There is a server right near me, I get 1-2ms when pinging 1.1.1.1 but warp and https://speed.cloudflare.com/ connects me so far away. Zero trust is working with this too so it gives so much ping. Since there is no choose server button or anything, how can I fix this?
#Cloudflare connects me so far away
I check https://www.cloudflarestatus.com/ and it's Operational, I check by pinging 1.1.1.1 to confirm. And it still uses so far away servers when it comes to warp and zero trust.
Routing is not "closest location is fastest" but depends on more complex things such as your ISP's routing decisions/capacity.
WARP is also only available in specific locations. Not available in most smaller locations. What do you mean by "Zero Trust" works with that too? If you turn off warp/any vpn, do you get routed to the closest location on speed.cloudflare.com or on https://cloudflare.com/cdn-cgi/trace ?
I want to get the closest servers since all my clients are connecting from the same location as I am, to my servers. This makes them get a lot of ping which is not good. And the second thing that I said is warp and zero trust are connecting me to the far servers instead of closest, and low ping ones for me. But if warp is not possible on this location, then zero trust should be possible right? Or why else there is a server here if it's not used for anything.
Would need more information to say more, like the extra routing info I asked for above, but some locations are super small essentially enterprise only locations due to low capacity/high costs
Is it possible to choose the server like in other vpns? in warp or in zero trust. I'm just curious about those two at the same time so I'm asking at the same time.
No. WARP doesn't really consider itself to be a vpn either, hence the lack of that option. It's more meant for security and speed. It's also quite possible ARN is the closest warp enabled location to you
"Zero Trust" is vague and there's a lot of products within it. If you mean with CF Access or something, that's just behind the normal anycast cdn, so no but worth noting it inherits your website's plan for routing preference
So there is no way to host something with low ping without port forwarding?
For the clients that are in the same city/country as me
it's def possible, with Cloudflare or other, but for Cloudflare it just depends on their routing
If you go to: https://debug.chaika.me/?findColo=true, do any of them route locally to gyd?
```json
{
  "cdn-cgi": {
    "local-free-v4": ["IPv4", "colo=AMS"],
    "local-free": ["IPv4", "colo=AMS"],
    "local-pro": ["IPv4", "colo=AMS"],
    "local-biz": ["IPv4", "colo=AMS"],
    "local-ent": ["IPv4", "colo=AMS"],
    "local-ent-IPv4-spectrum": ["IPv4", "colo=AMS"],
    "local-1111-ipv4": ["IPv4", "colo=AMS"]
  },
  "durable-object": {
    "colo": "LHR",
    "cached": true
  }
}
```
I tried with some other isp here
and it shows this:
```json
{
  "cdn-cgi": {
    "local-free": ["IPv4", "colo=FRA"],
    "local-free-v4": ["IPv4", "colo=FRA"],
    "local-pro": ["IPv4", "colo=FRA"],
    "local-biz": ["IPv4", "colo=BRU"],
    "local-ent": ["IPv4", "colo=CPH"],
    "local-1111-ipv4": ["IPv4", "colo=LLK"],
    "local-ent-IPv4-spectrum": ["IPv4", "colo=ARN"]
  },
  "durable-object": {
    "colo": "ARN",
    "cached": false
  }
}
```
LLK is one of the cloudflare servers here, in other city but it doesn't connect me to there either in zero trust.
When GYD gets operational, it doesn't connect me to there too :d
AMS is better/more reasonable than ARN but yea looks like your ISP's/their partners' routing just doesn't take you locally. `tracert cloudflare.com` may show some interesting information but probably not something that you could fix
Today it shows it like this, but how can I know which one of these shows cloudflare zero trust tunnels?
