Client 0.30.0 Exit Node not working as 0.29.4 #1318

New Issue

saavagebueno · 2025-11-20T05:28:25-05:00

saavagebueno commented

2025-11-20 05:28:25 -05:00

Originally created by @rkleivel on GitHub (Oct 8, 2024).

Problem:
After upgrading clients to 0.30.0, nodes in a exit node distribution group looses internet connection if exit node is restarted

To Reproduce

Create 2 groups is_exit_node and uses_exit_node
Add a node in each group (preferably behind different public IPs for easier testing)
Create a policy that allows the groups to communicate (unless the Default policy All <-> All is active)
Add an exit node under network routes that makes the node in is_exit_node the Exit Node of the node in uses_exit_node
Run curl ipinfo.io on each node and verify that the public IPs are identical
Run netbird down && netbird up on the exit node
Wait a minute to allow settings to be updated
Run curl ipinfo.io on each node

Expected behavior
Each node should still appear to be behind the same public IP.

With 0.30.0 I mostly experience that the node in uses_exit_node does not regain internet access.
Downgrading both nodes to 0.29.4 the setup behaves as expected.

Are you using NetBird Cloud?
Yes

NetBird version
0.30.0 (failing) and 0.29.4 (working)

Additional info
Both nodes are running Ubuntu 24.04 server

As this has been fairly easy to reproduce, I do not attach any logs at this stage. Please let me know if they will be necessary, and I'll happily provide :)

Originally created by @rkleivel on GitHub (Oct 8, 2024). **Problem:** After upgrading clients to 0.30.0, nodes in a exit node distribution group looses internet connection if exit node is restarted **To Reproduce** 1) Create 2 groups `is_exit_node` and `uses_exit_node` 2) Add a node in each group (preferably behind different public IPs for easier testing) 3) Create a policy that allows the groups to communicate (unless the Default policy `All <-> All` is active) ![image](https://github.com/user-attachments/assets/d288d6cd-3d86-4e23-a7fa-67b3d86dbfbc) 4) Add an exit node under network routes that makes the node in `is_exit_node` the Exit Node of the node in `uses_exit_node` ![image](https://github.com/user-attachments/assets/53a5c4b1-54c2-4083-91d5-a05e0510112e) 5) Run `curl ipinfo.io` on each node and verify that the public IPs are identical 6) Run `netbird down && netbird up` on the exit node 7) Wait a minute to allow settings to be updated 8) Run `curl ipinfo.io` on each node **Expected behavior** Each node should still appear to be behind the same public IP. * With 0.30.0 I mostly experience that the node in `uses_exit_node` does not regain internet access. * Downgrading both nodes to 0.29.4 the setup behaves as expected. **Are you using NetBird Cloud?** Yes **NetBird version** 0.30.0 (failing) and 0.29.4 (working) **Additional info** Both nodes are running Ubuntu 24.04 server As this has been fairly easy to reproduce, I do not attach any logs at this stage. Please let me know if they will be necessary, and I'll happily provide :)

saavagebueno added the triage-needed label 2025-11-20 05:28:25 -05:00

saavagebueno commented

2025-11-20 05:28:25 -05:00

@mlsmaycon commented on GitHub (Oct 9, 2024):

Hello @rkleivel can you please share the output from nft list ruleset from the exit node?

@mlsmaycon commented on GitHub (Oct 9, 2024): Hello @rkleivel can you please share the output from `nft list ruleset` from the exit node?

saavagebueno commented

2025-11-20 05:28:25 -05:00

@rkleivel commented on GitHub (Oct 9, 2024):

