Description
Describe the problem
Assuming a Network exposing a resource 10.52.0.0/24, 2 routing peers dmz-gk-01 (10.52.0.22) and dmz-gk-02 (10.52.0.23) with DISABLED IP Masquerade, I would expect pinging 10.52.0.22/23/any other to work from a third device.
To Reproduce
Steps to reproduce the behavior:
- Set up a network like I described above: 1 network exposing Resource 10.52.0.0/24 and 2 routing peers WITH NO IP MASQUERADE
- Connect another device via Netbird.
- From this device, ping 10.52.0.22 or 10.52.0.23
- If the routing peer chosen at the time of the ping is the same as the target, it will work; if not, it will fail.
Check the first image below. The red squares mark the first ping, to 10.52.0.22, which fails. The 2nd ping is to 10.52.0.23 and works (because routing peer == target ping host).
Expected behavior
Pings should work
Are you using NetBird Cloud?
No, self hosted
NetBird version
Server: v0.64.5
Both hosts: 0.64.5
Is any other VPN software installed?
Yes, wireguard (wg-easy) on dmz-gk-01 (not on dmz-gk-02).
Debug output
To help us resolve the problem, please attach the following anonymized status output
```
rodrigo@dmz-gk-01:~$ netbird status -dA
Peers detail:
 tv-paola.netbird.anon-1wUhO.domain:
  NetBird IP: 100.66.4.233
  Public key: K/Ym16+C22zT0uecKH6sdSzLkMOitGhGFcOXOn38vUE=
  Status: Connecting
  -- detail --
  Connection type: -
  ICE candidate (Local/Remote): -/-
  ICE candidate endpoints (Local/Remote): -/-
  Relay server address:
  Last connection update: 14 minutes, 35 seconds ago
  Last WireGuard handshake: -
  Transfer status (received/sent) 0 B/0 B
  Quantum resistance: false
  Networks: -
  Latency: 0s

 iphone.netbird.anon-1wUhO.domain:
  NetBird IP: 100.66.87.157
  Public key: 8GApxE5gKD+35R9lWms9++3SxN1/K5oxPQWLkKKJwmA=
  Status: Connected
  -- detail --
  Connection type: P2P
  ICE candidate (Local/Remote): srflx/prflx
  ICE candidate endpoints (Local/Remote): 198.51.100.0:1496/198.51.100.1:54060
  Relay server address: rels://netbird.anon-1wUhO.domain:443/relay
  Last connection update: 3 minutes, 58 seconds ago
  Last WireGuard handshake: 1 minute, 4 seconds ago
  Transfer status (received/sent) 1.9 KiB/81.3 KiB
  Quantum resistance: false
  Networks: -
  Latency: 29.520496ms

Events:
  [INFO] SYSTEM (58b8da35-90c3-46a0-bb8b-a43115581eda)
    Message: Network map updated
    Time: 14 minutes, 35 seconds ago
  [INFO] SYSTEM (e11f5806-5c29-4297-ac3b-98faf891cacf)
    Message: Network map updated
    Time: 13 minutes, 12 seconds ago
  [INFO] SYSTEM (1f066346-1be8-4faf-9806-7d032b8eb94b)
    Message: Network map updated
    Time: 13 minutes, 11 seconds ago
  [INFO] SYSTEM (5b4a8685-c960-4674-9bfb-778fb08d01f6)
    Message: Network map updated
    Time: 13 minutes, 7 seconds ago
  [INFO] SYSTEM (f0cf09f6-0f68-4c28-b006-b69f3e86ea6a)
    Message: Network map updated
    Time: 13 minutes, 6 seconds ago
OS: linux/amd64
Daemon version: 0.64.5
CLI version: 0.64.5
Profile: default
Management: Connected to https://netbird.anon-1wUhO.domain:443
Signal: Connected to https://netbird.anon-1wUhO.domain:443
Relays:
  [stun:netbird.anon-1wUhO.domain:3478] is Available
  [turn:netbird.anon-1wUhO.domain:3478?transport=udp] is Available
  [rels://netbird.anon-1wUhO.domain:443/relay] is Available
Nameservers:
FQDN: dmz-gk-01.netbird.anon-1wUhO.domain
NetBird IP: 100.66.253.5/16
Interface type: Kernel
Quantum resistance: false
Lazy connection: false
SSH Server: Disabled
Networks: 10.52.0.0/24
Peers count: 1/2 Connected
```
Create and upload a debug bundle, and share the returned file key:
b09a4e286a52477aa3b37eb2d5aa1a3d6720b775add242693bb391190e58c39f/2c29330a-78a4-4ceb-ac18-9a41b8f29ea0
(Ran ping cmd while the debug bundle was being compiled)
Screenshots
Add any other context about the problem here.
Have you tried these troubleshooting steps?
- Reviewed client troubleshooting (if applicable)
- Checked for newer NetBird versions
- Searched for similar issues on GitHub (including closed ones)
- Restarted the NetBird client
- Disabled other VPN software
- Checked firewall settings
I found a fix
Run these to send traffic back to host if src is host itself and target is 100.x.x.x:
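```
# Routing table 100: default route via the other routing peer (10.52.0.23) on ens18
sudo ip route add default via 10.52.0.23 dev ens18 table 100
# Packets sourced from 10.52.0.22 and destined to 100.64.0.0/10 are looked up in table 100
sudo ip rule add from 10.52.0.22 to 100.64.0.0/10 lookup 100
```
Problem is this won't work in a setup with more than 2 routing peers.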