Added information for Warp to Warp with MWAN (#22883)

dledfordcf · marciocloudflare · web-flow · commit d196a41da880 · 2025-06-16T16:38:29.000Z
* Added information for Warp to Warp with MWAN

We have it documented that MWAN and Warp connectors are unsupported, but theres also specific considerations needed for using Warp to Warp when MWAN is in use. Added a note to expand on this.

* Update warp.mdx

Cleaned up note and removed the more technical reasons on how the change works and why its needed.

* Update src/content/docs/magic-wan/zero-trust/warp.mdx

---------

Co-authored-by: marciocloudflare &lt;83226960+marciocloudflare@users.noreply.github.com&gt;
diff --git a/src/content/docs/magic-wan/zero-trust/warp.mdx b/src/content/docs/magic-wan/zero-trust/warp.mdx
@@ -5,6 +5,13 @@ head:
   - tag: title
     content: Use WARP as an on-ramp
 ---
+:::note
+By default, direct WARP-to-WARP connections are not supported for devices located behind Magic WAN with WARP enabled. This is due to issues caused by double encapsulation and asymmetric routing.
+
+When a device is behind Magic WAN, it is recommended to avoid enabling WARP. Instead, access the device using its local LAN IP from remote systems, rather than relying on WARP-to-WARP communication.
+
+If you do want to use WARP on a device behind Magic WAN and connect to its WARP IP (within the `100.96.0.0/12` range), you will need to adjust your WARP profiles. Specifically, exclude the `100.96.0.0/12` subnet from the on-premises WARP profile, and include it in the off-premises profile.
+:::
 
 import { GlossaryTooltip, Render } from "~/components";
 
@@ -83,4 +90,4 @@ nslookup <SERVER_BEHIND_MAGIC_WAN>
 
 This DNS lookup should return a valid IP address associated with the server or service you are testing for.
 
-Next, test with a browser that you can connect to a service on the WAN by opening a webpage that is only accessible on the WAN. The server can be the same server used in the DNS lookup or another server in the WAN. Connecting using an IP address instead of a domain name should work.
+Next, test with a browser that you can connect to a service on the WAN by opening a webpage that is only accessible on the WAN. The server can be the same server used in the DNS lookup or another server in the WAN. Connecting using an IP address instead of a domain name should work.
