It was suggested to me that when a site uses a batch IP check to look for duplicate member accounts to flag, some of those flagged IPs may be loaded into Cloudflare tools dashboard with a new IP access rule to add an IP address or series of IP addresses for being blocked by either one or all websites in a Cloudlare account.

It could explain why this site is blocking IP addresses that aren’t blocked by most or all other sites using the Cloudflare dashboard tools.

Perhaps IBJoel or Oxon Flyer can share more about whether this is a factor in why the VPN blocking — particularly commercial VPN node blocking — hits with FT but not with independent sites using Cloudflare tools.

My insight is that commercial VPNs have many and varied uses by their customers, some users use them for nefarious uses. So commercial VPN IP addresses typically have a poor reputation, one because they are labelled as "anonymous IPs", and secondly because some users are generating malicious or abusive traffic from them.

I have used the analogy before, but using a commercial VPN in terms of your perceived source IP reputation is typically similar going into some seedy downtrodden bar in the dodgy part of town and rubbing shoulders the local lowlife and crims. You're not a lowlife, but you're sharing a IP with others who are and might typically not wish to be associated with.

Whilst I don't have access to a Cloudflare account with this specific control on it, having spoken to someone who does, there's a dial you can twiddle from laissez-faire to suspicious to paranoid about the reputation of source IPs, and my guess is that IB as a customer of cloudflare that is using their service to defend their services from recurring DDOS attacks have got that source IP reputation dial turned to the max.

Then the question is why not for all the IB sites.

FWIW, IME it seems to be that free, open Wi-Fi networks available and used by tens of thousands — or even hundreds of thousands — tend to be way more likely to be left to be with regard to the FT-specific Cloudflare dashboard tool blocks. And this is even as these are the kind of internet networks that aren’t spared of “seedy” traffic any more than the commercial VPN nodes are.

I obvs can't say why IB don't do the same for all their sites.

But responding on the public WiFi point, you're right that they are misused but generally the people who use those networks are broadly transitory, so the misuse tends to come and go and is more sporadic than commercial public VPNs where the users are typically more sticky and persistent.

So when they turn up in source IP reputation lists commercial public VPNs are usually near the top of the risk list, whereas public WiFi is typically a few notches below in the risk stakes, and to be fair public WiFi often isn't that far removed from consumer ISPs who have significant CGNAT on their IPv4

That mention about consumer ISPs who have significant CGNAT on their IPv4 is an interesting one. Would you say that could be a part of why some of these FT-specific Cloudflare connection blocks — even of non-VPNs — may be geographically clustered with their impact on FTers and others trying to connect with the site?

It's certain possible. IP reputation tools can down score the address used by an IPv4 CGNAT service where they see patterns of dubious activity just in the same way that a commercial VPN (which will also certainly be CGNAT). The one difference is that the connections are less likely to be so anonymous.

My own personal assessment of the typical averages of the IP reputation of categories of each type of service.

Anonymous - the extent to which users are trying to hide their ID
Malicious - the extent of usage that is malicious or naughty
Longevity - how long users would typically use such a service
Geohopping - the utility of the service to permit a user to jump elsewhere globally

Commercial VPN:
Anonymous high, Malicious high, longevity high, geohopping high

Public WiFi:
Anonymous medium, Malicious medium, longevity low, geohopping n/a

ISP CGNAT:
Anonymous medium, Malicious medium, longevity high, geohopping n/a

ISP individual user IP:
Anonymous low, Malicious low, longevity high, geohopping n/a

I am sure we can all argue cases for all of the above to be different low/medium/high but I am trying to set out typical values.

Many ISPs who are using CGNAT for IPv4 addresses would hopefully be running IPv4/IPv6 dual stack in which case there's the additional dimension that v6 connections could individual and personal whereas v4 could be CGNAT.

In case anyone at IB thinks this is not affecting their bottom line:

I used to be extremely active on this forum. Multiple posts per day, several hours per week (sometimes multiple hours per day). You can check my history from 3-4 years ago. With some changes in my life came the need to start using a VPN most of the time (particularly while traveling, which I hear most of us on this site do very regularly). The inability to access your website using a paid VPN means I just plain don't visit anymore. (Turning a VPN on and off randomly completely destroys the security that it provides, so that's not an option.)

This is the only website that blocks my VPN (Nord). There's not a single other website that gives me any issues at all, and I go to a lot of them. This needs to be fixed.

I agree. I used to get on this site daily. Now I only get on once a week. Having to turn off my vpn just so I can access this one site is annoying. When I do turn it off it is only for as long as it takes me to catch up on the strings I am following. I don't randomly surf the site anymore. A travel site that blocks the individual's effort to keep their computer secure doesn't make any sense.

I've always used VPNs to block the worst kind of advertising. Those that harvest and sell whatever kinds of personal information, browsing habits, etc that are to be found on your computer (or whatever device you use). I have been concerned about this for a long time and have found NordVPN with some of its optional features to be excellent in doing this. I also have always assumed that organizations that work diligently in preventing you from accessing their site(s) while using this kind of configuration are making money off such adverting.

I have asked our network team to explore options for unblocking ASNs. NordVPN, for instance, uses multiple colocation facilities such as DigitalOcean, Datacamp, etc. where we've seen attacks, crawls, etc.
originating from.

