Proxied host resolving to IPv6 first, not connecting to destination server

Let me start by saying, I’m not sure if this is a Cloudflare fix or something on our perimeter firewall. I recently started to proxy traffic through Cloudflare and have the WAF set up with the basic Managed Rulesets. I’ve also turned on Pseudo IPv4.

The issue I’m facing is that when I try to connect to my FTP host, it tries to use an IPv6 address instead of the IPv4 address that is set in DNS. When it uses the IPv6 address, it doesn’t connect to my FTP. Is there a setting within CF that I can use to force IPv4? I’ve found the IPv6 compatibility toggle, but it’s on by default and I can’t change it.

FTP is just not going to work for a proxied hostname, only http/https will. It would with Cloudflare Spectrum, which can proxy any tcp/udp, but you’d need arbitrary ports, which is Enterprise Spectrum. Otherwise, create a separate unproxied hostname (ftp.example.com), or connect by Origin IP directly. You probably want to turn off Pseudo IPv4 too unless your origin can’t handle IPv6 addresses in the CF-Connecting-IP header.

Some older origin server analytics and fraud detection software expect IP addresses in an IPv4 format and do not support IPv6 addresses.
To support migrating to IPv6, Cloudflare’s Pseudo IPv4 provides an IPv6 to IPv4 translation service for all Cloudflare domains.

You wouldn’t ever get a user’s real IPv6 with it on – probably not what you want.

Side note: This is how Cloudflare proxy fundamentally works: it returns Cloudflare’s proxy addresses when the record is proxied, and traffic flows through Cloudflare first. The proxy addresses are shared though, so it’d only ever work for protocols which separately identify which website the traffic is for early on in the connection, and Cloudflare specifically understands the protocol of: HTTP. Even if you turned off IPv6, the IPv4 CF Address still wouldn’t work for the reasons above. (Anything not http needs to be unproxied)

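A check for the situation described in the reply above, as an added example that is not part of the original thread: given the addresses a client resolved for a hostname, it reports whether they are Cloudflare proxy addresses and whether the intended service can reach the origin through them. The range list is a partial copy of Cloudflare's published ranges (assumed current), and the sample addresses and function names are constructed for illustration.

```python
import ipaddress

# Partial list of Cloudflare's published proxy ranges (assumption: still
# current; the authoritative list is at https://www.cloudflare.com/ips/).
CLOUDFLARE_RANGES = [ipaddress.ip_network(n) for n in (
    "104.16.0.0/13", "172.64.0.0/13", "162.158.0.0/15",
    "2606:4700::/32", "2400:cb00::/32",
)]

# Per the thread: only these services pass through a proxied hostname.
PROXIED_SERVICES = {"http", "https"}

UNPROXIED = "unproxied"        # every address is the origin's own
MIXED = "mixed"                # some addresses proxied, some not
PROXIED_OK = "proxied-ok"      # proxied, and the service is HTTP(S)
PROXIED_BLOCKED = "proxied-blocked"  # proxied, service will never reach origin


def is_cloudflare(addr):
    """True if addr (IPv4 or IPv6 string) falls in a listed Cloudflare range."""
    ip = ipaddress.ip_address(addr)
    return any(ip.version == net.version and ip in net
               for net in CLOUDFLARE_RANGES)


def diagnose(resolved, service):
    """Classify a hostname from its resolved A/AAAA addresses and the service
    the client wants to use (e.g. "ftp", "https")."""
    proxied = [a for a in resolved if is_cloudflare(a)]
    if not proxied:
        return UNPROXIED
    if len(proxied) < len(resolved):
        return MIXED
    if service.lower() in PROXIED_SERVICES:
        return PROXIED_OK
    # Forcing IPv4 does not help here: the IPv4 answer is a proxy address too.
    return PROXIED_BLOCKED


if __name__ == "__main__":
    # Constructed sample answers: a proxied record returns both AAAA and A
    # proxy addresses; an unproxied ftp.example.com returns the origin IP.
    print(diagnose(["2606:4700::6810:101", "104.16.1.1"], "ftp"))
    print(diagnose(["203.0.113.10"], "ftp"))
```

Feed it the addresses your resolver actually returned (for example from `dig A` and `dig AAAA`) after refreshing the range list from Cloudflare.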

Thanks for the quick reply. I’ve removed the proxy from that host and all is working as expected.

I should have been more specific with this statement; my intention was for it to use the IPv4 proxy address that CF created, not the IPv4 of my FTP host.


I understood that, but the IPv4 Proxy Address wouldn’t work either with FTP. Same limitations.
