+ {`
+flowchart LR
+ subgraph subGraph0["Data center"]
+ direction TB
+ InternalDNS(["Internal DNS"])
+ ResolverPolicies["Resolver policies"]
+ CloudflareGatewayDNSResolver["Gateway DNS resolver"]
+ end
+ ResolverPolicies -- Retain and useSource Internal IP --> InternalDNS
+ CloudflareGatewayDNSResolver --
--> ResolverPolicies
+ WarpConnector["WARP Connector"] -- DHCP/DNS resolver --> IPSecTunnel["IPsec tunnel"]
+ MagicWAN[${props.magicWANName}] -- DHCP/DNS resolver --> IPSecTunnel
+ IPSecTunnel -- Shared IP endpoints --> CloudflareGatewayDNSResolver
+ ResolverPolicies@{ shape: proc}
+ WarpConnector@{ shape: in-out}
+ MagicWAN@{ shape: in-out}
+ `}
+
+
+## Outbound Internet traffic
+
+By default, the following traffic routed through {props.magicWANName} tunnels and destined to public IP addresses is proxied/filtered through Cloudflare Gateway:
+
+- TCP, UDP, and ICMP traffic sourced from [RFC 1918](https://datatracker.ietf.org/doc/html/rfc1918) IPs or WARP devices.
+- TCP and UDP traffic sourced from [BYO](/byoip/) or [Leased IPs](/magic-transit/cloudflare-ips/) and destined to a well-known port (`0`-`1023`).
+
+Traffic destined to public IPs will be routed over the public Internet, unless explicitly specified otherwise. If you want to configure specific public IP ranges to be routed through your Magic WAN tunnels instead of over the public Internet after filtering, contact your account team.
+
+This traffic will egress from Cloudflare according to the egress policies you define in Cloudflare Gateway. By default, it will egress from a shared Cloudflare public IP range.
+
+## Private traffic
+
+By default, TCP, UDP, and ICMP traffic routed through Magic WAN tunnels and destined to routes behind Cloudflare Tunnel will be proxied/filtered through Cloudflare Gateway.
+
+Contact your account team to enable Gateway filtering for traffic destined to routes behind {props.magicWANName} tunnels.
+
+If enabled, by default TCP/UDP traffic meeting **all** the following criteria will be proxied/filtered by Cloudflare Gateway:
+
+- Both source and destination IPs are part of either [RFC1918](https://datatracker.ietf.org/doc/html/rfc1918) space, WARP, [BYO](/byoip/) or [Leased IPs](/magic-transit/cloudflare-ips/)
+- Source port must be a client port strictly higher than `1023`
+- Destination port is a well-known port lower than `1024`
+
+Optionally, more specific matches may be specified to override the default:
+
+- Source IP prefix in a subset of RFC1918 space, or [BYO](/byoip/) or [Leased IPs](/magic-transit/cloudflare-ips/)
+- Destination IP prefix in a subset of RFC1918 space, or [BYO](/byoip/) or [Leased IPs](/magic-transit/cloudflare-ips/)
+- Destination port number anywhere from `0`-`65535`
+
+Source ports are hard-coded to `1024`-`65535` and may not be overridden.
+
+Virtual Magic WAN Connector (Virtual Connector) is a virtual appliance alternative to the hardware based Magic WAN Connector appliance. These two versions of Connector are identical otherwise.
Currently, you can set up Virtual Connector on VMWare ESXi and Proxmox Virtual Environment. Support for Proxmox is in beta.
+{props.productNameVirtual} is a virtual appliance alternative to the hardware based {props.productName}. These two versions of Connector are identical otherwise.
Currently, you can set up {props.productNameVirtual} on VMWare ESXi and Proxmox Virtual Environment. Support for Proxmox is in beta.
) } -In this page you will find instructions on how to configure Magic WAN Connector. This guide provides a step-by-step guide for Magic WAN Connector's initial setup. You can either return here after setting up your Connector, or refer to the [Maintenance](/magic-wan/configuration/connector/maintenance/) section where you will find instructions on how to update your settings. +In this page you will find instructions on how to configure {props.productName}. This guide provides a step-by-step guide for {props.productName} initial setup. You can either return here after setting up your Connector, or refer to the Maintenance section where you will find instructions on how to update your settings. ## Prerequisites { props.magicWord === "hardware" && ( <> -You also need to purchase a {props.productName} before you can start configuring your settings in the Cloudflare dashboard. Contact your account representative to learn more about purchasing options for the Magic WAN Connector device.