Thanks @mlsmaycon!
Here is the ruleset after netbird down / up on the exit node:

table ip filter {
	chain INPUT {
		type filter hook input priority filter; policy accept;
	}

	chain OUTPUT {
		type filter hook output priority filter; policy accept;
	}

	chain FORWARD {
		type filter hook forward priority filter; policy accept;
		oifname "wt0" ct state established,related counter packets 0 bytes 0 accept
		iifname "wt0" counter packets 0 bytes 0 accept
	}
}
table ip nat {
	chain POSTROUTING {
		type nat hook postrouting priority srcnat; policy accept;
	}
}
table ip netbird {
	set nb0000001 {
		type ipv4_addr
		flags dynamic
		elements = { 100.93.17.98 }
	}

	set nb0000002 {
		type ipv4_addr
		flags dynamic
		elements = { 100.93.17.98 }
	}

	chain netbird-rt-fwd {
		ct state established,related accept
		counter packets 0 bytes 0 accept
	}

	chain netbird-rt-nat {
		type nat hook postrouting priority srcnat - 1; policy accept;
		iifname "wt0" counter packets 1 bytes 176 masquerade
		oifname "wt0" counter packets 0 bytes 0 masquerade
	}

	chain netbird-acl-input-rules {
		ct state established,related accept
		ip saddr @nb0000001 accept
	}

	chain netbird-acl-output-rules {
		ct state established,related accept
		ip daddr @nb0000002 accept
	}

	chain netbird-acl-input-filter {
		type filter hook input priority filter; policy accept;
		iifname "wt0" jump netbird-acl-input-rules
		iifname "wt0" drop
	}

	chain netbird-acl-output-filter {
		type filter hook output priority filter; policy accept;
		oifname "wt0" ip daddr != 100.93.0.0/16 accept
		oifname "wt0" jump netbird-acl-output-rules
		oifname "wt0" drop
	}

	chain netbird-acl-forward-filter {
		type filter hook forward priority filter; policy accept;
		iifname "wt0" jump netbird-rt-fwd
		iifname "wt0" drop
	}
}

The diff from when it was working looks like this does not seem significant:

diff exit_node_working.txt exit_node_not_working.txt 
12,13c12,13
< 		oifname "wt0" ct state established,related counter packets 1048 bytes 2078521 accept
< 		iifname "wt0" counter packets 909 bytes 54393 accept
---
> 		oifname "wt0" ct state established,related counter packets 0 bytes 0 accept
> 		iifname "wt0" counter packets 0 bytes 0 accept
36c36
< 		counter packets 25 bytes 1580 accept
---
> 		counter packets 0 bytes 0 accept
41c41
< 		iifname "wt0" counter packets 18 bytes 1160 masquerade
---
> 		iifname "wt0" counter packets 1 bytes 176 masquerade

@rkleivel commented on GitHub (Oct 9, 2024): Thanks @mlsmaycon! Here is the ruleset after netbird down / up on the exit node: ``` table ip filter { chain INPUT { type filter hook input priority filter; policy accept; } chain OUTPUT { type filter hook output priority filter; policy accept; } chain FORWARD { type filter hook forward priority filter; policy accept; oifname "wt0" ct state established,related counter packets 0 bytes 0 accept iifname "wt0" counter packets 0 bytes 0 accept } } table ip nat { chain POSTROUTING { type nat hook postrouting priority srcnat; policy accept; } } table ip netbird { set nb0000001 { type ipv4_addr flags dynamic elements = { 100.93.17.98 } } set nb0000002 { type ipv4_addr flags dynamic elements = { 100.93.17.98 } } chain netbird-rt-fwd { ct state established,related accept counter packets 0 bytes 0 accept } chain netbird-rt-nat { type nat hook postrouting priority srcnat - 1; policy accept; iifname "wt0" counter packets 1 bytes 176 masquerade oifname "wt0" counter packets 0 bytes 0 masquerade } chain netbird-acl-input-rules { ct state established,related accept ip saddr @nb0000001 accept } chain netbird-acl-output-rules { ct state established,related accept ip daddr @nb0000002 accept } chain netbird-acl-input-filter { type filter hook input priority filter; policy accept; iifname "wt0" jump netbird-acl-input-rules iifname "wt0" drop } chain netbird-acl-output-filter { type filter hook output priority filter; policy accept; oifname "wt0" ip daddr != 100.93.0.0/16 accept oifname "wt0" jump netbird-acl-output-rules oifname "wt0" drop } chain netbird-acl-forward-filter { type filter hook forward priority filter; policy accept; iifname "wt0" jump netbird-rt-fwd iifname "wt0" drop } } ``` The diff from when it was working looks like this does not seem significant: ``` diff exit_node_working.txt exit_node_not_working.txt 12,13c12,13 < oifname "wt0" ct state established,related counter packets 1048 bytes 2078521 accept < iifname "wt0" counter packets 909 bytes 54393 accept --- > oifname "wt0" ct state established,related counter packets 0 bytes 0 accept > iifname "wt0" counter packets 0 bytes 0 accept 36c36 < counter packets 25 bytes 1580 accept --- > counter packets 0 bytes 0 accept 41c41 < iifname "wt0" counter packets 18 bytes 1160 masquerade --- > iifname "wt0" counter packets 1 bytes 176 masquerade ```

