Customer routing dossier

One customer, three lanes, zero ambiguity.

This view keeps operator judgment tight: dedicated IP tunnel for full L4 identity, TCP SNI passthrough for tunnel-less TLS domains, and Cloudflare SaaS for web.

Customer

northforge labs

Status: healthy across all active products.

Live

Dedicated IP tunnel

Public IP routed through WireGuard

Public IP: 130.162.134.208

Private IP: 10.0.0.43

Tunnel address: 10.240.8.2/32

Identity

Real TCP/UDP IP preserved

Routing

No SNAT

Billing

0 dedicated IP unit

TCP Domain Proxy mode

TLS passthrough route set

Tunnel-less, SNI-bound.

Customer domain

panel.northforge.gg

Backend

172.18.40.22:443

Proxy v2

enabled

Customer domain

tls-api.northforge.gg

Backend

api-origin.northforge.internal:8443

Proxy v2

disabled

Billing posture

Dedicated IP and per-GB traffic

Month-to-date

0 IP / 0 GB

Tunnel lane and TCP domain lane both feed the traffic counter. Web lane can stay separately itemized later.

Traffic split

0 GB tunnel / 0 GB SNI proxy

Operators can see when a customer should move a service from shared TLS proxy to a dedicated IP lane.

Distribution

Tunnel 71% SNI Proxy 29%

Operator warnings

Guardrails by product lane

rule_settings

TCP domain proxy

Reject non-SNI TCP

SSH, arbitrary binary TCP, and other non-SNI traffic must move to dedicated IP or tunnel lanes.

Tunnel IP mode

Keep source/destination check disabled

If OCI source/destination check flips back on, routed public IP traffic dies even though the tunnel still looks healthy.

Proxy protocol

Backend support must be explicit

When PROXY v2 is enabled against an unaware backend, the first bytes of the TLS stream become garbage and the app fails hard.