Routes
By default, a Mesh node is reachable only by its own Mesh IP. To make other devices on the subnet behind the node reachable — servers, databases, printers, IoT devices that cannot run the Cloudflare One Client — add a route to the node. A Mesh node supports two types of routes:
- CIDR routes — forward traffic for an IP range — private (for example,
10.0.0.0/24) or public — through the node. - Hostname routes — attract traffic for a hostname to the node instead of an IP. This works for a private hostname (for example,
wiki.internal.local), which is useful when the application has an unknown or ephemeral IP, as well as a public hostname (for example,www.example.com), which routes that hostname's traffic through the node and egresses via the node's public IP.
When you add a route, the Mesh node acts as a gateway: traffic destined for the advertised CIDR or hostname is forwarded to the node, which delivers it to the appropriate host on the local network (or egresses it to the public Internet).
Both IPv4 and IPv6 CIDR routes are supported.
- Without routes — Devices on your Mesh can only reach the node itself by its Mesh IP. Services running directly on the node are reachable this way.
- With routes — Devices on your Mesh can reach any host on the subnet behind the node. Use this when you have infrastructure that cannot run the Cloudflare One Client.
flowchart LR
subgraph subnet["Subnet 10.0.0.0/24"]
node["Mesh node <br> 10.0.0.1"]
db["Database <br> 10.0.0.50"]
printer["Printer <br> 10.0.0.100"]
end
client["Client device <br> 100.96.0.10"] --> CF((Cloudflare)) --> node
node --> db
node --> printer
Use CIDR routes to forward traffic from your mesh node to devices on your local network.
-
In the Cloudflare dashboard, go to Networking > Mesh.
Go to Mesh -
Select your Mesh node.
-
Go to the Routes tab.
-
Select Add route.
-
Enter the private CIDR you want to route through this node (for example,
10.0.0.0/24). -
(Optionally) add a description for the route.
-
Select Add route.
Required API token permissions
At least one of the following token permissions
is required:
Cloudflare One Networks WriteCloudflare Tunnel Write
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/teamnet/routes" \ --request POST \ --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --json '{ "network": "10.0.0.0/24", "tunnel_id": "{mesh_node_id}", "comment": "Staging subnet" }'- Go to Networking > Mesh > select your node > Routes tab.
- Select the edit icon next to the route you want to modify.
- Update the CIDR or description.
- Select Save.
Required API token permissions
At least one of the following token permissions
is required:
Cloudflare One Networks WriteCloudflare Tunnel Write
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/teamnet/routes/$ROUTE_ID" \ --request PATCH \ --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --json '{ "network": "10.0.0.0/24", "comment": "Updated description" }'- Go to Networking > Mesh > select your node > Routes tab.
- Select the delete icon next to the route.
- Confirm deletion.
Required API token permissions
At least one of the following token permissions
is required:
Cloudflare One Networks WriteCloudflare Tunnel Write
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/teamnet/routes/$ROUTE_ID" \ --request DELETE \ --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN"For traffic to reach your advertised CIDR, the range must route through Cloudflare on both the Mesh node and client devices.
In your Mesh node's device profile, ensure the advertised CIDR routes through Cloudflare:
- Include mode (recommended for Mesh nodes): Add the CIDR to your include list.
- Exclude mode: Remove the CIDR (or its parent range) from your exclude list.
For example, if you are advertising 10.0.0.0/24 and your Split Tunnels exclude list contains 10.0.0.0/8, you need to remove 10.0.0.0/8 and re-add the portions of the 10.0.0.0/8 range that you do not want to route through Cloudflare.
Repeat the same Split Tunnel configuration on the device profiles used by your client devices, ensuring the advertised CIDR routes through Cloudflare.