```json
{
  "cdn-cgi": {
    "local-free": ["IPv4", "colo=LLK"],
    "local-free-v4": ["IPv4", "colo=LLK"],
    "local-pro": ["IPv4", "colo=AMS"],
    "local-biz": ["IPv4", "colo=GYD"],
    "local-ent": ["IPv4", "colo=ARN"],
    "local-1111-ipv4": ["IPv4", "colo=GYD"],
    "local-ent-IPv4-spectrum": ["IPv4", "colo=ARN"]
  },
  "durable-object": {
    "colo": "ARN",
    "cached": true
  }
}
```
If you're using free plan, should have around the same routing as local-free option. It looks unstable though considering higher plans don't get routed to it
You can go to https://<your-access-domain>/cdn-cgi/trace and look for the colo= line to see which you connect to for it
Tunnels themselves connect to a few closer locations without caring about your zone plan's routing, so you end up with something like:
User -> CF Colo (ex: LLK) -> CF Tunnel -> CF Tunnel Colo (ex: AMS) -> Cloudflared running locally.
You can check in your tunnel logs (`journalctl -u cloudflared -f --lines=100`) where it's connecting
LLK's closer, yea? The magic of waiting for ISPs to fix their routing
:d
the closest is GYD, and second closest is LLK
I wonder if I call them about this, will they know what I'm talking about
depends on how big/nice your isp is
Hmm it gives internet to whole country, but it's a small country so I think I would only know that by trying calling
What does colo do?
CF colo
airport code of the Cloudflare datacenter you are connecting to
If you mean their actual use: It's what is processing your requests (decrypting ssl, handling locally if it can, proxying request to your origin otherwise, etc)
So it acts like a DNS server right?
For 1.1.1.1 it acts as a dns server, yes. For http request it's acting as the reverse proxy, like nginx
It's just the location Cloudflare has physical machines and is processing at (including http/dns/spectrum apps, etc)
Since there is literally no server for anything in my country, my wish is to get low ping from anything possible. Like when I host a minecraft server, everyone gets 500 ping from it :d
And that's because, relay servers are so far away
Can I ask how did you make that? I want to have something similar to that, that shows cloudflare servers
Just the same thing
you'd need a zone for each level i'm pretty sure :p
so enterprise, free, pro, biz, ...
You can just use any domains cdn-cgi/trace
Chika just uses random ones and for some reason appends okplsnoblockme to it
ah, didn't know that
They can see it tho (on plans with security analytics)
You can't see it in events
interesting
But it doesn't give much information as chaika's
it gives you exactly what chika gives you. all he does is aggregate the info from a few diff sites and displays it in json
some ublock lists block /cdn-cgi/trace lol
but yea all I'm doing is using all of my own domains on the various plan levels that I know they're on
that makes sense
also you respond to favicon.ico with the html page
didnt realize that you used your own ones, didnt want to use cia.gov?
lol I wanted to be 100% sure what plan they were on
that was the issue with past community tools and why Matteo took his down
do champ ent domains actually have the same prioritization as real ent tho?
as far as I know and can see. Unrelated to this I have a ton of monitoring for https://delay.cloudflare.chaika.me/v2/locations, and my ent zones can reach every edge location, even ones like JNB, LIS, Jakarta, bom, etc
It's not like there's a special rate plan or anything for "champ ent zones", as far as I know and can see my zones are just the normal enterprise any paying customer would get as it's all negotiated outside of it anyway
do you jus run a vps in many locations?
yup
you have actual paid ent zone plans right? You could check your rate plan/subs vs the one on my ent acct
I do, Is there an api endpoint for this?
