Flarely Legal Magic Transit
===========================

Comprehensive DDoS protection and traffic routing through Cloudflare's global network.

Overview
--------

Magic Transit provides network-layer DDoS protection by routing all traffic through Cloudflare's Anycast network before it reaches the origin infrastructure. Traffic is scrubbed at Cloudflare's edge and clean traffic is forwarded via GRE tunnels to the pfSense edge router.

**Benefits:**

- **DDoS Mitigation**: Automatic protection against volumetric and protocol attacks
- **Always-On Protection**: All traffic flows through Cloudflare, not just during attacks
- **Global Routing**: Intelligent traffic steering to optimal edge locations
- **Health Monitoring**: Automatic failover and tunnel health checks
- **Zero Trust Integration**: Works with Cloudflare Access and other security products

Architecture
------------

Magic Transit sits upstream of the entire network infrastructure:

1. **Internet Traffic** → Cloudflare Anycast IPs
2. **Cloudflare Edge** → DDoS scrubbing and filtering
3. **GRE Tunnels** → Encrypted tunnels to pfSense
4. **pfSense Router** → On-premises network

Configuration Components
------------------------

.. toctree::
   :maxdepth: 1

   gre-tunnels
   anycast-ips
   health-checks
   traffic-steering

Current Deployment
------------------

**Status**: Active and operational

**Primary Tunnel**:

- **Endpoint**: 203.0.113.5 (Cloudflare example)
- **Local**: 198.51.100.1 (pfSense WAN example)
- **Tunnel IPs**: 198.51.100.1/31 (pfSense) ↔ 198.51.100.0/31 (Cloudflare)
- **Health Status**: Online (9.3ms latency, 0% loss)

**Protected Services**:

- All inbound traffic to Site 1
- Site-to-site connectivity between locations
- Public-facing services and applications

Performance
-----------

Magic Transit adds minimal latency while providing comprehensive protection:

- **Tunnel Latency**: ~9.3ms average
- **Packet Loss**: 0.0%
- **Jitter**: <1ms
- **Availability**: 99.99%+ (via Cloudflare SLA)

Integration with Other Services
-------------------------------

Magic Transit integrates with the following Cloudflare services:

- **Cloudflare Access**: Zero Trust network access
- **Gateway**: DNS filtering and policies
- **Spectrum**: TCP/UDP application protection
- **Load Balancing**: Multi-origin traffic distribution

Documentation Status
--------------------

.. note::
   This section is under active development. Additional details about tunnel configuration, Anycast IPs, health checks, and traffic steering policies will be added.

Related Documentation
---------------------

- `pfSense Configuration `_
- `Cloudflare Zero Trust `_
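The GRE forwarding step from the Architecture and Current Deployment sections, as an added example that is not part of the Flarely Legal project's own code: it wraps a scrubbed packet the way the Cloudflare edge does (outer IPv4 with protocol 47 plus a 4-byte GRE header) and validates and unwraps it the way the pfSense side does, using the page's example endpoint addresses. All function names are assumptions, and the inner packet is constructed.

```python
import ipaddress
import struct

# Addresses from the page's example deployment (documentation ranges, not live hosts).
CLOUDFLARE_ENDPOINT = "203.0.113.5"   # outer source: Cloudflare edge
PFSENSE_WAN = "198.51.100.1"          # outer destination: pfSense WAN
GRE_PROTO = 47
ETHERTYPE_IPV4 = 0x0800


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum of an IPv4 header (yields 0 over a valid header)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with checksum, followed by payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + payload


def gre_encapsulate(inner_packet: bytes) -> bytes:
    """Edge side: outer IPv4 (protocol 47) + GRE header + the scrubbed inner packet.

    GRE adds no confidentiality: the inner packet is carried as-is.
    """
    gre_hdr = struct.pack("!HH", 0, ETHERTYPE_IPV4)   # no C/K/S bits, version 0, inner = IPv4
    return build_ipv4(CLOUDFLARE_ENDPOINT, PFSENSE_WAN, GRE_PROTO, gre_hdr + inner_packet)


def gre_decapsulate(packet: bytes) -> bytes:
    """pfSense side: validate the outer and GRE headers, return the inner packet."""
    ihl = (packet[0] & 0x0F) * 4
    outer = packet[:ihl]
    if ipv4_checksum(outer) != 0:
        raise ValueError("bad outer IPv4 checksum")
    if outer[9] != GRE_PROTO:
        raise ValueError("outer protocol is not GRE")
    src = str(ipaddress.ip_address(outer[12:16]))
    if src != CLOUDFLARE_ENDPOINT:   # accept GRE only from the configured Cloudflare peer
        raise ValueError(f"GRE from unexpected peer {src}")
    flags, proto = struct.unpack("!HH", packet[ihl:ihl + 4])
    if flags & 0xB007 or proto != ETHERTYPE_IPV4:   # C/K/S add fields not handled; version must be 0
        raise ValueError("unsupported GRE header")
    return packet[ihl + 4:]
```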