- You also need to purchase a Magic WAN Connector before you can start configuring your settings in the Cloudflare dashboard. Contact your account representative to learn more about purchasing options for the Magic WAN Connector device. - `} - inline={false} - /> ) } @@ -52,7 +63,7 @@ In this page you will find instructions on how to configure Magic WAN Connector. <>You can use Magic WAN Connector in both DHCP networks and networks that require a static IP configuration. At first boot, however, Magic WAN Connector needs to reach out to Cloudflare to download your settings and go through the activation process. If any of the networks plugged into your Connector are DHCP enabled, does not use a VLAN, and have an Internet connection, that process is handled automatically. However, if all of the networks require more information to utilize, (such as a network with static IPs, or tagged VLAN networks) your Magic WAN Connector might need some more information to proceed.
+You can use {props.productName} in both DHCP networks and networks that require a static IP configuration. At first boot, however, {props.productName} needs to reach out to Cloudflare to download your settings and go through the activation process. If any of the networks plugged into your Connector are DHCP enabled, does not use a VLAN, and have an Internet connection, that process is handled automatically. However, if all of the networks require more information to utilize, (such as a network with static IPs, or tagged VLAN networks) your {props.productName} might need some more information to proceed.
There are couple of ways to provide this information. Choose the one that fits your workflow:
@@ -113,7 +124,7 @@ You cannot enable high availability for an existing Connector on-ramp. To add hiVirtual Connector uses a DHCP connection at first boot to download your settings and go through the activation process. However, if you need to use a static IP in your Virtual Connector, and this is a fresh install:
+{props.productNameVirtual} uses a DHCP connection at first boot to download your settings and go through the activation process. However, if you need to use a static IP in your {props.productNameVirtual}, and this is a fresh install:
Select the appropriate tab below to learn how to configure Virtual Connector on VMWare ESXi or Proxmox Virtual Environment.
+Select the appropriate tab below to learn how to configure {props.productNameVirtual} on VMWare ESXi or Proxmox Virtual Environment.
Null port group, and a **VLAN ID** of 999.
+ 1. When setting up your VMware ESXi, you need to create port groups for ${props.productNameVirtual}. Go to **Networking** > **Port groups**, and prepare your vSwitch port groups and/or VLANs for your desired network topology. For example, a simple deployment typically has:
+ - A WAN port group where the ${props.productNameVirtual} will get an IP address (static or DHCP) that has access to the Internet.
+ - A LAN port group, where the ${props.productNameVirtual} will act as default router, and possibly DHCP server.
+ - A null, or unused, port group for allocating unused virtual interfaces in the ${props.productNameVirtual}. You can, for example, create a null port group with the name of Null port group, and a **VLAN ID** of 999.
`}
inline={false}
/>
@@ -210,7 +221,7 @@ You cannot enable high availability for an existing Connector on-ramp. To add hi
text={`
Take note of the folder where you are extracting the files to, as you will need to refer to that folder when creating the VM.
- 3. Go to **Virtual Machines** > **Create/Register VM** wizard to start deploying the Virtual Connector.
+ 3. Go to **Virtual Machines** > **Create/Register VM** wizard to start deploying the ${props.productNameVirtual}.
4. Select **Deploy a virtual machine from an OVF or OVA file** > **Next**.
@@ -230,7 +241,7 @@ You cannot enable high availability for an existing Connector on-ramp. To add hi
10. Before completing the deployment wizard, disable **Power on automatically**. This is important so that you can configure the license key prior to boot.
11. Configure the virtual machine with the license key your account team provided you:
- 1. Select the Virtual Connector's VM > **Settings**.
+ 1. Select the ${props.productNameVirtual}'s VM > **Settings**.
2. Go to **VM Options** > **Advanced** > **Edit Configuration**.
3. Select **Add parameter** to add your license key. Scroll down to the last entry (this is where VMware adds the new parameter), and add the following two new entries:
- **Key**: guestinfo.cloudflare.identity
@@ -243,7 +254,7 @@ You cannot enable high availability for an existing Connector on-ramp. To add hi
To set up and use Magic WAN Connector, you first need to register it with your account.
-To set up and use {props.productOriginalName}, you first need to register it with your account.
+There are several deployment options for Magic WAN Connector. Connector can act like a DHCP server for your local network, or integrate with your local setup and have static IP addresses assigned to it.
-When Connector acts like the WAN router for your site, deployment will be something like this:
+There are several deployment options for {props.productName}. {props.productName} can act like a DHCP server for your local network, or integrate with your local setup and have static IP addresses assigned to it.
+When {props.productName} acts like the WAN router for your site, deployment will be something like this:
{`flowchart LR
@@ -459,7 +473,7 @@ After finishing your Connector configuration, you need to add it to a site.
- In the example below, the Connector sits behind the WAN router in your site, and on-ramps only some of the existing LANs to Cloudflare.
