WAF rule blocks one Google Cloud subnet even if it is allowed

Hello everyone,

I just discovered the (free) Cloudflare services that I want to use ‘in front of’ my website, a Home Assistant installation.

I’m trying to get the Google Cloud/Assistant IP ranges to be accepted by an allow rule in the WAF, but for some reason, a specific range is blocked (by my second rule, a geoip rule allowing only my country The Netherlands). Other Google IP ranges pass my Google Cloud rule and pass the country rule without problems.

The first rule, the Google allow rule, is:

(ip.src in {8.8.4.0/24 8.8.8.0/24 8.34.208.0/20 8.35.192.0/20 23.236.48.0/20 23.251.128.0/19 34.64.0.0/10 34.128.0.0/10 35.184.0.0/13 35.192.0.0/14 35.196.0.0/15 35.198.0.0/16 35.199.0.0/17 35.199.128.0/18 35.200.0.0/13 35.208.0.0/12 35.224.0.0/12 35.240.0.0/13 64.15.112.0/20 64.233.160.0/19 66.102.0.0/20 **66.249.64.0/19** 70.32.128.0/19 72.14.192.0/18 74.114.24.0/21 74.125.0.0/16 104.154.0.0/15 104.196.0.0/14 104.237.160.0/19 107.167.160.0/19 107.178.192.0/18 108.59.80.0/20 108.170.192.0/18 108.177.0.0/17 130.211.0.0/16 136.112.0.0/12 142.250.0.0/15 146.148.0.0/17 162.216.148.0/22 162.222.176.0/21 172.110.32.0/21 172.217.0.0/16 172.253.0.0/16 173.194.0.0/16 173.255.112.0/20 192.158.28.0/22 192.178.0.0/15 193.186.4.0/24 199.36.154.0/23 199.36.156.0/24 199.192.112.0/22 199.223.232.0/21 207.223.160.0/20 208.65.152.0/22 208.68.108.0/22 208.81.188.0/22 208.117.224.0/19 209.85.128.0/17 216.58.192.0/19 216.73.80.0/20 216.239.32.0/19} and ip.geoip.asnum eq 15169 and http.host eq "my.homeassistant.domain" and http.request.uri.path eq "/api/google_assistant") or (http.request.uri.path eq "/auth/token")

My second, the all-other-countries-blocked-except-NL, is:

(not ip.geoip.country in {"NL"} and http.host eq "my.homeassistant.domain")

My problem is, that when Google Assistant uses an IP in the 66.249.81.* range, that it does not match the first rule, and is blocked by the second rule, even though 66.249.81.* is part of the 66.249.64.0/19 subnet in the first rule.

Only difference I can find is that the range 66.249.81.* is listed as

Country: Unknown states, other entities or organizations

and all other Google Cloud IPs have a country.

Can someone please advise me?
Thank you :slight_smile:

I added ** ** in the first rule to highlight the specific subnet, it is not really there in the rule itself :wink:
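To reproduce the two rules locally and see which sub-condition of the allow rule a given request fails, here is an added Python example (not part of the original post or of Cloudflare's tooling). It copies the CIDR list and the clauses from the two rules above, models Cloudflare's first-match behaviour (a request that matches the allow rule never reaches the block rule), and takes constructed request attributes (source IP, ASN, country, host, path) as input. The point it makes is that membership in 66.249.64.0/19 is only one of four AND-ed clauses in the allow rule; the `ip.geoip.asnum`, host and path clauses have to hold as well, and the function reports which ones did not.

```python
from __future__ import annotations

import ipaddress
from typing import NamedTuple, Optional

# CIDR list copied verbatim from the allow rule in the post.
GOOGLE_CIDRS = """
8.8.4.0/24 8.8.8.0/24 8.34.208.0/20 8.35.192.0/20 23.236.48.0/20 23.251.128.0/19
34.64.0.0/10 34.128.0.0/10 35.184.0.0/13 35.192.0.0/14 35.196.0.0/15 35.198.0.0/16
35.199.0.0/17 35.199.128.0/18 35.200.0.0/13 35.208.0.0/12 35.224.0.0/12 35.240.0.0/13
64.15.112.0/20 64.233.160.0/19 66.102.0.0/20 66.249.64.0/19 70.32.128.0/19 72.14.192.0/18
74.114.24.0/21 74.125.0.0/16 104.154.0.0/15 104.196.0.0/14 104.237.160.0/19 107.167.160.0/19
107.178.192.0/18 108.59.80.0/20 108.170.192.0/18 108.177.0.0/17 130.211.0.0/16 136.112.0.0/12
142.250.0.0/15 146.148.0.0/17 162.216.148.0/22 162.222.176.0/21 172.110.32.0/21 172.217.0.0/16
172.253.0.0/16 173.194.0.0/16 173.255.112.0/20 192.158.28.0/22 192.178.0.0/15 193.186.4.0/24
199.36.154.0/23 199.36.156.0/24 199.192.112.0/22 199.223.232.0/21 207.223.160.0/20 208.65.152.0/22
208.68.108.0/22 208.81.188.0/22 208.117.224.0/19 209.85.128.0/17 216.58.192.0/19 216.73.80.0/20
216.239.32.0/19
""".split()
NETWORKS = [ipaddress.ip_network(c) for c in GOOGLE_CIDRS]

HOST = "my.homeassistant.domain"  # placeholder host name taken from the rules in the post


class Request(NamedTuple):
    """Constructed request attributes as the WAF would see them (asn/country may be unknown)."""
    ip: str
    asn: Optional[int]
    country: Optional[str]
    host: str
    path: str


def matching_subnets(ip: str) -> list[str]:
    """Return every listed CIDR that contains the address (the `ip.src in {...}` clause)."""
    addr = ipaddress.ip_address(ip)
    return [str(n) for n in NETWORKS if addr in n]


def allow_rule_clauses(req: Request) -> dict[str, bool]:
    """Evaluate each AND-ed sub-condition of the first (allow) rule separately."""
    return {
        "ip.src in {google cidrs}": bool(matching_subnets(req.ip)),
        "ip.geoip.asnum eq 15169": req.asn == 15169,
        f'http.host eq "{HOST}"': req.host == HOST,
        'http.request.uri.path eq "/api/google_assistant"': req.path == "/api/google_assistant",
    }


def allow_rule_matches(req: Request) -> bool:
    # (all four clauses) or (path eq "/auth/token"), exactly as written in the post
    return all(allow_rule_clauses(req).values()) or req.path == "/auth/token"


def block_rule_matches(req: Request) -> bool:
    # (not ip.geoip.country in {"NL"} and http.host eq HOST); an unknown country is "not NL"
    return req.country != "NL" and req.host == HOST


def evaluate(req: Request) -> tuple[str, list[str]]:
    """First-match evaluation: returns (action, failed allow-rule clauses).

    action is "allow" (rule 1 matched), "block" (rule 1 missed, rule 2 matched)
    or "pass" (neither rule matched).
    """
    if allow_rule_matches(req):
        return "allow", []
    failed = [name for name, ok in allow_rule_clauses(req).items() if not ok]
    if block_rule_matches(req):
        return "block", failed
    return "pass", failed


if __name__ == "__main__":
    # Constructed sample: same source address, once with the ASN resolved and once without.
    for req in (
        Request("66.249.81.10", 15169, None, HOST, "/api/google_assistant"),
        Request("66.249.81.10", None, None, HOST, "/api/google_assistant"),
    ):
        action, failed = evaluate(req)
        print(req.ip, "in", matching_subnets(req.ip), "->", action, failed)
```

Run it and compare the printed failed clauses with what the Firewall Events log shows for the blocked request; whichever clause is false in the log's request details is the one that kept the allow rule from matching.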

The Firewall Events Activity Log should show you which rule is allow/blocking that IP address. If it triggers the first rule, it shouldn’t trigger the second rule.

The second rule, the country blocking rule, blocks that specific range, because it isn’t The Netherlands. The other Google IPs, which aren’t originating from NL either, are not being blocked by the second rule and are allowed by the first rule…
