Good morning, I use a corporate VPN for security reasons. I would like to create a WAF rule to block all IPs except the one assigned by the VPN (fixed IP). The problem is that my internet provider assigns me both an IPv6 and an IPv4 address. The IPv4 is correctly replaced with the IP assigned by the corporate VPN, while the IPv6 remains the one assigned by the internet provider. I have set up this WAF rule where I specify that if I am on a certain subdomain and have an IP different from 111.111.111.111 (IP assigned by the VPN), then the traffic should be blocked. The problem is that it seems Cloudflare checks my IPv6 and not my IPv4, which has been assigned 111.111.111.111 by the VPN. Do you see any solutions? Thank you.
Kindly, instead of the Full URI I’d suggest you use Hostname to make the rule work as expected. Make sure the rule is first from the top of the Custom Rules list.
May I ask if there is an option to use only IPv4 or IPv6 from your Network adapter/settings?
By default, I assume Cloudflare checks IPv6 then IPv4 for some reason.
However, may I ask which IP you get if you visit the https://subdomain.website.com/cdn-cgi/trace endpoint, under the ip=xx.xxx.xxx.xxx parameter? Is it IPv4 or IPv6?
Otherwise, you can use the “is in” operator and add both the IPv4 and the IPv6 (multiple values) into the field.
Is the IP changing (dynamic) or fixed (static)? If it’s changing, you’d need to adjust the rule each time, otherwise you won’t be able to access the subdomain via VPN.
In that case, I’d suggest configuring an Access Policy and using Zero Trust for this subdomain.
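For reference, the two rule shapes discussed above, written out in Cloudflare's custom-rule expression syntax. This is an added illustration, not a rule posted by anyone in the thread: the hostname and the 111.111.111.111 VPN address are taken from the question, while 2001:db8::/64 is a placeholder for the IPv6 prefix the provider hands out (substitute the real one from the cdn-cgi/trace output). Both rules use the action Block.

```text
# Original shape (matches the whole URI and only an IPv4 literal).
# An IPv6 client never equals 111.111.111.111, so it is blocked even over the VPN:
(http.request.full_uri contains "subdomain.website.com" and ip.src ne 111.111.111.111)

# Suggested shape: match on Hostname, and allow a set that holds both
# the VPN's IPv4 and the provider's IPv6 prefix (placeholder, see lead-in).
# Sets in Cloudflare expressions are space-separated inside braces.
(http.host eq "subdomain.website.com" and not ip.src in {111.111.111.111 2001:db8::/64})
```

Note the trade-off the responder already raised: if the provider's IPv6 prefix is dynamic, the allowlist entry goes stale and the rule either locks you out or, if widened too far, allows addresses that never passed through the VPN. The rule only enforces "VPN only" when every address the client can present is actually routed through the VPN, which is why disabling IPv6 on the client side or fronting the subdomain with an Access policy are the more robust options.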
Anyway, I found out that my provider forces my IP to use IPv6 if I browse from the LAN (via Wi-Fi it is IPv4). I have no idea why. I can disable the option via a setting on the router, and it seems to work. Thanks for your help!