+ In the example below, the {props.productName} sits behind the WAN router in your site, and on-ramps only some of the existing LANs to Cloudflare.
{`flowchart LR
@@ -480,18 +494,18 @@ After finishing your Connector configuration, you need to add it to a site. Refer to Magic WAN Connector deployment options for a high-level explanation of the deployment options that make sense to most environments, as well as a few advanced use cases.
If there is a firewall deployed upstream of the Magic WAN Connector, configure the firewall to allow the following traffic:
+ If there is a firewall deployed upstream of the {props.productName}, configure the firewall to allow the following traffic:
- When the Connector is first activated, you need to have Internet connection. If you chose to set up your Connector with DHCP you will need to have one of the Connector ports connected to the Internet through a device that supports DHCP. This is required so that the Connector can reach the Cloudflare global network and download the required configurations that you set up.
- If you set up your Connector with a static IP through the bootstrap method, you do not need a DHCP port. Refer to DHCP vs static IP connections for more information.
+ When {props.productName} is first activated, you need to have Internet connection. If you chose to set up your {props.productName} with DHCP you will need to have one of the {props.productName} ports connected to the Internet through a device that supports DHCP. This is required so that the {props.productName} can reach the Cloudflare global network and download the required configurations that you set up.
+ If you set up your {props.productName} with a static IP through the bootstrap method, you do not need a DHCP port. Refer to DHCP vs static IP connections for more information.
-
+
)
}
{ props.magicWord === "virtual" && (
<>
- When the Connector is first activated, one of the ports must be connected to the Internet through a device that supports DHCP. This is required so that the Connector can reach the Cloudflare global network and download the required configurations that you set up.
+ When the {props.productNameVirtual} is first activated, one of the ports must be connected to the Internet through a device that supports DHCP. This is required so that the {props.productNameVirtual} can reach the Cloudflare global network and download the required configurations that you set up.
-
+
)
}
-When you are ready to connect your Magic WAN Connector to the Cloudflare network:
+When you are ready to connect your { props.magicWord === "virtual" ? props.productNameVirtual : props.productName } to the Cloudflare network:
1. In the Cloudflare dashboard, go to Magic WAN's **Configuration** page.
@@ -571,22 +585,22 @@ When you are ready to connect your Magic WAN Connector to the Cloudflare network
{ props.magicWord === "hardware" && (
<>
- After activating your Connector, you can use it in a network configuration with the WAN interface set to a static IP address — that is, an Internet configuration that is not automatically set by DHCP. To use your Connector on a network configuration with a static IP, follow the steps below.
+ After activating your {props.productName}, you can use it in a network configuration with the WAN interface set to a static IP address — that is, an Internet configuration that is not automatically set by DHCP. To use your Connector on a network configuration with a static IP, follow the steps below.
-
+
After activating your Virtual Connector, you can use it in a network configuration with the WAN interface set to a static IP address - that is, an Internet configuration that is not automatically set by DHCP. To use your Virtual Connector on a network configuration with a static IP, follow the steps below.
+ After activating your {props.productNameVirtual}, you can use it in a network configuration with the WAN interface set to a static IP address - that is, an Internet configuration that is not automatically set by DHCP. To use your {props.productNameVirtual} on a network configuration with a static IP, follow the steps below.
-
+
Advanced users can locally configure their Magic WAN Connector to work in a static IP configuration. This local method does not require having access to a DHCP Internet connection. However, it does require being comfortable with using tools to access the serial port on Magic WAN Connector as well as using a serial terminal client to access the Connector's environment.
- Below is a detailed description of how to use the serial port to configure your Magic WAN Connector locally.
+ Advanced users can locally configure their {props.productName} to work in a static IP configuration. This local method does not require having access to a DHCP Internet connection. However, it does require being comfortable with using tools to access the serial port on {props.productName} as well as using a serial terminal client to access the {props.productName}'s environment.
+ Below is a detailed description of how to use the serial port to configure your {props.productName} locally.
-
+
Your Connector's default password is the serial number (also known as a Service Tag for Dell devices), all uppercase followed by an ! (for example, A1B2C3D!)
+ Your {props.productName}'s default password is the serial number (also known as a Service Tag for Dell devices), all uppercase followed by an ! (for example, A1B2C3D!)
To access Magic WAN Connector's environment you need a serial terminal client. Follow the instructions below to install one, based on your operating system.
+ To access ${props.productName}'s environment you need a serial terminal client. Follow the instructions below to install one, based on your operating system.
The reset device option in your Connector clears most of the configuration that is locally cached, resets the password to the default, and reboots.
+ The reset device option in your {props.productName} clears most of the configuration that is locally cached, resets the password to the default, and reboots.
10.0.0.2/24).
