Adding callout for CGNAT ranges

Author: kennyj42

src/content/docs/cloudflare-one/access-controls/applications/non-http/self-hosted-private-app.mdx

@@ -35,6 +35,12 @@ This feature replaces the legacy [private network app type](/cloudflare-one/acce
     Private hostnames on port `443` over HTTPS must have a valid Server Name Indicator (SNI). All other ports do not require a valid SNI value. If you are configuring a private IP on any port other than `443` and plan to use Browser Isolation, note that this [will result in a Gateway block page](/cloudflare-one/remote-browser-isolation/known-limitations/#browser-isolation-is-not-compatible-with-private-ips-on-non-443-ports).
     :::
 
+If using a non-443 private hostname, ensure that the following CGNAT IP addresses are not blocked by any firewalls or excluded from Gateway traffic:
+IPv4: 100.80.0.0/16
+IPv6: 2606:4700:0cf1:4000::/64
+
+[More connectivity information](cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/connect-private-hostname/#prerequisites)
+
 7.  <Render file="access/add-access-policies" product="cloudflare-one" />
 
 8.  Configure how users will authenticate: