Netbird Doesn't Route External Network > Netbird Network Traffic #5273
Description
Describe the problem
When either using the Networks or Network Route feature of Netbird, agentless devices are unable to initiate connections to Netbird peers, only the other way around. Traffic will flow both directions IF the Netbird peer initiates the connection with the agentless device.
After observing the traffic, I have narrowed the issue down to the netbird routing peer. The netbird routing peer will see the ICMP pings on the external network interface, but never pass them to the wt0 interface for other peers on the Netbird network.
Even after creating a linux route to accept the traffic and pass it to the wt0 interface, traffic will leave the wt0 interface but never get to the netbird peer.
To Reproduce
Steps to reproduce the behavior:
- Setup a routing peer with a network route or add a route as a resource WITHOUT masquerade.
- Setup a static route on the external network side and point the netbird subnet range to the routing peer.
- Join the Netbird network with a device (Windows was tested).
- Ping a node on the Netbird network (no response)
Expected behavior
With Masquerading disabled, clients on the Netbird network should be accessible by the external network so long as a route on the external network has been set up.
Are you using NetBird Cloud?
Self-Hosted
NetBird version
Management v0.64.5
Dashboard v2.31.0
Client 0.64.5
Is any other VPN software installed?
No
Debug output
To help us resolve the problem, please attach the following anonymized status output
netbird status -dA
Peers detail:
win11-2.netbird-vpn.anon-0P1MV.domain:
NetBird IP: 10.131.241.241
Public key: mCffSoEg2PG664vnNYzZYRLLGsLe+3XFtYJmO3SXOH8=
Status: Connected
-- detail --
Connection type: P2P
ICE candidate (Local/Remote): host/host
ICE candidate endpoints (Local/Remote): 10.131.194.5:51820/10.130.90.71:51820
Relay server address: rels://netbird.anon-0P1MV.domain:443
Last connection update: 15 seconds ago
Last WireGuard handshake: 10 seconds ago
Transfer status (received/sent) 303.9 KiB/766.4 KiB
Quantum resistance: false
Networks: -
Latency: 236.608µs
win11-1.netbird-vpn.anon-0P1MV.domain:
NetBird IP: 10.131.242.68
Public key: Fab/T8ZqHngN+ll1DsphpUFfoY7AEkS9mexlO0Pw9Fk=
Status: Connecting
-- detail --
Connection type: -
ICE candidate (Local/Remote): -/-
ICE candidate endpoints (Local/Remote): -/-
Relay server address:
Last connection update: 12 minutes, 52 seconds ago
Last WireGuard handshake: -
Transfer status (received/sent) 0 B/0 B
Quantum resistance: false
Networks: -
Latency: 0s
dellxps15-wh.netbird-vpn.anon-0P1MV.domain:
NetBird IP: 10.131.251.176
Public key: vz9i2BB4fGLY79yggP4I4laUJG74uwiOdFqhvyoZ4iU=
Status: Connecting
-- detail --
Connection type: -
ICE candidate (Local/Remote): -/-
ICE candidate endpoints (Local/Remote): -/-
Relay server address:
Last connection update: 51 minutes, 20 seconds ago
Last WireGuard handshake: -
Transfer status (received/sent) 0 B/0 B
Quantum resistance: false
Networks: -
Latency: 0s
desktop-fg403fr.netbird-vpn.anon-0P1MV.domain:
NetBird IP: 10.131.253.203
Public key: 0prAbDR9RWf17geuupoHOs0NBPxb3Eq9yrEKH5k0bxc=
Status: Connecting
-- detail --
Connection type: -