7. Enter the IP address of the Internet gateway (this must be in the same subnet as the previous IP address you entered and must not be the same address).
8. Select **Save** and confirm that you want to use the new settings.
- 9. The Connector will download the rest of the settings from Cloudflare. The last heartbeat of the Connector should update once it has made contact with Cloudflare.
+ 9. The ${props.productName} will download the rest of the settings from Cloudflare. The last heartbeat of the Connector should update once it has made contact with Cloudflare.
`}
inline={false}
/>
@@ -743,17 +757,17 @@ When you are ready to connect your Magic WAN Connector to the Cloudflare network
## About high availability configurations
-{props.hardSoftConn} When you set up a site in high availability, the WANs and LANs in your Connectors have the same configuration but are replicated on two nodes. In case of failure of a Connector, the other Connector becomes the active node, taking over configuration of the LAN gateway IP and allowing traffic to continue without disruption.
+{props.hardSoftConn} When you set up a site in high availability, the WANs and LANs in your { props.magicWord === "virtual" ? props.productNameVirtual : props.productName } have the same configuration but are replicated on two nodes. In case of failure of a { props.magicWord === "virtual" ? props.productNameVirtual : props.productName }, the other { props.magicWord === "virtual" ? props.productNameVirtual : props.productName } becomes the active node, taking over configuration of the LAN gateway IP and allowing traffic to continue without disruption.
-Because Connectors in high availability configurations share a single site, you need to set up:
+Because { props.magicWord === "virtual" ? props.productNameVirtual : props.productName }s in high availability configurations share a single site, you need to set up:
- **Static address**: The IP for the primary node in your site.
- **Secondary static address**: The IP for the secondary node in your site.
-- **Virtual static address**: The IP that the LAN south of the Connector will forward traffic to, which is the LAN's gateway IP.
+- **Virtual static address**: The IP that the LAN south of the { props.magicWord === "virtual" ? props.productNameVirtual : props.productName } will forward traffic to, which is the LAN's gateway IP.
Make sure all IPs are part of the same subnet.
-For detailed information about the expected behavior of high availability configurations, refer to [High availability configurations](/magic-wan/configuration/connector/reference/#high-availability-configurations).
+For detailed information about the expected behavior of high availability configurations, refer to High availability configurations.
### Create a high availability configuration
@@ -781,7 +795,7 @@ To set up a high availability configuration:
## IPsec tunnels and static routes
-Magic WAN Connector automatically creates [IPsec tunnels](/magic-wan/reference/gre-ipsec-tunnels/#ipsec-tunnels) and [static routes](/magic-wan/reference/traffic-steering/) for you. You cannot configure these manually.
+Magic WAN Connector automatically creates IPsec tunnels and static routes for you. You cannot configure these manually.
To check the IPsec tunnels and static routes created by your Magic WAN Connector:
@@ -797,7 +811,7 @@ To check the IPsec tunnels and static routes created by your Magic WAN Connector
## Next steps
-- [Network options](/magic-wan/configuration/connector/network-options/)
-- [Maintenance](/magic-wan/configuration/connector/maintenance/)
-- [Reference information](/magic-wan/configuration/connector/reference/)
-- [Troubleshooting](/magic-wan/configuration/connector/troubleshooting/)
+- Network options
+- Maintenance
+- Reference information
+- Troubleshooting
diff --git a/src/content/partials/networking-services/mconn/device-metrics.mdx b/src/content/partials/networking-services/mconn/device-metrics.mdx
new file mode 100644
index 000000000000000..f05317b744036b3
--- /dev/null
+++ b/src/content/partials/networking-services/mconn/device-metrics.mdx
@@ -0,0 +1,79 @@
+---
+params:
+ - productName
+ - troubleshootingURL
+---
+
+Cloudflare customers can inspect metrics for a specific {props.productName} in the Cloudflare dashboard. These metrics help you troubleshoot potential issues with your {props.productName}. Refer to Troubleshooting for more information.
+
+## Query metrics with GraphQL
+
+Customers can query Cloudflare's GraphQL API to fetch their {props.productName} device metrics. The Cloudflare dashboard displays {props.productName} device metrics over the past one hour. Via the GraphQL API, customers can query for up to 30 days of historical {props.productName} device metrics.
+
+For example:
+
+```graphql graphql-api-explorer
+query telemetry(
+ $accountTag: string
+ $snapshotsFilter: AccountMconnTelemetrySnapshotsAdaptiveGroupsFilter_InputObject!
+ $snapshotMountsFilter: AccountMconnTelemetrySnapshotMountsAdaptiveGroupsFilter_InputObject!
+ $snapshotThermalsFilter: AccountMconnTelemetrySnapshotThermalsAdaptiveGroupsFilter_InputObject!
+ $limit: int64!
