#Zero Trust application bypass policy not working on local network

Hi there,

I'm trying to setup an application on Zero Trust Access. I created a tunnel, installed the connector on my server, and added a public hostname. That works fine and the status is Healthy. I then added an application in ZT Access using the same hostname. I added two policies: one allow for emails with a particular domain and a bypass policy for my local network (192.168.1.0/24). I left the last settings page with the defaults and I only have a one-time PIN idP. I enabled Protect with Access on the public hostname in the Cloudflare Tunnel and added a config.yaml file on the server that looks something like the following, then restarted cloudflared (I'm not sure if this is even right!):

tunnel: my-tunnel-id
originRequest:
  connectTimeout: 30s
  access:
    required: true
    teamName: my-team-name
    audTag:
      - aud1 my-application-aud-tag

ingress:
  - hostname: myapp.example.com
    service: http://localhost
  - service: http_status:404

When I connect to the domain from another network, I get the App Launcher login page. I can login OK and be taken to the web app. When I connect from the local network using the public hostname (either from the web app server itself or another PC), I also get the login page... I thought the bypass policy would circumvent that and take me directly to the web application itself. If I delete the allow policy, I get a Cloudflare Access HTTP error 403 that shows my public IP. If I add the public IP to the bypass policy, I get a blank HTTP error 403 page. I also tried changing the bypass policy to Service Auth but got a similar result.

Am I missing something?

Thanks!

Here's some screenshots to help clarify things:

1. Tunnel
2. Tunnel public hostname configuration
3. Application
4. Application policies
5. Bypass policy
6. Allow policy
7. Access group based upon email domain
8. Application identity provider
9. Origin IP address
10. Origin config.yaml file

11. What I see when logging in from the origin server network
12. What I see when logging in from an external connection

Hello @radiant yacht, are you able to assist? Thank you!

This bypass policy would never work for two reasons:
1: It needs to be Service Auth, not Bypass. Bypass = bypass access flow and return to zone security. When you have access configured in your tunnel to verify the Access JWTs (That you passed through the application), it needs you to go through the access flow. Service Auth lets you go through the flow and get a jwt without an identity.
2: Local IPs just don't make sense in that. You're connecting to Cloudflare Access, which runs on an external server. The 192.168.0.0/16 IP you get assigned via your router, which uses NAT, is being rewritten to the External IP, which is what Cloudflare sees ith your connection. In other words, allow your external ip (https://whatismyipaddress.com/) to bypass, If you have IPv6 make sure to add it as well
Edit: Opps, I see you provided a bit more info at the end as well

If I delete the allow policy, I get a Cloudflare Access HTTP error 403 that shows my public IP.
you're not matching the conditions for the bypass policy
If I add the public IP to the bypass policy, I get a blank HTTP error 403 page.
Hitting the no JWT/bypass issue
I also tried changing the bypass policy to Service Auth but got a similar result.
Probably didn't whitelist both your IPv4 and your IPv6? That would be more interesting if it's still failing. Keep in mind Access has a bit of cache with these things, I would test in incognito after you change it to Service Auth and allow your IPs.

You also don't need both a config.yaml and to configure it in the dashboard. If your tunnel is set up in the dashboard, you add public hostnames to it and such, that's the source of the configuration, your config.yaml would just be ignored. It's one or the other