saavagebueno commented

2025-11-20 05:28:26 -05:00

@mgarces commented on GitHub (Oct 10, 2024):

hi there; can you try our latest release v0.30.1 please?

@mgarces commented on GitHub (Oct 10, 2024): hi there; can you try our latest release `v0.30.1` please?

saavagebueno commented

2025-11-20 05:28:26 -05:00

@rkleivel commented on GitHub (Oct 11, 2024):

hi there; can you try our latest release v0.30.1 please?

Sure! Unfortunately I cannot see any improvement since 0.30.0

@rkleivel commented on GitHub (Oct 11, 2024): > hi there; can you try our latest release `v0.30.1` please? Sure! Unfortunately I cannot see any improvement since 0.30.0

saavagebueno commented

2025-11-20 05:28:26 -05:00

@mlsmaycon commented on GitHub (Oct 11, 2024):

Hello @rkleivel can you please run the following commands?

On exit node:

sysctl net.ipv4.ip_forward
sudo tcpdump -i any -nn host 1.1.1.1 and port 443 # keep this running while testing on client

On client:

ip route get 1.1.1.1
nc -vw 5 -z 1.1.1.1 443

Then, share the output with us.

@mlsmaycon commented on GitHub (Oct 11, 2024): Hello @rkleivel can you please run the following commands? On exit node: ```shell sysctl net.ipv4.ip_forward sudo tcpdump -i any -nn host 1.1.1.1 and port 443 # keep this running while testing on client ``` On client: ```shell ip route get 1.1.1.1 nc -vw 5 -z 1.1.1.1 443 ``` Then, share the output with us.

saavagebueno commented

2025-11-20 05:28:26 -05:00

@rkleivel commented on GitHub (Oct 14, 2024):

Hi @mlsmaycon,

As opposed to my comment Oct 11 at 10.11 GMT, I am currently not able to reproduce the issue. Below I will provide the output from your commands.

However, High Availability with 2 exit nodes still does not seem to work. I did not mention that earlier because I did not get time to test it thoroughly, but noticed it last week while debugging the issue of this thread, and have a feeling it might be related. I will provide similar outputs in another comment.

Here the logging for only one exit node that goes down and up, showing that the it now works as expected. (I did add some timestamps to make it easier to relate the two). Both nodes on 0.30.1:

Exit node:

