Error 1002: DNS points to local or disallowed IP

What is the name of the domain?

sd2.net

What is the error number?

Error 1002

What is the error message?

DNS points to local or disallowed IP

What is the issue you’re encountering?

Since the 1st of November, 2024, my 6to4 IPv6 address of my ISP (AS15557, SFR/Cegetel) is no longer accepted by Cloudflare’s proxy service.

What steps have you taken to resolve the issue?

Tried adding proxied records to 6to4 IPv6 addresses on IPv4 netblocks other than AS15557, SFR/Cegetel → works
Tried adding proxied records to 6to4 IPv6 addresses on IPv4 netblocks from AS15557, SFR/Cegetel → Error 1002, “disallowed IP”
These addresses were perfectly accepted by Cloudflare until the 1st of November, 2024.

Did Cloudflare blocklist proxying to SFR’s network (one of the biggest network operators in France) or is that just a bug?

What feature, service or problem is this related to?

DNS records

What are the steps to reproduce the issue?

Add a record pointing to 6to4 IPv6 addresses on SFR’s network → Error 1002, “disallowed IP”

Can you share one or more of these 6to4 IPv6 addresses, that you’re having issues with?

And perhaps also a screenshot of your Cloudflare Dashboard, when the error appears?

Hi and thanks for your answer.

Correction: it now refuses any 6to4 IPv6 address (that is anything starting with 2002:/16), regardless of the underlying IPv4 netblock (previously, that is a few weeks ago, it was just rejecting a subset of this space, esp. the one corresponding to SFR).

So to answer your question: affected 6to4 IPv6 addresses are basically anything under 2002:/16 (→ “disallowed IP”).

No error appears in the Cloudflare Dashboard, this error appears when trying to load the website:

Error 1002

Ray ID: 90def461e821d159 • 2025-02-06 23:35:05 UTC

DNS points to local or disallowed IP

This error has been appearing since the 1st of November, 2024 (it was working perfectly before).

Disabling Cloudflare proxying allows a successful connection to the underlying IPv6 server.

No matter if I use 6to4 IPv6 addresses that correspond to IPv4 addresses announced by AS15557, as you mentioned in your first post, or even those 6to4 IPv6 addresses that correspond to reserved IPv4 addresses, I am unable to reproduce that Error 1002, while trying to access the corresponding host name.

So that leads me back to the original question, -

Are you able to provide the exact 6to4 IPv6 address, and/or the exact corresponding IPv4 address, that you see issues with?

In addition, - if I may ask:

Is there any kind of problem, that you’re trying to solve, by trying to use these 6to4 addresses?

Or what exactly led you to start playing around with them?

2 Likes

Hi and sorry: I was just assuming the whole 2002::/16 was just blocklisted (regardless of the underlying IPv4 ASN) by Cloudflare’s proxy service as per my last tests yesterday.

Here is a practical example (this time hosted on AS2611):
2002:8268:cc50:abcd:ef01:2345:6789:2

For convenience, I added two DNS records to illustrate the issue:
ip6test.sd2.net (proxied through Cloudflare)
ip6test-noproxy.sd2.net (not proxied through Cloudflare)
(please note that only HTTP is enabled on this test server, not HTTPS)

As you could see, the first one directly leads to an Error 1002:

Error 1002

Ray ID: 90e42498b8707906 • 2025-02-07 14:41:48 UTC

DNS points to local or disallowed IP

The reason I am using 6to4 addresses is that I need to access an IPv6-only service and that my ISPs do not offer native IPv6 yet (yes, in 2025…).

Many thanks for your time!
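The thread keeps referring to the IPv4 address "underlying" a 6to4 address. The following added example (not part of any post above, and not Cloudflare's validation logic) shows how that IPv4 address is recovered from a 2002::/16 address and whether it is globally routable or reserved, which is the distinction the replies test. The record list, the `example.net` names and the function names are constructed for illustration; only `ip6test.sd2.net` and its address come from the thread.

```python
import ipaddress

# 6to4 (RFC 3056): 2002:WWXX:YYZZ::/48, where WWXX:YYZZ is the site's IPv4 address in hex.
SIXTOFOUR = ipaddress.ip_network("2002::/16")


def embedded_ipv4(addr):
    """Return the IPv4 address embedded in a 6to4 address, or None if addr is not 6to4."""
    ip = ipaddress.ip_address(addr)
    if ip.version != 6 or ip not in SIXTOFOUR:
        return None
    # Bits 16..47 of the 128-bit address hold the IPv4 address.
    return ipaddress.IPv4Address((int(ip) >> 80) & 0xFFFFFFFF)


def classify(addr):
    """Label an origin address by what its 6to4 prefix encodes."""
    v4 = embedded_ipv4(addr)
    if v4 is None:
        return "not-6to4"
    # is_global is False for RFC 1918, loopback, link-local and other reserved ranges.
    return "6to4-global" if v4.is_global else "6to4-nonglobal"


def audit(records):
    """Map (hostname, AAAA target) pairs to (hostname, embedded IPv4 or None, label)."""
    return [(name, embedded_ipv4(addr), classify(addr)) for name, addr in records]


# Constructed sample zone: the first entry is the test record from the thread,
# the others are made-up records covering the reserved and non-6to4 cases.
SAMPLE_RECORDS = [
    ("ip6test.sd2.net", "2002:8268:cc50:abcd:ef01:2345:6789:2"),
    ("lan.example.net", "2002:c0a8:101::1"),   # embeds 192.168.1.1 (private)
    ("native.example.net", "2001:db8::1"),     # documentation prefix, not 6to4
]

if __name__ == "__main__":
    for name, v4, label in audit(SAMPLE_RECORDS):
        print(f"{name:22} {str(v4):16} {label}")
```

The standard library's `IPv6Address.sixtofour` property returns the same embedded address; the manual shift is shown here to make the bit layout explicit.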

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.