[Gateway] Surface third-party/iCloud limitation (#17711)

Author: maxvp

src/content/docs/cloudflare-one/connections/connect-devices/agentless/dns/locations/index.mdx

@@ -11,13 +11,10 @@ import { GlossaryDefinition, Render } from "~/components";
 <Render file="gateway/add-locations" />
 
 10. Change the DNS resolvers on your router, browser, or OS by following the setup instructions in the UI.
-
 11. Select **Go to DNS Location**. Your location will appear in your list of locations.
 
 You can now apply [DNS policies](/cloudflare-one/policies/gateway/dns-policies/) to your location using the [Location selector](/cloudflare-one/policies/gateway/dns-policies/#location).
 
-<Render file="gateway/add-locations-static-ip-warning" />
-
 ## DNS endpoints
 
 ### IPv4 and IPv6 DNS
@@ -49,3 +46,13 @@ For more information, refer to [DNS over TLS](/cloudflare-one/connections/connec
 <GlossaryDefinition term="DNS over HTTPS" />
 
 Gateway requires a DoH endpoint for default DNS locations. For more information, refer to [DNS over HTTPS](/cloudflare-one/connections/connect-devices/agentless/dns/dns-over-https/).
+
+## Limitations
+
+### Captive portals
+
+<Render file="gateway/add-locations-static-ip-warning" />
+
+### Third-party filtering
+
+<Render file="gateway/third-party-warning" />

src/content/docs/cloudflare-one/policies/gateway/block-page.mdx

@@ -13,6 +13,12 @@ Configuring a custom block page in Zero Trust helps avoid this confusion. Your b
 
 Gateway supports custom block pages for DNS and HTTP policies.
 
+:::caution[Third-party filtering conflict]
+
+<Render file="gateway/third-party-warning" />
+
+:::
+
 ## Prerequisites
 
 In order to display the block page as the URL of the blocked domain, your devices must have the [Cloudflare certificate](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/manual-deployment/) installed. Enterprise users can also [deploy their own root CA certificate](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/custom-certificate/).

src/content/docs/cloudflare-one/policies/gateway/dns-policies/index.mdx

@@ -426,7 +426,7 @@ Use this selector to filter based on the country where the query arrived to Gate
 
 ### Third-party filtering conflict
 
-Gateway will not properly filter traffic sent through third-party VPNs or other Internet filtering software, such as [iCloud Private Relay](https://support.apple.com/102602). To ensure your DNS policies apply to your traffic, we recommend restricting software that may interfere with Gateway.
+<Render file="gateway/third-party-warning" />
 
 ### Magic WAN forwarding
 

src/content/docs/learning-paths/cybersafe/gateway-onboarding/gateway-locations.mdx

@@ -3,11 +3,16 @@ title: Gateway locations
 pcx_content_type: learning-unit
 sidebar:
   order: 2
-
 ---
 
-import { Render } from "~/components"
+import { Render } from "~/components";
 
 <Render file="gateway/add-locations" product="cloudflare-one" />
 
-<Render file="gateway/add-locations-static-ip-warning" product="cloudflare-one" />
+:::caution[Captive portal limitation]
+
+<Render
+	file="gateway/add-locations-static-ip-warning"
+	product="cloudflare-one"
+/>
+:::

src/content/partials/cloudflare-one/gateway/add-locations-static-ip-warning.mdx

@@ -1,18 +1,11 @@
 ---
 {}
-
 ---
 
-:::caution[Captive portal limitation]
-
-
 Deploying Gateway DNS filtering using static IP addresses may prevent users from connecting to public Wi-Fi networks through captive portals. If users are experiencing connectivity issues related to captive portals, they should:
 
 1. Remove the static IP addresses from the device.
 2. Connect to the Wi-Fi network.
 3. Once the connection has been established, add the static IP addresses back.
 
 To avoid this issue, use the [WARP client](/cloudflare-one/connections/connect-devices/warp/) to connect your devices to Cloudflare Zero Trust.
-
-
-:::

src/content/partials/cloudflare-one/gateway/add-locations.mdx

@@ -1,9 +1,8 @@
 ---
 {}
-
 ---
 
-import { GlossaryDefinition, GlossaryTooltip } from "~/components"
+import { GlossaryDefinition, GlossaryTooltip } from "~/components";
 
 <GlossaryDefinition term="DNS location" />
 
@@ -12,26 +11,15 @@ The fastest way to start filtering DNS queries from a location is by changing th
 To add a DNS location to Gateway:
 
 1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Gateway** > **DNS Locations**.
-
 2. Select **Add a location**.
-
 3. Choose a name for your DNS location.
-
 4. Choose at least one [DNS endpoint](/cloudflare-one/connections/connect-devices/agentless/dns/locations/#dns-endpoints) to resolve your organization's DNS queries.
-
 5. (Optional) Toggle the following settings:
-
-   * **Enable EDNS client subnet** sends a user's IP geolocation to authoritative DNS nameservers. <GlossaryTooltip term="EDNS Client Subnet (ECS)" link="/cloudflare-one/glossary/?term=ecs">EDNS Client Subnet (ECS)</GlossaryTooltip> helps reduce latency by routing the user to the closest origin server. Cloudflare enables EDNS in a privacy preserving way by not sending the user's exact IP address but rather a `/24` range which contains their IP address.
-
-   * **Set as Default DNS Location** sets this location as the default DoH endpoint for DNS queries.
-
+   - **Enable EDNS client subnet** sends a user's IP geolocation to authoritative DNS nameservers. <GlossaryTooltip term="EDNS Client Subnet (ECS)" link="/cloudflare-one/glossary/?term=ecs">EDNS Client Subnet (ECS)</GlossaryTooltip> helps reduce latency by routing the user to the closest origin server. Cloudflare enables EDNS in a privacy preserving way by not sending the user's exact IP address but rather a `/24` range which contains their IP address.
+   - **Set as Default DNS Location** sets this location as the default DoH endpoint for DNS queries.
 6. Select **Continue**.
-
 7. (Optional) Turn on source IP filtering for your configured endpoints, then add any source IPv4/IPv6 addresses to validate.
-
-   * Endpoint authentication is required for standard IPv4 addresses and optional for dedicated IPv4 addresses.
-   * **DoH endpoint filtering & authentication** lets you restrict DNS resolution to only valid identities or user tokens in addition to IPv4/IPv6 addresses.
-
+   - Endpoint authentication is required for standard IPv4 addresses and optional for dedicated IPv4 addresses.
+   - **DoH endpoint filtering & authentication** lets you restrict DNS resolution to only valid identities or user tokens in addition to IPv4/IPv6 addresses.
 8. Select **Continue**.
-
 9. Review the settings for your DNS location, then choose **Done**.

src/content/partials/cloudflare-one/gateway/third-party-warning.mdx

@@ -0,0 +1,7 @@
+---
+{}
+---
+
+Gateway will not properly filter traffic sent through third-party VPNs or other Internet filtering software, such as [iCloud Private Relay](https://support.apple.com/102602). To ensure your DNS policies apply to your traffic, Cloudflare recommends turning off software that may interfere with Gateway.
+
+To turn off iCloud Private Relay, refer to the Apple user guides for [macOS](https://support.apple.com/guide/mac-help/use-icloud-private-relay-mchlecadabe0/) or [iOS](https://support.apple.com/guide/iphone/protect-web-browsing-icloud-private-relay-iph499d287c2/).