[ZT] clarify split tunnel requirements for WARP-to-WARP and Host selectors (#26257)

* clarify split tunnel requirements

* remove IP

* revert LB changes

Author: ranbel

src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/warp-to-warp.mdx

@@ -8,7 +8,7 @@ head:
     content: Create private networks with WARP-to-WARP
 ---
 
-import { Render, GlossaryTooltip } from "~/components";
+import { Render, GlossaryTooltip, Tabs, TabItem } from "~/components";
 
 With Cloudflare Zero Trust, you can create a private network between any two or more devices running Cloudflare WARP. This means that you can have a private network between your phone and laptop without ever needing to be connected to the same physical network. If you already have an existing Zero Trust deployment, you can also enable this feature to add device-to-device connectivity to your private network with the press of a button. This will allow you to connect to any service that relies on TCP, UDP, or ICMP-based protocols through Cloudflare's network.
 
@@ -34,16 +34,26 @@ This guide covers how to:
 3. Enable **Allow WARP to WARP connection**. This allows Cloudflare to route traffic to the <GlossaryTooltip term="CGNAT IP">CGNAT IP</GlossaryTooltip> space.
 4. In your [Split Tunnel configuration](/cloudflare-one/team-and-resources/devices/warp/configure-warp/route-traffic/split-tunnels/), ensure that traffic to `100.96.0.0/12` is going through WARP:
 
-- If using **Exclude** mode, delete `100.64.0.0/10` from the list and add the following IP addresses:
-  
-  - `100.64.0.0/12`
-  - `100.81.0.0/16`
-  - `100.82.0.0/15`
-  - `100.84.0.0/14`
-  - `100.88.0.0/13`
-  - `100.112.0.0/12`
+    <Tabs> <TabItem label="Exclude IPs and domains">
+		If using Split Tunnels in **Exclude** mode:
+			1. Delete `100.64.0.0/10` from the list.
+			2. We recommend [adding back the IPs](/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/connect-cidr/#3-route-private-network-ips-through-warp) that are not being used for Zero Trust services. For example, if you are using WARP-to-WARP alongside [Gateway host selectors](/cloudflare-one/traffic-policies/egress-policies/host-selectors/) or [private hostname routing](/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/connect-private-hostname/), add routes to exclude the following IP addresses:
+
+				- `100.64.0.0/12`
+				- `100.81.0.0/16`
+				- `100.82.0.0/15`
+				- `100.84.0.0/14`
+				- `100.88.0.0/13`
+				- `100.112.0.0/12`
+
+    </TabItem> <TabItem label="Include IPs and domains">
+		If using Split Tunnels in **Include** mode:
+
+		1. Add the required [Zero Trust domains](/cloudflare-one/team-and-resources/devices/warp/configure-warp/route-traffic/split-tunnels/#cloudflare-zero-trust-domains) or [IP addresses](/cloudflare-one/team-and-resources/devices/warp/configure-warp/route-traffic/split-tunnels/#cloudflare-zero-trust-ip-addresses) to your Split Tunnel include list.
+		2. [Add a route](/cloudflare-one/team-and-resources/devices/warp/configure-warp/route-traffic/split-tunnels/#add-a-route) to include `100.96.0.0/12`.
+
+    </TabItem> </Tabs>
 
-- If using **Include** mode, add `100.96.0.0/12` and `100.80.0.0/16` to your list.
 
 This will instruct WARP to begin proxying any traffic destined for a `100.96.0.0/12` IP address to Cloudflare for routing and policy enforcement.
 

src/content/docs/cloudflare-one/traffic-policies/egress-policies/host-selectors.mdx

@@ -5,7 +5,7 @@ sidebar:
   order: 2
 ---
 
-import { Tabs, TabItem, Details, APIRequest } from "~/components";
+import { Tabs, TabItem, Details, APIRequest} from "~/components";
 
 <Details header="Feature availability">
 
@@ -92,23 +92,21 @@ To configure your Zero Trust organization to use Host selectors with Egress poli
 
