Flarely Legal Magic Transit

Comprehensive DDoS protection and traffic routing through Cloudflare’s global network.

Overview

Magic Transit provides network-layer (L3) DDoS protection. The protected IP prefixes are advertised to the internet from Cloudflare's Anycast network, so every inbound packet for those prefixes lands at the nearest Cloudflare edge before it can reach the origin infrastructure. Traffic is scrubbed at Cloudflare's edge and only clean traffic is forwarded, encapsulated in GRE tunnels, to the pfSense edge router.

Benefits:

  • DDoS Mitigation: Automatic protection against volumetric and protocol attacks

  • Always-On Protection: All traffic flows through Cloudflare, not just during attacks

  • Global Routing: Intelligent traffic steering to optimal edge locations

  • Health Monitoring: Automatic failover and tunnel health checks

  • Zero Trust Integration: Works with Cloudflare Access and other security products

Architecture

Magic Transit sits upstream of the entire network infrastructure:

  1. Internet Traffic → Cloudflare Anycast IPs

  2. Cloudflare Edge → DDoS scrubbing and filtering

  3. GRE Tunnels → GRE-encapsulated (IP protocol 47) tunnels from Cloudflare's edge to pfSense. GRE itself provides no encryption or authentication; the outer source and destination addresses are the only binding to the tunnel, so pfSense must accept protocol 47 solely from the Cloudflare tunnel endpoint, and traffic needing confidentiality must be protected by the application (TLS) or by an IPsec tunnel instead.

  4. pfSense Router → On-premises network
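The following is an added example, not code from the Flarely Legal project or from Cloudflare. It shows the check the pfSense edge has to make at step 3 because GRE carries no cryptographic protection: parse the outer IPv4 header, accept IP protocol 47 only when the outer source is the configured Cloudflare endpoint and the outer destination is the pfSense WAN address, strip the GRE header (RFC 2784/2890 optional fields included), and confirm the inner destination lies inside a protected prefix. The endpoint addresses are the page's RFC 5737 placeholders; the protected prefix 192.0.2.0/24, the sample packets and all function names are assumptions made for this example.

```python
"""Validate and decapsulate a GRE-over-IPv4 packet the way a Magic Transit edge router should.

Added example, not project or Cloudflare code. GRE (RFC 2784) has no authenticator or
encryption, so the only thing tying a packet to the tunnel is the outer address pair.
"""
import ipaddress
import struct
from dataclasses import dataclass

GRE_PROTO = 47
ETHERTYPE_IPV4 = 0x0800

# Assumed tunnel parameters: the page's RFC 5737 placeholders, not production values.
CLOUDFLARE_ENDPOINT = ipaddress.IPv4Address("203.0.113.5")
PFSENSE_WAN = ipaddress.IPv4Address("198.51.100.1")
# Constructed example of a protected prefix (Magic Transit protects whole prefixes).
PROTECTED_PREFIXES = [ipaddress.IPv4Network("192.0.2.0/24")]


@dataclass
class Verdict:
    accepted: bool
    reason: str
    inner_src: str = ""
    inner_dst: str = ""


def _parse_ipv4_header(buf: bytes):
    """Return (header_len, proto, src, dst) for a minimal-sanity IPv4 header, or None."""
    if len(buf) < 20:
        return None
    ver_ihl, _tos, _tlen, _id, _frag, _ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", buf[:20])
    if ver_ihl >> 4 != 4:
        return None
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or len(buf) < ihl:
        return None
    return ihl, proto, ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)


def check_gre_packet(packet: bytes) -> Verdict:
    """Decide whether a packet received on the WAN is legitimate tunnel traffic."""
    outer = _parse_ipv4_header(packet)
    if outer is None:
        return Verdict(False, "malformed outer IPv4 header")
    ihl, proto, src, dst = outer
    if proto != GRE_PROTO:
        return Verdict(False, f"not GRE (ip proto {proto})")
    # No authenticator exists, so pin both outer addresses. A spoofed source can still
    # inject; that is why upstream ACLs/uRPF matter, but this is the firewall minimum.
    if src != CLOUDFLARE_ENDPOINT or dst != PFSENSE_WAN:
        return Verdict(False, f"GRE from unexpected endpoints {src} -> {dst}")
    gre = packet[ihl:]
    if len(gre) < 4:
        return Verdict(False, "truncated GRE header")
    flags_ver, ptype = struct.unpack("!HH", gre[:4])
    if flags_ver & 0x0007 != 0:
        return Verdict(False, "unsupported GRE version")
    # Optional fields: C (checksum, 0x8000), K (key, 0x2000), S (sequence, 0x1000),
    # each adding 4 bytes after the fixed 4-byte header.
    hdr_len = 4 + sum(4 for bit in (0x8000, 0x2000, 0x1000) if flags_ver & bit)
    if ptype != ETHERTYPE_IPV4:
        return Verdict(False, f"unexpected GRE payload type 0x{ptype:04x}")
    inner = _parse_ipv4_header(gre[hdr_len:])
    if inner is None:
        return Verdict(False, "malformed inner IPv4 header")
    _, _, isrc, idst = inner
    if not any(idst in p for p in PROTECTED_PREFIXES):
        # Clean traffic from Cloudflare can only be destined to prefixes it advertises.
        return Verdict(False, f"inner destination {idst} is not a protected prefix",
                       str(isrc), str(idst))
    return Verdict(True, "clean traffic from Cloudflare edge", str(isrc), str(idst))


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Constructed test packet builder (checksum left zero; not needed for parsing)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def build_gre(inner: bytes) -> bytes:
    """Plain RFC 2784 GRE header (no C/K/S fields) in front of an IPv4 packet."""
    return struct.pack("!HH", 0, ETHERTYPE_IPV4) + inner


if __name__ == "__main__":
    inner_ok = build_ipv4("203.0.113.77", "192.0.2.10", 6, b"\x00" * 8)
    print(check_gre_packet(build_ipv4("203.0.113.5", "198.51.100.1", 47, build_gre(inner_ok))))
    print(check_gre_packet(build_ipv4("203.0.113.99", "198.51.100.1", 47, build_gre(inner_ok))))
```

On pfSense the equivalent of the endpoint pin is a WAN rule permitting protocol GRE only from the Cloudflare endpoint to the WAN address, with no other GRE rule; the prefix check corresponds to routing the protected prefix only via the tunnel interface.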

Configuration Components

  • GRE Tunnels
  • Anycast IP Addresses
  • Health Checks and Monitoring
  • Traffic Steering and Policies

Current Deployment

Status: Active and operational

Primary Tunnel (the addresses below are RFC 5737 documentation placeholders, not the production values):

  • Endpoint: 203.0.113.5 (Cloudflare tunnel endpoint; outer destination of GRE packets sent by pfSense)

  • Local: 198.51.100.1 (pfSense WAN address; outer source of those packets)

  • Tunnel IPs: 198.51.100.1/31 (pfSense) ↔ 198.51.100.0/31 (Cloudflare). These are the inner interface addresses of the GRE tunnel; in the real configuration they are a separate /31 that does not overlap the WAN or endpoint addresses, which the placeholder pair above does.

  • Health Status: Online (9.3ms latency, 0% loss)

Protected Services:

  • All inbound traffic to Site 1

  • Site-to-site connectivity between locations

  • Public-facing services and applications

Performance

Magic Transit adds minimal latency while providing comprehensive protection:

  • Tunnel Latency: ~9.3ms average

  • Packet Loss: 0.0%

  • Jitter: <1ms

  • Availability: 99.99%+ (via Cloudflare SLA)
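The numbers above are the baseline an operator should alert against. As an added example (not code from the project or from Cloudflare), the function below evaluates the tunnel from the pfSense side using ordinary ping output toward the Cloudflare tunnel address: it infers loss from missing ICMP sequence numbers rather than trusting the summary line, computes average RTT and jitter, and compares them with thresholds derived from this page's baseline (9.3 ms, 0% loss, <1 ms jitter). The threshold values, the sample ping output (which deliberately drops one probe) and the function names are assumptions made for this example; Cloudflare's own tunnel health checks run from its edge and are complementary to this.

```python
"""Tunnel health check from ping output. Added example, not project or Cloudflare code."""
import re
from dataclasses import dataclass, field
from statistics import mean

# Assumed alert thresholds: the page's baseline plus a tolerance chosen for this example.
MAX_AVG_RTT_MS = 20.0
MAX_LOSS_PCT = 1.0
MAX_JITTER_MS = 2.0

# Matches FreeBSD/Linux ping reply lines: "... icmp_seq=3 ttl=64 time=9.2 ms"
REPLY_RE = re.compile(r"icmp_seq=(\d+) .*?time=([\d.]+) ms")

# Constructed sample: six probes sent toward the page's placeholder tunnel address,
# reply for icmp_seq=3 missing.
SAMPLE_PING = """\
PING 198.51.100.0 (198.51.100.0): 56 data bytes
64 bytes from 198.51.100.0: icmp_seq=0 ttl=64 time=9.1 ms
64 bytes from 198.51.100.0: icmp_seq=1 ttl=64 time=9.4 ms
64 bytes from 198.51.100.0: icmp_seq=2 ttl=64 time=9.2 ms
64 bytes from 198.51.100.0: icmp_seq=4 ttl=64 time=9.5 ms
64 bytes from 198.51.100.0: icmp_seq=5 ttl=64 time=9.3 ms
"""


@dataclass
class TunnelHealth:
    sent: int
    received: int
    loss_pct: float
    avg_rtt_ms: float
    jitter_ms: float
    healthy: bool
    problems: list = field(default_factory=list)


def analyse_ping(output: str, sent: int) -> TunnelHealth:
    """Derive loss, latency and jitter from per-reply lines and judge them against thresholds."""
    replies = {}
    for m in REPLY_RE.finditer(output):
        replies[int(m.group(1))] = float(m.group(2))  # duplicates collapse onto one seq
    received = len(replies)
    loss_pct = 100.0 * (sent - received) / sent if sent else 100.0
    rtts = [replies[s] for s in sorted(replies)]
    avg = mean(rtts) if rtts else float("inf")
    # Jitter as the mean absolute difference between consecutive RTTs (simplified RFC 3550 idea).
    jitter = mean(abs(a - b) for a, b in zip(rtts, rtts[1:])) if len(rtts) > 1 else 0.0

    problems = []
    if loss_pct > MAX_LOSS_PCT:
        problems.append(f"loss {loss_pct:.1f}% exceeds {MAX_LOSS_PCT}%")
    if avg > MAX_AVG_RTT_MS:
        problems.append(f"avg rtt {avg:.1f} ms exceeds {MAX_AVG_RTT_MS} ms")
    if jitter > MAX_JITTER_MS:
        problems.append(f"jitter {jitter:.2f} ms exceeds {MAX_JITTER_MS} ms")
    return TunnelHealth(sent, received, loss_pct, avg, jitter, not problems, problems)


if __name__ == "__main__":
    # On pfSense this would be: ping -c 6 198.51.100.0 | python3 this_script.py
    print(analyse_ping(SAMPLE_PING, sent=6))
```

Because loss is derived from gaps in the sequence numbers, a ping run that is interrupted before its summary line still yields a correct verdict, and a tunnel that silently drops replies shows up as loss rather than as a parser error.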

Integration with Other Services

Magic Transit integrates with the following Cloudflare services:

  • Cloudflare Access: Zero Trust network access

  • Gateway: DNS filtering and policies

  • Spectrum: TCP/UDP application protection

  • Load Balancing: Multi-origin traffic distribution

Documentation Status

Note

This section is under active development. Additional details about tunnel configuration, Anycast IPs, health checks, and traffic steering policies will be added.

Related Documentation

  • pfSense Configuration

  • Cloudflare Zero Trust


© Copyright 2025, Flarely Legal. Last updated on Nov 27, 2025.