Cloudflare Warp Connector Site-to-Site troubleshooting

What is the name of the domain?

na

What is the issue you’re encountering

Client on network B cannot access all services on network A.

What steps have you taken to resolve the issue?

I have deployed a Warp Connector on two networks according to this documentation: Connect two or more private networks · Cloudflare Zero Trust docs

Setup:
Network A: 10.0.0.0/24
Router A: 10.0.0.1
Server A: 10.0.0.2
Warp Connector A: 10.0.0.3
Client A: 10.0.0.100

Network B: 192.168.1.0/24
Router B: 192.168.1.1
Server B: 192.168.1.2
Warp Connector B: 192.168.1.3
Client B: 192.168.1.100

I am able to successfully ping Router A (10.0.0.1) from client B (192.168.1.100), however I cannot ping any other device on Network A, such as Server A 10.0.0.2.

Warp Connectors are deployed in VMs running on the servers.

I have a static route configured on each router:
Router A static route: 192.168.1.0/24 points to Warp Connector at 10.0.0.3
Router B static route: 10.0.0.0/24 points to Warp Connector at 192.168.1.3

What am I missing?

Hi,

Thank you for reaching out to us. Can you please make sure that the WARP connectors have routes configured for the respective remote networks?

WARP connector A should have a route to 192.168.1.0/24 via its internal network interface.

WARP connector B should have a route to 10.0.0.0/24 via its internal network interface.

You can also check this:

Go to Access > Tunnels.

Ensure the 10.0.0.0/24 and 192.168.1.0/24 are included in the routing policy for both connectors.

Go to Settings > Network.

Check if there are any policies blocking traffic between the two networks.

Ensure both WARP connectors have the correct permissions to handle traffic for their respective networks.

Ideally, you should run a traceroute (Gathering information for troubleshooting sites · Cloudflare Support docs) from client b to server a to identify where the traffic is being dropped and identify what exactly is wrong. Maybe there’s a firewall or something else blocking the traffic.

As mentioned in our docs: Ensure that your routing rules do not forward the WARP ingress IP back to the WARP Connector.

You can always review our documentation here: WARP Connector · Cloudflare Zero Trust docs

Thank you. I did check and confirm those settings, but I found everything was configured correctly.

Fortunately, I finally discovered the solution, which is unique to my network configuration.

In my case, Router A was within Network B. The Network A router was on the LAN of the Network B router. In this configuration, if I am on Client A and I attempt to ping Client B, it is successful even without a tunnel in place because Client B is on the WAN of Router A. However, this was causing the behavior noted in the original post.

This would not have been an issue if the two networks were in fact completely separate, as is common.

I solved this issue by configuring a DMZ on Router B and placing Router A in the DMZ. That should be fine, as it is a fully functional router with a firewall.

I know it is strange to set up a network this way. In this case Network A is a mobile application that is sometimes connected to Network B WIFI (when parked at home), and sometimes it is connected to a cellular link when abroad. Cloudflared and Warp Connector allow me to easily handle the network transitions. Awesome!
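
The nested layout described in the last post can be caught with a routing-table check. The following is an added example, not part of the thread or of Cloudflare's tooling: it models Router A's table and reports static routes toward the WARP Connector that are bypassed because the same prefix is directly connected. The interface names, the 203.0.113.0/24 WAN network and the rule that a connected route wins over a static one of equal prefix length are assumptions.

```python
import ipaddress

# Constructed routing tables for Router A. Prefixes and the connector address
# come from the thread; interface names and 203.0.113.0/24 are assumptions.
ROUTER_A_NESTED = [    # WAN port plugged into Network B, as in the last post
    {"prefix": "10.0.0.0/24",    "kind": "connected", "via": "lan"},
    {"prefix": "192.168.1.0/24", "kind": "connected", "via": "wan"},
    {"prefix": "192.168.1.0/24", "kind": "static",    "via": "10.0.0.3"},
    {"prefix": "0.0.0.0/0",      "kind": "static",    "via": "192.168.1.1"},
]
ROUTER_A_SEPARATE = [  # WAN on an unrelated network (documentation range)
    {"prefix": "10.0.0.0/24",    "kind": "connected", "via": "lan"},
    {"prefix": "203.0.113.0/24", "kind": "connected", "via": "wan"},
    {"prefix": "192.168.1.0/24", "kind": "static",    "via": "10.0.0.3"},
    {"prefix": "0.0.0.0/0",      "kind": "static",    "via": "203.0.113.1"},
]

def route_for(table, dst):
    """Longest-prefix match; on a tie a connected route beats a static one (assumed)."""
    addr = ipaddress.ip_address(dst)
    hits = [r for r in table if addr in ipaddress.ip_network(r["prefix"])]
    if not hits:
        return None
    return max(hits, key=lambda r: (ipaddress.ip_network(r["prefix"]).prefixlen,
                                    r["kind"] == "connected"))

def bypassed_static_routes(table):
    """Static routes whose destinations are reached over a connected interface instead."""
    connected = [r for r in table if r["kind"] == "connected"]
    findings = []
    for s in (r for r in table if r["kind"] == "static"):
        s_net = ipaddress.ip_network(s["prefix"])
        if s_net.prefixlen == 0:
            continue  # a default route always contains the connected networks
        for c in connected:
            if ipaddress.ip_network(c["prefix"]).subnet_of(s_net):
                findings.append((s["prefix"], s["via"], c["via"]))
    return findings

if __name__ == "__main__":
    for name, table in (("nested", ROUTER_A_NESTED), ("separate", ROUTER_A_SEPARATE)):
        hop = route_for(table, "192.168.1.100")["via"]
        print(f"{name}: Client B reached via {hop}; bypassed: {bypassed_static_routes(table)}")
```
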