable
protocol udp
translation {
address xxx.xxx.71.2
port 5349
}
}
rule 24 {
description coturn-vlan200-eth1-relay
destination {
port 49152-65535
}
inbound-interface eth1
log enable
protocol udp
translation {
address xxx.xxx.71.2
port 49152-65535
}
}
rule 30 {
description kvm-eth0
destination {
port 2053
}
inbound-interface eth0
log enable
protocol tcp_udp
translation {
address xxx.xxx.69.6
port 443
}
}
rule 40 {
description kvm-eth1
destination {
port 2053
}
inbound-interface eth1
log enable
protocol tcp_udp
translation {
address xxx.xxx.69.6
port 443
}
}
}
source {
rule 100 {
description eth0
log enable
outbound-interface eth0
source {
address xxx.xxx.0.0/16
}
translation {
address masquerade
}
}
rule 200 {
description eth1
log enable
outbound-interface eth1
source {
address xxx.xxx.0.0/16
}
translation {
address masquerade
}
}
}
}
policy {
route magic-wan {
enable-default-log
rule 100 {
description magic-wan
destination {
port 80,443
}
log enable
protocol tcp_udp
set {
table 100
}
source {
address xxx.xxx.71.3
}
}
}
}
protocols {
static {
table 100 {
route xxx.xxx.0.0/0 {
next-hop xxx.xxx.72.21 {
}
}
}
}
}
service {
dhcp-server {
shared-network-name xxxxxx {
subnet xxx.xxx.69.0/24 {
default-router xxx.xxx.69.1
domain-name xxxxxx
lease 300
name-server xxx.xxx.69.7
name-server xxx.xxx.69.1
name-server xxx.xxx.1.1
range 0 {
start xxx.xxx.69.2
stop xxx.xxx.69.254
}
static-mapping xxxxxx {
ip-address xxx.xxx.69.3
mac-address xx:xx:xx:xx:xx:b6
}
static-mapping xxxxxx {
ip-address xxx.xxx.69.6
mac-address xx:xx:xx:xx:xx:33
}
static-mapping xxxxxx {
ip-address xxx.xxx.69.7
mac-address xx:xx:xx:xx:xx:64
}
static-mapping xxxxxx {
ip-address xxx.xxx.69.4
mac-address xx:xx:xx:xx:xx:28
}
}
}
shared-network-name xxxxxx {
subnet xxx.xxx.73.0/24 {
default-router xxx.xxx.73.1
domain-name xxxxxx
lease 300
name-server xxx.xxx.69.7
name-server xxx.xxx.73.1
name-server xxx.xxx.1.1
range 0 {
start xxx.xxx.73.2
stop xxx.xxx.73.254
}
}
}
shared-network-name xxxxxx {
subnet xxx.xxx.70.0/24 {
default-router xxx.xxx.70.1
domain-name xxxxxx
lease 300
name-server xxx.xxx.69.7
name-server xxx.xxx.70.1
name-server xxx.xxx.1.1
range 0 {
start xxx.xxx.70.2
stop xxx.xxx.70.254
}
static-mapping xxxxxx {
ip-address xxx.xxx.70.2
mac-address xx:xx:xx:xx:xx:d8
}
}
}
shared-network-name xxxxxx {
subnet xxx.xxx.71.0/24 {
default-router xxx.xxx.71.1
domain-name xxxxxx
lease 300
name-server xxx.xxx.69.7
name-server xxx.xxx.71.1
name-server xxx.xxx.1.1
range 0 {
start xxx.xxx.71.2
stop xxx.xxx.71.254
}
static-mapping xxxxxx {
ip-address xxx.xxx.71.4
mac-address xx:xx:xx:xx:xx:53
}
static-mapping xxxxxx {
ip-address xxx.xxx.71.2
mac-address xx:xx:xx:xx:xx:07
}
static-mapping xxxxxx {
ip-address xxx.xxx.71.3
mac-address xx:xx:xx:xx:xx:c9
}
static-mapping xxxxxx {
ip-address xxx.xxx.71.5
mac-address xx:xx:xx:xx:xx:1c
}
}
}
}
dns {
forwarding {
allow-from xxx.xxx.0.0/16
cache-size 0
listen-address xxx.xxx.69.1
listen-address xxx.xxx.70.1
listen-address xxx.xxx.71.1
listen-address xxx.xxx.73.1
}
}
ssh {
disable-password-authentication
loglevel verbose
port 22
}
}
system {
config-management {
commit-revisions 100
}
conntrack {
modules {
ftp
h323
nfs
pptp
sip
sqlnet
tftp
}
}
console {
device ttyS0 {
speed 115200
}
}
host-name xxxxxx
login {
user xxxxxx {
authentication {
encrypted-password xxxxxx
public-keys xxxx@xxx.xxx {
key xxxxxx
type ecdsa-sha2-nistp256
}
}
}
}
name-server xxx.xxx.71.2
name-server xxx.xxx.69.7
name-server xxx.xxx.1.1
name-server xxx.xxx.8.8
ntp {
server xxxxx.tld {
}
server xxxxx.tld {
}
server xxxxx.tld {
}
server xxxxx.tld {
}
server xxxxx.tld {
}
server xxxxx.tld {
}
server xxxxx.tld {
}
}
static-host-mapping {
host-name xxxxxx {
inet xxx.xxx.70.2
}
host-name xxxxxx {
inet xxx.xxx.69.3
}
host-name xxxxxx {
inet xxx.xxx.69.6
}
host-name xxxxxx {
inet xxx.xxx.69.7
}
host-name xxxxxx {
inet xxx.xxx.69.1
}
host-name xxxxxx {
inet xxx.xxx.71.4
}
host-name xxxxxx {
inet xxx.xxx.71.2
}
host-name xxxxxx {
inet xxx.xxx.69.4
}
host-name xxxxxx {
inet xxx.xxx.71.3
}
host-name xxxxxx {
inet xxx.xxx.71.5
}
}
sysctl {
custom net.ipv4.conf.all.accept_local {
value 1
}
}
syslog {
global {
facility all {
level all
}
facility protocols {
level all
}
}
}
time-zone Asia/Singapore
}