2a01:4ff:1f0:c2f8::/64 is the whole subnet; your server will have one (or more) addresses in that subnet. This could be 2a01:4ff:1f0:c2f8::1, but could also be a randomly generated suffix.
They route your traffic; they know where it’s going.
.local is mDNS - and I’m using that, saves me so much hassle with split-horizon issues etc.
I also use global DNS for local servers (AAAA records on my own domain), again, this eliminates split-horizon issues. Life is too short to deal with the hassle of running your own DNS server.
/r/Zerotier or /r/Tailscale, with the caveat that this entails installing an application on the client device that accesses the server and whitelisting it - so workable if you’re accessing your server using your own phone/laptop, not so much on a random company PC or your friend’s.
If you want ‘random’ externals accessing your server, you’ll have to VPN out to a third party server that forwards ports, or host the entire thing in the cloud.
Tailscale/Zerotier yes. Other option is to tunnel out to a 3rd party VPN server with port forwarding: Cloudflare does that, and a number of others.
Yeah that’s nearly universal. Primary reasons are:
With iOS/iPadOS it’s as simple as downloading a DNS profile: https://www.reddit.com/r/Adblock/comments/koowte/encrypted_dns_profiles_for_ios_14/
If I look at that screenshot it looks like you can define specific rules? The only problem I see is that you’re using link-local (fe80:: address) as the Local IP, that should be the stable global one (2a0d:xxxx:3040).
Does the TP Link router allow you to create rules in the firewall to open specific ports towards specific endpoints?
That’s how most routers do it, but some only have a firewall on/off setting without the ability to create individual rules.
I have disabled the TP-Link router firewall
Completely? I definitely wouldn’t do that, only open the one single port you need towards the one server that’s listening.
You can use Cloudflare without the tunnel too, then it’s just a reverse proxy.