From f7156afa2538a96ad0d17ce71431adae5c8b76d6 Mon Sep 17 00:00:00 2001
From: Kate Tungusova
Date: Fri, 8 Aug 2025 18:32:28 +0100
Subject: [PATCH 1/4] [CF1] new warp routing table
---
 .../configure-warp/route-traffic/index.mdx | 30 +++++++++++++++++++
 1 file changed, 30 insertions(+)
diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/index.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/index.mdx
index 3a2eaba1f82a4c..9ddbf98ee35ef3 100644
--- a/src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/index.mdx
+++ b/src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/index.mdx
@@ -53,6 +53,36 @@ flowchart TD
 n2@{ shape: proc}
 ```
+```mermaid
+flowchart TD
+ A["WARP user requests resource"] --> B["WARP Client proxies DNS Traffic"]
+
+ B --> C["WARP checks if domain is listed in Local Domain Fallback (LDF) policies"]
+
+ C -->|Domain exists in LDF policies| F["Split Tunnel processing"]
+ C -->|Domain does not exist in LDF policies
Sent to Gateway for processing| E["Gateway checks Resolver Policies (Enterprise only)"]
+
+ %% LDF branch
+ F -->|Resolver IP included in WARP Tunnel per Split Tunnel configuration| G["Query sent via WARP Tunnel to be resolved"]
+ F -->|Resolver IP not included in WARP Tunnel per Split Tunnel configuration| H["Query sent to resolver IP outside WARP Tunnel"]
+
+ G -->|Allowed by Gateway| I["Evaluated by Cloudflare on-ramp routes"]
+
+ I -->|Onramp routes do not include resolver IP| J["Gateway proxies query to resolver IP via normal WARP egress route"]
+ I -->|Onramp routes include resolver IP| K["Cloudflare onramps advertise route that includes Resolver IP"]
+ K --> L["Private resolver returns IP address to WARP client"]
+
+ %% Gateway resolver policies branch
+ E -->|Resolver policy is not matched| M["1.1.1.1"]
+
+ E -->|Resolver policy is matched| N["Internal DNS"]
+ E -->|Resolver policy is matched| O["1.1.1.1"]
+ E -->|Resolver policy is matched| P["Custom resolver"]
+
+ P --> Q["Private network services (Cloudflare Tunnel, Magic WAN, WARP Connector)"]
+
+```
+
 ## Add a DNS suffix
 Support for DNS suffix search lists in WARP is currently in development. You can manually configure DNS suffixes at the device level using the following instructions.
From 3bb99a2719611edb4411479ea8be37dde324d98c Mon Sep 17 00:00:00 2001
From: Kate Tungusova
Date: Mon, 11 Aug 2025 14:33:50 +0100
Subject: [PATCH 2/4] better chart
---
 .../configure-warp/route-traffic/index.mdx | 37 +++++++++----------
 1 file changed, 17 insertions(+), 20 deletions(-)
diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/index.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/index.mdx
index 9ddbf98ee35ef3..189d9016c5068e 100644
--- a/src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/index.mdx
+++ b/src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/index.mdx
@@ -55,32 +55,29 @@ flowchart TD
 ```mermaid
 flowchart TD
- A["WARP user requests resource"] --> B["WARP Client proxies DNS Traffic"]
+ A["WARP user requests resource"] --> B["WARP client proxies all DNS traffic"]
+ B -- WARP checks if domain is listed in Local Domain Fallback policies --> C["Local Domain Fallback"]
- B --> C["WARP checks if domain is listed in Local Domain Fallback (LDF) policies"]
+ %% Left branch (LDF exists)
+ C -- Domain exists in Local Domain Fallback policies --> ST["Split Tunnel processing"]
- C -->|Domain exists in LDF policies| F["Split Tunnel processing"]
- C -->|Domain does not exist in LDF policies
Sent to Gateway for processing| E["Gateway checks Resolver Policies (Enterprise only)"]
