Skip to content

[CF1] SWG w/o DNS filtering mode IPv6 limitation #23415

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 4 commits into from
Jul 10, 2025
Merged

[CF1] SWG w/o DNS filtering mode IPv6 limitation #23415

merged 4 commits into from
Jul 10, 2025

Conversation

@deadlypants1973
Copy link
Contributor

@deadlypants1973 deadlypants1973 commented Jul 2, 2025

Summary

PCX-18090

Screenshots (optional)

Documentation checklist

  • The documentation style guide has been adhered to.
  • If a larger change - such as adding a new page- an issue has been opened in relation to any incorrect or out of date information that this PR fixes.
  • Files which have changed name or location have been allocated redirects.

@deadlypants1973 deadlypants1973 requested review from a team and ranbel as code owners July 2, 2025 23:14
@github-actions github-actions bot added the size/s label Jul 2, 2025
@hyperlint-ai
Copy link
Contributor

hyperlint-ai bot commented Jul 2, 2025

Howdy and thanks for contributing to our repo. The Cloudflare team reviews new, external PRs within two (2) weeks. If it's been two weeks or longer without any movement, please tag the PR Assignees in a comment.

We review internal PRs within 1 week. If it's something urgent or has been sitting without a comment, start a thread in the Developer Docs space internally.

PR Change Summary

Updated documentation for the Secure Web Gateway without DNS filtering mode to clarify IPv6 limitations and enhance user understanding.

  • Clarified that the Secure Web Gateway without DNS filtering mode is also known as tunnel only mode.
  • Added information about the limitation regarding DNS servers with IPv6 addresses.
  • Included guidance on manually excluding IPv6 DNS servers from the WARP tunnel for proper functionality.

Modified Files

  • src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-modes/index.mdx
  • src/content/docs/cloudflare-one/connections/connect-devices/warp/troubleshooting/known-limitations.mdx
How can I customize these reviews?

Check out the Hyperlint AI Reviewer docs for more information on how to customize the review.

If you just want to ignore it on this PR, you can add the hyperlint-ignore label to the PR. Future changes won't trigger a Hyperlint review.

Note specifically for link checks, we only check the first 30 links in a file and we cache the results for several hours (for instance, if you just added a page, you might experience this). Our recommendation is to add hyperlint-ignore to the PR to ignore the link check for this PR.

@github-actions
Copy link
Contributor

github-actions bot commented Jul 2, 2025

This pull request requires reviews from CODEOWNERS as it changes files that match the following patterns:

Pattern Owners
/src/content/docs/cloudflare-one/connections/connect-devices/ @kkrum, @kokolocomotion1, @ranbel, @cloudflare/pcx-technical-writing

@github-actions
Copy link
Contributor

github-actions bot commented Jul 2, 2025
edited
Loading

Preview URL: https://7fbcf48b.preview.developers.cloudflare.com
Preview Branch URL: https://kate-fixes-tunnel-update.preview.developers.cloudflare.com

Files with changes (up to 15)

Original Link Updated Link
https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/troubleshooting/known-limitations/ https://kate-fixes-tunnel-update.preview.developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/troubleshooting/known-limitations/
https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-modes/ https://kate-fixes-tunnel-update.preview.developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-modes/

samin-cf
samin-cf reviewed Jul 3, 2025
View reviewed changes
...t/docs/cloudflare-one/connections/connect-devices/warp/troubleshooting/known-limitations.mdx Outdated
Comment on lines 162 to 168
In [Secure Web Gateway without DNS filtering](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-modes/#secure-web-gateway-without-dns-filtering) mode, after the WARP tunnel is established, WARP checks connectivity by resolving `connectivity.cloudflareclient.com` using the DNS server configured on the device.

Sometimes this check fails because the DNS server—often assigned by DHCP and accessible only on the local network—becomes unreachable when traffic is routed through the WARP tunnel.

For IPv4, failure is uncommon because DHCP-assigned DNS servers typically use private (RFC 1918) addresses, which WARP excludes from the tunnel by default.

However, in an IPv6 environment, there is no automatic exclusion. If your DNS server uses an IPv6 address, you must manually exclude it from WARP’s tunnel using [split tunnel](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/) settings for Secure Web Gateway without DNS filtering mode to work properly.
Copy link
Contributor

@samin-cf samin-cf Jul 3, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we can probably skip on some of the implementation details. How about something like:

In Secure Web Gateway without DNS filtering mode, devices using IPv6 DNS servers may experience connectivity issues if these servers are not manually excluded from the WARP tunnel. Unlike common IPv4 DHCP configurations where DNS servers often fall within automatically excluded private address ranges, IPv6 environments typically require manual exclusion of DNS server addresses via split tunnel settings for proper operation.

samin-cf
samin-cf reviewed Jul 4, 2025
View reviewed changes
Copy link
Contributor

@samin-cf samin-cf left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks great, thank you!

marciocloudflare
marciocloudflare approved these changes Jul 10, 2025
View reviewed changes
deadlypants1973 and others added 2 commits July 10, 2025 14:27
@deadlypants1973 @marciocloudflare
Apply suggestions from code review
3ae587e 
Co-authored-by: marciocloudflare <[email protected]>
@deadlypants1973 @marciocloudflare
Update src/content/docs/cloudflare-one/connections/connect-devices/wa…
7fbcf48 
…rp/troubleshooting/known-limitations.mdx

Co-authored-by: marciocloudflare <[email protected]>
@deadlypants1973 deadlypants1973 merged commit 90d56aa into production Jul 10, 2025
11 checks passed
@deadlypants1973 deadlypants1973 deleted the kate/fixes-tunnel-update branch July 10, 2025 13:44
sdnts pushed a commit to sdnts/cloudflare-docs that referenced this pull request Jul 24, 2025
@deadlypants1973 @marciocloudflare @sdnts
[CF1] SWG w/o DNS filtering mode IPv6 limitation (cloudflare#23415)
0a15e8a 
* [CF1] SWG w/o DNS filtering mode IPv6 limitation

* Update src/content/docs/cloudflare-one/connections/connect-devices/warp/troubleshooting/known-limitations.mdx

* Apply suggestions from code review

Co-authored-by: marciocloudflare <[email protected]>

* Update src/content/docs/cloudflare-one/connections/connect-devices/warp/troubleshooting/known-limitations.mdx

Co-authored-by: marciocloudflare <[email protected]>

---------

Co-authored-by: marciocloudflare <[email protected]>
thomasgauvin pushed a commit that referenced this pull request Aug 15, 2025
@deadlypants1973 @marciocloudflare @thomasgauvin
[CF1] SWG w/o DNS filtering mode IPv6 limitation (#23415)
74427e3 
* [CF1] SWG w/o DNS filtering mode IPv6 limitation

* Update src/content/docs/cloudflare-one/connections/connect-devices/warp/troubleshooting/known-limitations.mdx

* Apply suggestions from code review

Co-authored-by: marciocloudflare <[email protected]>

* Update src/content/docs/cloudflare-one/connections/connect-devices/warp/troubleshooting/known-limitations.mdx

Co-authored-by: marciocloudflare <[email protected]>

---------

Co-authored-by: marciocloudflare <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@marciocloudflare marciocloudflare marciocloudflare approved these changes

@ranbel ranbel Awaiting requested review from ranbel ranbel is a code owner

+1 more reviewer

@samin-cf samin-cf samin-cf left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

@ranbel ranbel

Labels

product:cloudflare-one size/s

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@deadlypants1973 @marciocloudflare @samin-cf @ranbel