Access to local IPs when in the same subnet locally

Hi, I'm doing some local testing before considering using this ZTNA product in other parts of my work infra, and I am running into some issues that I appear not to be smart enough to solve on my own.

I'm using ZTNA (with arp gateway) to be able to reach a local network (subnet) from remote. This was rather easy to set up and works as intended.

However, now if I am actually in this local network with the client PC and have WARP connected, I can no longer reach the local subnet. For example, ping is not working. You can clearly see this in the netstat -rn output of this client.

Destination        Gateway            Flags           Netif Expire
0/2                utun3              Ucg             utun3
default                               UGScg           en0
default            link#26            UCSIg           utun3
                   link#26            UHWIig          utun3
10/25              link#14            UCS             en0      !
                   link#14            UCS             en0      !
                   56:1:c5:89:ca:3a   UHLWIir         en0   1148
                   ea:19:4a:9d:dd:eb  UHLWI           en0      !
                   link#14            UHLWI           en0      !
                   0:11:32:94:bf:8d   UHLWIi          en0    711
                   92:2d:d8:6d:df:13  UHLWIi          en0      !
                   76:42:58:8:d5:20   UHLWI           en0      !
                   7e:3b:61:91:c5:5e  UHLWI           en0      !
                   link#14            UHLWI           en0      !
                   da:ff:fb:8:17:ec   UHLWI           en0      !
                   link#14            UHLWI           en0      !
                   link#14            UCS             en0      !
                   f8:4d:89:76:5e:f6  UHLWI           lo0
                   98:5d:ad:70:e5:51  UHLWI           en0      !
                   ff:ff:ff:ff:ff:ff  UHLWbI          en0      !
                   link#26            UHWIig          utun3
                   link#26            UHWIig          utun3
                   link#26            UHWIig          utun3
                   link#26            UHWIig          utun3

and ifconfig to prove that I am indeed in the same local subnet 10/25:

	ether f8:4d:89:76:5e:f6
	inet6 fe80::18e1:d757:6acf:c8ac%en0 prefixlen 64 secured scopeid 0xe
	inet netmask 0xffffff80 broadcast
	inet6 2003:ed:af10:0000::1f71 prefixlen 128 dynamic
	nd6 options=201<PERFORMNUD,DAD>
	media: autoselect
	status: active
utun3: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
	inet --> netmask 0xffffffff
	inet6 fe80::fa4d:89ff:fe76:5ef6%utun3 prefixlen 64 scopeid 0x1a
	inet6 2606:4700:110:83ee:cadb:1454:1b51:bf46 prefixlen 128
	nd6 options=201<PERFORMNUD,DAD>

And here the cloudflared configured routes:

cloudflared tunnel route ip list
NETWORK      VIRTUAL NET ID                       COMMENT TUNNEL ID                            TUNNEL NAME CREATED              DELETED
             xxxxxx-xxx-xxx-xxx-xxxxxxx                   xxxxxx-xxx-xxx-xxx-xxxxxxx           mytunnel    2023-03-07T18:00:40Z -
             xxxxxx-xxx-xxx-xxx-xxxxxxx                   xxxxxx-xxx-xxx-xxx-xxxxxxx           mytunnel    2023-03-08T08:25:34Z -

So both local subnets have been configured in the tunnel (and both work fine from remote) &

However, when the client device is located inside the local network, the addresses inside this network are no longer reachable for this device. As you can see in the netstat output, it appears that these are not added to the utun3 route.

In the work environment, I would like to create a situation where employees have WARP installed, and it would be forced to be always on, on their devices. But it should obviously not break stuff if these employees decide to come into the office :smiley:

Anyone any clue? I somehow am stuck staring at this at the moment.
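An added diagnostic example, not from the original post and not Cloudflare's tooling: it parses a macOS `netstat -rn` table and performs the same longest-prefix lookup the kernel does, so for a given LAN address you can tell whether the packet would leave via en0 or be captured by the utun3 (WARP) interface. The table embedded below is constructed, because the scraped copy of the post's output lost its address column; the handling of truncated destinations such as `127` is an assumption about the BSD shorthand.

```python
import ipaddress
# Constructed sample modelled on the post's macOS `netstat -rn` table (the scraped
# copy lost its address column, so every address here is made up).
SAMPLE_NETSTAT = """\
Destination        Gateway            Flags           Netif Expire
0/2                link#26            UCSIg           utun3
default            10.0.0.1           UGScg           en0
10/25              link#14            UCS             en0      !
10.0.0.17          0:11:32:94:bf:8d   UHLWIi          en0    711
10.0.0.50          link#26            UHWIig          utun3
127                127.0.0.1          UCS             lo0
"""

def parse_destination(dest):
    """Expand BSD shorthand ('10/25', 'default', '127') to an IPv4Network, else None."""
    if dest == "default":
        return ipaddress.IPv4Network("0.0.0.0/0")
    addr, _, prefix = dest.partition("/")
    octets = addr.split(".")
    if len(octets) > 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        return None
    if not prefix:
        # Assumption: bare full address = host route; '127' = 8 bits per octet shown.
        prefix = "32" if len(octets) == 4 else str(8 * len(octets))
    octets += ["0"] * (4 - len(octets))
    return ipaddress.IPv4Network(".".join(octets) + "/" + prefix, strict=False)

def parse_routes(netstat_text):
    """Return (network, gateway, flags, netif) for every IPv4 route line."""
    routes = []
    for line in netstat_text.splitlines():
        fields = line.split()
        net = parse_destination(fields[0]) if len(fields) >= 4 else None
        if net is not None:
            routes.append((net, fields[1], fields[2], fields[3]))
    return routes

def lookup(netstat_text, target):
    """Longest-prefix match: (network, netif) the kernel would use for target, or None."""
    ip = ipaddress.IPv4Address(target)
    best = None
    for net, _gw, _flags, netif in parse_routes(netstat_text):
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, netif)
    return best

def tunnel_captured(netstat_text, target):
    """True when target would leave via a utun (WARP) interface, not the LAN one."""
    match = lookup(netstat_text, target)
    return match is not None and match[1].startswith("utun")
```

On a real client, feed it the output of `netstat -rn` and check each LAN host you cannot ping: a /32 host route or a broad supernet pointing at utun3 beats the 10/25 entry on en0.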