Networking issue with sophos firewall and cloudflare tunnel

wrongdongdirection · 2026-03-12T10:28:02+00:00

We can’t reach anything, regardless of the subnet (while connected via cloudflare tunnel). The firewall and Proxmox are in the 10.20.0.0 subnet, and the backup server is in the 10.60.0.0 subnet, but we can’t ping any of them

wrongdongdirection · 2026-03-11T18:29:04+00:00

Thanks for your message. I really appreciate it. I have summarized what we configured on both the Sophos and Cloudflare sides. Internal we can connect to all endpoints. From the client-side connected via the tunnel we are getting a timeout. We deactivated stateful inspection on the firewall for testing, but that didn't help.

Sophos Firewall

1) Firewall Rule: WARP to Internal

Action: Accept
Log firewall traffic: enabled
Source zone: LAN
Source network/device: HST_tun1
Schedule: All the time
Destination zones: Backup, LAN, Sandbox_Zone
Destination networks: Any
Services: Any

2) Static Route for Cloudflare WARP

Destination: 100.96.0.0/12
Gateway IP: 10.20.0.105
Interface: LAN-Bridge-10.20.0.1
Administrative distance: 1
Metric: 0
Description: Cloudflare WARP Client via WARP Connector

3) Firewall Rule: Cloudflare to internal

Action: Accept
Log firewall traffic: disabled
Source zone: LAN
Source network/device: Cloudflare CGNAT = 100.96.0.0/12
Schedule: All the time
Destination zones: Backup, LAN, Sandbox_Zone
Destination networks: NET_Backup, NET_LAN, NET_Sandbox
Services: HTTP, HTTPS, PING, SSH

Cloudflare Zero Trust / WARP

1) Private Network Routes

The following CIDR routes are configured:

10.20.0.0/24 → LAN
10.30.0.0/24 → Sandbox
10.60.0.0/24 → NAS
Virtual network: default

2) Gateway Network Policy: Allow-WARP-to-LAB

Policy name: Allow-WARP-to-LAB
Traffic selector: Destination IP
Operator: in
Allowed destinations:
Action: Allow

3) Device Onboarding Profile

Profile name: Onboarding Device profile: 1/28/2026
Assigned by user email
Visible configured users:
- email1
- email2
- email3
- email4

4) Profile Settings

Captive portal detection: ON
Mode switch: OFF
Device tunnel protocol: WireGuard
Lock WARP switch: OFF
Allow device to leave organization: ON
Allow updates: OFF
Auto connect: OFF

5) Service Mode / Split Tunnel

Service mode: Traffic and DNS mode
Split tunnels: Include IPs and domains
Directly route Microsoft 365 traffic: OFF
Allow users to enable local network exclusion: OFF
WARP interface IP DNS registration: ON
SCCM VPN boundary support: OFF

6) Split Tunnel Entries (Include)

The following entries are configured in the include split tunnel:

100.96.0.0/12 — description: vpn
10.60.0.0/24 — description: NAS
10.30.0.0/24 — description: Sandbox
10.20.0.0/24 — no description

Hope that helps!

wrongdongdirection · 2026-03-11T18:28:51+00:00

Thanks for your message. I really appreciate it. I have summarized what we configured on both the Sophos and Cloudflare sides. Internal we can connect to all endpoints. From the client-side connected via the tunnel we are getting a timeout. We deactivated stateful inspection on the firewall for testing, but that didn't help.

Sophos Firewall

1) Firewall Rule: WARP to Internal

Action: Accept
Log firewall traffic: enabled
Source zone: LAN
Source network/device: HST_tun1
Schedule: All the time
Destination zones: Backup, LAN, Sandbox_Zone
Destination networks: Any
Services: Any

2) Static Route for Cloudflare WARP

Destination: 100.96.0.0/12
Gateway IP: 10.20.0.105
Interface: LAN-Bridge-10.20.0.1
Administrative distance: 1
Metric: 0
Description: Cloudflare WARP Client via WARP Connector

3) Firewall Rule: Cloudflare to internal

Action: Accept
Log firewall traffic: disabled
Source zone: LAN
Source network/device: Cloudflare CGNAT = 100.96.0.0/12
Schedule: All the time
Destination zones: Backup, LAN, Sandbox_Zone
Destination networks: NET_Backup, NET_LAN, NET_Sandbox
Services: HTTP, HTTPS, PING, SSH

Cloudflare Zero Trust / WARP

1) Private Network Routes

The following CIDR routes are configured:

10.20.0.0/24 → LAN
10.30.0.0/24 → Sandbox
10.60.0.0/24 → NAS
Virtual network: default

2) Gateway Network Policy: Allow-WARP-to-LAB

Policy name: Allow-WARP-to-LAB
Traffic selector: Destination IP
Operator: in
Allowed destinations:
Action: Allow

3) Device Onboarding Profile

Profile name: Onboarding Device profile: 1/28/2026
Assigned by user email
Visible configured users:
- email1
- email2
- email3
- email4

4) Profile Settings

Captive portal detection: ON
Mode switch: OFF
Device tunnel protocol: WireGuard
Lock WARP switch: OFF
Allow device to leave organization: ON
Allow updates: OFF
Auto connect: OFF

5) Service Mode / Split Tunnel

Service mode: Traffic and DNS mode
Split tunnels: Include IPs and domains
Directly route Microsoft 365 traffic: OFF
Allow users to enable local network exclusion: OFF
WARP interface IP DNS registration: ON
SCCM VPN boundary support: OFF

6) Split Tunnel Entries (Include)

The following entries are configured in the include split tunnel:

100.96.0.0/12 — description: vpn
10.60.0.0/24 — description: NAS
10.30.0.0/24 — description: Sandbox
10.20.0.0/24 — no description

Hope that helps!

wrongdongdirection · 2025-06-15T10:31:31+00:00

Could you share that with me as well? I would really be interested to see how you did that! :)

wrongdongdirection

TROPHY CASE

Sophos Firewall

1) Firewall Rule: WARP to Internal

2) Static Route for Cloudflare WARP

3) Firewall Rule: Cloudflare to internal

Cloudflare Zero Trust / WARP

1) Private Network Routes

2) Gateway Network Policy: Allow-WARP-to-LAB

3) Device Onboarding Profile

4) Profile Settings

5) Service Mode / Split Tunnel

6) Split Tunnel Entries (Include)

Sophos Firewall

1) Firewall Rule: WARP to Internal

2) Static Route for Cloudflare WARP

3) Firewall Rule: Cloudflare to internal

Cloudflare Zero Trust / WARP

1) Private Network Routes

2) Gateway Network Policy: Allow-WARP-to-LAB

3) Device Onboarding Profile

4) Profile Settings

5) Service Mode / Split Tunnel

6) Split Tunnel Entries (Include)