Cloudflare Magic Transit

What’s everyones take on this new product?

Similar offering to what Sharktech, Psychz, & Voxility, offer over GRE’s.

CF’s doing it over GRE too.


1 Like

Didn’t find any information about pricing.

To my eyes, as a smaller hosting provider, it’s certainly not worth it.

Honestly: Voxility has always trashed my traffic, it’s why I don’t and can’t use it. Troubleshooting it isn’t worth it, my customers make tons of small and fast connections and it just doesn’t fit well.

On the other side, I’ve seen CF first hand handle complex attacks while users saw no visible impact. They are the seasoned veterans, the real experts of that field.

$5000/month is their bottom price it seems.

I had one host forward me their quote where it was something like:

  • 100Mbit clean
  • 8 mitigations a year
  • $4000.00/month, paid yearly



Yeah we’ve had our share of issues with Voxility. They give good value and it works pretty well with what they list as supported. The problem is that there is a lot of markets we can’t enter because their filtering eats the packets.

Support for users to play on XBL or PSN are something that is blocked. We’ve been with Voxility for 3 years now and have spent probably…100 hours to date trying to get them to help us fix XBL. Its only recent that they’ve started at least looking at the PCAP captures I took.

To be fair, some of the previous PCAP’s we would take with customers would be full of pornhub DNS/streams. Our users couldn’t put their dicks down for 5 minutes to give me a clean packet sample. For the latest round of debugging I ended up just hooking up an XBOX to a laptop and VPN’d it to a filtered IP. Perfect captures.

There’s many other games they don’t support that I really wish they did.



I wonder if Incapsula, Arbor and other “enterprise” protections are cheaper at this point…

There certainly is a lot of players in the infrastructure DDOS protection market.

How many are actually running hardware that’s built for filtering versus acls and built in anti DDoS at their core?

Well, CF’s running purely on commodity servers with their own inhouse filtering on top.

Their blog posts documenting how they filter/handle things are pretty interesting.


1 Like

We’re the same setup. Choopa and ProxyPipe as well.

I don’t know of anyone else that does it this way. All of the European brands use of branded hardware, and everyone else is just using basic rules at their core or setting up a tunnel to someone else.

What sort of setup does voxility have?

I think they have Arbors along side ACL’s.


Ah, that would explain their lack of flexibility with the DDoS protection.

Don’t get me wrong, I’m not faulting them. Full time mitigation is a really really tough thing to get right, we’ve been playing the 2 steps forward, 1 step back game for a while with our own mitigation. It’s easy to block attacks. It’s hard to block attacks without blocking legitimate traffic, especially when you’re filtering full time.

I use DDOS protection supplied by my DC, which they give me for a small additional fee along with transit - the nice thing is that it protects downstreams as well. No idea what powers it in the backend, I think it’s mostly DIY based on Arista gear and {Net,s}Flow analysis. This is in Europe btw.

Before that, I used my own DIY solution based on spawning few Vultr VMs in various parts of the world, anycasting my prefixes (with an “export only to NTT” community), filtering stuff with IPTables and then tunneling clean bandwidth back to me with GRE. While it worked fantastically, it wasn’t very cheap and I always felt like that setup was janky, especially since it reduced MTU from the standard 1500.


Super creative solution with the Vultr VMs.