Commit 49bb213

Added information for Warp to Warp with MWAN
We have it documented that MWAN and Warp connectors are unsupported, but there are also specific considerations needed for using Warp to Warp when MWAN is in use. Added a note to expand on this.
1 parent 68e0ff0 commit 49bb213

1 file changed

+8
-1
lines changed
src/content/docs/magic-wan/zero-trust/warp.mdx

Lines changed: 8 additions & 1 deletion
@@ -5,6 +5,13 @@ head:
55
- tag: title
66
content: Use WARP as an on-ramp
77
---
8+
:::note
9+
By default direct Warp to Warp connections are not supported for machines behind MWAN with Warp connected due to double encapsulation and asymmetric routing.
10+
11+
It's recommended to not connect Warp when a device is in a location behind MWAN, and instead connect to their LAN IP from remote devices connected to Warp instead of using Warp to Warp, as the MWAN onramp will route to remote locations private network, but if you do wish to use Warp inside a MWAN connected location, and directly connect to the devices Warp IP (in the 100.96.0.0/12 range) using Warp to Warp from either remote devices or devices in another location you will need to exclude the 100.96.0.0/12 subnet from you on premises Warp profile and include it in your off premises profile.
12+
13+
This will allow remote devices to route the 100.96.0.0/12 subnet over Warp > Cloudflare Edge > MWAN > Warp connected device on premises, then the return traffic will follow the same flow but in reverse. If 100.96.0.0/12 is included in the Warp tunnel on both ends the traffic flow will be remote Warp > Cloudflare Edge > MWAN > Warp device on premises, but the return traffic will be on premises device Warp tunnel > Cloudflare Edge > Remote device Warp tunnel, which in turn is asymmetric from the remote > on premises flow and will cause the connection to fail.
14+
:::
815

916
import { GlossaryTooltip, Render } from "~/components";
1017

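Review bot: The operative instruction at added line 11 is buried in a single run-on sentence and never names the setting being changed: "exclude the 100.96.0.0/12 subnet from you on premises Warp profile and include it in your off premises profile" does not say which profile setting is meant (presumably the split tunnel configuration), and "you" should be "your". Suggest splitting it into a one-sentence recommendation (reach the device on its LAN IP through the MWAN on-ramp) followed by two explicit steps, one for the on-premises profile and one for the off-premises profile. Naming should also match the rest of the file: the title uses "WARP" and "on-ramp" while the note uses "Warp" and "onramp", and "MWAN" is never expanded. Last, the note sits between the closing `---` of the frontmatter and the `import` line; consider moving it below the import so the import stays first in the body.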
@@ -83,4 +90,4 @@ nslookup <SERVER_BEHIND_MAGIC_WAN>
8390

8491
This DNS lookup should return a valid IP address associated with the server or service you are testing for.
8592

86-
Next, test with a browser that you can connect to a service on the WAN by opening a webpage that is only accessible on the WAN. The server can be the same server used in the DNS lookup or another server in the WAN. Connecting using an IP address instead of a domain name should work.
93+
Next, test with a browser that you can connect to a service on the WAN by opening a webpage that is only accessible on the WAN. The server can be the same server used in the DNS lookup or another server in the WAN. Connecting using an IP address instead of a domain name should work.
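Review bot: The removed line 86 and the added line 93 read identically, so this hunk appears to be a whitespace or end-of-file newline change only. That is unrelated to what the commit message describes; confirm it is intentional (for example an editor adding a trailing newline) or drop it so the diff is limited to the new note.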
