WAF custom rules only work with IPv6

I would like to restrict access to our admin area with a WAF custom rule. I have a static IPv4 address from our business line at our provider. But my IPv6 address is changing. This results in a no access page by Cloudflare. Cloudflare only uses IPv6. How can I enforce IPv4 checking?

The custom rule I use is the following (dummy IP-Address used in the example):
(http.request.uri.path contains "/admin" and not ip.src in {192.168.1.1})

That’s not correct. If you have IPv6 available on your internet connection, then you will connect using IPv6 (assuming it’s not disabled on your zone). If IPv6 isn’t available, you will connect over IPv4.

Usually for IPv6 you need to specify aaaa:bbbb:cccc:dddd::/64 as modern devices randomise and change the lower 64 bits for security. Allowing a single IPv6 address probably won’t work for long.

If your internet connection has both IPv6 and IPv4 available, it is usual to have a rule like (ip.src in {192.0.2.1 aaaa:bbbb:cccc:dddd::/64}) to cover both.

Thanks for your answer. My IPv6 address shown on the error page of Cloudflare is 2a02:8106:28:1900:b5de:592f:ebda:87b5. When I add this IPv6 address I have access to my admin area.
But this IPv6 address constantly changes. How can I add my IPv6 address to the allowed IP addresses, as IPv4 doesn’t work?

Is adding the following IPv6 address possible?
2a02:8106:28::/50

As my ipv6 address is 2a02:8106:28:1900:b5de:592f:ebda:87b5

Use 2a02:8106:28:1900::/64.


Thanks a lot. This works!
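
The prefix arithmetic behind the accepted answer, as an added example that is not part of the original thread: it derives the /64 from the address shown on the error page, compares its scope with the /50 that was proposed, and builds the rule in the form used above. The function names and the two test addresses marked as constructed are assumptions made for illustration.

```python
import ipaddress

OBSERVED = "2a02:8106:28:1900:b5de:592f:ebda:87b5"  # address quoted in the thread


def covering_prefix(observed: str, prefix_len: int = 64) -> ipaddress.IPv6Network:
    """Zero the host bits of an observed address to get its enclosing network."""
    return ipaddress.ip_network(f"{observed}/{prefix_len}", strict=False)


def count_64s(net: ipaddress.IPv6Network) -> int:
    """Number of distinct /64 networks that an allow-list entry lets through."""
    return 2 ** (64 - net.prefixlen)


def admin_rule(path: str, allowed: list[str]) -> str:
    """Build the block expression in the same shape as the rule in the thread."""
    items = []
    for entry in allowed:
        net = ipaddress.ip_network(entry, strict=False)
        # Single hosts are written bare, ranges in CIDR form.
        items.append(str(net.network_address) if net.num_addresses == 1 else str(net))
    ip_set = "{" + " ".join(items) + "}"
    return f'(http.request.uri.path contains "{path}" and not ip.src in {ip_set})'


if __name__ == "__main__":
    narrow = covering_prefix(OBSERVED)                # the /64 from the answer
    wide = ipaddress.ip_network("2a02:8106:28::/50")  # the /50 that was proposed

    # Constructed addresses: same /64 with a new interface ID, and a neighbouring /64.
    rotated = ipaddress.ip_address("2a02:8106:28:1900:1111:2222:3333:4444")
    neighbour = ipaddress.ip_address("2a02:8106:28:1901::1")

    print(narrow, "covers", count_64s(narrow), "/64")
    print(wide, "covers", count_64s(wide), "/64s")
    print("rotated address in /64:", rotated in narrow)
    print("neighbouring /64 in /64:", neighbour in narrow, "| in /50:", neighbour in wide)
    print(admin_rule("/admin", ["192.0.2.1", str(narrow)]))
```

The /50 does contain the observed address, but it also admits 16384 separate /64 networks, which is why the /64 is the tighter allow-list entry.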