The Mesh node forwards inbound traffic from Cloudflare to devices on the subnet. However, for return traffic (responses from subnet devices back to Mesh clients), the subnet devices need a route back to the Mesh node.
flowchart LR client["Client device <br> 100.96.0.10"] -- request --> CF((Cloudflare)) -- request --> node["Mesh node <br> 10.0.0.1"] node --> db["Database <br> 10.0.0.50"] db -. "response: <br> needs route to node" .-> node -. response .-> CF -. response .-> client
How you configure this depends on where the Mesh node is installed:
If the Mesh node is the subnet's default gateway (or is installed on the router), no additional configuration is needed. All traffic from subnet devices naturally routes through the node.
If the Mesh node is a regular host on the subnet, configure the subnet's router to send Mesh traffic through the node. Add a static route:
- Destination:
100.96.0.0/12(Mesh IP range) - Next hop: The Mesh node's local subnet IP (for example,
10.0.0.1)
This ensures that responses to Mesh clients are forwarded to the Mesh node for delivery through Cloudflare.
When you have Mesh nodes at multiple sites, devices on one subnet can reach devices on another subnet through Cloudflare.
flowchart TD
subgraph siteA["Site A — 10.0.0.0/24"]
serverA["Server <br> 10.0.0.50"] --- nodeA["Mesh node <br> 10.0.0.1"]
end
subgraph siteB["Site B — 192.168.1.0/24"]
serverB["Server <br> 192.168.1.50"] --- nodeB["Mesh node <br> 192.168.1.1"]
end
nodeA <--> CF((Cloudflare))
nodeB <--> CF
For this to work:
- Each Mesh node must advertise the local subnet as a CIDR route so Cloudflare knows which node to forward traffic to.
- The remote subnet CIDRs must route through Cloudflare on each node. In your Mesh node's Split Tunnel configuration, add the remote site's CIDR to the include list (or remove it from the exclude list).
- Each site's router needs static routes pointing remote subnets to the local Mesh node:
Site A router:
- Destination:
192.168.1.0/24→ Next hop:10.0.0.1(local Mesh node) - Destination:
100.96.0.0/12→ Next hop:10.0.0.1
Site B router:
- Destination:
10.0.0.0/24→ Next hop:192.168.1.1(local Mesh node) - Destination:
100.96.0.0/12→ Next hop:192.168.1.1
For production site-to-site deployments, consider enabling high availability on each node. HA provides failover for the CIDR routes advertised by a node — if the active replica goes down, Cloudflare promotes a standby so traffic to the subnet continues to flow.
To filter DNS queries from the subnet using Cloudflare Gateway:
-
Configure DNS on your router: Point your router's DNS to the Gateway resolver IPs:
172.64.36.1172.64.36.2
-
Add IP routes to your router: On your router, add static routes pointing the Gateway resolver IPs to your Mesh node's local IP. This allows DNS traffic to reach Cloudflare through the node.
- Destination:
172.64.36.1→ Next hop:10.0.0.1(local Mesh node) - Destination:
172.64.36.2→ Next hop:10.0.0.1
- Destination:
-
Configure Split Tunnels: Ensure the following IPs route through the Mesh node in your Split Tunnels configuration:
- The subnet's internal DNS resolver IP
- Gateway initial resolved IP range:
100.80.0.0/16(IPv4) and2606:4700:0cf1:4000::/64(IPv6)
Gateway logs DNS queries with the private source IP of the originating device. You can use this to create resolver policies for internal DNS records.
Instead of advertising an IP range, you can attract traffic for a specific hostname to a Mesh node. When a user requests the hostname, Cloudflare Gateway assigns an initial resolved IP and routes the traffic through the node.
- Private hostname (for example,
wiki.internal.local) — the node delivers the traffic to the application's private IP on the local network. Useful when the application has an unknown or ephemeral IP. - Public hostname (for example,
www.example.com) — the node egresses the traffic to the public Internet using its own public IP. This lets you use a Mesh node as a dedicated egress for that hostname.
