IP Access Rule or Firewall Rule for ISP Dynamic IPv6

(Using a free Cloudflare account, very new to CF.)

Looks like our ISP changes the IPv6 every so often (not sure how often, but frequent enough that it’s a hassle). (The IPv4 stays the same, but Cloudflare is checking the IPv6 and blocking us if it’s not accurate/current in the rules that I set up.)

We have multiple computers trying to login to edit websites, and each one has a different IPv6 – but the first 4 sets of numbers are the same across the computers (and when each is updated, those first 4 sets of numbers seem to stay the same, too).

Am I on the right track in thinking I could create a WAF IP Access Rule to account for this so that we don’t have to keep updating Cloudflare with the new addresses? (Is the first 4 sets of numbers specific enough that it would be letting us in but likely blocking the majority of others?)

If so, I don’t know how to form that IP Access Rule. Looking through forum posts, I think maybe it’s something like this?

For the Value, I put in:
1234:1234:1234:1234::/64

and then CF updated it to:
1234:1234:1234:1234:0000:0000:0000:0000/64

Is that right?

I also see suggested in posts here that you create a Firewall Rule like this instead:

(ip.src in {1234:1234:1234:1234::/64})

Is that right?

One method better than the other?

Thank you.

Those are the same address; it’s just a convention for how IPv6 addresses are displayed. IP address formats can be strange, try typing http://0x01010101/ into your browser’s address bar.

In IPv6, one or more /64 prefixes should be assigned to each End Site (subscriber/customer). A single /64 should never be shared between multiple End Sites. So it’s relatively safe to use /64 in a WAF rule as you are proposing.

It might be safer and offer your users more flexibility to use Cloudflare Access/Cloudflare Zero Trust to protect the sensitive areas of your application. You can use an existing Identity Provider (such as Microsoft Azure, Auth0 etc.), and not have to rely on users being able to use a particular IP address prefix.
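As an added illustration (not part of this thread), here is a small Python check, using only the standard `ipaddress` module, that confirms the two notations above are the same /64, derives the /64 from an observed address, and mimics the `ip.src in {...}` test so you can see which sample clients would pass before saving the rule. The addresses are constructed from the thread’s 1234:... placeholder prefix.

```python
"""Sanity-check an IPv6 /64 allowlist the way a Cloudflare rule would evaluate it."""
import ipaddress

# Constructed sample values built on the placeholder prefix used in the thread.
ALLOWLIST = ["1234:1234:1234:1234::/64"]
# The fully expanded form the dashboard showed after saving the rule.
CF_EXPANDED = "1234:1234:1234:1234:0000:0000:0000:0000/64"


def normalize(prefix: str) -> str:
    """Return the canonical compressed form of a prefix (what the rule engine compares)."""
    return str(ipaddress.ip_network(prefix, strict=False))


def site_prefix(addr: str) -> str:
    """Derive the /64 an observed IPv6 address belongs to (its first four hextets)."""
    return str(ipaddress.ip_network(f"{addr}/64", strict=False))


def src_in(addr: str, prefixes) -> bool:
    """Mimic `ip.src in {...}`: True if addr lies inside any listed prefix.

    An IPv4 client can never match an IPv6-only list, so a rule built only
    on the /64 does nothing for requests that arrive over IPv4.
    """
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(p, strict=False) for p in prefixes)


if __name__ == "__main__":
    print(normalize(CF_EXPANDED) == normalize(ALLOWLIST[0]))   # same network
    print(site_prefix("1234:1234:1234:1234:abcd:ef01:2345:6789"))
    for client in ("1234:1234:1234:1234:abcd:ef01:2345:6789",  # same site, new suffix
                   "1234:1234:1234:1235::1",                    # neighbouring /64
                   "203.0.113.7"):                              # IPv4, never matches
        print(client, src_in(client, ALLOWLIST))
```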

@michael Thank you very much.

Okay, so looks like I got that formatting set up okay?

If I just specify the first 4 segments like that and use the /64, how specific is that? (Is that what you’re saying should be assigned just to me as a subscriber/customer?)

Is doing what I listed in an IP Access Rule or Firewall Rule better (or does that not matter)?

I’ll explore what you suggested, but for the moment this is a very small situation. (Me and one other person updating our WordPress websites with 2FA also active.)

Thanks again.

I may have answered one of my own questions – with the IP Access Rule versus Firewall Rule, if I want the Firewall Rules to still be evaluated, I need to put this into one of those rules (otherwise I think the IP Access Rules whitelist the IP address and the Firewall Rules don’t get evaluated).