I’m using Cloudflare Zero Trust and have set up a block rule under Firewall policies for both DNS and HTTP traffic. However, it’s not blocking any websites. I’ve tested this with both Wi-Fi and mobile data, and the rule isn’t working in either case. I would appreciate any assistance you can provide.
I’m using WARP client both on computer and mobile device. What IP address location are you referring to? Do you mean my ISP IP address? If so, it’s dynamic and it doesn’t change as often.
Somehow, the firewall policies are working fine when using Wi-Fi on both my computer and mobile device. However, when I switch to a data plan on my mobile device, the policies are not being applied.
Does anyone know if it’s by design that the firewall policies don’t work while connected to a data plan?
I’d check to see if another DNS resolver is taking over for those requests. While on the data plan, do you see these queries in the logs on Cloudflare? If not, that’s a pretty good indication something else (like the browser or a group policy) is handling DNS requests instead of the Warp client.
While connected through my data plan, I checked the Gateway activity logs on Cloudflare. I found logs for Network and HTTP but none for DNS. In the Cloudflare app, under Diagnostics > Debug Logs > DNS Logs, clicking on one of the DNS logs shows my ISP IP address in the “Resolver address,” which explains the absence of DNS logs in the Gateway activity logs. When connected through my Wi-Fi network, the Resolver address is “XXXX.cloudflare-gateway.com.”
I thought that when you’re connected to Warp, it would use the Cloudflare DNS IP address regardless of whether you’re on Wi-Fi or using a data plan.
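The check described above (look at which resolver each query actually reached, and treat anything other than the team's cloudflare-gateway.com hostname as a query that Gateway never saw) can be scripted once the debug DNS logs are exported. The following is an added example, not code from the thread or from Cloudflare; the log entry layout, field names, the gateway hostname and the resolver addresses are all constructed for illustration and must be adapted to the real export.

```python
# Added example (not from the thread or from Cloudflare): audit exported DNS
# debug-log entries for queries that bypassed the Cloudflare Gateway resolver.
# The entry layout and field names are constructed for illustration; real
# WARP debug logs are not in this format.
from collections import Counter

# The team's Gateway resolver hostname ends with this suffix (the "xxxx" part
# is team-specific). Any other resolver means DNS policies never saw the query.
GATEWAY_SUFFIX = ".cloudflare-gateway.com"

# Constructed sample mirroring the thread's observation: Wi-Fi queries show the
# Gateway hostname as the resolver, cellular queries mostly show the ISP's.
SAMPLE_LOG = [
    {"network": "wifi", "qname": "example.com", "resolver": "abcd.cloudflare-gateway.com"},
    {"network": "wifi", "qname": "blocked.example", "resolver": "abcd.cloudflare-gateway.com"},
    {"network": "cellular", "qname": "example.com", "resolver": "203.0.113.53"},
    {"network": "cellular", "qname": "blocked.example", "resolver": "2001:db8::53"},
    {"network": "cellular", "qname": "ok.example", "resolver": "abcd.cloudflare-gateway.com"},
]


def is_gateway_resolver(resolver: str, suffix: str = GATEWAY_SUFFIX) -> bool:
    """True if the resolver address is the team's Gateway hostname.

    Hostnames are case-insensitive, so normalise before comparing. An IPv4 or
    IPv6 literal (an ISP or public resolver) never matches.
    """
    return resolver.strip().lower().endswith(suffix)


def find_bypassed(entries, suffix=GATEWAY_SUFFIX):
    """Return the log entries whose resolver is not the Gateway hostname."""
    return [e for e in entries if not is_gateway_resolver(e["resolver"], suffix)]


def bypass_by_network(entries, suffix=GATEWAY_SUFFIX):
    """Count bypassed queries per network type.

    A leak that only happens on one interface (cellular in the thread) shows
    up as a non-zero count for that network and zero for the others.
    """
    counts = Counter(e["network"] for e in find_bypassed(entries, suffix))
    return dict(counts)


def offending_resolvers(entries, suffix=GATEWAY_SUFFIX):
    """Distinct non-Gateway resolver addresses seen, sorted for reporting."""
    return sorted({e["resolver"] for e in find_bypassed(entries, suffix)})


if __name__ == "__main__":
    bypassed = find_bypassed(SAMPLE_LOG)
    print(f"{len(bypassed)} of {len(SAMPLE_LOG)} queries bypassed Gateway")
    print("bypassed per network:", bypass_by_network(SAMPLE_LOG))
    print("non-Gateway resolvers:", offending_resolvers(SAMPLE_LOG))
```

On the constructed sample the per-network count is `{"cellular": 2}` and the offending resolvers are the two ISP addresses, which is the pattern the thread describes: Gateway activity logs show no DNS entries for those queries because they were answered by the carrier's resolver, not by Gateway.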
I am sorry to hear this.
However, I cannot replicate this on my mobile data plan network (A1 Hrvatska).
I tested using my Android device.
Once I installed the WARP app, I was first asked to allow it to create/add the “VPN profile”.
After that succeeded, in the “settings” menu I selected “WARP” for the connection.
The returned IP was IPv4 and IPv6 from Cloudflare Zagreb.
If I select 1.1.1.1 instead of WARP in the “settings” menu, then my IP is only from the provider (mobile data) and IPv4 only (since 1.1.1.1 is DNS-only).
If I log in to my Zero Trust team, with “Gateway with WARP” I again get IPv4 and IPv6 from Cloudflare Zagreb; with “Gateway with 1.1.1.1” my provider’s IP is shown again.
The only thing I had to disable for testing was TLS decryption, because I didn’t have the CA certificate installed on my Android device.
Are you using any configured fallback? Or maybe a Resolver policy?
What is your “Service mode” for your “Default” profile under WARP Client at Zero Trust Dashboard?
I have got Firewall policies in place (DNS, Network and HTTP) for testing.
Note: For testing purposes I used WARP, not WARP+ (paid).
In the Local Domain Fallback and Split Tunnels settings, all IPs and domains are set to their defaults, and no changes were made in this area. However, I was able to get it to work on my mobile device by configuring the private DNS to point to xxxx.cloudflare-gateway.com on my Android device:
To enable private DNS on your Android phone:
Open “Settings.”
Tap “Connections.”
Select “More connection settings.”
Tap “Private DNS.”
Choose “Private DNS provider hostname.”
Enter xxxx.cloudflare-gateway.com as the DNS provider hostname and then tap “Save.”
I’m not sure why this was necessary for it to work.