ICE candidate (Local/Remote): -/-
ICE candidate endpoints (Local/Remote): -/-
Relay server address:
Last connection update: 51 minutes, 20 seconds ago
Last WireGuard handshake: -
Transfer status (received/sent) 0 B/0 B
Quantum resistance: false
Networks: -
Latency: 0s
evan-fw16.netbird-vpn.anon-0P1MV.domain:
NetBird IP: 10.131.255.113
Public key: AhOD32xCan3a7fWNGZEmR2dAQdBp9iV+ejUeh2i75hg=
Status: Connecting
-- detail --
Connection type: -
ICE candidate (Local/Remote): -/-
ICE candidate endpoints (Local/Remote): -/-
Relay server address:
Last connection update: 51 minutes, 20 seconds ago
Last WireGuard handshake: -
Transfer status (received/sent) 0 B/0 B
Quantum resistance: false
Networks: -
Latency: 0s
Events:
[INFO] SYSTEM (36eec242-a26f-4e71-b238-188535d916ac)
Message: Network map updated
Time: 17 minutes, 20 seconds ago
[INFO] SYSTEM (3ccbe5a6-7127-44fb-9926-7a31a9103d07)
Message: Network map updated
Time: 17 minutes, 7 seconds ago
[INFO] SYSTEM (22000aae-adc8-4e95-ac4a-285dffe32158)
Message: Network map updated
Time: 16 minutes, 54 seconds ago
[INFO] SYSTEM (f3429a96-5370-4464-ad68-5793d9464e12)
Message: Network map updated
Time: 15 minutes, 42 seconds ago
[INFO] SYSTEM (4045dc57-2af0-4a02-969e-25ff9bfbca2e)
Message: Network map updated
Time: 15 minutes, 23 seconds ago
[INFO] SYSTEM (1b525b2d-0afc-4fa1-bfa0-c92822213fa6)
Message: Network map updated
Time: 15 minutes, 15 seconds ago
[INFO] SYSTEM (40471358-bc64-4c10-9399-3c8c10af2cb7)
Message: Network map updated
Time: 14 minutes, 47 seconds ago
[INFO] SYSTEM (6ea93353-3644-4e48-9611-dfa517d7f261)
Message: Network map updated
Time: 13 minutes, 36 seconds ago
[INFO] SYSTEM (7a0176f8-aec8-43ca-85d5-ceffc0092875)
Message: Network map updated
Time: 13 minutes, 4 seconds ago
[INFO] SYSTEM (8132ee96-90be-473d-a1fe-46c653e5fb27)
Message: Network map updated
Time: 12 minutes, 52 seconds ago
OS: linux/amd64
Daemon version: 0.64.5
CLI version: 0.64.5
Profile: default
Management: Connected to https://netbird.anon-0P1MV.domain:443
Signal: Connected to https://netbird.anon-0P1MV.domain:443
Relays:
[stun:netbird.anon-0P1MV.domain:3478] is Available
[rels://netbird.anon-0P1MV.domain:443] is Available
Nameservers:
FQDN: netbird-r1.netbird-vpn.anon-0P1MV.domain
NetBird IP: 10.131.242.209/20
Interface type: Kernel
Quantum resistance: false
Lazy connection: false
SSH Server: Disabled
Networks: 10.130.150.0/23, 10.130.8.0/24
Peers count: 1/5 Connected
Create and upload a debug bundle, and share the returned file key:
netbird debug for 1m -AS -U
Key
1954ba0b09de76b928b9bc532d2d10f3b3a26883921c5867fb94b94053445f27/4a73a69f-cbcb-4445-ab83-2bd6c576f1e1
Uploaded files are automatically deleted after 30 days.
Alternatively, create the file only and attach it here manually:
netbird debug for 1m -AS
Screenshots
If applicable, add screenshots to help explain your problem.
Additional context
Add any other context about the problem here.
Have you tried these troubleshooting steps?
- [Yes] Reviewed client troubleshooting (if applicable)
- [Yes] Checked for newer NetBird versions
- [Yes] Searched for similar issues on GitHub (including closed ones)
- [Yes] Restarted the NetBird client
- [Yes] Disabled other VPN software
- [Yes] Checked firewall settings