admin@exit1:~$ date && sudo tcpdump -i any -nn host 1.1.1.1 and port 443
Mon Oct 14 07:46:36 UTC 2024
tcpdump: data link type LINUX_SLL2
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
07:46:48.250437 wt0   In  IP 100.93.158.105.32836 > 1.1.1.1.443: Flags [S], seq 1080105978, win 64480, options [mss 1240,sackOK,TS val 4127900581 ecr 0,nop,wscale 7], length 0
07:46:48.250465 ens18 Out IP 192.168.7.26.32836 > 1.1.1.1.443: Flags [S], seq 1080105978, win 64480, options [mss 1240,sackOK,TS val 4127900581 ecr 0,nop,wscale 7], length 0
07:46:48.259774 ens18 In  IP 1.1.1.1.443 > 192.168.7.26.32836: Flags [S.], seq 3227839981, ack 1080105979, win 65535, options [mss 1460,sackOK,TS val 2170826905 ecr 4127900581,nop,wscale 13], length 0
07:46:48.259793 wt0   Out IP 1.1.1.1.443 > 100.93.158.105.32836: Flags [S.], seq 3227839981, ack 1080105979, win 65535, options [mss 1460,sackOK,TS val 2170826905 ecr 4127900581,nop,wscale 13], length 0
07:46:48.321426 wt0   In  IP 100.93.158.105.32836 > 1.1.1.1.443: Flags [.], ack 1, win 504, options [nop,nop,TS val 4127900651 ecr 2170826905], length 0
07:46:48.321442 ens18 Out IP 192.168.7.26.32836 > 1.1.1.1.443: Flags [.], ack 1, win 504, options [nop,nop,TS val 4127900651 ecr 2170826905], length 0
07:46:48.322012 wt0   In  IP 100.93.158.105.32836 > 1.1.1.1.443: Flags [F.], seq 1, ack 1, win 504, options [nop,nop,TS val 4127900651 ecr 2170826905], length 0
07:46:48.322025 ens18 Out IP 192.168.7.26.32836 > 1.1.1.1.443: Flags [F.], seq 1, ack 1, win 504, options [nop,nop,TS val 4127900651 ecr 2170826905], length 0
07:46:48.331567 ens18 In  IP 1.1.1.1.443 > 192.168.7.26.32836: Flags [F.], seq 1, ack 2, win 8, options [nop,nop,TS val 2170826977 ecr 4127900651], length 0
07:46:48.331598 wt0   Out IP 1.1.1.1.443 > 100.93.158.105.32836: Flags [F.], seq 1, ack 2, win 8, options [nop,nop,TS val 2170826977 ecr 4127900651], length 0
07:46:48.377526 wt0   In  IP 100.93.158.105.32836 > 1.1.1.1.443: Flags [.], ack 2, win 504, options [nop,nop,TS val 4127900708 ecr 2170826977], length 0
07:46:48.377546 ens18 Out IP 192.168.7.26.32836 > 1.1.1.1.443: Flags [.], ack 2, win 504, options [nop,nop,TS val 4127900708 ecr 2170826977], length 0
^C
12 packets captured
14 packets received by filter
0 packets dropped by kernel
admin@exit1:~$ netbird down && netbird up
Disconnected
Connected
admin@exit1:~$ date && sudo tcpdump -i any -nn host 1.1.1.1 and port 443
Mon Oct 14 07:47:47 UTC 2024
tcpdump: data link type LINUX_SLL2
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
07:47:51.625745 wt0   In  IP 100.93.158.105.56110 > 1.1.1.1.443: Flags [S], seq 2392515285, win 64480, options [mss 1240,sackOK,TS val 4127963956 ecr 0,nop,wscale 7], length 0
07:47:51.625771 ens18 Out IP 192.168.7.26.56110 > 1.1.1.1.443: Flags [S], seq 2392515285, win 64480, options [mss 1240,sackOK,TS val 4127963956 ecr 0,nop,wscale 7], length 0
07:47:51.635630 ens18 In  IP 1.1.1.1.443 > 192.168.7.26.56110: Flags [S.], seq 1033369258, ack 2392515286, win 65535, options [mss 1460,sackOK,TS val 3968834669 ecr 4127963956,nop,wscale 13], length 0
07:47:51.635670 wt0   Out IP 1.1.1.1.443 > 100.93.158.105.56110: Flags [S.], seq 1033369258, ack 2392515286, win 65535, options [mss 1460,sackOK,TS val 3968834669 ecr 4127963956,nop,wscale 13], length 0
07:47:51.680578 wt0   In  IP 100.93.158.105.56110 > 1.1.1.1.443: Flags [.], ack 1, win 504, options [nop,nop,TS val 4127964011 ecr 3968834669], length 0
07:47:51.680599 ens18 Out IP 192.168.7.26.56110 > 1.1.1.1.443: Flags [.], ack 1, win 504, options [nop,nop,TS val 4127964011 ecr 3968834669], length 0
07:47:51.680832 wt0   In  IP 100.93.158.105.56110 > 1.1.1.1.443: Flags [F.], seq 1, ack 1, win 504, options [nop,nop,TS val 4127964011 ecr 3968834669], length 0
07:47:51.680852 ens18 Out IP 192.168.7.26.56110 > 1.1.1.1.443: Flags [F.], seq 1, ack 1, win 504, options [nop,nop,TS val 4127964011 ecr 3968834669], length 0
07:47:51.691850 ens18 In  IP 1.1.1.1.443 > 192.168.7.26.56110: Flags [F.], seq 1, ack 2, win 8, options [nop,nop,TS val 3968834725 ecr 4127964011], length 0
07:47:51.691877 wt0   Out IP 1.1.1.1.443 > 100.93.158.105.56110: Flags [F.], seq 1, ack 2, win 8, options [nop,nop,TS val 3968834725 ecr 4127964011], length 0
07:47:51.738217 wt0   In  IP 100.93.158.105.56110 > 1.1.1.1.443: Flags [.], ack 2, win 504, options [nop,nop,TS val 4127964069 ecr 3968834725], length 0
07:47:51.738254 ens18 Out IP 192.168.7.26.56110 > 1.1.1.1.443: Flags [.], ack 2, win 504, options [nop,nop,TS val 4127964069 ecr 3968834725], length 0
^C
12 packets captured
13 packets received by filter
0 packets dropped by kernel
admin@exit1:~$ sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1
admin@exit1:~$