Hostname routes replace virtual networks as the way to reach resources: because a hostname is globally unique, overlapping hostnames are not supported and a hostname can only be routed to one node or tunnel at a time.
-
Requests
wiki.internal.local - DNS query
-
Returns a token IP, then rewrites the destination to the real private IP.
100.80.0.0/16 - Hostname route
-
Forwards traffic to the host on the local network
- Private host
wiki.internal.local·10.0.0.50
For a deeper look at the packet flow behind hostname routing, refer to the announcement blog post ↗.
-
Run a supported Mesh node version. Hostname routing requires the Mesh node to run Linux Cloudflare One Client version
2026.6.822.0or newer. -
Enable the Gateway proxy with TCP, UDP, and ICMP:
- Go to Traffic policies > Traffic settings.
- In Proxy and inspection, turn on Allow Secure Web Gateway to proxy traffic.
- Select TCP.
- Select UDP (required to proxy traffic to internal DNS resolvers).
- (Recommended) To proxy traffic for diagnostic tools such as
pingandtraceroute, select ICMP. You may also need to update your system to allow ICMP traffic throughcloudflared.
-
Add the following permission to your
cloudflare_api_token↗:Zero Trust Write
-
Turn on the TCP and/or UDP proxy using the
cloudflare_zero_trust_device_settings↗ resource:resource "cloudflare_zero_trust_device_settings "global_warp_settings" {account_id = var.cloudflare_account_idgateway_proxy_enabled = truegateway_udp_proxy_enabled = true}
Cloudflare will now proxy traffic from enrolled devices, except for the traffic excluded in your split tunnel settings. For more information on how Gateway forwards traffic, refer to Gateway proxy.
-
Route all of the following ranges through Cloudflare in the Split Tunnel configuration of both the Mesh node's device profile and your client device profiles. In Include mode, add each range; in Exclude mode, ensure none of them (or their parent ranges) are excluded.
Purpose IPv4 IPv6 Mesh device IP range 100.96.0.0/122606:4700:cf1:1000::/64Cloudflare source IP range 100.64.0.0/122606:4700:cf1:5000::/64Hostname routing (token IPs) 100.80.0.0/162606:4700:0cf1:4000::/64 -
Remove the hostname's top-level domain from Local Domain Fallback on client devices, so the DNS query is sent to Cloudflare Gateway for resolution.
-
In the Cloudflare dashboard, go to Networking > Mesh.
Go to Mesh -
Select your Mesh node.
-
Go to the Routes tab.
-
Select Add route, then select Private hostname.
-
Enter the fully qualified domain name (FQDN) you want to route through this node (for example,
wiki.internal.local).Hostname format restrictions
- Character limit: Must be less than 255 characters.
- Supported wildcards: A single wildcard (
*) is allowed, and it must represent a full DNS label. Example:*.internal.local - Unsupported wildcards: The following wildcard formats are not supported:
- Partial wildcards such as
*-dev.internal.localordev-*.internal.local. - Wildcards in the middle, such as
foo*bar.internal.localorfoo.*.internal.local. - Multiple wildcards in the hostname, such as
*.*.internal.local.
- Partial wildcards such as
- Wildcard trimming: Leading wildcards (
*) are trimmed off and an implicit dot (.) is assumed. For example,*.internal.localis saved asinternal.localbut will match all subdomains at the wildcard level (coversfoo.internal.localbut notfoo.bar.internal.local). - Dot trimming: Leading and ending dots (
.) are allowed but trimmed off.
-
(Optionally) add a description for the route.
-
Select Add hostname.
Required API token permissions
At least one of the following token permissions
is required:
Cloudflare One Networks WriteCloudflare Tunnel Write
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/zerotrust/routes/hostname" \ --request POST \ --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --json '{ "hostname": "wiki.internal.local", "tunnel_id": "{mesh_node_id}", "comment": "Internal wiki" }'For a private hostname, Gateway must be able to resolve the hostname to its private IP. How you configure this depends on whether DNS resolution and application traffic use the same connector or different connectors.
