• Welcome to Hurricane Electric's IPv6 Tunnel Broker Forums.

Cloudflare problems with my IPv6 prefix

Started by TrulyFoxy, August 01, 2020, 10:06:38 AM

TrulyFoxy

This has been going on for several weeks now, after many years of using IPv6 without trouble.

Every site I visit that is protected by Cloudflare, I get protracted "checking your browser" delays, often followed by a captcha. That is to sites I visit many times a day; I get the checks every time I close my browser, or navigate away from the site for more than a few minutes.

Worse, I've just discovered I'm also being blocked completely from some websites by their Cloudflare firewall.

If I disable IPv6 and force just IPv4, there are no problems. The issue happens on all my PCs and on a clean test installation. Any IPv6 address in my prefix gets 'caught'.

There is no good reason for this, not at my end anyway. No viruses, nothing has been compromised... all of that was the very first thing I checked.

Any suggestions? Is there a way to check 'reputation' for IPv6 addresses? I've done it for my public IPv4 subnet before I discovered it was IPv6 that was causing the problem.

Edit to add: I checked the reputation of my IPv6 at https://www.projecthoneypot.org/search_ip.php as recommended on Cloudflare's forum.
No problems were found. So it's not that.

cholzhauer

I used to see this fairly often, but I can't think of the last time I saw it show up for me.

TrulyFoxy

It's the first time for me.

I've done some more testing and determined that it is the entire /48 prefix which is being blocked by Cloudflare. Anywhere in it gets blocked.

If I change to the /64 prefix we also get, everything works OK. I need the /48 for local subnets though.

Cloudflare still has not replied to me of course. Frankly it's outrageous that some company can arbitrarily block someone's use of the internet.

I'm going to delete and reallocate the /48 in a couple of days if I get no reply; maybe sooner if I get annoyed waiting. Hopefully the system won't reallocate the same prefix, and I get one that works.

TrulyFoxy

Well, this is interesting...

Someone told me about adding "/cdn-cgi/trace" to the Cloudflare websites to get troubleshooting info.

All of them, when connected through my /48 prefix on the London HE server, give loc=RU.

RU as in Russia??? Something wrong there surely. I've checked my tunnel server address, it is correct and is the London server.

If I use the separate /64 prefix, I get loc=GB and everything works.

Who moved me to Russia?

ETA: MaxMind is the one that has it in Russia, the entire 2001:470:6800::/40 prefix! All the other geolocation databases I've checked are North America (not really correct since I use it from the UK, but that's a known issue that has never bothered anyone except Netflix).

There is a procedure to correct it, but really it should be HE doing that, not me. ETA2: I've done it myself - now to see if they make the correction.

https://www.maxmind.com/en/geoip-demo
https://support.maxmind.com/geoip-data-correction-request/
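
The comparison described in the post above, as an added example that is not part of the original thread: it parses the key=value body returned by /cdn-cgi/trace and reports whether the source address falls in the 2001:470:6800::/40 prefix and whether loc differs from the country you expect. The two sample responses and their addresses are constructed, and the function names are hypothetical.

```python
import ipaddress

# Prefix the post reports as geolocated to RU.
SUSPECT_PREFIX = ipaddress.ip_network("2001:470:6800::/40")

# Constructed sample bodies (not real captures); save real ones from
# https://<site>/cdn-cgi/trace once per source prefix and pass them in.
TRACE_VIA_48 = """fl=000f000
h=example.com
ip=2001:470:6812:34::10
ts=1596276398.123
visit_scheme=https
uag=Mozilla/5.0 (X11; Linux x86_64) key=value
colo=LHR
loc=RU
tls=TLSv1.3
"""
TRACE_VIA_64 = """fl=000f001
h=example.com
ip=2001:470:1f09:abc::2
colo=LHR
loc=GB
tls=TLSv1.3
"""

def parse_trace(text):
    """Turn the trace body into a dict; split on the first '=' only."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip():
            fields[key.strip()] = value.strip()
    return fields

def assess(text, expected_loc):
    """Summarise one trace: source address, edge location, geolocation result."""
    fields = parse_trace(text)
    if "ip" not in fields or "loc" not in fields:
        raise ValueError("trace body has no ip= or loc= field")
    addr = ipaddress.ip_address(fields["ip"])  # raises ValueError if malformed
    return {
        "ip": str(addr),
        "colo": fields.get("colo"),           # edge data centre that answered
        "loc": fields["loc"],                 # country the service assigned
        "in_suspect_prefix": addr in SUSPECT_PREFIX,  # False for IPv4 too
        "mismatch": fields["loc"].upper() != expected_loc.upper(),
    }

if __name__ == "__main__":
    for name, body in (("/48", TRACE_VIA_48), ("/64", TRACE_VIA_64)):
        print(name, assess(body, expected_loc="GB"))
```

A matching colo with a differing loc, as in the first sample, points at the geolocation data for the source prefix rather than at routing.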