(Using a free Cloudflare account, very new to CF.)
Looks like our ISP changes the IPv6 every so often (not sure how often, but frequent enough that it’s a hassle). (The IPv4 stays the same, but Cloudflare is checking the IPv6 and blocking us if it’s not accurate/current in the rules that I set up.)
We have multiple computers trying to log in to edit websites, and each one has a different IPv6 – but the first 4 sets of numbers are the same across the computers (and when each is updated, those first 4 sets of numbers seem to stay the same, too).
Am I on the right track in thinking I could create a WAF IP Access Rule to account for this so that we don’t have to keep updating Cloudflare with the new addresses? (Are the first 4 sets of numbers specific enough that it would be letting us in but likely blocking the majority of others?)
If so, I don’t know how to form that IP Access Rule. Looking through forum posts, I think maybe it’s something like this?
For the Value, I put in:
and then CF updated it to:
Is that right?
I also see suggested in posts here that you create a Firewall Rule like this instead:
Those are the same address, it’s just a convention on how IPv6 addresses are displayed. IP address formats can be strange, try typing http://0x01010101/ into your browser’s address bar.
In IPv6, one or more /64 prefixes should be assigned to each End Site (subscriber/customer). A single /64 should never be shared between multiple End Sites. So it’s relatively safe to use /64 in a WAF rule as you are proposing.
It might be safer and offer your users more flexibility to use Cloudflare Access/Cloudflare Zero Trust to protect the sensitive areas of your application. You can use an existing Identity Provider (such as Microsoft Azure, Auth0 etc.), and not have to rely on users being able to use a particular IP address prefix.
I may have answered one of my own questions – with the IP Access Rule versus Firewall Rule, if I want the Firewall Rules to still be evaluated, I need to put this into one of those rules (otherwise I think the IP Access Rules whitelist the IP address and the Firewall Rules don’t get evaluated).