WAF custom rule not working with one IPv4 address

What is the name of the domain?

example.com

What is the error message?

Standard Cloudflare blocked screen

What is the issue you’re encountering?

An allowed IPv4 address was added to the allow custom rule but is still being blocked; the IP address shown on the blocked screen is IPv6.

What steps have you taken to resolve the issue?

We have a custom WAF rule to block all access to a subdomain unless the source IP address is in a Cloudflare list. One of the IP addresses/users is in the list as an IPv4 address, but the security event when blocked only shows the IPv6 address, which can’t be added to the Cloudflare list.

Was the site working with SSL prior to adding it to Cloudflare?

Yes

What is the current SSL/TLS setting?

Full

If the user accesses using IPv6 then Cloudflare can’t know the IPv4 address is the same user since the connection is made over one or the other.

You can add IPv6 addresses to WAF rules. Usually adding the /64 is needed unless the IP address is fixed to a /128. Can you show what error you get when you try to add it?


Hi Sjr, I have managed to get the IPv6 address to be accepted in Cloudflare by removing the last four blocks of the address and adding the ::/64 as you suggested. This worked perfectly. Thank you for replying so quickly and pointing me in the right direction.


Yes, sorry, I missed that you said “Cloudflare list” rather than just IPs listed in a WAF rule. Lists specifically require ::/64 for IPv6. Any other subnet, or even 1111:2222:3333:4444:5555:6666:7777:8888/64, isn’t accepted.

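The two points made in the replies above (an IPv6 connection never matches an IPv4 list entry, and list entries for IPv6 must be the bare /64 with zero host bits) can be checked offline with the standard `ipaddress` module. The following is an added example, not Cloudflare's code and not the original poster's rule; it assumes only the list rules stated in this thread and uses constructed documentation addresses.

```python
"""Added example (not Cloudflare's code): normalise client IPs into the
entry form a Cloudflare-style IP list accepts, validate entries, and check
whether a given connection would match the allow list.

Assumption, taken only from this thread: IPv6 list entries must be exactly
a /64 with all host bits zero (prefix::/64); anything else is rejected.
"""
import ipaddress


def list_entry_for(ip: str) -> str:
    """Return the form an observed client address takes in the list.

    IPv4 stays as-is; IPv6 becomes its containing /64, written with the
    last four groups dropped (the step described in the thread).
    """
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        return str(addr)
    # strict=False lets ip_network zero the host bits for us
    net = ipaddress.ip_network(f"{addr}/64", strict=False)
    return str(net)


def is_valid_list_entry(entry: str) -> bool:
    """Validate an entry the way the thread describes the list accepting it."""
    try:
        # strict=True rejects e.g. 1111:2222:3333:4444:5555:6666:7777:8888/64
        net = ipaddress.ip_network(entry, strict=True)
    except ValueError:
        return False
    if net.version == 6:
        return net.prefixlen == 64
    return True  # assumption: IPv4 entries are not restricted in this example


def is_allowed(client_ip: str, entries) -> bool:
    """Would a connection from client_ip match any entry in the allow list?

    An IPv4 entry can never match an IPv6 client (and vice versa), which is
    exactly why the IPv4-only entry in the thread kept producing blocks.
    """
    addr = ipaddress.ip_address(client_ip)
    for entry in entries:
        net = ipaddress.ip_network(entry, strict=False)
        if net.version == addr.version and addr in net:
            return True
    return False


if __name__ == "__main__":
    # Constructed sample: the user's IPv4 entry, and the IPv6 address the
    # security event actually showed (documentation ranges, not real hosts).
    allow_list = ["203.0.113.10"]
    seen_in_event = "2001:db8:1234:5678:9abc:def0:1234:5678"
    print("matches IPv4-only list:", is_allowed(seen_in_event, allow_list))
    fixed_entry = list_entry_for(seen_in_event)
    print("entry to add:", fixed_entry, "valid:", is_valid_list_entry(fixed_entry))
    print("matches after fix:", is_allowed(seen_in_event, allow_list + [fixed_entry]))
```

Running the script with the constructed sample shows the block first (no IPv4 entry can match an IPv6 client), then the `::/64` entry that the list will accept, then a match once that entry is added. Operationally the /64 is also the right granularity for a single household or office with a typical ISP delegation, while the full /128 may change as the client's privacy address rotates, which is why the reply above suggests the /64 unless the address is known to be fixed.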
