• Resolved symington

    (@symington)


    Dear Support Team

    I hope this message finds you well.

    I am writing to bring to your attention an issue we have encountered with the current version of the WooCommerce Payfast Gateway plugin regarding the whitelisting of IP addresses for PayFast payment notifications.

    Issue Description:

    We have noticed that some payment Instant Transaction Notifications (ITNs) were not received by our website, resulting in order statuses remaining “Pending payment.” Upon reviewing the log files, I found the following error message:

    "Error occurred: Bad source IP address"

    Background:

    According to a recent notice on PayFast’s website, they have extended their IP range. However, the current version of the plugin does not cover the specified IPs. This discrepancy is causing ITNs from these new IP addresses to be rejected, thereby affecting the order status updates on our site.

    Required IP Ranges to be Added:

    • 197.97.145.144/28 (197.97.145.144 – 197.97.145.159)
    • 41.74.179.192/27 (41.74.179.192 – 41.74.179.223)
    • 102.216.36.0/28 (102.216.36.0 – 102.216.36.15)
    • 102.216.36.128/28 (102.216.36.128 – 102.216.36.143)
    • 144.126.193.139 (Single IP)

    Current Whitelisted IPs:

    The current plugin version whitelists the following IPs:


    Missing IPs:

    To ensure seamless operation, the following IPs need to be added to the whitelist in the plugin:


    Request:

    Could you please update the plugin to include the additional IP ranges listed above? This update is crucial to ensure all payment notifications are received and processed correctly.

    Thank you for your prompt attention to this matter. If you require any further information, please do not hesitate to contact me.

    Kind regards

Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Support Rajesh K. (woo-hc)

    (@rajeshml)

    Hello @symington,

    Thank you for reaching out and sharing the details of the issue.

    I believe what is happening here is that WooCommerce checks if the Payfast payment notification came from one of the trusted IP addresses, but your host may change that IP address for redirect purposes.

    Please add the following line of code to your child theme’s functions.php file or via a plugin that allows custom functions to be added, such as the Code Snippets plugin. Please don’t add custom code directly to your parent theme’s functions.php file as this will be wiped entirely when you update:

    add_filter( 'woocommerce_gateway_payfast_is_valid_ip', '__return_true' );

    Please let us know if that resolves the issue.

    Cheers!

    I can confirm the same behaviour, which in my case is intermittent. Some ITN request IP addresses are validated correctly, others are failing. The plugin logic performs its own DNS resolution of the list of PayFast hosts using gethostbynamel, so the plugin itself is not responsible for maintaining an accurate list of IP addresses. That responsibility lies with DNS resolution by the server/ISP hosting the website.

    Also, I don’t understand what you meant about the redirect, @rajeshml. Could you explain more?

    Some further information here, it seems like outdated DNS caching on my/our servers or ISP could be to blame.

    This check doesn’t seem that necessary from a security perspective, and does result in longer processing of the ITN request. The request signature is already verified to protect against spoof requests, so verifying the origin by DNS seems redundant. I guess it can be removed from the plugin code entirely?

    The solution @rajeshml gives bypasses this check fully anyway and seems to work fine?
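
A narrower alternative to returning true unconditionally, as an added example that is not part of the thread or the plugin's own code: the filter accepts a source address only when it falls inside the CIDR ranges quoted in the first post. The `example_*` names and the constant are hypothetical, the second filter argument (the source IP) is an assumption about how the plugin invokes the filter, and 64-bit PHP is assumed.

```php
<?php
// Ranges copied from the first post; confirm them against PayFast's current notice.
const EXAMPLE_PAYFAST_RANGES = array(
    '197.97.145.144/28',
    '41.74.179.192/27',
    '102.216.36.0/28',
    '102.216.36.128/28',
    '144.126.193.139/32',
);

/** Return true when $ip is an IPv4 address inside $cidr, e.g. "102.216.36.0/28". */
function example_ipv4_in_cidr( $ip, $cidr ) {
    list( $network, $bits ) = array_pad( explode( '/', $cidr, 2 ), 2, '32' );
    $ip_long  = ip2long( $ip );
    $net_long = ip2long( $network );
    if ( false === $ip_long || false === $net_long || ! ctype_digit( $bits ) || (int) $bits > 32 ) {
        return false; // Malformed or non-IPv4 input never matches.
    }
    // Build the netmask, e.g. /28 gives 0xFFFFFFF0, and compare the network parts.
    $mask = ( ~0 << ( 32 - (int) $bits ) ) & 0xFFFFFFFF;
    return ( $ip_long & $mask ) === ( $net_long & $mask );
}

/**
 * Filter callback. Assumption: the plugin passes its own verdict first and the
 * source IP second; when no IP is passed, fall back to REMOTE_ADDR.
 */
function example_payfast_is_valid_ip( $is_valid, $source_ip = null ) {
    if ( $is_valid ) {
        return true; // The plugin's own DNS-based check already accepted it.
    }
    if ( null === $source_ip && isset( $_SERVER['REMOTE_ADDR'] ) ) {
        // Behind a reverse proxy this is the proxy's address, not the sender's.
        $source_ip = $_SERVER['REMOTE_ADDR'];
    }
    foreach ( EXAMPLE_PAYFAST_RANGES as $cidr ) {
        if ( is_string( $source_ip ) && example_ipv4_in_cidr( $source_ip, $cidr ) ) {
            return true; // Inside a listed range, range boundaries included.
        }
    }
    return false; // Anything else is still rejected as a bad source IP.
}

// Register only when WordPress is loaded, so the file also parses stand-alone.
if ( function_exists( 'add_filter' ) ) {
    add_filter( 'woocommerce_gateway_payfast_is_valid_ip', 'example_payfast_is_valid_ip', 10, 2 );
}
```

Matching on ranges rather than on individually resolved addresses means every address in a listed block is accepted, while notifications from outside those blocks keep failing the check.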
