[ZT] CGNAT IPS in local firewall (#24876)

* tip to check local firewall

* remove partial

Author: ranbel

src/content/docs/cloudflare-one/connections/connect-networks/private-net/warp-connector/user-to-site.mdx

@@ -25,7 +25,8 @@ This guide covers how to connect WARP client user devices to a private network b
 ## Prerequisites
 
 - A Linux host [^1] on the subnet.
-- Verify that your firewall allows inbound/outbound traffic over the [WARP IP addresses, ports, and domains](/cloudflare-one/connections/connect-devices/warp/deployment/firewall/).
+- For WARP Connector to connect to Cloudflare services, your firewall should allow inbound/outbound traffic for the [WARP IP addresses, ports, and domains](/cloudflare-one/connections/connect-devices/warp/deployment/firewall/).
+- For WARP clients to connect to your subnet, your firewall should allow inbound traffic from the <GlossaryTooltip term="CGNAT IP">WARP CGNAT IP range</GlossaryTooltip>: `100.96.0.0/12`
 
 ## 1. Install a WARP Connector
 
@@ -125,3 +126,5 @@ You can now send a request from a WARP client user device to a device behind WAR
     	file="tunnel/warp-connector-linux-packages"
     	product="cloudflare-one"
     />
+
+

src/content/docs/cloudflare-one/connections/connect-networks/private-net/warp-to-warp.mdx

@@ -8,7 +8,7 @@ head:
     content: Create private networks with WARP-to-WARP
 ---
 
-import { GlossaryTooltip } from "~/components";
+import { Render, GlossaryTooltip } from "~/components";
 
 With Cloudflare Zero Trust, you can create a private network between any two or more devices running Cloudflare WARP. This means that you can have a private network between your phone and laptop without ever needing to be connected to the same physical network. If you already have an existing Zero Trust deployment, you can also enable this feature to add device-to-device connectivity to your private network with the press of a button. This will allow you to connect to any service that relies on TCP, UDP, or ICMP-based protocols through Cloudflare's network.
 
@@ -42,3 +42,9 @@ This will instruct WARP to begin proxying any traffic destined for a `100.96.0.0
 ## Connect via WARP
 
 Once enrolled, your users and services will be able to connect to the virtual IPs configured for TCP, UDP, or ICMP-based traffic. You can optionally create [Gateway network policies](/cloudflare-one/policies/gateway/network-policies/) to define the users and devices that can access the `100.96.0.0/12` IP space.
+
+## Troubleshooting
+
+### Check your firewall
+
+Verify that your local firewall allows traffic from the <GlossaryTooltip term="CGNAT IP">WARP CGNAT IPs</GlossaryTooltip>. For example, Windows Firewall blocks inbound traffic from `100.96.0.0/12` by default. On Windows devices, you will need to add a firewall rule that allows incoming requests from `100.96.0.0/12` for the desired protocols and/or ports.