+ ST -- Resolver IP included in WARP Tunnel per Split Tunnel configuration --> QW["Query sent via WARP Tunnel to be resolved"]
+ ST -- Resolver IP not included in WARP Tunnel per Split Tunnel configuration --> QO["Query sent to resolver IP outside WARP Tunnel"]
- %% LDF branch
- F -->|Resolver IP included in WARP Tunnel per Split Tunnel configuration| G["Query sent via WARP Tunnel to be resolved"]
- F -->|Resolver IP not included in WARP Tunnel per Split Tunnel configuration| H["Query sent to resolver IP outside WARP Tunnel"]
+ QW -- Allowed by Gateway --> OR["Evaluated by Cloudflare on-ramp routes"]
+ OR -- Onramp routes do not include resolver IP --> GP["Gateway proxies query to resolver IP via normal WARP egress route"]
+ OR -- Onramp routes include, resolver IP --> ADV["Cloudflare onramps advertises route that includes Resolver IP"]
+ ADV --> PR["Private resolver returns IP address to WARP client"]
- G -->|Allowed by Gateway| I["Evaluated by Cloudflare on-ramp routes"]
+ %% Right branch (no LDF match)
+ C -- Domain does not exist in Local Domain Fallback policies --> GWR["Gateway checks Resolver Policies (Enterprise only)"]
- I -->|Onramp routes do not include resolver IP| J["Gateway proxies query to resolver IP via normal WARP egress route"]
- I -->|Onramp routes include resolver IP| K["Cloudflare onramps advertise route that includes Resolver IP"]
- K --> L["Private resolver returns IP address to WARP client"]
-
- %% Gateway resolver policies branch
- E -->|Resolver policy is not matched| M["1.1.1.1"]
-
- E -->|Resolver policy is matched| N["Internal DNS"]
- E -->|Resolver policy is matched| O["1.1.1.1"]
- E -->|Resolver policy is matched| P["Custom resolver"]
-
- P --> Q["Private network services (Cloudflare Tunnel, Magic WAN, WARP Connector)"]
+ GWR -- Resolver policy is not matched --> C1111a["1.1.1.1"]
+ GWR -- Resolver policy is matched --> IDNS["Internal DNS"]
+ GWR
-- Resolver policy is matched --> C1111b["1.1.1.1"]
+ GWR -- Resolver policy is matched --> CUST["Custom resolver"]
+ CUST --> PNS["Private network services
(Cloudflare Tunnel, Magic WAN, WARP Connector)"]
 ```
 ## Add a DNS suffix
From c43a3ad4043441f7c31bbdc2855c1357d1720344 Mon Sep 17 00:00:00 2001
From: Kate Tungusova
Date: Mon, 11 Aug 2025 19:26:38 +0100
Subject: [PATCH 3/4] chart and term
---
 .../configure-warp/route-traffic/index.mdx | 40 ++++++-------------
 1 file changed, 12 insertions(+), 28 deletions(-)
diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/index.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/index.mdx
index 189d9016c5068e..61c72e8bed3395 100644
--- a/src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/index.mdx
+++ b/src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/index.mdx
@@ -25,34 +25,6 @@ Additionally, there are three options you can configure to exclude traffic from
 When you use the WARP client together with `cloudflared` Tunnels or third-party VPNs, Cloudflare evaluates each request and routes it according to the following traffic flow:
-```mermaid
-flowchart TD
- D["WARP client proxies DNS traffic to specified fallback server"] -- Resolver IP included in Tunnel per Split Tunnel configuration --> E["Query sent via WARP Tunnel to be resolved"]
- D -- Resolver IP not included in Tunnel per Split Tunnel configuration --> F["Query sent to resolver IP outside WARP Tunnel"]
- E -- Blocked by Gateway --> G["Traffic blocked by Cloudflare"]
- E -- Allowed by Gateway --> H["Evaluated by Cloudflare Tunnel routes"]
- H -- Tunnel routes do not include resolver IP --> I["Gateway proxies query to resolver IP via normal WARP egress route"]