Client:

admin@client:~$ date && ip route get 1.1.1.1
Mon Oct 14 07:46:38 UTC 2024
1.1.1.1 dev wt0 table netbird src 100.93.158.105 uid 1000 
    cache 
admin@client:~$ date && nc -vw 5 -z 1.1.1.1 443
Mon Oct 14 07:46:48 UTC 2024
Connection to 1.1.1.1 443 port [tcp/https] succeeded!
admin@client:~$ date && nc -vw 5 -z 1.1.1.1 443
Mon Oct 14 07:47:07 UTC 2024
nc: connect to 1.1.1.1 port 443 (tcp) timed out: Operation now in progress
admin@client:~$ date && ip route get 1.1.1.1
Mon Oct 14 07:47:13 UTC 2024
1.1.1.1 dev wt0 table netbird src 100.93.158.105 uid 1000 
    cache 
admin@client:~$ date && nc -vw 5 -z 1.1.1.1 443
Mon Oct 14 07:47:16 UTC 2024
nc: connect to 1.1.1.1 port 443 (tcp) timed out: Operation now in progress
admin@client:~$ date && nc -vw 5 -z 1.1.1.1 443
Mon Oct 14 07:47:22 UTC 2024
nc: connect to 1.1.1.1 port 443 (tcp) timed out: Operation now in progress
admin@client:~$ date && nc -vw 5 -z 1.1.1.1 443
Mon Oct 14 07:47:29 UTC 2024
nc: connect to 1.1.1.1 port 443 (tcp) timed out: Operation now in progress
admin@client:~$ date && nc -vw 5 -z 1.1.1.1 443
Mon Oct 14 07:47:35 UTC 2024
nc: connect to 1.1.1.1 port 443 (tcp) timed out: Operation now in progress
admin@client:~$ date && nc -vw 5 -z 1.1.1.1 443
Mon Oct 14 07:47:42 UTC 2024
nc: connect to 1.1.1.1 port 443 (tcp) timed out: Operation now in progress
admin@client:~$ date && nc -vw 5 -z 1.1.1.1 443
Mon Oct 14 07:47:51 UTC 2024
Connection to 1.1.1.1 443 port [tcp/https] succeeded!
admin@client:~$

