Netgate Discussion Forum

    Unable to Reach CloudFlare IP address via DNS/IP

    General pfSense Questions
    4 Posts 2 Posters 1.1k Views
    • zatco

      Hello,

      I am experiencing a weird issue in which any DNS entry associated with Cloudflare IP 172.64.80.1.

      I have searched pfBlocker and Suricata and do not see it blocked. I even disabled both to rule this out as a problem. The site can be reached from other locations with pfSense installed.

      Examples are the following sites that resolve to 172.64.80.1:
      epochconverter.com
      forums.codeblocks.org

      [21.05.1-RELEASE][admin@Pfsense]/root: ping 172.64.80.1
      PING 172.64.80.1 (172.64.80.1): 56 data bytes
      ping: sendto: Permission denied
      ping: sendto: Permission denied

      --- 172.64.80.1 ping statistics ---
      2 packets transmitted, 0 packets received, 100.0% packet loss
      [21.05.1-RELEASE][admin@Pfsense]/root: ping forums.codeblocks.org
      PING forums.codeblocks.org (172.64.80.1): 56 data bytes
      ping: sendto: Permission denied
      ping: sendto: Permission denied

      --- forums.codeblocks.org ping statistics ---
      2 packets transmitted, 0 packets received, 100.0% packet loss
      [21.05.1-RELEASE][admin@Pfsense]/root: ping epochconverter.com
      PING epochconverter.com (172.64.80.1): 56 data bytes
      ping: sendto: Permission denied
      ping: sendto: Permission denied

      Any other site works, for example 8.8.8.8:

      [21.05.1-RELEASE][admin@Pfsense]/root: ping 8.8.8.8
      PING 8.8.8.8 (8.8.8.8): 56 data bytes
      64 bytes from 8.8.8.8: icmp_seq=0 ttl=118 time=4.919 ms
      64 bytes from 8.8.8.8: icmp_seq=1 ttl=118 time=4.985 ms

      If anyone can point me in the right direction, that would be appreciated.

      • johnpoz LAYER 8 Global Moderator @zatco

        @zatco said in Unable to Reach CloudFlare IP address via DNS/IP:

        172.64.80.1

        What firewall rules do you have on floating? I can duplicate your problem if I specifically create an outbound rule on the floating tab.

        [image: block.jpg]

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        • zatco @johnpoz

          @johnpoz I have no floating rules or that IP listed in the IP block lists. I did a tracert to the IP and checked to see if the IPs before the 172.64.80.1 past my ISP are getting blocked, but they are not.

          4 13 ms 13 ms 11 ms 69.63.249.209
          5 17 ms 17 ms 12 ms 209.148.235.214
          6 * * * Request timed out.
          7 18 ms 15 ms 12 ms 172.64.80.1

          The issue is affecting people browsing specific sites. It's got to be something simple, I just can't pinpoint it.

          Is it possible ISP could be blocking the IP?

          • johnpoz LAYER 8 Global Moderator @zatco

            @zatco said in Unable to Reach CloudFlare IP address via DNS/IP:

            Is it possible ISP could be blocking the IP?

            Anything is possible - but that shouldn't create a ping permission denied.. Do a sniff on your wan - do you see the ping go out? I would assume no if you're getting permission denied on the sendto.. But if you see it go out - maybe you're getting a specific reject back?

            Or maybe that IP specifically is blocking your IP.. But again that really shouldn't create that error, unless there is a specific reject that comes back..

            A sniff on your wan will show for sure whether you're sending it out the wire..

            Traceroute via Linux normally defaults to UDP, and it is not an ICMP message other than TTL expired that comes back.

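As an added illustration for the diagnosis in this thread (not code from the thread or from pfSense), the Python below walks a pf rule set the way pf does, last match wins unless a rule is `quick`, and reports which rule decides a locally generated packet to a destination such as 172.64.80.1. The rule dump and table contents are constructed samples in simplified `pfctl -sr` syntax, not output from the poster's box.

```python
import ipaddress

# Constructed sample in simplified `pfctl -sr` syntax, not a dump from any real pfSense box.
# pf blocking a packet that the firewall itself generates is what ping reports as
# "sendto: Permission denied" (EPERM), so the local rule set is the first thing to check.
SAMPLE_RULES = """\
pass in quick on em1 inet from 192.168.1.0/24 to any keep state label "USER_RULE: LAN to any"
block drop in log quick inet from <pfB_PRI1_v4> to any label "USER_RULE: pfB_PRI1_v4 auto rule"
block drop out quick inet from any to <pfB_Test_v4> label "USER_RULE: pfB_Test_v4 auto rule"
block drop out quick on em0 inet from any to 172.64.0.0/13 label "USER_RULE: floating test"
pass out inet from any to any keep state label "let out anything from firewall host itself"
"""
# Constructed table contents, in the form `pfctl -t <name> -T show` prints them.
SAMPLE_TABLES = {"pfB_PRI1_v4": ["1.2.3.0/24", "203.0.113.7"],
                 "pfB_Test_v4": ["198.51.100.0/24"]}

def parse_rule(line):
    # Split one rule into the fields a destination match needs; the label is kept for reporting.
    head, _, label = line.partition(" label ")
    toks = head.split()
    return {"action": toks[0], "direction": "in" if "in" in toks else "out",
            "quick": "quick" in toks, "dst": toks[toks.index("to") + 1],
            "label": label.strip().strip('"'), "text": line}

def dst_matches(dst, ip, tables):
    # Destination may be 'any', a host or CIDR, or a <table> whose members are looked up.
    if dst == "any":
        return True
    nets = tables.get(dst[1:-1], []) if dst.startswith("<") else [dst]
    return any(ip in ipaddress.ip_network(n, strict=False) for n in nets)

def deciding_rule(rules_text, tables, dst_ip, direction="out"):
    # pf semantics: the last matching rule wins, unless a matching rule is marked
    # 'quick', which ends evaluation on the spot. Returns None if nothing matches.
    ip = ipaddress.ip_address(dst_ip)
    winner = None
    for line in rules_text.splitlines():
        rule = parse_rule(line)
        if rule["direction"] != direction or not dst_matches(rule["dst"], ip, tables):
            continue
        winner = rule
        if rule["quick"]:
            break
    return winner

if __name__ == "__main__":
    for target in ("172.64.80.1", "8.8.8.8", "198.51.100.5"):
        rule = deciding_rule(SAMPLE_RULES, SAMPLE_TABLES, target)
        print(f"{target}: {rule['action']} by '{rule['label']}'")
```

On a real box the same walk is done by feeding it `pfctl -sr` output and `pfctl -t <table> -T show` for each table referenced; the floating `quick` block fires before the catch-all `pass out`, which is exactly why a single IP can fail while 8.8.8.8 works.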

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.