- H -- Tunnel routes include resolver IP --> J["Cloudflare Tunnel advertises route that includes Resolver IP"]
- J --> L["Private resolver returns IP address to WARP client"]
- n1["Local Domain Fallback"] -- Matches domain --> C["WARP client resolves query according to Gateway policies"]
- n1 -- Does not match domain --> D
- A["WARP user requests resource"] --> n2["Gateway resolver policies"]
- n2 -- Does not match traffic --> n1
- n2 -- Matches traffic --> C
-
- D@{ shape: rect}
- E@{ shape: hex}
- F@{ shape: terminal}
- G@{ shape: terminal}
- H@{ shape: hex}
- I@{ shape: terminal}
- L@{ shape: terminal}
- n1@{ shape: hex}
- C@{ shape: terminal}
- A@{ shape: in-out}
- n2@{ shape: proc}
-```
-
 ```mermaid
 flowchart TD
 A["WARP user requests resource"] --> B["WARP client proxies all DNS traffic"]
@@ -79,6 +51,18 @@ flowchart TD
 GWR -- Resolver policy is matched --> CUST["Custom resolver"]
 CUST --> PNS["Private network services
(Cloudflare Tunnel, Magic WAN, WARP Connector)"]
 ```
+Terms mentioned:
+
+- Internal DNS
+- On-ramp
+- Local Domain Fallback
+- Split Tunnels
+- Gateway Resolver Policies
+- Cloudflare Tunnel
+- WARP Connector
+- Magic WAN
+- 1.1.1.1.
+
 ## Add a DNS suffix
From 156f55b9dc978172668b4489148548abe12e2c41 Mon Sep 17 00:00:00 2001
From: Kate Tungusova
Date: Tue, 12 Aug 2025 11:04:47 +0100
Subject: [PATCH 4/4] final edit
---
 .../configure-warp/route-traffic/index.mdx | 29 ++++++++++++-------
 1 file changed, 18 insertions(+), 11 deletions(-)
diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/index.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/index.mdx
index 61c72e8bed3395..4ce28a8c0f12fe 100644
--- a/src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/index.mdx
+++ b/src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/index.mdx
@@ -5,6 +5,8 @@ sidebar:
 order: 6
 ---
+import { GlossaryTooltip } from "~/components";
+
 When the WARP client is deployed on a device, Cloudflare will process all DNS queries and network traffic by default. However, under certain circumstances, you may need to exclude specific DNS queries or network traffic from WARP. For example, you may need to resolve an internal hostname with a private DNS resolver instead of Cloudflare's [public DNS resolver](/1.1.1.1/).
 Cloudflare recommends Enterprise users configure [Gateway resolver policies](/cloudflare-one/policies/gateway/resolver-policies/) to resolve traffic with custom resolvers. WARP will send private DNS queries to Gateway, then Gateway will send the queries to custom resolvers based on matching policies.
@@ -51,17 +53,22 @@ flowchart TD
 GWR -- Resolver policy is matched --> CUST["Custom resolver"]
 CUST --> PNS["Private network services
(Cloudflare Tunnel, Magic WAN, WARP Connector)"]
 ```
-Terms mentioned:
-
-- Internal DNS
-- On-ramp
-- Local Domain Fallback
-- Split Tunnels
-- Gateway Resolver Policies
-- Cloudflare Tunnel
-- WARP Connector
-- Magic WAN
-- 1.1.1.1.
+#### Terms mentioned
+#### On-ramps (how traffic gets onto Cloudflare)
+- On-ramp
+- [Cloudflare Tunnel](/cloudflare-one/connections/connect-networks/)
+- [WARP Connector](/cloudflare-one/connections/connect-networks/private-net/warp-connector/)
+- [Magic WAN](/magic-wan/)
+
+#### Routing features (how queries are handled)
+- [Local Domain Fallback](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/local-domains/)
+- [Split Tunnels](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/)
+- [Gateway Resolver Policies](/cloudflare-one/policies/gateway/resolver-policies/)
+
+#### Resolvers (where queries are resolved)
+- [Internal DNS](/dns/internal-dns/)
+- [1.1.1.1](/1.1.1.1/)
+
 ## Add a DNS suffix