WAF exception does not recognize my IPv4

WAF’s managed rule set is preventing me from managing my website via the WordPress dashboard (WAF blocks me from creating or updating pages). So, I created a WAF exception to skip the managed WAF rules for my IP address. Unfortunately, WAF does not seem to recognize my IPv4 address, because my WordPress page updates continue to be blocked. Interestingly, WAF does recognize my IPv6 address if I specify it in the WAF exception, but that is not a good solution since my IPv6 address changes much more frequently than my IPv4 address. Note that I have a firewall exception set up at DigitalOcean which recognizes my IPv4 address just fine.

Does anyone know why WAF would fail to honor a WAF exception defined for an IPv4 address?

The most likely cause here is that you are actually connecting via IPv6.

The fact that you have both an IPv4 and an IPv6 address doesn’t mean you are connecting with both; you connect with one to each server, which is normally IPv6 for modern systems/browsers. IPv4 is used only when a resource doesn’t have IPv6.

To your DO server I’m guessing you are connecting to the IPv4 address, which means you use your outbound IPv4.

Changes how much? Is it in the same /64 range, or is your IPv6 range dynamic from your ISP? Normally IPv6 ranges assigned by ISPs are static, as that’s the recommended setup by the standard.


Thanks, Matteo, that makes sense. The DO firewall exception is for my server’s port 25, so only I can connect to that port. My SSH tools connect to the server using the server’s IPv4 address, as you guessed, so that explains why I’m not seeing the same problem on DO.

I switched from Spectrum to AT&T as my ISP less than a week ago, so I’m not sure about the frequency of the IP changes yet, but I’m seeing the IPv6 address change at least on every reboot of the PC. The IPv4 address doesn’t seem to be changing, so I suspect it’s like my old Spectrum address and generally only changes when the connection to the ISP is lost.

So, now I need to figure out how to prevent WAF from blocking me while I manage my site via WordPress. I could pay AT&T $100 plus an extra $15 per month for a static IP address, which requires a visit from their tech, but maybe there’s an easier way? Perhaps I can ask AT&T to disable my IPv6 address. Or, I can try inserting a hub between my PC and the router (hoping that will hide PC reboots from the router, thus preserving the IPv6 address). Or, is there some other way to tweak WAF to stop blocking me?

AT&T isn’t just giving you one IPv6 address. They are probably giving you a /64 range, though it might be something different. If you can verify what size address range they are assigning you, then you can set up a rule to allow any address in that range, as they are all yours, even if there are 18,446,744,073,709,551,616 of them.

That is how IPv6 is supposed to work: you get a /64 range (18.014.398.509.481.984 IPv6 addresses) for each network (normally). Your computer will get at least two addresses: one is static and is normally tied to the MAC address of the interface, for inbound connections (other devices connecting to services it offers), and one is dynamic, changing periodically (the frequency varies from device to device).

You need to find out (I guess AT&T has a dashboard which gives you your IPs, be it in the router or somewhere, but I’m not in the US, so I’ve never used AT&T). You need to allow the whole range assigned to your connection (or to your specific network).
This range is normally between a /48 and a /56, but it can be larger or smaller depending on the ISP. Some do go down to a /64, but that makes it mostly unusable.

Allow the whole /64 range (a shortcut, which should work, is to take your machine’s IPv6 address and append /64 at the end; it will most likely work, e.g. 2001:db8:f682:8757:08ee:4757:644a:ca32/64).
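The mismatch described in this thread, and the /64 shortcut above, can be checked locally before touching the WAF. This is an added example, not code from the original thread or from any WAF vendor; the IPv4 address and the post-reboot IPv6 address are constructed from documentation ranges, and the WAF exception is modelled as a plain list of IPs/CIDRs.

```python
import ipaddress

# Constructed sample data (documentation ranges, not real addresses).
# The poster's first exception held only their IPv4 address.
ORIGINAL_EXCEPTION = ["203.0.113.10"]

# The address the browser actually used (from the thread), and the one the same
# PC would get after a reboot: same /64 prefix, different host half (constructed).
IPV6_BEFORE_REBOOT = "2001:db8:f682:8757:08ee:4757:644a:ca32"
IPV6_AFTER_REBOOT = "2001:db8:f682:8757:1c3a:9b22:7d01:ff0e"


def to_networks(entries):
    """Normalise exception entries (bare IPs or CIDR strings) to network objects.
    strict=False lets a host address like '...:ca32/64' stand for its prefix."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def exception_matches(client_ip, exception_entries):
    """True if the connecting address falls inside any allowlisted network.
    An IPv6 client never matches an IPv4 entry, which is the poster's symptom."""
    client = ipaddress.ip_address(client_ip)
    return any(client in net for net in to_networks(exception_entries))


def covering_prefix(ipv6_addr, prefix_len=64):
    """Apply the shortcut from the reply: append /64 to the host address and
    keep only the network part, e.g. '2001:db8:f682:8757::/64'."""
    return str(ipaddress.ip_network(f"{ipv6_addr}/{prefix_len}", strict=False))


def build_fixed_exception(ipv4_addr, ipv6_addr):
    """Exception covering both the stable IPv4 and the whole IPv6 /64."""
    return [ipv4_addr, covering_prefix(ipv6_addr)]


if __name__ == "__main__":
    # Reproduce the symptom: the IPv6 browser session bypasses the IPv4-only exception.
    print("IPv4-only exception matches IPv6 client:",
          exception_matches(IPV6_BEFORE_REBOOT, ORIGINAL_EXCEPTION))
    # A single-host IPv6 entry breaks as soon as the address changes.
    print("Exact /128 still matches after reboot:",
          exception_matches(IPV6_AFTER_REBOOT, [IPV6_BEFORE_REBOOT]))
    # The /64 entry keeps matching across reboots.
    fixed = build_fixed_exception("203.0.113.10", IPV6_BEFORE_REBOOT)
    print("Fixed exception:", fixed)
    print("/64 matches after reboot:", exception_matches(IPV6_AFTER_REBOOT, fixed))
```

If the ISP hands out a larger delegation (the /48 to /56 mentioned above), pass that prefix length to `covering_prefix` instead of the default 64.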

That wouldn’t solve the problem, that IP would be a static IPv4.

This is totally ridiculous, it’s a setting on their backend. Wow. Just wow.

Don’t do that; keep IPv6. You are lucky to have it, you just need to learn how it works and how it differs from IPv4.

That wouldn’t work either.
