Routing Issues with Leased Subnet to Cloudflare-Protected Destinations
I am encountering connectivity issues with my BGP-routed subnet (45.87.175.0/25) when accessing websites and services that are behind Cloudflare’s CDN or protection. Here are the details:
Affected Subnet: 45.87.175.0/25
Observed Behavior: Downloads and connectivity to Cloudflare-protected destinations fail from any IP in this subnet.
Tests Performed:
Traceroutes from 45.87.175.1 to Cloudflare IPs result in dropped packets. Successful connectivity from 1GServers’ IPs suggests the issue is specific to my subnet.
I'm wondering, do you really mean /25 here?
If so, that would explain it very well, as BGP routers on the Internet won't accept anything smaller than a /24 of IPv4, and a /48 of IPv6.
If you need to use something smaller than a /24 of IPv4, the only thing you can do is announce the corresponding /24 to the global Internet on the edge of your network, and then internally (after it reaches your routers that handle the public /24) route the smaller chunks to wherever you need them to go.
The public will that way see the /24, but never the /25.
Same
/25? wtf
Either way, it's likely to be outside the scope of this Discord/CF. If you just want a hint: https://bgp.tools/prefix/45.87.175.0/24#connectivity IPXO is announcing the /24 via Equinix as well. I've heard before that they do so on suspensions or payment issues to blackhole traffic/stop use of the prefix. Something you'd have to follow up with them either way. If you're trying to use 1GServers only, they should be announcing it, unless you're trying to anycast/multi-home.
It seems like it's ONLY connected to Equinix rn
there are some routes being announced by 1GServers, you can see under the "super lg"
looks like maybe just peering and not transit though, idk, not my specialty lol
Only announcing to HE
Obviously all traffic will go to IPXO, they have way more presence
Not sure whether the wtf part was in relation to anything I wrote, but -
It was meant as: you can use the /25 just fine, the traffic will just be sent on the public Internet to the equivalent of the /24.
Attempting to send:
IPv4 /25-/32
IPv6 /49-/128
to the public Internet will be a no-go.
You need to be extremely lucky to find any networks accepting sizes in those areas.
Regarding the /24 supernet, it seemed unannounced according to https://bgp.tools when I looked earlier (before being afk for I guess ~ 2 - 2.5 hours) though.
https://bgp.he.net said low visibility, seen on 1 out of ~ 648.
more like 0
(which definitely has changed now)
unless I'm misremembering, I believe I saw someone saying once that they use Equinix with their decent presence to try to blackhole traffic when a suspension or payment failure, etc. occurs
probably the best lead for him is to ask them about it, and ask 1GServers about the announcement / make sure he's not trying to do just the /25 lol, either way outside of this disc
Definitely not impossible to do something like that.
And it would also make (financial) sense to do, e.g. "suspend" (and make sure that the suspension is being felt) unpaid services though.
A huge 👍, and also why I initially asked / suggested to look into that /25 part.
Sorry, my bad, just a typing error, but yeah, same issue for /24
I am just using a /25 subnet out of the /24, but the issue is for the whole /24 subnet.
If you are actually announcing the /24 in your BGP configurations, then you would need to contact the service provider that you're attempting to announce it from, for further assistance.
Yes, my BGP provider is 1GServers and I told them regarding this issue, but they told me this issue is by Cloudflare, because Cloudflare blocked that subnet from accessing Cloudflare-proxied sites / Cloudflare-subscribed products.
Also, I am not into networking, so can you explain to me if I am making any mistakes?
"Traceroutes from 45.87.175.1 to Cloudflare IPs result in dropped packets."
and
"Cloudflare blocked that subnet from accessing Cloudflare-proxied sites / Cloudflare-subscribed products."
Sounds somehow contradictory to me. And leads me towards: 1. What exactly do you see? 2. What exactly did you do, in order to see that?
Haha, also created a ticket on Cloudflare and they marked it as pending
I was trying to download the installation files for cPanel from their source https://securedownloads.cpanel.net/latest, but the download failed. aaPanel seems to have a similar issue. My suspicion is that Cloudflare's proxying is interfering with the download process on my VPS. It seems like my VPS cannot access websites behind Cloudflare's network using those specific IP addresses.
I utilised that subnet for virtualization.
On <t:1717580220:F>, AS14315 (1GSERVERS, LLC) was added, and AS834 (IPXO LLC) was removed, from the Route Origin Authorizations (ROA) to announce your Internet.
Ohk, and
On <t:1719838920:F>, this change was reversed, by removing AS14315 (1GSERVERS, LLC), and adding AS834 (IPXO LLC) instead.
f, this is strange
<t:1719838920:F> was roughly 1 hour, 19 minutes later than your initial message in this thread.
it's not really strange, the ROAs being removed and IPXO announcing points to just a suspension or payment issue with IPXO. Talk to them.
No, I don't have any payment issues with them. I have more than 5-6 subnets with them over 1.5 years and never faced any issue, but on this subnet I got this issue.
If you didn't do something from your end regarding that, then talking to IPXO, as @Chaika so nicely said, will be the way to go.
Sure, brother, I understood, I really appreciate your efforts.
Yes i would.
fwiw as far as I know, CF would only block IPs/do IP Jailing in response to a large ddos attack
(which is unlikely, so I don't think they'd be blocking you)
umm, yes.
it could be a routing issue or something else though, either way step 1 is to contact IPXO and get them to stop announcing and get the ROA back authorizing 1G, then you can troubleshoot the rest
Sure, I'll do this.
I'm also adding the reference here: Routing Issues with Subnet 45.87.175.0/25 to Cloudflare-Protected Destinations.
Sure sir, thanks.
IPXO is an IP address leasing company. Looks like they leased the prefix to 1G
The prefix is RPKI invalid, so it's most likely being dropped at the edge
1G needs to work with IPXO to solve this
Hi, sir https://rpki-validator.ripe.net/ui/45.87.175.0%2F24?validate-bgp=true
Records for the route to 1GServers seem correct, okay?
Still, I am not able to connect to Cloudflare.
I tried on a Cloudflare-protected site.
tracert 104.21.4.88
AS834 (IPXO LLC) is still announcing the address space to the public Internet.
As such, the route that reaches towards them is likely causing an effect similar to a null route, once e.g. the return traffic (e.g. replies) to your traffic goes back, but reaches AS834 (IPXO LLC) instead of the intended destination.
https://bgp.he.net/net/45.87.175.0/24
In addition, you have a conflicting IRR, which may cause issues with some networks that do not rely solely on the ROA.
AS834 (IPXO LLC) added a route object in RADB yesterday.
ohh getting