Understanding Cloudflare's IPv6 Support

Learn how Cloudflare supports IPv6 traffic by default and the features Cloudflare recommends if your origin web server or application software does not support IPv6 traffic.


Overview

By default, Cloudflare provides free IPv6 support to all domains without requiring additional configuration or hardware. If your origin web server is not compatible with IPv6, Cloudflare allows toggling IPv6 Compatibility to Off. Alternatively, if clients connect to your Cloudflare-proxied domain via IPv6 but the origin web server uses older software that only understands IPv4 formatted IP addresses, use Cloudflare’s Pseudo IPv4 feature mentioned below.


Disable Cloudflare’s IPv6 Compatibility

If your hosting provider supports IPv6 for your origin web server, Cloudflare’s IPv6 Compatibility  allows you to proxy IPv6 connections through Cloudflare's global network when proxying AAAA DNS records through Cloudflare.

Domains on Enterprise plans are allowed to toggle IPv6 within the UI:

  1. Login to your Cloudflare account.
  2. Select the appropriate domain.
  3. Click the Cloudflare Network app.
  4. Toggle IPv6 Compatibility Off or On.
If no toggle exists in the Cloudflare UI (such as for domains on Free, Pro, or Business plans), update IPv6 Compatibility via an API call.
Even with IPv6 disabled, domains receive IPv6 traffic via the Tor network. To completely disable all IPv6 traffic, also disable Onion Routing via the Edge Certificates tab of the Cloudflare SSL/TLS app.

Enable Pseudo IPv4

Some older origin analytics and fraud detection software expect IP addresses in an IPv4 format and do not support IPv6 addresses. Therefore, to support migration to IPv6, Cloudflare provides an IPv6 to IPv4 translation service available for all Cloudflare domains: Pseudo IPv4.

Pseudo IPv4 uses Class E IPv4 address space to provide as many unique IPv4 addresses corresponding to IPv6 addresses as possible.

  • Example Class E IPv4 address: 240.16.0.1

  • Example IPv6 address: 2400:cb00:f00d:dead:beef:1111:2222:3333
Class E IPv4 addresses are designated as experimental and are not used for production Internet traffic.

There are three options for Pseudo IPv4:

  • Off - Default.
  • Add Header - Cloudflare automatically adds the Cf-Pseudo-IPv4 headerwith a Class E IPv4 address hashed from the original IPv6 address.
  • Overwrite Headers - Cloudflare overwrites the existing Cf-Connecting-IP and X-Forwarded-For headers with a Pseudo IPv4 address while preserving the real IPv6 address in a Cf-Connecting-IPv6 header.
Software changes are not required at your origin web server when using Overwrite Headers.

Troubleshoot an IPv6 network issue

Provide the following information to Cloudflare Support if you experience issues with IPv6 connectivity:


Related resources

Not finding what you need?

95% of questions can be answered using the search tool. This is the quickest way to get a response.

Powered by Zendesk