@rkleivel commented on GitHub (Oct 14, 2024): Hi @mlsmaycon, As opposed to my comment Oct 11 at 10.11 GMT, I am currently not able to reproduce the issue. Below I will provide the output from your commands. **However**, High Availability with 2 exit nodes still does not seem to work. I did not mention that earlier because I did not get time to test it thoroughly, but noticed it last week while debugging the issue of this thread, and have a feeling it might be related. I will provide similar outputs in another comment. Here the logging for only one exit node that goes down and up, showing that the it now works as expected. (I did add some timestamps to make it easier to relate the two). Both nodes on 0.30.1: Exit node: ``` admin@exit1:~$ date && sudo tcpdump -i any -nn host 1.1.1.1 and port 443 Mon Oct 14 07:46:36 UTC 2024 tcpdump: data link type LINUX_SLL2 tcpdump: verbose output suppressed, use -v[v]... for full protocol decode listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes 07:46:48.250437 wt0 In IP 100.93.158.105.32836 > 1.1.1.1.443: Flags [S], seq 1080105978, win 64480, options [mss 1240,sackOK,TS val 4127900581 ecr 0,nop,wscale 7], length 0 07:46:48.250465 ens18 Out IP 192.168.7.26.32836 > 1.1.1.1.443: Flags [S], seq 1080105978, win 64480, options [mss 1240,sackOK,TS val 4127900581 ecr 0,nop,wscale 7], length 0 07:46:48.259774 ens18 In IP 1.1.1.1.443 > 192.168.7.26.32836: Flags [S.], seq 3227839981, ack 1080105979, win 65535, options [mss 1460,sackOK,TS val 2170826905 ecr 4127900581,nop,wscale 13], length 0 07:46:48.259793 wt0 Out IP 1.1.1.1.443 > 100.93.158.105.32836: Flags [S.], seq 3227839981, ack 1080105979, win 65535, options [mss 1460,sackOK,TS val 2170826905 ecr 4127900581,nop,wscale 13], length 0 07:46:48.321426 wt0 In IP 100.93.158.105.32836 > 1.1.1.1.443: Flags [.], ack 1, win 504, options [nop,nop,TS val 4127900651 ecr 2170826905], length 0 07:46:48.321442 ens18 Out IP 192.168.7.26.32836 > 1.1.1.1.443: Flags [.], ack 1, win 504, options [nop,nop,TS val 4127900651 ecr 2170826905], length 0 07:46:48.322012 wt0 In IP 100.93.158.105.32836 > 1.1.1.1.443: Flags [F.], seq 1, ack 1, win 504, options [nop,nop,TS val 4127900651 ecr 2170826905], length 0 07:46:48.322025 ens18 Out IP 192.168.7.26.32836 > 1.1.1.1.443: Flags [F.], seq 1, ack 1, win 504, options [nop,nop,TS val 4127900651 ecr 2170826905], length 0 07:46:48.331567 ens18 In IP 1.1.1.1.443 > 192.168.7.26.32836: Flags [F.], seq 1, ack 2, win 8, options [nop,nop,TS val 2170826977 ecr 4127900651], length 0 07:46:48.331598 wt0 Out IP 1.1.1.1.443 > 100.93.158.105.32836: Flags [F.], seq 1, ack 2, win 8, options [nop,nop,TS val 2170826977 ecr 4127900651], length 0 07:46:48.377526 wt0 In IP 100.93.158.105.32836 > 1.1.1.1.443: Flags [.], ack 2, win 504, options [nop,nop,TS val 4127900708 ecr 2170826977], length 0 07:46:48.377546 ens18 Out IP 192.168.7.26.32836 > 1.1.1.1.443: Flags [.], ack 2, win 504, options [nop,nop,TS val 4127900708 ecr 2170826977], length 0 ^C 12 packets captured 14 packets received by filter 0 packets dropped by kernel admin@exit1:~$ netbird down && netbird up Disconnected Connected admin@exit1:~$ date && sudo tcpdump -i any -nn host 1.1.1.1 and port 443 Mon Oct 14 07:47:47 UTC 2024 tcpdump: data link type LINUX_SLL2 tcpdump: verbose output suppressed, use -v[v]... for full protocol decode listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes 07:47:51.625745 wt0 In IP 100.93.158.105.56110 > 1.1.1.1.443: Flags [S], seq 2392515285, win 64480, options [mss 