If they open up all of those ASNs (networks) for those cloud providers, FT won't stay up for long. Still, I've asked them to se if there's a way we can be a little more delicate and discerning in what gets blocked and what doesn't

My home IP-address (Orange Poland) gave problems using FT, since pictures were not visible. I used a VPN (Privado) for a few months and that workaround was OK, until today.
My regular VPN server (Amsterdam) was blocked, tried Vienna, Copenhagen and some other, all blocked. My home IP: blocked

I found 1 VPN server that works, otherwise I wouldn't have been able to access this thread.
It's crazy, pls do something about it.


https://cimg4.ibsrv.net/gimg/www.fly...dd968b17a2.jpg

Started using Norton VPN with AutoSelected Region and getting
https://cimg3.ibsrv.net/gimg/www.fly...db31a9f2e0.png

Suggestions, work arounds???

See what servers you are connected to. I use Linux. I would open a command window and run "nordvpn status" . This will show how you are connected. See my ouput below. You would want to report this to IB_Joel as indicated upstream.
https://cimg1.ibsrv.net/gimg/www.fly...e21f18a833.png

I normally don't have troubles connecting in via their US Chicago servers. You may want to try the following. In the command window do a "nordvpn disconnect" and then "nordvpn connect us chicago". See if that fixes it.

Windows user.
Yesterday I was unable to set the Norton VPN to USA servers, but today I can, And now the access to FT works OK. There have been some issues with hotel wifi. But also appears some Norton VPN sites are not whitelisted.

My apologies. You distinctly wrote "Norton VPN" and I keep reading it as NordVPN. I'm glad it worked out for you.

I do not pretend to be an expert in VPN tunnels and/or CloudFlare. But I know enough to understand that well over 90% of the commercial and financial sites that I visit and use on a daily basis use CloudFlare and I have absolutely no issues with my VPN (NordVPN). So I approach it from a classically end user perspective. Basically, if everyone else can get it to work, why can't Interstate Brands?.

I used to submit IP addresses I wanted FT to whitelist in this thread, but since no action was ever taken, I gave up unless they suddenly start blocking a server that they haven't blocked previously. Basically, I've pretty much come to accept the fact that being uber vigilant about DDOS attack defense is more important than catering to our individual needs.

I'll be honest, I didn't expect much to come from my post. But I was wrong. I'm now able to access FT over NordVPN. Well done, and thank you.

ExpressVPN still doesn't work.

Nor is PrivadoVPN (well, most of the servers not)

I'm in the middle of something right now but I will do NordVPN testing later and use several different countries.

For me, NordVPN works sometimes and sometimes not. I frequently have to shift location.

Feel free to PM me if you want good A severs. I will only mention Santa Clara here because it is no longer fast (i want to keep the best ones somewhat secret).

ETA: Santa Clara is fine for browsing FT.

I'm not sure how good Google's VPN is, but I'm testing the free VPN benefit that comes with owning a Pixel 7. The app is quite simple and doesn't have a lot of ways to configure the service. I toggle a few settings to conceal my precise IP address. FT seems to be working for now.

DP: Today I was finally able to access the forums with my VPN connected. I am using ExpressVPN. Hopefully this will continue to work. We'll see.

Which server?

USA - Miami - 2

IBJoel, it would be nice if a West Coast server isn't blocked.

I don't use Exp anymore, but California IP addresses are definitely desirable from many of us because CA's anti-spam laws are kind of effective (though, less and less so, sadly).

I have tested all of Exp's west coast servers and FT is blocking all of them.

Another NordVPN user here having significant issues accessing FT. I’m currently in the KSA, otherwise I wouldn’t be using this type of tool. I can generally access a few pages then get a block. Very frustrating indeed.

KSA = Kingdom of Saudi Arabia (presumably)
KSA ≠ Kosrae Airport, Federated States of Micronesia (this time) :D

LOL, yes, although I did just do the island hopper a couple of weeks ago!

I tried several different servers from Private Internet Access, and all of them are blocked.

Miami 2 is working for me, a solution finally. Thank you for posting!

I didn't see mention of BitDefender VPN here, but this is the one I am using and the servers I've tried are blocked. Are there suggestions for a server that can work, or is this something that can be enabled by IBJoel and team?

Cheers.

Using latest version of NordVPN with Threat Protection enabled. Some characters on FT, not on other websites, are garbled such as these two:

https://cimg0.ibsrv.net/gimg/www.fly...a9bef6e8d6.png
https://cimg1.ibsrv.net/gimg/www.fly...ff7c37376d.png

I'm unable to access the site with NordVPN online. It automatically blocks me, but works once the VPN is turned off.

Try to disconnect/reconnect. I get that every once in a while (usually connecting through a Chicago gateway server) and just refreshing my NordVPN connection seems to fix it. If that doesn't work try connecting to US Chicago. That's where I typically connect and I haven't had a hard lock out for a log time.

I have the exact same problem!

Also had tried to Disconnect/Connect to no avail!

Is this site so special it needs such a heavy-handed approach to blocking VPN users? Lol. I mean, of course the owners of the site are free to do as they choose. Just like I am free to reduce my use of the site. It's just curious to me that of ALL the sites I visit, this is the only site that blocks me.