+) {
+ viewer {
+ accounts(filter: { accountTag: $accountTag }) {
+ snapshots: mconnTelemetrySnapshots(
+ filter: $snapshotsFilter
+ limit: $limit
+ orderBy: [datetimeFiveMinutes_DESC]
+ ) {
+ max {
+ cpuCount
+ loadAverage1m
+ memoryFreeBytes
+ memoryTotalBytes
+ }
+ dimensions {
+ connectorId
+ datetimeFiveMinutes
+ }
+ }
+ snapshotMounts: mconnTelemetrySnapshotMounts(
+ filter: $snapshotMountsFilter
+ limit: $limit
+ orderBy: [datetimeFiveMinutes_DESC]
+ ) {
+ max {
+ availableBytes
+ totalBytes
+ }
+ dimensions {
+ connectorId
+ datetimeFiveMinutes
+ }
+ }
+ snapshotThermals: mconnTelemetrySnapshotThermals(
+ filter: $snapshotThermalsFilter
+ limit: $limit
+ orderBy: [datetimeFiveMinutes_DESC, connectorId_DESC]
+ ) {
+ max {
+ currentCelcius
+ }
+ dimensions {
+ connectorId
+ datetimeFiveMinutes
+ }
+ }
+ }
+ }
+}
+```
+
+### Average CPU load explained
+
+The metric `average CPU load` is unique and distinctly different from `CPU utilization` which is another common CPU metric. The {props.productName} uses a [Unix-style CPU load calculation]().
+
+CPU load is a measure of the number of processes that are currently running and that are waiting to be run on the CPU. Cloudflare collects the one minute load average from the device and converts that into a percentage based on the total number of cores in the CPU. If the {props.productName} CPU has eight cores, and a one minute load average of two, then the average CPU load is 25%. If the average CPU load is above 100%, then there are processes in the queue that are waiting to be executed on the CPU.
+
+Cloudflare is still evaluating the typical CPU load operating range on the MWAN Connector. In general, a healthy range for average CPU load on any device is between 30% and 70%. Customers may experience decreased MWAN Connector performance if the average CPU load is consistently above 100%.
\ No newline at end of file
diff --git a/src/content/partials/networking-services/mconn/maintenance/activate-connectors.mdx b/src/content/partials/networking-services/mconn/maintenance/activate-connectors.mdx
new file mode 100644
index 000000000000000..2058810b72995ec
--- /dev/null
+++ b/src/content/partials/networking-services/mconn/maintenance/activate-connectors.mdx
@@ -0,0 +1,11 @@
+---
+params:
+ - productName
+ - hadwareConnectorURL
+ - virtualConnectorURL
+---
+
+Before you can activate your {props.productName}, you need to follow Cloudflare's instructions regarding DHCP. For full instructions on this, refer to:
+
+- The hardware version of {props.productName}
+- The virtual version of {props.productName}
\ No newline at end of file
diff --git a/src/content/partials/networking-services/mconn/maintenance/add-remove-connectors.mdx b/src/content/partials/networking-services/mconn/maintenance/add-remove-connectors.mdx
new file mode 100644
index 000000000000000..e83a24eba2af959
--- /dev/null
+++ b/src/content/partials/networking-services/mconn/maintenance/add-remove-connectors.mdx
@@ -0,0 +1,13 @@
+---
+params:
+ - productName
+---
+
+To add a new {props.productName} you first need to remove the one associated with the on-ramp. You can only have more than one {props.productName} if you initially enabled high availability on your on-ramp.
+
+1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/) and select your account.
+2. Go to **Magic WAN** > **Connector on-ramps (beta)**.
+3. Find the on-ramp that you want to edit > select the three dots next to it > **Edit**.
+4. In **Connectors**, remove the Connector associated with the on-ramp.
+5. Select **Add Connector** to add a different Connector to your on-ramp.
+6. Select **Save**.
\ No newline at end of file
diff --git a/src/content/partials/networking-services/mconn/maintenance/deactivate-connector.mdx b/src/content/partials/networking-services/mconn/maintenance/deactivate-connector.mdx
new file mode 100644
index 000000000000000..d83e65594a74f75
--- /dev/null
+++ b/src/content/partials/networking-services/mconn/maintenance/deactivate-connector.mdx
@@ -0,0 +1,13 @@
+---
+{}
+---
+
+import { DashButton } from '~/components';
+
+1. In the Cloudflare dash, go to the **Configuration* page.
+
+ IPsec tunneling. The {props.productName} uses ESP-in-UDP with GCM-AES-256 encryption. Cloudflare uses a non-IKE keying protocol built into our control plane, secured with TLS.
+- The {props.productName} does not support fail open.