1240,sackOK,TS val 4127963956 ecr 0,nop,wscale 7], length 0 07:47:51.625771 ens18 Out IP 192.168.7.26.56110 > 1.1.1.1.443: Flags [S], seq 2392515285, win 64480, options [mss 1240,sackOK,TS val 4127963956 ecr 0,nop,wscale 7], length 0 07:47:51.635630 ens18 In IP 1.1.1.1.443 > 192.168.7.26.56110: Flags [S.], seq 1033369258, ack 2392515286, win 65535, options [mss 1460,sackOK,TS val 3968834669 ecr 4127963956,nop,wscale 13], length 0 07:47:51.635670 wt0 Out IP 1.1.1.1.443 > 100.93.158.105.56110: Flags [S.], seq 1033369258, ack 2392515286, win 65535, options [mss 1460,sackOK,TS val 3968834669 ecr 4127963956,nop,wscale 13], length 0 07:47:51.680578 wt0 In IP 100.93.158.105.56110 > 1.1.1.1.443: Flags [.], ack 1, win 504, options [nop,nop,TS val 4127964011 ecr 3968834669], length 0 07:47:51.680599 ens18 Out IP 192.168.7.26.56110 > 1.1.1.1.443: Flags [.], ack 1, win 504, options [nop,nop,TS val 4127964011 ecr 3968834669], length 0 07:47:51.680832 wt0 In IP 100.93.158.105.56110 > 1.1.1.1.443: Flags [F.], seq 1, ack 1, win 504, options [nop,nop,TS val 4127964011 ecr 3968834669], length 0 07:47:51.680852 ens18 Out IP 192.168.7.26.56110 > 1.1.1.1.443: Flags [F.], seq 1, ack 1, win 504, options [nop,nop,TS val 4127964011 ecr 3968834669], length 0 07:47:51.691850 ens18 In IP 1.1.1.1.443 > 192.168.7.26.56110: Flags [F.], seq 1, ack 2, win 8, options [nop,nop,TS val 3968834725 ecr 4127964011], length 0 07:47:51.691877 wt0 Out IP 1.1.1.1.443 > 100.93.158.105.56110: Flags [F.], seq 1, ack 2, win 8, options [nop,nop,TS val 3968834725 ecr 4127964011], length 0 07:47:51.738217 wt0 In IP 100.93.158.105.56110 > 1.1.1.1.443: Flags [.], ack 2, win 504, options [nop,nop,TS val 4127964069 ecr 3968834725], length 0 07:47:51.738254 ens18 Out IP 192.168.7.26.56110 > 1.1.1.1.443: Flags [.], ack 2, win 504, options [nop,nop,TS val 4127964069 ecr 3968834725], length 0 ^C 12 packets captured 13 packets received by filter 0 packets dropped by kernel admin@exit1:~$ sysctl net.ipv4.ip_forward net.ipv4.ip_forward = 1 admin@exit1:~$ ``` Client: ``` admin@client:~$ date && ip route get 1.1.1.1 Mon Oct 14 07:46:38 UTC 2024 1.1.1.1 dev wt0 table netbird src 100.93.158.105 uid 1000 cache admin@client:~$ date && nc -vw 5 -z 1.1.1.1 443 Mon Oct 14 07:46:48 UTC 2024 Connection to 1.1.1.1 443 port [tcp/https] succeeded! admin@client:~$ date && nc -vw 5 -z 1.1.1.1 443 Mon Oct 14 07:47:07 UTC 2024 nc: connect to 1.1.1.1 port 443 (tcp) timed out: Operation now in progress admin@client:~$ date && ip route get 1.1.1.1 Mon Oct 14 07:47:13 UTC 2024 1.1.1.1 dev wt0 table netbird src 100.93.158.105 uid 1000 cache admin@client:~$ date && nc -vw 5 -z 1.1.1.1 443 Mon Oct 14 07:47:16 UTC 2024 nc: connect to 1.1.1.1 port 443 (tcp) timed out: Operation now in progress admin@client:~$ date && nc -vw 5 -z 1.1.1.1 443 Mon Oct 14 07:47:22 UTC 2024 nc: connect to 1.1.1.1 port 443 (tcp) timed out: Operation now in progress admin@client:~$ date && nc -vw 5 -z 1.1.1.1 443 Mon Oct 14 07:47:29 UTC 2024 nc: connect to 1.1.1.1 port 443 (tcp) timed out: Operation now in progress admin@client:~$ date && nc -vw 5 -z 1.1.1.1 443 Mon Oct 14 07:47:35 UTC 2024 nc: connect to 1.1.1.1 port 443 (tcp) timed out: Operation now in progress admin@client:~$ date && nc -vw 5 -z 1.1.1.1 443 Mon Oct 14 07:47:42 UTC 2024 nc: connect to 1.1.1.1 port 443 (tcp) timed out: Operation now in progress admin@client:~$ date && nc -vw 5 -z 1.1.1.1 443 Mon Oct 14 07:47:51 UTC 2024 Connection to 1.1.1.1 443 port [tcp/https] succeeded! admin@client:~$ ```

