Mod_remoteip gives invalid IPv4 results

We are using the CF Pro plan.

Our website / web server (Apache) does not listen on IPv6, so all connections are IPv4.

With CF WAF disabled, ALL our site visitors are logged with valid IPv4 address. “Valid” means that a reverse-lookup on the IP gives a domain-name, and IP Geolocation gives a valid location.

With CF WAF enabled, using Apache mod_remoteip exactly as instructed here: HowTo install and configure mod_remoteip, and using the current CF IPv4 list (Cloudflare IP v4 list),

THEN about 2/3 - 3/4 of the traffic gives a valid IPv4 address.
The remaining 1/4 - 1/3 of the traffic shows an invalid IPv4 address. “Invalid” means that reverse-lookup on the IP does not give a domain-name, and IP Geolocation does not show a valid location.

The first octet of these “invalid” IP addresses is 250 or above, so I assume it’s the IP of a router somewhere on the internet, probably in the site-visitor’s ISP network.

Best guess is that the site-visitor has an IPv6 address, and somehow the IP address of the IPv6->IPv4 proxy server on the ISP network is showing as the IP in my site logs.

QUESTIONS:

  • WHY does this problem only occur with CF WAF enabled and mod_remoteip installed? Again, if I disable the orange cloud, I get valid IPv4 values for ALL my site visitors
  • HOW to fix it so ALL traffic shows the IPv4 address of the actual site visitor, with CF WAF enabled, just as it is shown with CF WAF disabled.

You are probably using Cloudflare’s Pseudo IPv4 support.
https://support.cloudflare.com/hc/en-us/articles/229666767-Understanding-and-configuring-Cloudflare-s-IPv6-support

If someone is connecting to your site via IPv6, Cloudflare will provide an IPv4 address in the range you are seeing. The article has a deeper explanation of the various settings.


Excellent! This is definitely the answer. I added some debugging logic and see the HTTP_CF_CONNECTING_IPV6 and HTTP_CF_PSEUDO_IPV4 headers in traffic coming from site-users with IPv6 addresses.

Much obliged.

Jeremy
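
An added example, not part of the thread and not Cloudflare's code: a helper for logging or geolocation that recovers the visitor's real IPv6 address when mod_remoteip has set the client address to a Pseudo IPv4 value, using the two headers named above. It assumes mod_remoteip trusts only Cloudflare's ranges and, per Cloudflare's Pseudo IPv4 documentation, that pseudo addresses fall in Class E (240.0.0.0/4); the function names and sample requests are constructed.

```python
import ipaddress

# Assumption (from Cloudflare's Pseudo IPv4 documentation, not from this thread):
# pseudo addresses are drawn from reserved Class E space.
CLASS_E = ipaddress.ip_network("240.0.0.0/4")


def is_pseudo_ipv4(addr):
    """True if addr parses as an IPv4 address inside Class E."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.version == 4 and ip in CLASS_E


def real_client_ip(environ):
    """Return (address, kind) for a CGI-style environ (hypothetical helper).

    kind is "native" for an ordinary address, "ipv6-visitor" when the
    pseudo address is backed by a valid CF-Connecting-IPv6 header, and
    "unverified" when a Class E address has no consistent headers.
    """
    remote = environ.get("REMOTE_ADDR", "")
    if not is_pseudo_ipv4(remote):
        return remote, "native"
    pseudo = environ.get("HTTP_CF_PSEUDO_IPV4")
    try:
        v6 = ipaddress.ip_address(environ.get("HTTP_CF_CONNECTING_IPV6", ""))
    except ValueError:
        return remote, "unverified"
    # The pseudo header, when present, must agree with the rewritten address.
    if v6.version != 6 or (pseudo is not None and pseudo != remote):
        return remote, "unverified"
    return str(v6), "ipv6-visitor"


# Constructed sample requests (documentation address ranges).
SAMPLE_REQUESTS = [
    {"REMOTE_ADDR": "203.0.113.7"},
    {"REMOTE_ADDR": "250.12.34.56", "HTTP_CF_PSEUDO_IPV4": "250.12.34.56",
     "HTTP_CF_CONNECTING_IPV6": "2001:db8::1"},
    {"REMOTE_ADDR": "250.12.34.56"},
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(req["REMOTE_ADDR"], "->", real_client_ip(req))
```

An "unverified" result is worth flagging in logs, since a Class E address without a matching IPv6 header cannot be reverse-resolved or geolocated.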
