My site enabled IPv6 for a front-end app, so I created an AAAA RR for it, proxied through Cloudflare. The public IPv4 is destination NAT on the firewall; the IPv6 just resides on the LB without NAT (simple routing).
The RRs may look like this:
wiki.example.com A 192.0.2.10 Proxied
wiki.example.com AAAA 2001:db8::192:0:2:10 Proxied
Traffic would be like this: Client ---> CloudFlare ---> Firewall ---> LB ---> App
When a client with IPv6 (dual-stack IPv4/v6) browses to wiki.example.com, in the traffic log on the firewall I can only see Cloudflare connecting to my LB's NAT IPv4.
If I remove Proxied, allowing the traffic to come directly to my site:
wiki.example.com A 192.0.2.10
wiki.example.com AAAA 2001:db8::192:0:2:10
Client ---> Firewall ---> LB ---> App
Then if a client with IPv6 (or dual-stack) connects to the site, the firewall log shows the client's IPv6 connecting to my LB's IPv6.
When an IPv4-only client connects, the firewall log shows the client's IPv4 connecting to my LB's NAT IPv4.
The post was hidden because I am a new user, so I just want to bump it up: first to edit the post, and secondly to ask whether anyone else is encountering the same?
P.S.: And yes, we do recover the visitors' IPs, though not on our firewall. The LB manages to read either CF-Connecting-IP or X-Forwarded-For, and such logs are forwarded to the SIEM, so everything is A-OK. We do geo-blocking on the Cloudflare firewall before traffic even hits our firewall.
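An added example (not from the post or from Cloudflare) of the recovery step the P.S. describes: take the visitor address from CF-Connecting-IP or X-Forwarded-For only when the TCP peer is a known proxy, and otherwise log the peer itself, which covers both the proxied and the unproxied scenarios above. The proxy ranges are constructed placeholders, not Cloudflare's published list.

```python
# Added example, not code from the original post. Recover the visitor's
# address from LB/app logs, trusting forwarding headers only when the TCP
# peer is a trusted proxy. Ranges below are constructed placeholders; in
# production load the CDN's published IPv4/IPv6 egress lists instead.
import ipaddress
from typing import Dict, Optional, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Constructed placeholder ranges standing in for the CDN's egress networks.
TRUSTED_PROXIES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("2001:db8:c0de::/48"),
]


def is_trusted_proxy(addr: str) -> bool:
    """True if the address belongs to one of the trusted proxy ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in TRUSTED_PROXIES)


def _parse_ip(value: str) -> Optional[IPAddr]:
    """Parse one header token into an address, or None if it is not one."""
    try:
        return ipaddress.ip_address(value.strip())
    except ValueError:
        return None


def client_ip(peer: str, headers: Dict[str, str]) -> str:
    """Return the address to log as the visitor.

    Proxied case: the peer is the CDN (reaching the origin over IPv4 even
    for IPv6 visitors), so the client comes from CF-Connecting-IP, falling
    back to the right-most X-Forwarded-For hop that is not a trusted proxy.
    Unproxied case: the peer is the client; headers are ignored because any
    client can set them.
    """
    if not is_trusted_proxy(peer):
        return str(ipaddress.ip_address(peer))
    hdrs = {k.lower(): v for k, v in headers.items()}
    cf = _parse_ip(hdrs.get("cf-connecting-ip", ""))
    if cf is not None:
        return str(cf)
    hops = [h for h in (_parse_ip(p) for p in hdrs.get("x-forwarded-for", "").split(",")) if h]
    for hop in reversed(hops):  # walk from the proxy side back towards the client
        if not is_trusted_proxy(str(hop)):
            return str(hop)
    return str(ipaddress.ip_address(peer))
```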