 {/* prettier-ignore-start */}
 
-2.  In your WARP [device profile](/cloudflare-one/team-and-resources/devices/warp/configure-warp/device-profiles/), configure your [Split Tunnel](/cloudflare-one/team-and-resources/devices/warp/configure-warp/route-traffic/split-tunnels/) depending on the mode:
+2.  In your WARP [device profile](/cloudflare-one/team-and-resources/devices/warp/configure-warp/device-profiles/), configure [Split Tunnels](/cloudflare-one/team-and-resources/devices/warp/configure-warp/route-traffic/split-tunnels/) depending on the mode:
 
     <Tabs> <TabItem label="Exclude IPs and domains">
-		1.  [Remove the route](/cloudflare-one/team-and-resources/devices/warp/configure-warp/route-traffic/split-tunnels/#remove-a-route) to the IP address `100.64.0.0/10` from your Split Tunnel exclude list.
-		2.  [Add routes](/cloudflare-one/team-and-resources/devices/warp/configure-warp/route-traffic/split-tunnels/#add-a-route) to exclude the following IP addresses:
+		1. [Remove the route](/cloudflare-one/team-and-resources/devices/warp/configure-warp/route-traffic/split-tunnels/#remove-a-route) to the IP address `100.64.0.0/10` from your Split Tunnel exclude list.
+		2. We recommend [adding back the IPs](/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/connect-cidr/#3-route-private-network-ips-through-warp) that are not being used for Zero Trust services. For example, if you are using Gateway host selectors alongside [WARP-to-WARP connectivity](/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/warp-to-warp/) add routes to exclude the following IP addresses:
 			- `100.64.0.0/12`
 			- `100.81.0.0/16`
 			- `100.82.0.0/15`
 			- `100.84.0.0/14`
 			- `100.88.0.0/13`
 			- `100.112.0.0/12`
-			
-			And remove `100.64.0.0/10` IP address.
 
     </TabItem> <TabItem label="Include IPs and domains">
-		1.  Add the required [Zero Trust domains](/cloudflare-one/team-and-resources/devices/warp/configure-warp/route-traffic/split-tunnels/#cloudflare-zero-trust-domains) or [IP addresses](/cloudflare-one/team-and-resources/devices/warp/configure-warp/route-traffic/split-tunnels/#cloudflare-zero-trust-ip-addresses) to your Split Tunnel include list.
-		2.  [Add a route](/cloudflare-one/team-and-resources/devices/warp/configure-warp/route-traffic/split-tunnels/#add-a-route) to include `100.80.0.0/16` and `100.96.0.0/12` IP addresses.
+		1. Add the required [Zero Trust domains](/cloudflare-one/team-and-resources/devices/warp/configure-warp/route-traffic/split-tunnels/#cloudflare-zero-trust-domains) or [IP addresses](/cloudflare-one/team-and-resources/devices/warp/configure-warp/route-traffic/split-tunnels/#cloudflare-zero-trust-ip-addresses) to your Split Tunnel include list.
+		2. [Add a route](/cloudflare-one/team-and-resources/devices/warp/configure-warp/route-traffic/split-tunnels/#add-a-route) to include `100.80.0.0/16`.
 
     </TabItem> </Tabs>
 

src/content/docs/load-balancing/private-network/warp-to-tunnel.mdx

@@ -133,6 +133,7 @@ In order for WARP clients to connect to your load balancer, the load balancer's
    - **Exclude mode**: Delete the IP range that contains your load balancer IP. For example, if your load balancer has a Cloudflare-assigned CGNAT IP, delete `100.64.0.0/10`. We recommend [adding back the IPs](/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/connect-cidr/#3-route-private-network-ips-through-warp) that are not being used by your load balancer.
      :::note
      Some IPs in the `100.64.0.0/10` range may be reserved for other Zero Trust services such as Gateway <GlossaryTooltip term = "initial resolved IP">initial resolved IPs</GlossaryTooltip> or <GlossaryTooltip term = "CGNAT IP">WARP CGNAT IPs</GlossaryTooltip>. These IPs should remain deleted from the Exclude list.
+		 :::
    - **Include mode**: Add your load balancer IP.
 
 WARP traffic can now reach your private load balancer. For example, if your load balancer points to a web application, you can test by running `curl <load-balancer-IP>` from the WARP device. This traffic will be distributed over Cloudflare Tunnel to your private endpoints according to your configured steering method.