+- Customers have the ability to layer on additional security features/policies that are enforced at the Cloudflare network.
+
+---
+
+## ICMP traffic
+
+ICMP traffic is routed through the Internet and bypasses Cloudflare Gateway. This enables you to ping resources on the Internet from the {props.productName} directly, which can be useful for debugging.
+
+---
+
+## VLAN ID
+
+This feature allows you to have multiple [virtual LANs](https://www.cloudflare.com/learning/network-layer/what-is-a-lan/) (VLANs) configured over the same physical port on your {props.productName}. VLAN tagging adds an extra header to [packets](https://www.cloudflare.com/learning/network-layer/what-is-a-packet/) in order to identify which VLAN the packet belongs to and to route it appropriately. This effectively allows you to run multiple networks over the same physical port.
+
+A non-zero value set up for the VLAN ID field in your WAN/LAN is used to handle VLAN-tagged traffic. Cloudflare uses the VLAN ID to handle traffic coming into your {props.productName} device, and applies a VLAN tag with the configured VLAN ID for traffic going out of your {props.productName} through WAN/LAN.
+
+You can setup VLAN IDs both for WAN and LAN. Refer to {props.configHardProductName} or {props.configVirtualProductName} to learn where you can set up VLAN IDs.
+
+## High availability configurations
+
+### Terminology
+
+- **Primary/Secondary**: Used to identify the two nodes which are part of a high availability (HA) configuration pair of {props.productName}s. This identity allows the node to identify which configuration is attributed to it — for example, specifying a primary and secondary IP in a LAN configuration. This identity is configured by the user on the Cloudflare dashboard.
+- **Active/Standby**: These are states that the two nodes in a HA pair will dynamically assume based on an election process. Only one node at any time is expected to be active.
+
+### High availability
+
+A site set up in high availability (HA) mode has two {props.productName}s with the same configuration but replicated in two nodes. In case of failure of a {props.productName}, the other {props.productName} becomes the active node, taking over configuration of the LAN gateway IP and allowing traffic to continue without disruption.
+
+### Active/Standby Election
+
+During the LAN configuration, one of the LAN links is configured as a HA link, which is used to exchange heartbeats, resulting in the active / standby election of nodes.
+
+The state election uses a `PRIORITY` parameter where the node with the higher priority becomes active and the other assumes the standby state. If the priority is the same, the state machine automatically picks one of the nodes as active.
+
+The HA pair is configured in non-preemptive mode, meaning that once a node becomes active, it will remain active unless its priority drops below that of the other node.
+
+### Configuration
+
+The two Connectors of a high availability (HA) pair are part of a single site. You designate the connectors as primary and secondary in the Cloudflare dashboard.
+
+:::note
+The HA link cannot be connected back-to-back. It has to be connected over a switch. This is because, in a direct connection, if the link is unplugged on one end, the other end also detects a link failure. Since we have configured the system to enter a `FAULT` state when the HA link goes down, the affected node will be unable to function as the active node.
+:::
+
+### Failure Detection and Failover
+
+The {props.productName}'s health can be in one of three states:
+
+- **Good** : All health parameters are good
+- **Degraded** : One of the following is true:
+ - Health of at least one configured tunnel is `DOWN`
+ - At least one of the LAN links is disconnected (physically unplugged)
+- **Down** : If one of the following is true:
+ - Health of all tunnels is `DOWN`
+ - All LAN interfaces are disconnected
+ - {props.productName}'s software is not healthy
+
+A failover happens when the active node's health declines to a level lower than that of the standby node. For example, from `GOOD` to `DEGRADED`, or from `DEGRADED` to `DOWN`. In the case of a failover where a {props.productName} is acting as a DHCP server, DHCP leases will be synchronized.
+
+When a failover occurs, traffic is moved to the new active node. It could take up to 30 seconds for traffic to be fully restored over the new active node.
+
+## WAN settings
+
+This is where you add and configure your WAN connections. Each configured WAN will create one IPsec tunnel, unless you have more than one anycast IP configured in your account.
+
+
If you are using {props.virtualProductName}, this needs to correspond to the virtual network interface on the {props.virtualProductName} instance you have set up in VMware.
+- **VLAN ID**: Allows you to have multiple virtual WANs configured over the same port on your Magic WAN Connector. Refer to VLAN ID for more information.
+- **Priority**: Assigns a priority to the WAN interface. Lower numbers have higher priority. Refer to Traffic steering to learn more about how Cloudflare calculates priorities.
+- **Health check rate:** Configures the health check frequency for your WAN. Options are low, mid, and high. Refer to Update tunnel health checks frequency for more information.
+- **Addressing:** Configures the {props.productName} to work in a DHCP or static IP environment.
