Advice please re: Paypal's new IP addresses for IPNs

I’m hoping for some advice please re: the new set of IP addresses that Paypal started using recently for IPNs (Instant Payment Notifications). I am confused about two things:

  1. I already had Paypal’s original IP’s whitelisted on our Cloudflare firewall. However when I went to add the new ones, I was only allowed to add the single IP addresses from their list, not the new ranges. They are using five new IP ranges, this one as an example: 64.4.240.0/21 but when I tried to add that to our whitelist I got the error message “only an IPv4 range (CIDR) value of /16 or /24 is allowed for IP Access Rules”. So how can I add these ranges, which all end in either “/20”, “/21”, “22” or “/23” ?

  2. I also wasn’t sure if I also needed to get these Paypal IP’s whitelisted on our own server’s firewall too. When I asked our webhost, they said they need to know if the Paypal IP’s need to be accepted through a specific port. (Paypal’s information didn’t mention anything about port numbers). I can phone Paypal’s tech support, but thought I would ask here first.

Just to also clarify, that we are getting Paypal’s IPN’s OK at the moment, none missing that I am aware of, but that could be just luck that they have so far come from an IP address that we
have already whitelisted.

Any advice much appreciated!

Give IP Lists a try. It looks like it will take a /21 list and then can be used in a Firewall Rule as an “Allow”.

I don’t even know where IP Lists is documented, but from dash.cloudflare.com, click “Configurations” at the top, then click on Lists. You can create your ‘paypal’ list there.

1 Like

Maybe this could help?:

Thanks so much for the suggestions! It’s really useful to know the extra info about IP lists.

However in this case, it has transpired that we didn’t need to do anything at all… I telephoned Paypal’s merchant support in the end as it didn’t make sense to me that we would need to know a port number for these IPN’s. After 20 minutes of head-scratching (theirs) and screen-shotting (mine) they confirmed that we didn’t need to do anything! Turns out their emails were just “blanket” emails sent out to anyone running a webshop that takes Paypal payments, BUT the changes only apply if you are running a “pro” version of their merchant solution (which we aren’t!!!). Anyone running the “standard” version (which we are) the IP filter is taken care of within the application itself.

I have to say I am not impressed with Paypal sending me emails with “actions” that I didn’t need to take, and causing me to spend hours looking into it!

Thanks for the helpful replies anyway!!!

2 Likes

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.