Server IP being blocked by cloudflare servers

I recently started self hosting my websites from my homelab using Cloudflare proxy features.

But doing so seems to have “blacklisted” my IP to Cloudflare IPs, when I attempt to open mine or other sites protected with Cloudflare I just get connection timeout.

This block doesn’t seem to be constant as it will start working for a time until it’s blocked again.

When my homelab IP is blocked I can still open the site normally using other IPs on my ISP and uptime monitor still reports the site as up.

Deploying a VM on azure and putting it in between Cloudflare and my homelab (port forwarding) unblocked my homelab IP and I can access Cloudflare sites normally.

I noticed all Cloudflare protected sites were on these IPs: 188.114.96.12, 188.114.97.12. The same ones assigned to my own site.

I’ve been unable to determine if the VM IP got blocked in the same way, because the IP forwarding rules break DNS resolution (see below); I will test once I’ve figured out how to not break DNS.

sudo iptables -t nat -A PREROUTING -p tcp --dport 443 -j DNAT --to-destination home.lab.ip.address:443
sudo iptables -t nat -A POSTROUTING -j MASQUERADE # breaks dns

Everything seems to indicate that Cloudflare drops any traffic from proxied IPs. People on the Cloudflare developer forums have told me that’s not by design, so I don’t know what else to do, as no documentation or forum post seems to refer to a similar issue.

TL/DR: Connections from the IP being proxied by Cloudflare are being dropped (timeout) by the Cloudflare IP assigned to my site. How do I fix this?

Cloudflare doesn’t do timeouts. They’ll immediately challenge or block you. These should show up at dash.cloudflare.com in your Firewall Events Activity Log.

Cloudflare proxied IPs shouldn’t be initiating connections to Cloudflare proxied IPs. How would one even initiate an outbound request through a proxied IP address?

My homelab IP never showed on the firewall log, also tried to create an allow rule which had no effect.

Cloudflare proxied IPs shouldn’t be initiating connections to Cloudflare proxied IPs. How would one even initiate an outbound request through a proxied IP address?

Not sure if I understand. It’s a homelab, so the IP is a firewall that does DNAT port forwarding to my cluster. There are many other devices using it as their outbound address.

The network flow is simply:

homelab ip → Cloudflare frontend ip → homelab ip

Which works as long as the Cloudflare frontend IPs accept the connection (as I said, it’s not a constant block; there were times when the connection was allowed).

Forgot to mention it’s not much different from the current working setup:

homelab ip → Cloudflare frontend ip → azure VM → homelab ip

The only difference is that the extra hop seems to make the Cloudflare frontend IP accept my connections (will need a few more days to confirm).

After a few days of running tests and trying out ideas I believe I found the actual problem, documenting my findings here in case anyone faces the same issue.

When using Google DNS (8.8.8.8), my domain’s Cloudflare DNS returns:

Addresses:  2a06:98c1:3120::c
          2a06:98c1:3121::c
          188.114.96.12
          188.114.97.12

which would timeout and seemed unreachable.

When using Cloudflare’s own DNS servers (1.1.1.1), the IPs returned are:

Addresses:  2606:4700:3033::ac43:cf7d
          2606:4700:3035::6815:2ab7
          104.21.42.183
          172.67.207.125

Same as my own ISP DNS results, which work just fine. So when testing access with mobile and a different IP on my ISP I was getting different IPs.

So the problem seems to have been Google DNS returning bad/unreachable Cloudflare frontend IPs. Using Cloudflare public DNS or my ISP DNS gives me different IPs that work.

Things that contributed to wrong diagnosis:

  • Termux on Android uses Google DNS instead of the connection DNS, so testing in the Android browser and doing an nslookup in Termux misled me into thinking I was getting the same IPs and one was working while the other was not.
  • The problem was intermittent, meaning connectivity would be working OK until it wouldn’t, making troubleshooting take longer.
  • Coincidentally, connectivity was restored when I created a traffic forwarder on Azure, so while I thought it had done something, it seems it was simply coincidental.

Corrective actions

  • Replaced Google DNS on my home network and in Termux, putting Cloudflare DNS as primary and my own ISP DNS as secondary

Don’t use Google DNS, people, it’s not reliable.
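The comparison described in the post above, as an added diagnostic script (not from the thread or from Cloudflare): it asks 1.1.1.1 and 8.8.8.8 for the A records of a proxied hostname, tries a TCP handshake to port 443 on every address returned, and lists the addresses only Google’s resolver hands out. It assumes dig, timeout and bash are installed; the hostname is taken from the first argument.

```shell
#!/usr/bin/env bash
# Added diagnostic (not from the thread). Assumes dig, timeout and bash are available.
set -u

# A records for name $1 as answered by resolver $2, one per line.
a_records() {
  dig +short +time=3 +tries=1 "$1" A "@$2" | grep -E '^[0-9]+(\.[0-9]+){3}$' || true
}

# Succeeds if a TCP handshake to $1:$2 completes within 3 seconds (bash /dev/tcp, no nc needed).
tcp_reachable() {
  timeout 3 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# Pure helper: print the IPs in list $1 that are absent from list $2 (whitespace-separated lists).
only_in_first() {
  local ip other found
  for ip in $1; do
    found=0
    for other in $2; do [ "$ip" = "$other" ] && found=1; done
    [ "$found" -eq 0 ] && echo "$ip"
  done
  return 0
}

# Print each IP in list $1 with its tcp/443 status, labelled with resolver $2.
report() {
  local ip
  for ip in $1; do
    if tcp_reachable "$ip" 443; then echo "  $ip ($2)  tcp/443 OK"
    else echo "  $ip ($2)  TIMEOUT"; fi
  done
  return 0
}

main() {
  local name=$1 ips_cf ips_g
  ips_cf=$(a_records "$name" 1.1.1.1 | tr '\n' ' ')
  ips_g=$(a_records "$name" 8.8.8.8 | tr '\n' ' ')
  echo "1.1.1.1 answers: ${ips_cf:-<none>}"
  echo "8.8.8.8 answers: ${ips_g:-<none>}"
  report "$ips_cf" 1.1.1.1
  report "$ips_g" 8.8.8.8
  # Addresses only Google's resolver hands out are the ones to suspect when they time out.
  echo "Only from 8.8.8.8: $(only_in_first "$ips_g" "$ips_cf" | tr '\n' ' ')"
}

# Run only when a hostname is given, so the helpers can be sourced without network access.
if [ $# -ge 1 ]; then main "$1"; fi
```

Run it as `bash check-resolvers.sh example.com` from the machine that sees the timeouts; an address that appears under "Only from 8.8.8.8" and shows TIMEOUT reproduces the symptom in this thread.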

We’re still trying to figure out the new 188 addresses. It’s a new behavior for certain European DNS resolvers and it’s been unreachable for others as well.

Is there an article on the support center that I missed regarding this issue? If not, would it be possible to create one to perhaps save someone else the trouble?

What would you like it to say?

Something along the lines of:

Title/Keywords:

  • Cloudflare blocking my IP
  • Timeout when accessing Cloudflare sites

Content:

Cloudflare doesn’t do timeouts. They’ll immediately challenge or block you.

However, some DNS servers may give Cloudflare IPs that are unreachable. If you are experiencing timeouts when connecting to Cloudflare’s sites, please try changing the DNS server of the connecting system to Cloudflare and see if that resolves it.

Something along those lines, but hopefully better written (not a technical writer).