+
+## LAN settings
+
+- **Interface number:** When using the hardware version of {props.productName}, this refers to the Ethernet port that you are using for your LAN. If you need a throughput higher than 1 Gbps, you can use one of the SFP+ ports. Refer to SFP+ port information for more information on the hardware supported.
If you are using the {props.virtualProductName}, this needs to correspond to the virtual LAN interface on the {props.virtualProductName} instance you have set up in VMware.
+- **VLAN ID**: Allows you to have multiple virtual LANs configured over the same port on your Magic WAN Connector. Refer to VLAN ID for more information.
+- **Static addressing:** Configures the type of IP addressing for your Connector. Depending on your use case, this is where you configure your LAN interface IP address, or enable DHCP server or DHCP relay. Refer to DHCP options to learn more.
+- **Static NAT prefix**: Enable NAT (network address translation). This is an optional setting.
+- **Routed subnets:** Configures additional subnets behind a layer 3 router. Refer to Routed subnets for more information.
+
+### Restrict traffic to your premises
+
+Depending on your use case, you can define policies in your connector to either allow traffic to flow between your LANs without it leaving your local premises or to forward it via the Cloudflare network where you can add additional security features. The default behavior is to drop all LAN-to-LAN traffic. These policies can be created for specific subnets, and link two LANs.
+
+Refer to Network segmentation for more information.
\ No newline at end of file
diff --git a/src/content/partials/networking-services/mconn/app-aware-policies/breakout-prioritized.mdx b/src/content/partials/networking-services/mconn/network-options/app-aware-policies/breakout-prioritized.mdx
similarity index 86%
rename from src/content/partials/networking-services/mconn/app-aware-policies/breakout-prioritized.mdx
rename to src/content/partials/networking-services/mconn/network-options/app-aware-policies/breakout-prioritized.mdx
index b5e0946f412e78a..05e3fc09dab4370 100644
--- a/src/content/partials/networking-services/mconn/app-aware-policies/breakout-prioritized.mdx
+++ b/src/content/partials/networking-services/mconn/network-options/app-aware-policies/breakout-prioritized.mdx
@@ -1,7 +1,9 @@
---
params:
- magicWord
+ - productName
- featureName
+ - trafficSteeringURL?
- whatHappensApp
---
@@ -9,7 +11,7 @@ import { APIRequest, Aside, AnchorHeading, CURL, Markdown, Render, TabItem, Tabs
{ props.magicWord === "breakout" && (
<>
- Breakout traffic allows you to define which applications should bypass Cloudflare's security filtering, and go directly to the Internet. It works via DNS requests inspection. This means that if your network is caching DNS requests, Breakout traffic will only take effect after you cache entries expire and your client issues a new DNS request that the Magic WAN Connector can detect. This can take several minutes.
+ Breakout traffic allows you to define which applications should bypass Cloudflare's security filtering, and go directly to the Internet. It works via DNS requests inspection. This means that if your network is caching DNS requests, Breakout traffic will only take effect after you cache entries expire and your client issues a new DNS request that the {props.productName} can detect. This can take several minutes.
)
@@ -17,7 +19,7 @@ import { APIRequest, Aside, AnchorHeading, CURL, Markdown, Render, TabItem, Tabs
{ props.magicWord === "prioritized" && (
<>
- Prioritized traffic allows you to define which applications Magic WAN Connector should process first. Applications not in the list will be queued behind prioritized traffic.
+ Prioritized traffic allows you to define which applications {props.productName} should process first. Applications not in the list will be queued behind prioritized traffic.
Similarly to breakout traffic, prioritized traffic also works via DNS requests inspection.
@@ -30,7 +32,7 @@ import { APIRequest, Aside, AnchorHeading, CURL, Markdown, Render, TabItem, Tabs
{`
flowchart LR
accTitle: In this example, the applications go directly to the Internet, skipping Cloudflare's security. filtering
- a(Magic WAN Connector) --> b(Cloudflare) -->|Filtered traffic|c(Internet)
+ a(${props.productName}) --> b(Cloudflare) -->|Filtered traffic|c(Internet)
a-- Breakout traffic ---d(Application1) & e(Application2) --> c
@@ -44,7 +46,7 @@ import { APIRequest, Aside, AnchorHeading, CURL, Markdown, Render, TabItem, Tabs
text={`
We recommend [routing](https://www.cloudflare.com/learning/network-layer/what-is-routing/) all traffic through our global network for comprehensive security filtering and access controls. However, there may be specific cases where you want a subset of traffic to bypass Cloudflare's security filtering and route it directly to the Internet. You can scope this breakout traffic to specific applications from the Cloudflare dashboard.
- Refer to [Traffic steering](/magic-wan/reference/traffic-steering/) to learn how Cloudflare routes traffic.
