[MWAN] Config source ip range (#26588)

marciocloudflare · stevewww · deadlypants1973 · web-flow · commit ce0d3ab2214b · 2025-11-25T17:44:26.000Z
* added config ips partial

* refined content

* added pages

* corrected file path

* corrected file path

* refined text

* refined text

* added mk3

* refined text

* unified routing

* Apply suggestions from code review

Co-authored-by: Steve Welham &lt;5891996+stevewww@users.noreply.github.com&gt;

* refined text

* Apply suggestions from code review

Co-authored-by: Kate Tungusova &lt;70746074+deadlypants1973@users.noreply.github.com&gt;

---------

Co-authored-by: Steve Welham &lt;5891996+stevewww@users.noreply.github.com&gt;
Co-authored-by: Kate Tungusova &lt;70746074+deadlypants1973@users.noreply.github.com&gt;
diff --git a/src/content/docs/cloudflare-one/networks/connectors/wan-tunnels/configuration/manually/how-to/configure-cloudflare-source-ips.mdx b/src/content/docs/cloudflare-one/networks/connectors/wan-tunnels/configuration/manually/how-to/configure-cloudflare-source-ips.mdx
@@ -0,0 +1,14 @@
+---
+title: Configure Cloudflare source IPs
+pcx_content_type: how-to
+sidebar:
+  order: 3
+description: Configure the Cloudflare source IP range used when you receive traffic from Cloudflare services sent to your Cloudflare One private networks.
+---
+
+import { Render } from "~/components";
+
+<Render
+  file="routing/configure-cloudflare-source-ips"
+  product="networking-services"
+/>
diff --git a/src/content/docs/magic-wan/configuration/manually/how-to/configure-cloudflare-source-ips.mdx b/src/content/docs/magic-wan/configuration/manually/how-to/configure-cloudflare-source-ips.mdx
@@ -0,0 +1,14 @@
+---
+title: Configure Cloudflare source IPs
+pcx_content_type: how-to
+sidebar:
+  order: 3
+description: Configure the Cloudflare source IP range used when you receive traffic from Cloudflare services sent to your Cloudflare One private networks.
+---
+
+import { Render } from "~/components";
+
+<Render
+  file="routing/configure-cloudflare-source-ips"
+  product="networking-services"
+/>
diff --git a/src/content/partials/networking-services/routing/configure-cloudflare-source-ips.mdx b/src/content/partials/networking-services/routing/configure-cloudflare-source-ips.mdx
@@ -0,0 +1,54 @@
+---
+{}
+---
+
+import { APIRequest } from "~/components";
+
+You can configure the source IP address range used by Cloudflare whenever a Cloudflare service, such as Cloudflare Load Balancing, sends traffic to a Cloudflare One private network. This address range is referred to as the Proxy Source IP Prefix (or `cloudflare_source` subnet type in the API).
+- IPv4 traffic is sourced from `100.64.0.0/12`. This range is configurable.
+- IPv6 traffic is sourced from `2606:4700:cf1:5000::/64`. This range is not configurable.
+
+Customers may wish to change the default allocated range to avoid IP conflicts or fit with an existing IP Address Management plan.
+
+You must configure routes in your network so that response traffic for these source ranges is sent back to Cloudflare over your Cloudflare One connections.
+
+## Prerequisites
+
+Before you begin, ensure that:
+- You have Cloudflare One Unified Routing. If your account is not yet on Unified Routing, contact your account team to discuss migration and availability.
+- You have [Cloudflare One Networks Write](/fundamentals/api/reference/permissions/) permission.
+- Your desired new network range meets the following requirements:
+  - Your network must be defined as a single CIDR with a prefix length of `/12`.
+  - Cloudflare One subnets in the same account cannot overlap. Default allocations include:
+    - Proxy Source IPs (`100.64.0.0/12`)
+    - Hostname Route Token IPs (`100.80.0.0/16`)
+    - WARP Clients (`100.96.0.0/12`)
+    - Private Load Balancers (`100.112.0.0/16`)
+  - The source subnet cannot match or contain any existing route in your Cloudflare One routing table. The source subnet can be within a supernet route.
+
+## Affected Connectors
+
+Except for Cloudflare Tunnel, all Cloudflare One Connectors (network offramps) see the `cloudflare_source` subnet (default `100.64.0.0/12`) as the source of traffic from a Cloudflare service, such as Cloudflare Load Balancing, to a private network.
+
+The following Connectors are affected:
+- GRE
+- IPsec
+- CNI
+- WARP Connector
+- WARP Client
+
+## Configure source IPs via API
+
+Currently, you must use the Cloudflare API to configure this setting. To set up your source IPs, send a `PATCH` request to the [Update Cloudflare Source Subnet endpoint](/api/resources/zero_trust/subresources/networks/subresources/subnets/subresources/cloudflare_source/) with your desired network range. The payload must include the network (your new `/12` range), and may include a name and comment.
+
+Example:
+
+<APIRequest
+	path="/accounts/{account_id}/zerotrust/subnets/cloudflare_source/{address_family}"
+	method="PATCH"
+	json={{
+		"comment": "example_comment",
+		"name": "IPv4 Cloudflare Source IPs",
+		"network": "100.64.0.0/12"
+	}}
+/>
