Users cannot connect by IPv6 with cellular device

I have had a few instances recently of users not being able to connect to my website when using their cell phone via a straight IPv6 connection. They get "ACCESS DENIED". At first I whitelisted the IPv6 address noted in the firewall log, but of course, that only works in the short term.

My latest workaround is to create a special firewall rule allowing all from the ASN numbers of their cell phones. That's not really a good long-term solution in my opinion.

For awareness, I run a LOT of firewall rules, but can't see that any of mine specifically block IPv6 in general or unique addresses/ranges. Also, nothing at all shows up on the logs of my IP providers, so I am thinking the blocking is occurring at the Cloudflare level, maybe at DNS.

Does anyone have an idea that will allow IPv6 connections, but still uphold other firewall denies?

Can you get a screenshot of one such message?

Users are simply saying "Access Denied". They are the type of people who would not feel comfortable doing a screenshot. They are far away.

When I look at my logs this is what I see. Since this happened, I whitelisted the addresses in question. Also the log shows an AT&T cell address of 76.224.89.172 was blocked and to my knowledge I have no rule specifically blocking that address or range.

I DID create a new firewall rule whitelisting the relevant ASN numbers (Charter and AT&T) for these addresses. They can get through now. I think.

I guess my question is, why were the IPv6 addresses blocked in the first place, and what would be the RIGHT way to allow them (USA only).

Thanks for any help, very appreciated…john

The screenshot you posted refers to a firewall rule you must have set up. Check that rule and adjust it accordingly, so that it blocks fewer requests. You’d need to post the full rule for more advice.

Very true.

But, how am I to know which rule???

I have a very extensive set of firewall rules, yet none that specifically blocks that address to my knowledge, IPv6 in general, or a range of IPv6 addresses. I am totally clueless what rule that posted log entry refers to.

Is there a way to figure that out? The exact rule or rules? For example, searching my rules for that address yields nothing.

Again thanks so much for looking at this.

Your firewall page looks like that, right?

image

Assuming that is the case you can only get a dump of all your firewall rules via https://api.cloudflare.com/#firewall-rules-list-of-firewall-rules and then search for the filter ID (b0d76.....).

Your advice led me to a crash course in using MS PowerShell on Windows 10 to run curl commands to access the Cloudflare API for firewall rules. Let's just say that didn't turn out well. At all. :slight_smile: (-H is not a recognized cmdlet, etc.)

Nevertheless, I did go ahead and thoroughly review my firewall rules through the usual web page interface. I cleaned up the rule list pretty well but didn't specifically see any rule that was causing my problem. I do think firewall logs SHOULD reference the specific rule which allowed/blocked a connection right on the web interface. Using the API seems like something for pro sysadmins, to me.

If it happens in the future I will simply whitelist specific IPs, ranges or ASN numbers.

Thank you again for your help on this…john

Hence my question how your page looks, as there is a new UI in the works which makes that a bit more obvious.

Did you manage to dump all the firewall rules?

What I see on the webpage firewall event log is these columns:

Rule ID Action Taken IP Address Loc. Host Date

So, if a certain IP address is blocked, and the rule is for that specific address, that can be backtracked easily by searching the firewall rules. However, listing a specific IP address in the log, when the rule covers an entire ASN number for example, isn't any help at all. More data is available on the details tab, but not enough to isolate the specific rule that was triggered.

I haven't seen the organization you posted above. That might be better. I think the changes you suggest are a great idea, but apparently they aren't available yet, at least to me.

As for the rule dump. Nope.

As far as I could tell the only way is through the API route and I couldn't make that work for me (although I gave it a good try)!

Thank you again for your assistance. Cloudflare is lucky to have you around!

Try the following in PowerShell

First, run [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 to enable TLS 1.2.

Then, run

(Invoke-RestMethod -Uri "https://api.cloudflare.com/client/v4/zones/......./firewall/rules" -Method "GET" -ContentType "application/json" -Headers @{'X-Auth-Email' = '[email protected]'; 'X-Auth-Key' = 'KEY' }).result

The dots should be replaced with your zone ID and indicate the right email and authentication key.

If everything works you should get all your rules, in which you should find the filter ID in question.

I recall reading somewhere that W10 PowerShell has similar functionality as curl, but with limitations.

Anyway, the first command threw this error, unexpected 'to':

At line:1 char:81
+ ... ger]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 to enabled ...
+                                                                 ~~
Unexpected token 'to' in expression or statement.
    + CategoryInfo          : ParserError: (:) [], ParentContainsErrorRecordException
    + FullyQualifiedErrorId : UnexpectedToken

(I think a recent W10 update took care of this regardless.)

However, the second command* with correct key and email inserted did indeed create a firewall rule dump! (I temporarily turned off Windows Firewall to avoid problems at my end.)

*THIS WORKS:

(Invoke-RestMethod -Uri "https://api.cloudflare.com/client/v4/zones/…/firewall/rules" -Method "GET" -ContentType "application/json" -Headers @{'X-Auth-Email' = '[email protected]'; 'X-Auth-Key' = 'KEY' }).result

So, that's a great leap forward since I know now the Windows 10 PowerShell can be used to access the Cloudflare API without an added and complicating curl layer on the system. Or, any need to use a Linux box, etc.

Now for the bad news, which is also good news. Cloudflare has SEVERAL systems that operate as a firewall of sorts.

For example, the IP Access Rules tool which I use extensively. And that's where I think my problem was. The dump didn't dump those rules.

Also, of course, the User Agent Blocking form is available, which I always have maxed out. Also there is a WAF block which I don't use. Also, I think there is a general security setting somewhere, and there are several upgrade security functions that I don't use.

That's all GOOD, GOOD, GOOD, in my view btw. The more security the better and it should be a layered and flexible system that works like CF. But, I guess sometimes isolating a problem is harder, since there are so many options.

Thanks again Sandro.

I think I will play around with some more API calls now that I have a W10 PowerShell template that works.

You copied too much :slight_smile: but anyhow, apparently on your system PowerShell already takes TLS 1.2 by default.

Good, did you find the filter ID in it?

It's not that difficult to be honest -> https://curl.haxx.se/windows/

True, this command only fetches firewall rules, not IP access ones. However, the request you referred to was blocked by a firewall rule and not an IP access one, was it not?

Cloudflare is working on consolidating the rule engines, and I believe it was initially mentioned for Q2, but as that is almost over and we still haven't heard word I wouldn't expect anything before the end of Q3, maybe even the end of the year.
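The one-liner earlier in the thread returns only the firewall rules, and Sandro notes above that IP Access Rules come from a separate engine. The script below is an added example, not code from this thread or from Cloudflare: it pages through both list endpoints (`firewall/rules` and `firewall/access_rules/rules`, the v4 endpoints the thread refers to), prints each firewall rule's filter ID next to its expression, looks up a filter ID prefix copied from the event log, and then checks whether any IP Access Rule names a blocked address outright. The zone ID, email, key, the `b0d76` prefix and the `76.224.89.172` address are placeholders taken from or modelled on the thread; `Get-CfList` is a helper written here, not a Cloudflare cmdlet.

```powershell
# Added example (not from the thread or from Cloudflare). Assumes the Cloudflare v4
# endpoints named in the thread; the zone ID, email and key below are placeholders.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

$ZoneId  = '<zone id>'
$Headers = @{
    'X-Auth-Email' = '[email protected]'
    'X-Auth-Key'   = 'KEY'
}
$Base = "https://api.cloudflare.com/client/v4/zones/$ZoneId"

# Helper (defined here, not a Cloudflare cmdlet): fetch every page of a list endpoint,
# stop when result_info says the last page was read, and fail loudly on an API error.
function Get-CfList {
    param([Parameter(Mandatory)][string]$Path)
    $page = 1
    $all  = @()
    do {
        $resp = Invoke-RestMethod -Uri "$Base/${Path}?page=$page&per_page=50" -Method GET `
                                  -ContentType 'application/json' -Headers $Headers
        if (-not $resp.success) {
            throw ('Cloudflare API error: ' + ($resp.errors | ConvertTo-Json -Compress))
        }
        $all += @($resp.result)
        $info = $resp.result_info
        $page++
    } while ($info -and $info.page -lt $info.total_pages)
    return $all
}

# 1. Firewall rules: the ID in the event log refers to one of these filters.
$rules = Get-CfList 'firewall/rules'
$rules |
    Select-Object id, action, paused,
        @{ n = 'filter_id';  e = { $_.filter.id } },
        @{ n = 'expression'; e = { $_.filter.expression } } |
    Format-Table -AutoSize -Wrap

# 2. Find the rule behind a filter ID prefix copied from the event log (placeholder prefix).
$FilterIdPrefix = 'b0d76'
$hit = $rules | Where-Object { $_.filter.id -like "$FilterIdPrefix*" }
if ($hit) {
    "Rule $($hit.id) ($($hit.action)): $($hit.filter.expression)"
} else {
    'No firewall rule has that filter ID; check the other engines (IP Access Rules, User Agent Blocking).'
}

# 3. IP Access Rules are a separate engine with a separate endpoint, so they never
#    appear in the firewall/rules dump above.
$access = Get-CfList 'firewall/access_rules/rules'
$access |
    Select-Object id, mode,
        @{ n = 'target'; e = { $_.configuration.target } },
        @{ n = 'value';  e = { $_.configuration.value } },
        notes |
    Format-Table -AutoSize

# 4. Which IP Access Rules name a blocked address outright? ASN and range entries cannot
#    be matched from the address alone; for those you need the address's ASN or a CIDR test.
$Blocked = '76.224.89.172'   # placeholder, the AT&T address mentioned in the thread
$access | Where-Object { $_.configuration.target -eq 'ip' -and $_.configuration.value -eq $Blocked }
```

The script keeps the `X-Auth-Email`/`X-Auth-Key` headers so it matches the working one-liner, but that key is the account's Global API Key and grants everything; for anything saved as a reusable template, a scoped API token sent as `Authorization: Bearer <token>` (with only the zone firewall read permission) limits what a leaked script can do.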

Re: TLS 1.2 security command

Yes, I did copy too much for the command. When I fixed it, nothing happened at all! Which is fine because the other expression you provided works like a charm. Awesome in fact. I have tried it out on a few other API calls and it's good.

Re: Firewall rule

Yes, I did finally figure out the IPs that were blocked were blocked by a certain firewall rule. However, that particular rule blocks TOR, known bots, Cyveillance and a couple other troublemakers without any specific reference to IPv6, Charter or AT&T. (I have since whitelisted certain Charter and AT&T ASNs.)

So, it's still somewhat of a mystery, but it has been isolated and I think fixed.

Re: cUrl

I had already installed curl on Windows 10 from the source you noted and got it going, sort of. However, whatever I did threw error after error after error. I suspect I was missing a space or slash here and there or whatever. I gave up eventually. In particular, PowerShell was having a big problem with the -H flag.

Re: Cloudflare security options

feature. And, so the many layers are very good in my opinion. Obviously, consolidating some of it would be a good next step, as long as they don't take anything away doing it.

Cloudflare API access

Other users who want to use W10 PowerShell to access the Cloudflare API should most definitely copy, paste and SAVE the expression you provided as a template because quite simply it works and is rock solid:


Nothing is supposed to happen, it just sets a flag.

If you feel comfortable revealing the rule, post it here and maybe we can figure it out.

Thank you :bowing_man: