diff --git a/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/warp-to-warp.mdx b/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/warp-to-warp.mdx
index 2d24c8ee195e2b0..0f01e4322e81114 100644
--- a/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/warp-to-warp.mdx
+++ b/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/warp-to-warp.mdx
@@ -8,7 +8,7 @@ head:
content: Create private networks with WARP-to-WARP
---
-import { Render, GlossaryTooltip } from "~/components";
+import { Render, GlossaryTooltip, Tabs, TabItem } from "~/components";
With Cloudflare Zero Trust, you can create a private network between any two or more devices running Cloudflare WARP. This means that you can have a private network between your phone and laptop without ever needing to be connected to the same physical network. If you already have an existing Zero Trust deployment, you can also enable this feature to add device-to-device connectivity to your private network with the press of a button. This will allow you to connect to any service that relies on TCP, UDP, or ICMP-based protocols through Cloudflare's network.
@@ -34,16 +34,26 @@ This guide covers how to:
3. Enable **Allow WARP to WARP connection**. This allows Cloudflare to route traffic to the CGNAT IP space.
4. In your [Split Tunnel configuration](/cloudflare-one/team-and-resources/devices/warp/configure-warp/route-traffic/split-tunnels/), ensure that traffic to `100.96.0.0/12` is going through WARP:
-- If using **Exclude** mode, delete `100.64.0.0/10` from the list and add the following IP addresses:
-
- - `100.64.0.0/12`
- - `100.81.0.0/16`
- - `100.82.0.0/15`
- - `100.84.0.0/14`
- - `100.88.0.0/13`
- - `100.112.0.0/12`
+
+ If using Split Tunnels in **Exclude** mode:
+ 1. Delete `100.64.0.0/10` from the list.
+ 2. We recommend [adding back the IPs](/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/connect-cidr/#3-route-private-network-ips-through-warp) that are not being used for Zero Trust services. For example, if you are using WARP-to-WARP alongside [Gateway host selectors](/cloudflare-one/traffic-policies/egress-policies/host-selectors/) or [private hostname routing](/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/connect-private-hostname/), add routes to exclude the following IP addresses:
+
+ - `100.64.0.0/12`
+ - `100.81.0.0/16`
+ - `100.82.0.0/15`
+ - `100.84.0.0/14`
+ - `100.88.0.0/13`
+ - `100.112.0.0/12`
+
+
+ If using Split Tunnels in **Include** mode:
+
+ 1. Add the required [Zero Trust domains](/cloudflare-one/team-and-resources/devices/warp/configure-warp/route-traffic/split-tunnels/#cloudflare-zero-trust-domains) or [IP addresses](/cloudflare-one/team-and-resources/devices/warp/configure-warp/route-traffic/split-tunnels/#cloudflare-zero-trust-ip-addresses) to your Split Tunnel include list.
+ 2. [Add a route](/cloudflare-one/team-and-resources/devices/warp/configure-warp/route-traffic/split-tunnels/#add-a-route) to include `100.96.0.0/12`.
+
+
-- If using **Include** mode, add `100.96.0.0/12` and `100.80.0.0/16` to your list.
This will instruct WARP to begin proxying any traffic destined for a `100.96.0.0/12` IP address to Cloudflare for routing and policy enforcement.
diff --git a/src/content/docs/cloudflare-one/traffic-policies/egress-policies/host-selectors.mdx b/src/content/docs/cloudflare-one/traffic-policies/egress-policies/host-selectors.mdx
index b7494459360a30c..c094ebd287936bb 100644
--- a/src/content/docs/cloudflare-one/traffic-policies/egress-policies/host-selectors.mdx
+++ b/src/content/docs/cloudflare-one/traffic-policies/egress-policies/host-selectors.mdx
@@ -5,7 +5,7 @@ sidebar:
order: 2
---
-import { Tabs, TabItem, Details, APIRequest } from "~/components";
+import { Tabs, TabItem, Details, APIRequest} from "~/components";
@@ -92,23 +92,21 @@ To configure your Zero Trust organization to use Host selectors with Egress poli
{/* prettier-ignore-start */}
-2. In your WARP [device profile](/cloudflare-one/team-and-resources/devices/warp/configure-warp/device-profiles/), configure your [Split Tunnel](/cloudflare-one/team-and-resources/devices/warp/configure-warp/route-traffic/split-tunnels/) depending on the mode:
+2. In your WARP [device profile](/cloudflare-one/team-and-resources/devices/warp/configure-warp/device-profiles/), configure [Split Tunnels](/cloudflare-one/team-and-resources/devices/warp/configure-warp/route-traffic/split-tunnels/) depending on the mode:
- 1. [Remove the route](/cloudflare-one/team-and-resources/devices/warp/configure-warp/route-traffic/split-tunnels/#remove-a-route) to the IP address `100.64.0.0/10` from your Split Tunnel exclude list.