GET /zones/<zone-id>/subscription
stand by
I have Argo Smart Routing on the ent zone as well but it doesn't change the inbound IPs if already ent
```json
{
  "errors": [],
  "messages": [],
  "result": {
    "id": "REDACTED",
    "rate_plan": {
      "id": "cf_ent",
      "public_name": "Enterprise",
      "currency": "USD",
      "scope": "zone",
      "externally_managed": false,
      "sets": null,
      "is_contract": true
    },
    "component_values": [
      {
        "name": "spectrum_bytes_transferred",
        "value": 1,
        "default": 1
      },
      {
        "name": "page_rules",
        "value": 125
      }
    ],
    "zone": {
      "id": "REDACTED",
      "name": "REDACTED"
    },
    "frequency": "not-applicable",
    "state": "Paid",
    "currency": "USD",
    "price": 0,
    "trial": null,
    "product": {
      "name": "prod_cloudflare",
      "period": "",
      "billing": "",
      "public_name": "CloudFlare Services",
      "duration": 0
    },
    "cancel_at_period_end": false,
    "handler": "stripe",
    "created_date": "REDACTED",
    "intent": "MIGRATED"
  },
  "success": true
}
```
all my zones have argo enabled
Its different, I have cf_ent
If I did that for my biz/pro ones it'd destroy the routing comparison lol
lol
yea it is slightly different, that's interesting, the components/features for both look exactly the same though. I wonder if it's because the way they were assigned to me was in bulk (just 3 ent plans I could assign to any zone) vs manually assigned, or new vs old? It's curious you have a handler directly on there too
im not sure why
that zone was always enterprise also
checking a zone that used to be biz has the handler also
my ent contract only has 11 I can assign to zones, its not unlimited
11 is a very specific number
its 1+10
1 primary and 10 additional
idk why but thats the way it was explained to me
well all this has done is make me more confused
lol
cf's billing stuff is super confusing to begin with though, lots of weird rate plans like how the api calls free 0feeeeeeeeeee
its 0 fee with more eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee
i guess
still same component values/settings as normal ent plans though, 125 page rules, have all the same features. I think there's some special routing stuff like with the jurisdictional stuff but same base normal ent routing
is there anything else you want to see from any of my zones?
interesting to look at the sites in the same subnet as one of my ent zone's ip https://bgp.tools/prefix/104.18.16.0/20#dns
ie.gamma.starbucks.com, napster.com.sg, r2.example.walshy.dev,
verify-identity-page-1.s.onefla.re let me just put ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- in my domain
looks like quite a few of those aren't ent sites but just using cf for saas and such
*.phjl.ph didnt think we were supposed to see **
104.18.16.18 sweetlabs.cloudflaresso.com, test-404.chaika.me, *.phjl.ph ( 78 total...)
lol, they all look like ent sites though
the most interesting ones are the cfops domains
is there something im not allowed to say? everything I know is reverse engineered
the one thing I really wanna know is how cfdata.lol works. I know there is a way to make requests against specific PoP's but ive not figured it out yet
there's really lazy public ways
its 'open source' but not enough to know the secret sauce
tbh I don't know either and I've never asked any details or cared to learn, I'd rather do it my way
which is I just have VPS's with less than 1ms to LIS/SLC, PDX, etc
will always work and no external deps
there are only a few pops I care about (the ones near client offices) so I monitor those ones and use cfops.net for just down detection since its >30m quicker than the statuspage
process.env.FETCH_FROM_COLO_URL}colo=${colo}&url=https://trace.colo.quest/info?type=fl I just need what goes in FETCH_FROM_COLO_URL
the magic word obviously - please - fetch from colo url /s
I played around with making a fun idea with global lb health check -> worker -> worker websocket to durable object -> congrats live fetch from all colos
doubt that's what that does but was a fun idea to play with
small thing
global healthchecks dont really come from all pops
at least not all the time
often the actual source is sf0[something]-DOG
and they also leak the private ips of the metals
which while it does not matter really is kinda tacky
not health checks but load balancer health checks with the All Data center option
(if the origin is a tunnel)
I know
idk if it's all colos constantly but it's a lot of them
when I was trialing LB I saw the actual source for a lot of them was SF
with private ips in the X-Forwarded-For
https://trace.colo.quest/ might work like that, https://trace.colo.quest/ returns the worker ip
Http logpush shows I'm constantly seeing about 573 unique colo ids from a global lb health check