IPv6 whitelist / allowlist not supported?

I'm trying to create a whitelist/allowlist for IPv6 addresses, however nothing I have tried works, and the only posts I have come across on the forum don't have any answers.
When using IPv4 this works perfectly fine, however when I try to introduce IPv6 I always get a forbidden response. Is this supported at all? I don't think so, and I think this should be noted, as I've wasted way more time than I'd like to admit trying to get this to work.

Extra info: this is running as a service in its own VM, not as a Docker container, so IPv6 works system and network wide. IPv6 entry points work just fine; it's when I try adding a whitelist middleware to the service that things go south.

I have tried every possible variation of the following:

http:
  middlewares:
    mywhitelist:
      ipWhiteList:
        sourceRange:
          - "fe80::/10"
          - "[fe80::]/10"
          - "2000:3000:aeff::/64"
          - "fe80::6969/128"
    myotherwhitelist:
      ipAllowList
        sourceRange:
          - "fe80::/10"
          - "[fe80::]/10"
          - "[2000:3000:aeff::]/64"
          - "fe80::6969/128"

Share your full Traefik static and dynamic config, and docker-compose.yml if used.

Your IPv6 works without the middlewares?

Yes, everything works perfectly fine, but as soon as I add the middleware I get forbidden for those routes.

So now that I think about it, I might know what is going on. I have not tried the solution yet, however I was doing/testing this while transitioning to a dual stack configuration, and so I created a separate middleware to handle just the IPv6 addresses so that I could separate and comment it out if needed. But is it possible that because I am using 2 allow list middlewares, the IPv4 one will block any IPv6 addresses and then vice versa the IPv6 middleware will block IPv4 addresses - essentially the IPv6 addresses should be in the same middleware as the IPv4 addresses? It's late so I will try this tomorrow and report back, but in the meantime this is my setup, IPv6 included.

static config

global:
  checkNewVersion: true
  sendAnonymousUsage: false
log:
  level: DEBUG
  filePath: "/srv/traefik/logs/process.log"
  format: common
accessLog:
  filePath: "/srv/traefik/logs/access.log"
  bufferingSize: 10
  format: common
providers:
  providersThrottleDuration: 10s
  file:
    directory: /srv/traefik/config.d
    watch: true
api:
  dashboard: true
  debug: true
entryPoints:
  web:
    address: '192.168.22.10:22080' # router handles forwarding from port 80 to 22080
  web-secure:
    address: '192.168.22.10:22443'  # router handles forwarding from port 443 to 22443
  web_v6:
    address: '[2:4:a:5::4]:22080' # router handles forwarding from port 80 to 22080
  web-secure_v6:
    address: '[2:4:a:5::4]:22443' # router handles forwarding from port 443 to 22443
certificatesResolvers:
  personal:
    acme:
      email: A@gmail.com
      storage: /srv/traefik/sslcerts/cert-personal.json
      dnsChallenge:
        provider: cloudflare
        delayBeforeCheck: 30
  certifiedb:
    acme:
      email: A@gmail.com
      storage: /srv/traefik/sslcerts/cert-certifiedb.json
      httpChallenge:
        entryPoint: web

dynamic config

http:
  middlewares:
    dashboard-auth:
      basicAuth:
        usersFile: "/srv/traefik/dshusr"
    localipwhitelist:
      #ipWhiteList:   # deprecated??
      ipAllowList:
        sourceRange:
          - "127.0.0.1/32"
          - "192.168.1.0/16"
    IPv6localipwhitelist:
      #ipWhiteList:   # deprecated???
      ipAllowList:
        sourceRange:
          - "fe80::/10"
          - "2:4:a:5::/64"
    secureRedirectscheme:
      redirectScheme:
        scheme: https
        permanent: true
    sslterminationHeader:
      headers:
        customRequestHeaders:
          X-Forwarded-Proto: "http"
    gitmetricscorrection:
      replacePathRegex:
        regex: "^/metrics$"
        replacement: "/-/metrics"
  routers:
    personalsite:
      rule: "Host(`a.com`)"
      entryPoints:
        - web
        - web_v6
      service: personalsite
      priority: 11
      tls:
        certResolver: personal
    personalsite-secure:
      rule: "Host(`a.com`)"
      entryPoints:
        - web-secure
        - web-secure_v6
      service: personalsite
      priority: 100
      tls:
        certResolver: personal
        domains:
          - main: "a.com"
            sans:
              - "*.a.com"
    cb:
      rule: "Host(`cb.co`)"
      entryPoints:
        - web
        - web_v6
      service: cb-httpd
    cb-secure:
      rule: "Host(`cb.co`)"
      entryPoints:
        - web-secure
        - web-secure_v6
      service: cb-httpd
      tls:
        certResolver: certifiedb
        domains:
          - main: "cb.co"
            sans:
              - "www.cb.co"
    dashboard:
      rule: "Host(`traefik.a.com`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
      service: api@internal
      entrypoints:
        - web-secure
        - web-secure_v6
      middlewares:
        - dashboard-auth
        - localipwhitelist
        - IPv6localipwhitelist
      tls:
        certResolver: personal
    vwsecure:
      rule: "Host(`bw.a.com`) && !PathPrefix(`/admin`)"
      entryPoints:
        - web-secure
        - web-secure_v6
      service: vw
      tls:
        certResolver: personal
    vw_admin:
      rule: "(Host(`bw.a.com`) && PathPrefix(`/admin`))"
      entryPoints:
        - web-secure
        - web-secure_v6
      service: vw
      middlewares:
        - localipwhitelist
        - IPv6localipwhitelist
      tls:
        certResolver: personal
    tar1090secure:
      rule: "Host(`tar1090.a.com`)"
      entryPoints:
        - web-secure
        - web-secure_v6
      middlewares:
        - localipwhitelist
        - IPv6localipwhitelist
      service: tar1090
      tls:
        certResolver: personal
    gitlabsecure:
      rule: "Host(`git.a.com`)"
      entryPoints:
        - web-secure
        - web-secure_v6
      middlewares:
        - sslterminationHeader
      service: gitlab
      tls:
        certResolver: personal
    gitlabsecure_admin:
      rule: "Host(`git.a.com`) && (PathPrefix(`/admin`) || PathPrefix(`/metrics`))"
      entryPoints:
        - web-secure
        - web-secure_v6
      middlewares:
        - localipwhitelist
        - IPv6localipwhitelist
        - sslterminationHeader
        - gitmetricscorrection
      service: gitlab
      tls:
        certResolver: personal
    grafanaInternal:
      rule: "Host(`grafana.a.com`)"
      entryPoints:
        - web-secure
        - web-secure_v6
      service: grafana
      middlewares:
        - localipwhitelist
        - IPv6localipwhitelist
      tls:
        certResolver: personal
  services:
    personalsite:
      loadBalancer:
        servers:
          - url: "http://ps.servicenet:8083"
    cb-httpd:
      loadBalancer:
        servers:
          - url: "http://cb.servicenet:8083"
    vw:
      loadBalancer:
        servers:
          - url: "http://vw.servicenet:8037"
    tar1090:
      loadBalancer:
        servers:
          - url: "http://tar1090.servicenet:8099"
    gitlab:
      loadBalancer:
        servers:
          - url: "http://git.servicenet:8029"
        healthCheck:
          path: /-/health
          interval: "10s"
          timeout: "3s"
    grafana:
      loadBalancer:
        servers:
          - url: "http://grafana.servicenet:3000"

You need to merge the IPs, otherwise each middleware will be run and one will always fail.

You were right, that fixed it, thanks.
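
The fix above, as an added example that is not part of the thread and not Traefik's own code: a small Go model of chained allow lists using the ranges from the posted dynamic config. It assumes each `ipAllowList` rejects any client outside its own `sourceRange`, uses Go's `net.ParseCIDR` as a stand-in for Traefik's parsing, and the client addresses are constructed.

```go
package main

import (
	"fmt"
	"net"
)

// allowList models one ipAllowList middleware (assumption: a request passes
// only if the client IP is inside at least one sourceRange entry).
type allowList []*net.IPNet

// parseRanges rejects anything net.ParseCIDR does not accept as CIDR,
// such as the bracketed "[fe80::]/10".
func parseRanges(entries ...string) (allowList, error) {
	var al allowList
	for _, e := range entries {
		_, n, err := net.ParseCIDR(e)
		if err != nil {
			return nil, fmt.Errorf("bad sourceRange %q: %w", e, err)
		}
		al = append(al, n)
	}
	return al, nil
}

// chainAllows models a router's middleware list: every allow list in the
// chain must accept the client, otherwise the request is answered 403.
func chainAllows(client string, chain ...allowList) bool {
	ip := net.ParseIP(client)
	for _, al := range chain {
		ok := false
		for _, n := range al {
			ok = ok || n.Contains(ip)
		}
		if !ok {
			return false
		}
	}
	return ip != nil
}

func main() {
	v4, _ := parseRanges("127.0.0.1/32", "192.168.1.0/16")
	v6, _ := parseRanges("fe80::/10", "2:4:a:5::/64")
	merged := append(append(allowList{}, v4...), v6...)
	for _, c := range []string{"192.168.22.50", "2:4:a:5::99"} { // constructed clients
		fmt.Println(c, "split:", chainAllows(c, v4, v6), "merged:", chainAllows(c, merged))
	}
}
```

With the two lists chained, both the IPv4 and the IPv6 client are rejected, because each address family fails the other family's list; with one merged list both pass.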

It seems like there might be some issues with the way the IPv6 addresses are being specified in the whitelist configuration. Here are a few things to check and try:

Correct Syntax and Spelling:
Ensure that the syntax and spelling in your configuration file are correct. For example, the ipAllowList should have the correct indentation and spelling:

http:
  middlewares:
    mywhitelist:
      ipWhiteList:
        sourceRange:
          - "fe80::/10"
          - "2000:3000:aeff::/64"
          - "fe80::6969/128"
    myotherwhitelist:
      ipAllowList:
        sourceRange:
          - "fe80::/10"
          - "2000:3000:aeff::/64"
          - "fe80::6969/128"

Brackets:
Remove the brackets around IPv6 addresses. The brackets are generally used for URLs, not for specifying CIDR blocks:

sourceRange:
  - "fe80::/10"
  - "2000:3000:aeff::/64"
  - "fe80::6969/128"

Proper Indentation:
Ensure the indentation is consistent. YAML is indentation-sensitive, and incorrect indentation can lead to configuration errors:

http:
  middlewares:
    mywhitelist:
      ipWhiteList:
        sourceRange:
          - "fe80::/10"
          - "2000:3000:aeff::/64"
          - "fe80::6969/128"
    myotherwhitelist:
      ipAllowList:
        sourceRange:
          - "fe80::/10"
          - "2000:3000:aeff::/64"
          - "fe80::6969/128"

Check Service Logs:
Check the service logs for any errors or warnings that might indicate what the issue is. There might be clues that can help you debug the problem.

Service Documentation:
Consult the documentation for the service you are using to ensure that IPv6 whitelisting is supported and that you are using the correct configuration format.

Network Configuration:
Verify that the VM's network configuration is set up to handle IPv6 traffic correctly. This includes checking firewall rules, routing tables, and any other network-related settings.

If you have tried these steps and still face issues, consider seeking help from experts in custom software development, maybe they can help you https://tech-stack.com/