- 2. [Add routes](/cloudflare-one/team-and-resources/devices/warp/configure-warp/route-traffic/split-tunnels/#add-a-route) to exclude the following IP addresses:
+ 1. [Remove the route](/cloudflare-one/team-and-resources/devices/warp/configure-warp/route-traffic/split-tunnels/#remove-a-route) to the IP address `100.64.0.0/10` from your Split Tunnel exclude list.
+ 2. We recommend [adding back the IPs](/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/connect-cidr/#3-route-private-network-ips-through-warp) that are not being used for Zero Trust services. For example, if you are using Gateway host selectors alongside [WARP-to-WARP connectivity](/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/warp-to-warp/) add routes to exclude the following IP addresses:
- `100.64.0.0/12`
- `100.81.0.0/16`
- `100.82.0.0/15`
- `100.84.0.0/14`
- `100.88.0.0/13`
- `100.112.0.0/12`
-
- And remove `100.64.0.0/10` IP address.
- 1. Add the required [Zero Trust domains](/cloudflare-one/team-and-resources/devices/warp/configure-warp/route-traffic/split-tunnels/#cloudflare-zero-trust-domains) or [IP addresses](/cloudflare-one/team-and-resources/devices/warp/configure-warp/route-traffic/split-tunnels/#cloudflare-zero-trust-ip-addresses) to your Split Tunnel include list.
- 2. [Add a route](/cloudflare-one/team-and-resources/devices/warp/configure-warp/route-traffic/split-tunnels/#add-a-route) to include `100.80.0.0/16` and `100.96.0.0/12` IP addresses.
+ 1. Add the required [Zero Trust domains](/cloudflare-one/team-and-resources/devices/warp/configure-warp/route-traffic/split-tunnels/#cloudflare-zero-trust-domains) or [IP addresses](/cloudflare-one/team-and-resources/devices/warp/configure-warp/route-traffic/split-tunnels/#cloudflare-zero-trust-ip-addresses) to your Split Tunnel include list.
+ 2. [Add a route](/cloudflare-one/team-and-resources/devices/warp/configure-warp/route-traffic/split-tunnels/#add-a-route) to include `100.80.0.0/16`.
diff --git a/src/content/docs/load-balancing/private-network/warp-to-tunnel.mdx b/src/content/docs/load-balancing/private-network/warp-to-tunnel.mdx
index 1337d051624ee15..6591206f8f00039 100644
--- a/src/content/docs/load-balancing/private-network/warp-to-tunnel.mdx
+++ b/src/content/docs/load-balancing/private-network/warp-to-tunnel.mdx
@@ -133,6 +133,7 @@ In order for WARP clients to connect to your load balancer, the load balancer's
- **Exclude mode**: Delete the IP range that contains your load balancer IP. For example, if your load balancer has a Cloudflare-assigned CGNAT IP, delete `100.64.0.0/10`. We recommend [adding back the IPs](/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/connect-cidr/#3-route-private-network-ips-through-warp) that are not being used by your load balancer.
:::note
Some IPs in the `100.64.0.0/10` range may be reserved for other Zero Trust services such as Gateway initial resolved IPs or WARP CGNAT IPs. These IPs should remain deleted from the Exclude list.
+ :::
- **Include mode**: Add your load balancer IP.
WARP traffic can now reach your private load balancer. For example, if your load balancer points to a web application, you can test by running `curl ` from the WARP device. This traffic will be distributed over Cloudflare Tunnel to your private endpoints according to your configured steering method.