(Solved) CF only connects to IPv4 despite having both A and AAAA RR

Hi community

My site enabled IPv6 for a front-end app, so I created a AAAA RR for it proxied through CloudFlare. The public IPv4 is dest NAT on Firewall, IPv6 is just reside on the LB without NAT (simple routing)

The RR may look like this:
wiki.example.com A Proxied
wiki.example.com AAAA 2001:db8::192:0:2:10 Proxied

Traffic would be like this:
Client ---> CloudFlare ---> Firewall ---> LB ---> App

When a client with IPv6 (dual-stack IPv4/v6) browses to wiki.example.com, in traffic log on the firewall, I can only see CloudFlare connecting to my LB’s NAT IPv4

If I removed Proxied, allowing the traffic to come directly to my site:
wiki.example.com A
wiki.example.com AAAA 2001:db8::192:0:2:10

Client ---> Firewall ---> LB ---> App

Then if client with IPv6 (or dual-stack) connects to the site, the firewall log can see the client’s IPv6 connecting to my LB IPv6.

When IPv4-only client connects, the firewall log can see client’s IPv4 connecting to my LB’s NAT IPv4.

Is this expected behaviour?

Thank you,

The post was hidden due to being a new user, so I just want to bump it up. First to edit the post, secondly wonder if anyone else is encountering the same? :innocent:

I don’t think this has any impact on how Cloudflare connects to the origin. I suspect Cloudflare strongly favors IPv4 for origin connections.

1 Like

This is correct. From the documentation:

When both IPv4 and IPv6 connections are available, Cloudflare prefers IPv4.

It sounds like you need to restore the visitor IP:


Thank you so much @sdayman and @michael, that was the case.

P.s: And yes, we do recover the visitors’ IP, not on our firewall though. The LB manages to read either the CF-Connecting-IP or X-Forwarded-For and such logs are forwarded to SIEM, so everything is ay-okay. We do geo-block on CloudFlare firewall before traffic even hitting our firewall.

1 Like

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.