From 6282181ce5495be8debe94e623bb52547c2b317f Mon Sep 17 00:00:00 2001 From: Kate Tungusova Date: Wed, 2 Jul 2025 16:14:14 -0700 Subject: [PATCH 1/4] [CF1] SWG w/o DNS filtering mode IPv6 limitation --- .../warp/configure-warp/warp-modes/index.mdx | 3 ++- .../warp/troubleshooting/known-limitations.mdx | 14 ++++++++++++-- 2 files changed, 14 insertions(+), 3 deletions(-) diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-modes/index.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-modes/index.mdx index 0154482d0864044..3821fce48e05a00 100644 --- a/src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-modes/index.mdx +++ b/src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-modes/index.mdx @@ -25,7 +25,7 @@ This mode is best suited for organizations that only want to apply DNS filtering ## Secure Web Gateway without DNS filtering -This mode is best suited for organizations that want to proxy network and HTTP traffic but keep their existing DNS filtering software. DNS traffic is handled by the default mechanism on your device. +This mode (sometimes referred to as tunnel only mode) is best suited for organizations that want to proxy network and HTTP traffic but keep their existing DNS filtering software. DNS traffic is handled by the default mechanism on your device. | DNS filtering | Network filtering | HTTP filtering | Features enabled | | ------------- | ----------------- | -------------- | ----------------------------------------------------------------------------------------------------------------------------------------- | 
@@ -35,6 +35,7 @@ This mode is best suited for organizations that want to proxy network and HTTP t - This mode disables all features that rely on WARP for DNS resolution, including [domain-based split tunneling](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/#domain-based-split-tunnels) and [Local Domain Fallback](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/local-domains/). - Only available on Windows, Linux, and macOS. +- This mode has a known limitation concerning [DNS servers with IPv6 addresses](/cloudflare-one/connections/connect-devices/warp/troubleshooting/known-limitations/#ipv6-dns-resolution-in-secure-web-gateway-without-dns-filtering-mode). ::: diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/warp/troubleshooting/known-limitations.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/warp/troubleshooting/known-limitations.mdx index 87d288503f85f0f..110006683157115 100644 --- a/src/content/docs/cloudflare-one/connections/connect-devices/warp/troubleshooting/known-limitations.mdx +++ b/src/content/docs/cloudflare-one/connections/connect-devices/warp/troubleshooting/known-limitations.mdx @@ -100,7 +100,7 @@ or create a Docker network with a working MTU value: docker network create -o "com.docker.network.driver.mtu=1420" my-docker-network ``` -The MTU value should be set to the MTU of your host's default interface minus 80 bytes for the WARP protocol overhead. Most MTUs are 1500, so 1420 should work for most users. +The MTU value should be set to the MTU of your host's default interface minus 80 bytes for the WARP protocol overhead. Most MTUs are 1500, so 1420 should work for most users. ## Access WARP DNS from Docker 
@@ -121,7 +121,7 @@ Address: 8.8.8.8:53 ** server can't find connectivity-check.warp-svc.: NXDOMAIN ** server can't find connectivity-check.warp-svc.: NXDOMAIN - + # Create a bridge network called demo ❯ docker network create demo e1e1943a6995a7e8c115a1c60357fe64f87a3ae90074ce6e4c3f0d2bba3fa892 @@ -157,6 +157,16 @@ Address: 127.0.2.3 Use of the WARP client in a Microsoft 365 Windows 10 Cloud PC is not supported. To work around this limitation, use Windows 11. +## IPv6 DNS Resolution in Secure Web Gateway without DNS filtering mode + +In [Secure Web Gateway without DNS filtering](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-modes/#secure-web-gateway-without-dns-filtering) mode, after the WARP tunnel is established, WARP checks connectivity by resolving `connectivity.cloudflareclient.com` using the DNS server configured on the device. + +Sometimes this check fails because the DNS server—often assigned by DHCP and accessible only on the local network—becomes unreachable when traffic is routed through the WARP tunnel. + +For IPv4, failure is uncommon because DHCP-assigned DNS servers typically use private (RFC 1918) addresses, which WARP excludes from the tunnel by default. + +However, in an IPv6 environment, there is no automatic exclusion. If your DNS server uses an IPv6 address, you must manually exclude it from WARP’s tunnel using [split tunnel](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/) settings for Secure Web Gateway without DNS filtering mode to work properly. + ## Troubleshooting - [Troubleshooting](/cloudflare-one/faq/troubleshooting/) - Review Troubleshooting for other WARP-related troubleshooting errors and solutions. From f9f92643ad06519905e2dafb3e872da83f7c2847 Mon Sep 17 00:00:00 2001 
From: Kate Tungusova <70746074+deadlypants1973@users.noreply.github.com> Date: Thu, 10 Jul 2025 13:29:52 +0100 Subject: [PATCH 2/4] Update src/content/docs/cloudflare-one/connections/connect-devices/warp/troubleshooting/known-limitations.mdx --- .../warp/troubleshooting/known-limitations.mdx | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/warp/troubleshooting/known-limitations.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/warp/troubleshooting/known-limitations.mdx index 110006683157115..00af6bddc616967 100644 --- a/src/content/docs/cloudflare-one/connections/connect-devices/warp/troubleshooting/known-limitations.mdx +++ b/src/content/docs/cloudflare-one/connections/connect-devices/warp/troubleshooting/known-limitations.mdx 
@@ -159,13 +159,11 @@ Use of the WARP client in a Microsoft 365 Windows 10 Cloud PC is not supported. ## IPv6 DNS Resolution in Secure Web Gateway without DNS filtering mode -In [Secure Web Gateway without DNS filtering](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-modes/#secure-web-gateway-without-dns-filtering) mode, after the WARP tunnel is established, WARP checks connectivity by resolving `connectivity.cloudflareclient.com` using the DNS server configured on the device. +In [Secure Web Gateway without DNS filtering mode](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-modes/#secure-web-gateway-without-dns-filtering, devices using IPv6 DNS servers may experience connectivity issues if these servers are not manually excluded from the WARP tunnel. -Sometimes this check fails because the DNS server—often assigned by DHCP and accessible only on the local network—becomes unreachable when traffic is routed through the WARP tunnel. +Unlike common IPv4 DHCP configurations where DNS servers often fall within automatically excluded private address ranges, IPv6 environments typically require manual exclusion of DNS server addresses via split tunnel settings for proper operation. -For IPv4, failure is uncommon because DHCP-assigned DNS servers typically use private (RFC 1918) addresses, which WARP excludes from the tunnel by default. - -However, in an IPv6 environment, there is no automatic exclusion. If your DNS server uses an IPv6 address, you must manually exclude it from WARP’s tunnel using [split tunnel](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/) settings for Secure Web Gateway without DNS filtering mode to work properly. 
+If your DNS server uses an IPv6 address, you must manually exclude it using [split tunnel](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/) settings for Secure Web Gateway without DNS filtering mode to work properly. ## Troubleshooting From 3ae587e82bad47dcf56b12a7b4afb5218abdc4c9 Mon Sep 17 00:00:00 2001 From: Kate Tungusova <70746074+deadlypants1973@users.noreply.github.com> Date: Thu, 10 Jul 2025 14:27:24 +0100 Subject: [PATCH 3/4] Apply suggestions from code review Co-authored-by: marciocloudflare <83226960+marciocloudflare@users.noreply.github.com> --- .../connect-devices/warp/configure-warp/warp-modes/index.mdx | 2 +- .../warp/troubleshooting/known-limitations.mdx | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-modes/index.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-modes/index.mdx index 3821fce48e05a00..71351c4dcba1623 100644 --- a/src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-modes/index.mdx +++ b/src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-modes/index.mdx 
@@ -25,7 +25,7 @@ This mode is best suited for organizations that only want to apply DNS filtering ## Secure Web Gateway without DNS filtering -This mode (sometimes referred to as tunnel only mode) is best suited for organizations that want to proxy network and HTTP traffic but keep their existing DNS filtering software. DNS traffic is handled by the default mechanism on your device. +This mode (sometimes referred to as tunnel-only mode) is best suited for organizations that want to proxy network and HTTP traffic but keep their existing DNS filtering software. DNS traffic is handled by the default mechanism on your device. | DNS filtering | Network filtering | HTTP filtering | Features enabled | | ------------- | ----------------- | -------------- | ----------------------------------------------------------------------------------------------------------------------------------------- | diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/warp/troubleshooting/known-limitations.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/warp/troubleshooting/known-limitations.mdx index 00af6bddc616967..ab192389188ce18 100644 --- a/src/content/docs/cloudflare-one/connections/connect-devices/warp/troubleshooting/known-limitations.mdx +++ b/src/content/docs/cloudflare-one/connections/connect-devices/warp/troubleshooting/known-limitations.mdx 
@@ -157,9 +157,9 @@ Address: 127.0.2.3 Use of the WARP client in a Microsoft 365 Windows 10 Cloud PC is not supported. To work around this limitation, use Windows 11. -## IPv6 DNS Resolution in Secure Web Gateway without DNS filtering mode +## IPv6 DNS resolution in Secure Web Gateway without DNS filtering mode -In [Secure Web Gateway without DNS filtering mode](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-modes/#secure-web-gateway-without-dns-filtering, devices using IPv6 DNS servers may experience connectivity issues if these servers are not manually excluded from the WARP tunnel. +In [Secure Web Gateway without DNS filtering mode](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-modes/#secure-web-gateway-without-dns-filtering), devices using IPv6 DNS servers may experience connectivity issues if these servers are not manually excluded from the WARP tunnel. Unlike common IPv4 DHCP configurations where DNS servers often fall within automatically excluded private address ranges, IPv6 environments typically require manual exclusion of DNS server addresses via split tunnel settings for proper operation. From 7fbcf48bc876f77c6e616468ffc6e612fdd2b914 Mon Sep 17 00:00:00 2001 From: Kate Tungusova <70746074+deadlypants1973@users.noreply.github.com> Date: Thu, 10 Jul 2025 14:27:53 +0100 Subject: [PATCH 4/4] Update src/content/docs/cloudflare-one/connections/connect-devices/warp/troubleshooting/known-limitations.mdx Co-authored-by: marciocloudflare <83226960+marciocloudflare@users.noreply.github.com> --- .../connect-devices/warp/troubleshooting/known-limitations.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/warp/troubleshooting/known-limitations.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/warp/troubleshooting/known-limitations.mdx index ab192389188ce18..4085d090239b4c9 100644 
--- a/src/content/docs/cloudflare-one/connections/connect-devices/warp/troubleshooting/known-limitations.mdx +++ b/src/content/docs/cloudflare-one/connections/connect-devices/warp/troubleshooting/known-limitations.mdx @@ -163,7 +163,7 @@ In [Secure Web Gateway without DNS filtering mode](/cloudflare-one/connections/c Unlike common IPv4 DHCP configurations where DNS servers often fall within automatically excluded private address ranges, IPv6 environments typically require manual exclusion of DNS server addresses via split tunnel settings for proper operation. -If your DNS server uses an IPv6 address, you must manually exclude it using [split tunnel](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/) settings for Secure Web Gateway without DNS filtering mode to work properly. +If your DNS server uses an IPv6 address, you must manually exclude it using [split tunnel settings](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/) for Secure Web Gateway without DNS filtering mode to work properly. ## Troubleshooting
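
Review bot: In PATCH 1/4, warp-modes/index.mdx, hunk @@ -35,6 +35,7, the added bullet says only that the mode "has a known limitation concerning DNS servers with IPv6 addresses", so a reader of the mode's note learns neither the symptom nor the fix without following the link. Suggest stating the action in the bullet itself, for example that a device whose DNS server has an IPv6 address needs that address excluded through split tunnel settings, and keeping the link for detail. The link targets the anchor `#ipv6-dns-resolution-in-secure-web-gateway-without-dns-filtering-mode`, which is derived from the heading that PATCH 3/4 renames (case only), so check that the generated anchor still resolves after that rename.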
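
Review bot: In PATCH 1/4, known-limitations.mdx, the hunks at @@ -100,7 (the MTU paragraph) and @@ -121,7 (the blank line inside the Docker terminal output) remove and re-add lines that appear to differ only in whitespace, which is unrelated to the IPv6 limitation named in the subject. Suggest dropping them from this series or moving them to a separate cleanup commit, so the diff for the new section stays easy to review and the sample terminal output is not touched by accident.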
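
Review bot: In PATCH 2/4, hunk @@ -159,13 +159,11, the rewrite drops the only description of the failure mechanism and replaces it with "may experience connectivity issues", which gives a troubleshooting reader nothing to match against. The removed text said that WARP checks connectivity by resolving `connectivity.cloudflareclient.com` with the device's DNS server and that the server becomes unreachable once traffic is routed through the tunnel; suggest keeping one sentence of that, since this is the known-limitations page. Two smaller points in the same hunk: the link on the first added line is missing its closing parenthesis after `#secure-web-gateway-without-dns-filtering` (corrected only in PATCH 3/4, so consider squashing), and the second and third added paragraphs both state that manual exclusion through split tunnel settings is required, so they can be merged into one.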
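
Review bot: In PATCH 4/4, hunk @@ -163,7 +163,7, the final instruction "you must manually exclude it using split tunnel settings" does not say what to enter or how wide the exclusion should be. Excluded traffic no longer goes through the WARP tunnel, and this mode exists to proxy network and HTTP traffic, so suggest telling the reader to exclude only the DNS server's own IPv6 address rather than a broader prefix, and to update the entry when that address changes (PATCH 1/4 described the server as often assigned by DHCP).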