By default, the Mesh node resolves the hostname using the DNS resolver configured on its host machine (for example, in /etc/resolv.conf on Linux) — the same way cloudflared does. If the node can already resolve the hostname to its private IP through that resolver, no further configuration is required.
If the node cannot resolve the hostname on its own, the simplest option is to add an entry to the node's hosts file (for example, /etc/hosts on Linux) mapping the hostname to its private IP. Unlike a Cloudflare Tunnel, a Mesh node does not require you to run a dedicated DNS server:
10.0.0.50 wiki.internal.localYou only need a Gateway resolver policy when the DNS query must be sent to a different connector than the application traffic — for example, the internal DNS server sits behind one Mesh node or Cloudflare Tunnel, while the application is reached through another. In that case:
- Add a CIDR route for the DNS server's IP so Gateway can reach it through the connector where the DNS server lives (a Mesh node or a Cloudflare Tunnel).
- Create a resolver policy that sends DNS queries for the hostname (or its domain) to that internal DNS server.
For a public hostname, the Mesh node handles resolution: Gateway sends the DNS query to the node, the node resolves it through its upstream DNS provider, and then routes the packet to the destination and egresses using its own public IP. No internal DNS server or resolver policy is required.
After adding a hostname route, secure it with either an Access self-hosted application or Gateway network policies. For details and examples, refer to Connect a private hostname.
Starting with Chrome 142 ↗, the browser restricts requests from websites to local IP addresses, including the Gateway initial resolved IP CGNAT range (100.80.0.0/16). Because this range falls within 100.64.0.0/10, Chrome categorizes these addresses as belonging to a local network. When a website loaded from a public IP makes subrequests to a domain resolved through an initial resolved IP, Chrome treats this as a public-to-local network request and displays a prompt asking the user to allow access to devices on the local network. Chrome will block requests to these domains until the user accepts this prompt.
This commonly occurs when an Egress policy matches broadly used domains (such as cloudfront.net or github.com), causing subrequests from public pages to resolve to the 100.80.0.0/16 range.
If the affected request originates from within an iframe (for example, an application embedded in a third-party portal), the iframe must declare the local-network-access permission for the browser prompt to appear in the parent frame:
- Chrome 142-144: Use the
allow="local-network-access"attribute on the iframe element. - Chrome 145+: The permission was split into
allow="local-network"andallow="loopback-network".
If iframes are nested, every iframe in the chain must include the appropriate attribute. Since third-party applications control their own iframe attributes, this may not be configurable by the end user.
To avoid this issue, choose one of the following options:
- Override IP address space classification (Chrome 146+): Use the
LocalNetworkAccessIpAddressSpaceOverrides↗ Chrome Enterprise policy to reclassify the100.80.0.0/16range as public. This is the most targeted fix because it only changes the classification for the initial resolved IP range rather than disabling security checks entirely. - Allow specific URLs (Chrome 140+): Use the
LocalNetworkAccessAllowedForUrls↗ Chrome Enterprise policy to exempt specific websites from Local Network Access checks. Note thathttps://*is a valid entry to disable checks for all URLs. - Allow specific URLs (Chrome 146+): Use the
LocalNetworkAllowedForUrls↗ Chrome Enterprise policy, which replacesLocalNetworkAccessAllowedForUrlsstarting in Chrome 146. - Opt out of Local Network Access restrictions (Chrome 142-152): Use the
LocalNetworkAccessRestrictionsTemporaryOptOut↗ Chrome Enterprise policy to completely opt out of Local Network Access restrictions. This is a temporary policy and will be removed after Chrome 152. - Disable the Chrome feature flag: Go to
chrome://flagsand set the Local Network Access Checks flag to Disabled. This approach is suitable for individual users but not for enterprise-wide deployment.