Firewall Tools Whitelist IPv6 works but IPv4 does not

I have a single personal blog site and am using the free Cloudflare service and it's the best thing I ever did, but I have found a problem with the Firewall Tools section in which I enter my own public IP address to whitelist myself against the other firewall rules. One of the rules blocks access to my WordPress admin section for example. If I enter my public IPv6 address it works properly and lets me into my WordPress admin section. If I enter my IPv4 address instead, then I'm blocked by Cloudflare. The problem is my ISP does not offer a fixed IP address service and they have a habit of rotating my IPv6 address about twice a day. The IPv4 address is sticky and only changes if I turn my modem off overnight for example. It would be a lot better therefore to have Cloudflare whitelist me by IPv4. Is there something I'm overlooking here?

Hi @ian16,

I would guess that you are connecting using IPv6, which is why you need to whitelist that.

What you could do, instead of using firewall rules to block access to your wp-admin, is to use Cloudflare Access, which is free for up to 5 users and lets you protect a specific area of your site.

https://www.cloudflare.com/en-gb/products/cloudflare-access/

IPv6 is preferred. If your local network, your ISP and the site you want to access support v6, it will be used instead of v4.

Since it seems to me that you have native IPv4 support from your ISP and not some DS-Lite setup, disabling IPv6 on your PC could solve this.

Thank you so much for the guidance so far!

I followed the Access tutorial and set it up for the /wp-admin path of my site with just the basic one-time pin and my email address, but I can’t get it to work. If I could, I’d try the next step of verifying with my Google account.

For the moment if I whitelist my ever-changing IPv6 I can get into my WordPress Admin.
If I disable the whitelist I am blocked by my own firewall rule.
If I temporarily disable that firewall rule I can get straight in without anything from Access wanting me to enter my email address for a one-time pin.

I’m not an IT guy. Just a blogger and perhaps overlooking something. For example I haven’t created Access Groups as it’s just me, and I don’t understand the button “Generate a Service Token”.

Any further assistance would be very much appreciated.

No problem! Happy to try and help you configure Access :slight_smile:

You will probably need to disable that block firewall rule for wp-admin; the Access setup should replace the need for that (once it is working!).

You shouldn’t need Access groups or service tokens for your use case.

Can you post a screenshot of the access policy you have created (blurring out any sensitive details)? Are you also able to share the domain?

The Access Policy edit page is:

https://1drv.ms/u/s!Al0WO3GTRXzWv0OYXYDFTyBaga5p?e=vIQqwJ

Reluctant to share domain in fear of attacks from random viewers during “debug” stage when all rules might temporarily be off.

Thanks heaps for your help. :slight_smile:

That looks OK to me, completely understand about the domain. If I send you a private message on here, would you be happy to share the domain with me?

Sure. :smiley:


I have sent you a message with details of how you can share the information asked for more privately. It is more helpful if you can post it publicly so more people can help you, but if you can’t, please see your messages by clicking your profile icon in the top right.

Done. :grin:


Just had a look, in that access policy you created, can you put www in the ‘optional subdomain’ box and see if that works (or create a second access policy for www)? Your site seems to redirect the root domain to www.

It seems to be working for me, now.

www.domain.com/wp-admin now has the Cloudflare Access page to secure it and domain.com/wp-admin is blocked :slight_smile:

Thanks. You’re a terrific volunteer helper. Yes - I seem to recall, when setting up the domain, reading somewhere that there was some advantage if the full “www” was used. I have now added “www” to the “optional subdomain” field in the existing Access Policy and will test it ASAP. Very tired now - will get back tomorrow with results. Cheers and thanks again.


No problem, happy to help! It all seems to be working for me now :slight_smile:

Please let us know if it works for you and if you have any further questions!

You’re a genius! It works - just sent myself a one-time code and I’m in! So now there’s no need to whitelist my temporary IPv6 address in the Firewall Tools page right? What about the Block URI Path Contains (various things including “/wp-login.php”, “/xmlrpc.php”, “/wp-content”) Firewall Rule? Can it be deleted now? Just that the Access Policy only covers “/wp-admin”. Maybe I should add those areas to the Policy?


Excellent! Really glad it works :slight_smile:, the one-time code works really well, but you could look at other methods such as a Google account, if you want.

You don't need the firewall rule for wp-admin now, as this will protect it (the same as the firewall rule did, it protects against normal visitors going through Cloudflare; ideally, to stop both the firewall and Access being bypassed, you should block all IPs on the server except the Cloudflare ones. Your web host should be able to help with this). You won't need to whitelist your IP to gain access.

The access policy does only cover wp-admin, so if there are other areas that you want protected, you will either need another Access policy, or to keep using firewall rules.
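As an added example (not code from this thread, from Cloudflare, or from WordPress), the two points made above in Python: an IPv6 client never matches an IPv4-only whitelist entry, which is the original problem, and the origin-side check behind "block all IPs on the server except the Cloudflare ones", which only trusts the CF-Connecting-IP header when the TCP peer really is a Cloudflare edge. The Cloudflare ranges are a partial snapshot of the published list and the sample requests are constructed.

```python
import ipaddress

# Snapshot of a few of the Cloudflare edge ranges published at
# https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6.
# That list changes over time; refresh it from those URLs before deploying.
CLOUDFLARE_RANGES = [
    "173.245.48.0/20", "103.21.244.0/22", "104.16.0.0/13", "104.24.0.0/14",
    "172.64.0.0/13", "162.158.0.0/15",
    "2400:cb00::/32", "2606:4700::/32", "2a06:98c0::/29",
]

# Constructed sample traffic as seen by the origin: (TCP peer IP, headers).
SAMPLE_REQUESTS = [
    ("104.16.1.1", {"CF-Connecting-IP": "2001:db8::1234"}),  # visitor via Cloudflare
    ("2606:4700::1", {"CF-Connecting-IP": "198.51.100.7"}),  # visitor via Cloudflare
    ("203.0.113.9", {"CF-Connecting-IP": "104.16.1.1"}),     # direct hit, forged header
    ("2001:db8::dead", {}),                                   # direct hit, no header
]

def build_allowlist(cidrs):
    """Parse CIDR strings (or bare IPs) into network objects once."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]

def ip_in_list(ip, networks):
    """True if ip lies in any network of the same address family. A v6 client
    never matches a v4 entry, which is why a v4-only whitelist fails when the
    browser prefers IPv6 over IPv4 for a dual-stack site."""
    addr = ipaddress.ip_address(ip)
    return any(addr.version == net.version and addr in net for net in networks)

def whitelist_matches(client_ip, whitelist_entries):
    """The 'whitelist my own address' rule: entries are single IPs or CIDRs."""
    return ip_in_list(client_ip, build_allowlist(whitelist_entries))

def effective_client_ip(peer_ip, headers, cf_networks):
    """Return (client_ip, via_cloudflare). CF-Connecting-IP is honoured only
    when the TCP peer is a Cloudflare edge; anything else is a direct hit on
    the origin and is reported as its own address so it can be dropped."""
    if ip_in_list(peer_ip, cf_networks):
        return headers.get("CF-Connecting-IP", peer_ip), True
    return peer_ip, False

def triage_requests(requests, cf_networks):
    """Split (peer_ip, headers) samples into served client IPs and dropped peers."""
    served, dropped = [], []
    for peer_ip, headers in requests:
        client_ip, via_cf = effective_client_ip(peer_ip, headers, cf_networks)
        (served if via_cf else dropped).append(client_ip)
    return served, dropped
```

The same allowlist is what a host firewall or .htaccess rule would enforce; the header check matters because anyone reaching the origin directly can set CF-Connecting-IP to whatever they like.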

OK I have a grasp on it now.

My host is not very good and getting them to do that would be like trying to pull hen’s teeth… I’ll be leaving them soon anyway. In the meantime I found a third party WordPress plug-in that claims to do the “block all IPs except these ones” thing. But it rang alarm bells about possibly locking me out. Perhaps something like that should be built into the CloudFlare WordPress plug-in.

Thanks so much for all of this.


I am not sure about that to be honest!

I seem to remember @sdayman and/or @sandro had some .htaccess magic with Cloudflare headers as a ‘better than nothing’ measure if you can’t do it by IP on your host’s firewall…

Edit: Alternatively, you could look at @floripare’s solution here:
