Skip to content

[ZT] CGNAT IPS in local firewall #24876

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 2 commits into from
Sep 3, 2025
Merged

[ZT] CGNAT IPS in local firewall #24876

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
3612974
tip to check local firewall
ranbel Sep 3, 2025
84b3955
remove partial
ranbel Sep 3, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 4 additions & 1 deletion ...re-one/connections/connect-networks/private-net/warp-connector/user-to-site.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -25,7 +25,8 @@ This guide covers how to connect WARP client user devices to a private network b
## Prerequisites

- A Linux host [^1] on the subnet.
- Verify that your firewall allows inbound/outbound traffic over the [WARP IP addresses, ports, and domains](/cloudflare-one/connections/connect-devices/warp/deployment/firewall/).
- For WARP Connector to connect to Cloudflare services, your firewall should allow inbound/outbound traffic for the [WARP IP addresses, ports, and domains](/cloudflare-one/connections/connect-devices/warp/deployment/firewall/).
- For WARP clients to connect to your subnet, your firewall should allow inbound traffic from the <GlossaryTooltip term="CGNAT IP">WARP CGNAT IP range</GlossaryTooltip>: `100.96.0.0/12`

## 1. Install a WARP Connector

Expand Down Expand Up @@ -125,3 +126,5 @@ You can now send a request from a WARP client user device to a device behind WAR
file="tunnel/warp-connector-linux-packages"
product="cloudflare-one"
/>


8 changes: 7 additions & 1 deletion ...t/docs/cloudflare-one/connections/connect-networks/private-net/warp-to-warp.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,7 @@ head:
content: Create private networks with WARP-to-WARP
---

import { GlossaryTooltip } from "~/components";
import { Render, GlossaryTooltip } from "~/components";

With Cloudflare Zero Trust, you can create a private network between any two or more devices running Cloudflare WARP. This means that you can have a private network between your phone and laptop without ever needing to be connected to the same physical network. If you already have an existing Zero Trust deployment, you can also enable this feature to add device-to-device connectivity to your private network with the press of a button. This will allow you to connect to any service that relies on TCP, UDP, or ICMP-based protocols through Cloudflare's network.

Expand Down Expand Up @@ -42,3 +42,9 @@ This will instruct WARP to begin proxying any traffic destined for a `100.96.0.0
## Connect via WARP

Once enrolled, your users and services will be able to connect to the virtual IPs configured for TCP, UDP, or ICMP-based traffic. You can optionally create [Gateway network policies](/cloudflare-one/policies/gateway/network-policies/) to define the users and devices that can access the `100.96.0.0/12` IP space.

## Troubleshooting

### Check your firewall

Verify that your local firewall allows traffic from the <GlossaryTooltip term="CGNAT IP">WARP CGNAT IPs</GlossaryTooltip>. For example, Windows Firewall blocks inbound traffic from `100.96.0.0/12` by default. On Windows devices, you will need to add a firewall rule that allows incoming requests from `100.96.0.0/12` for the desired protocols and/or ports.
Loading