+ Refer to Traffic steering to learn how Cloudflare routes traffic.
`}
inline={false}
/>
@@ -55,7 +57,7 @@ import { APIRequest, Aside, AnchorHeading, CURL, Markdown, Render, TabItem, Tabs
## Add an application to your account
-Before you can add or remove {props.featureName} applications to your Connector, you need to create an account-level list with the applications that you want to configure. Currently, adding to or modifying this list is only possible via API, through the [`managed_app_id`](/api/resources/magic_transit/subresources/apps/methods/create/) endpoint.
+Before you can add or remove {props.featureName} applications to your {props.productName}, you need to create an account-level list with the applications that you want to configure. Currently, adding to or modifying this list is only possible via API, through the [`managed_app_id`](/api/resources/magic_transit/subresources/apps/methods/create/) endpoint.
To add applications to your account:
@@ -86,7 +88,7 @@ Send a `POST` request to add new apps to your account.
You can now add this new app to the {props.featureName} list in your Connector.
-### Add an application to Connector
+### Add an application to {props.productName}
You need to configure {props.featureName} applications for each of your existing sites, as this is a per-site configuration.
@@ -157,7 +159,7 @@ The traffic for the application you chose {props.whatHappensApp}.
+ {`
+ flowchart LR
+ accTitle: An example of Connector in DHCP Relay mode
+ a(${props.productName}) <--> b(Cloudflare/Magic WAN) <--> c(DHCP server)
+
+ subgraph Site A
+ d[LAN 1] <--> a
+ e[LAN 2] <--> a
+ end
+
+ subgraph Site B
+ c
+ end
+ classDef orange fill:#f48120,color: black
+ class a,b,c orange
+ `}
+
+
+_The above graph shows {props.productName} sending DHCP discover messages to a DHCP server offsite._
+
+:::caution
+DHCP relay will not work if your DHCP server is behind a Cloudflare Tunnel. To enable DHCP relay functionality, use either a {props.cfVsCoreDashNamingMwanCni}.
+:::
+
+To configure DHCP relay:
+
+
+ {`
+ flowchart LR
+ accTitle: In this example, there are LANs where traffic flows between each other, instead of going to Cloudflare first.
+ a(${props.productName}) <---> b(Internet) <---> c(Cloudflare)
+
+ subgraph Customer site
+ d[LAN 1] <---> a
+ e[LAN 2] <---> a
+ g[LAN 3] <---> a
+ h[LAN 4] <---> a
+ end
+ classDef orange fill:#f48120,color: black
+ class a,c orange
+
+ linkStyle 0,1,2,3 stroke:#f48120,stroke-width:3px
+ linkStyle 4,5 stroke:red,stroke-width:3px
+ `}
+
+
+_In the above example, the red path shows traffic that stays in the customer's premises (allowing direct communication between LAN 3 and LAN 4), and the orange path shows traffic that goes to Cloudflare before returning to the customer's premises (processing traffic between LAN 1 and LAN 2 in Cloudflare)._
+
+traceroute]
-Magic WAN clients connecting through [GRE](/magic-wan/configuration/manually/how-to/configure-tunnel-endpoints/), [IPsec](/magic-wan/configuration/manually/how-to/configure-tunnel-endpoints/), [CNI](/network-interconnect/) or [WARP](/cloudflare-one/connections/connect-devices/warp/) that want to perform a `traceroute` to an endpoint behind a [Cloudflare Tunnel](/cloudflare-one/connections/connect-networks/) will need to change some settings to make the command useful. Refer to [Run `traceroute`](/magic-wan/configuration/manually/how-to/traceroute/) for more information.
+{props.productName} clients connecting through GRE, IPsec, [CNI](/network-interconnect/) or WARP that want to perform a `traceroute` to an endpoint behind a Cloudflare Tunnel will need to change some settings to make the command useful. Refer to Run `traceroute` for more information.
:::
diff --git a/src/content/partials/networking-services/tunnel-health/mconn-heartbeat-health.mdx b/src/content/partials/networking-services/tunnel-health/mconn-heartbeat-health.mdx
new file mode 100644
index 000000000000000..095b35ecc5a6000
--- /dev/null
+++ b/src/content/partials/networking-services/tunnel-health/mconn-heartbeat-health.mdx
@@ -0,0 +1,9 @@
+---
+params:
+ - productName
+ - heartbeatURL
+---
+
+{props.productName} also includes a heartbeat function, an additional way of communicating its health status which does not depend on successfully setting up any tunnels. The heartbeat function communicates periodically with Cloudflare via HTTPS and lets Cloudflare know that the {props.productName} in question is connected to the Internet and reachable.
+
+Refer to Heartbeat to learn more.
\ No newline at end of file