[CF1] SWG w/o DNS filtering mode IPv6 limitation #23415
base: production
Howdy and thanks for contributing to our repo. The Cloudflare team reviews new, external PRs within two (2) weeks. If it's been two weeks or longer without any movement, please tag the PR Assignees in a comment. We review internal PRs within 1 week. If it's something urgent or has been sitting without a comment, start a thread in the Developer Docs space internally.
PR Change Summary
Updated documentation for the Secure Web Gateway without DNS filtering mode to clarify IPv6 limitations and enhance user understanding.
This pull request requires reviews from CODEOWNERS as it changes files that match the following patterns:
In [Secure Web Gateway without DNS filtering](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-modes/#secure-web-gateway-without-dns-filtering) mode, after the WARP tunnel is established, WARP checks connectivity by resolving `connectivity.cloudflareclient.com` using the DNS server configured on the device. | ||
|
||
Sometimes this check fails because the DNS server—often assigned by DHCP and accessible only on the local network—becomes unreachable when traffic is routed through the WARP tunnel. | ||
|
||
For IPv4, failure is uncommon because DHCP-assigned DNS servers typically use private (RFC 1918) addresses, which WARP excludes from the tunnel by default. | ||
|
||
However, in an IPv6 environment, there is no automatic exclusion. If your DNS server uses an IPv6 address, you must manually exclude it from WARP’s tunnel using [split tunnel](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/) settings for Secure Web Gateway without DNS filtering mode to work properly. |
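Review bot: "Sometimes this check fails" in the second paragraph names no symptom, so a reader cannot tell from this text that the IPv6 DNS server is the cause of what they are seeing. Suggest stating what the device shows when the lookup of `connectivity.cloudflareclient.com` fails, and noting in the last paragraph that a DHCP-assigned resolver address can differ from one network to the next, so the split tunnel exclusion has to cover every address the device may be given.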
I think we can probably skip on some of the implementation details. How about something like:
In Secure Web Gateway without DNS filtering mode, devices using IPv6 DNS servers may experience connectivity issues if these servers are not manually excluded from the WARP tunnel. Unlike common IPv4 DHCP configurations where DNS servers often fall within automatically excluded private address ranges, IPv6 environments typically require manual exclusion of DNS server addresses via split tunnel settings for proper operation.
In [Secure Web Gateway without DNS filtering](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-modes/#secure-web-gateway-without-dns-filtering) mode, after the WARP tunnel is established, WARP checks connectivity by resolving `connectivity.cloudflareclient.com` using the DNS server configured on the device. | ||
|
||
Sometimes this check fails because the DNS server—often assigned by DHCP and accessible only on the local network—becomes unreachable when traffic is routed through the WARP tunnel. | ||
|
||
For IPv4, failure is uncommon because DHCP-assigned DNS servers typically use private (RFC 1918) addresses, which WARP excludes from the tunnel by default. | ||
|
||
However, in an IPv6 environment, there is no automatic exclusion. If your DNS server uses an IPv6 address, you must manually exclude it from WARP’s tunnel using [split tunnel](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/) settings for Secure Web Gateway without DNS filtering mode to work properly. |
In [Secure Web Gateway without DNS filtering](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-modes/#secure-web-gateway-without-dns-filtering) mode, after the WARP tunnel is established, WARP checks connectivity by resolving `connectivity.cloudflareclient.com` using the DNS server configured on the device. | |
Sometimes this check fails because the DNS server—often assigned by DHCP and accessible only on the local network—becomes unreachable when traffic is routed through the WARP tunnel. | |
For IPv4, failure is uncommon because DHCP-assigned DNS servers typically use private (RFC 1918) addresses, which WARP excludes from the tunnel by default. | |
However, in an IPv6 environment, there is no automatic exclusion. If your DNS server uses an IPv6 address, you must manually exclude it from WARP’s tunnel using [split tunnel](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/) settings for Secure Web Gateway without DNS filtering mode to work properly. | |
In [Secure Web Gateway without DNS filtering mode](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-modes/#secure-web-gateway-without-dns-filtering), WARP checks connectivity by using the DNS server configured on the device. | |
IPv4 environments rarely encounter issues because DHCP-assigned DNS servers typically use private (RFC 1918) addresses that WARP excludes from the tunnel by default. Devices using IPv6 DNS servers may experience connectivity failures if these addresses are not manually excluded. | |
If your DNS server uses an IPv6 address, you must manually exclude it using [split tunnel](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/) settings for Secure Web Gateway without DNS filtering mode to work properly. |
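Review bot: The replacement opening sentence drops both the hostname `connectivity.cloudflareclient.com` and the "after the WARP tunnel is established" timing, which are the two details an administrator needs to recognise this failure in client logs or a packet capture; keep them in the shortened version. The last two sentences also state the manual exclusion requirement twice ("if these addresses are not manually excluded" and "you must manually exclude it"), so one of them can go.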
Summary
PCX-18090
Screenshots (optional)
Documentation checklist