saavagebueno commented

2025-11-20 05:28:26 -05:00

@mlsmaycon commented on GitHub (Oct 14, 2024):

Thanks, @rkleivel, for sharing the outputs.

Ok, to confirm what we see in with the timestamps, the failure was after you restarted the connection and is probably related to the time it took for the peers to connect. Right?

With the previous release, we fixed an issue with forwarding rules caused by the number of peers in an access control rule, which shouldn't affect nodes with exit nodes and no access control groups set in any of the routing peer routes. So it may not have affected you unless you had an access control group for a network route.

We will wait for your check with HA as well.

@mlsmaycon commented on GitHub (Oct 14, 2024): Thanks, @rkleivel, for sharing the outputs. Ok, to confirm what we see in with the timestamps, the failure was after you restarted the connection and is probably related to the time it took for the peers to connect. Right? With the previous release, we fixed an issue with forwarding rules caused by the number of peers in an access control rule, which shouldn't affect nodes with exit nodes and no access control groups set in any of the routing peer routes. So it may not have affected you unless you had an access control group for a network route. We will wait for your check with HA as well.

saavagebueno commented

2025-11-20 05:28:26 -05:00

@rkleivel commented on GitHub (Oct 14, 2024):

As promised, here follows the outputs for 1 client with 2 exit nodes. Initially both exit nodes are up. I confirm that routing through exit node 1 is OK, then I take exit node 1 down. Routing does not switch to exit node 2 until I manually deactivate and activate the exit node entry in the web GUI.

Client:

admin@client:~$ date && ip route get 1.1.1.1
Mon Oct 14 07:58:39 UTC 2024
1.1.1.1 dev wt0 table netbird src 100.93.158.105 uid 1000 
    cache 
admin@client:~$ date && nc -vw 5 -z 1.1.1.1 443
Mon Oct 14 07:59:10 UTC 2024
nc: connect to 1.1.1.1 port 443 (tcp) timed out: Operation now in progress
admin@client:~$ date && nc -vw 5 -z 1.1.1.1 443
Mon Oct 14 07:59:19 UTC 2024
nc: connect to 1.1.1.1 port 443 (tcp) timed out: Operation now in progress
admin@client:~$ date && nc -vw 5 -z 1.1.1.1 443
Mon Oct 14 07:59:35 UTC 2024
Connection to 1.1.1.1 443 port [tcp/https] succeeded!
admin@client:~$ 
admin@client:~$ date && nc -vw 5 -z 1.1.1.1 443
Mon Oct 14 08:00:11 UTC 2024
nc: connect to 1.1.1.1 port 443 (tcp) timed out: Operation now in progress
admin@client:~$ date && nc -vw 5 -z 1.1.1.1 443
Mon Oct 14 08:00:27 UTC 2024
nc: connect to 1.1.1.1 port 443 (tcp) timed out: Operation now in progress
admin@client:~$ date && nc -vw 5 -z 1.1.1.1 443
Mon Oct 14 08:00:44 UTC 2024
nc: connect to 1.1.1.1 port 443 (tcp) timed out: Operation now in progress
admin@client:~$ date && nc -vw 5 -z 1.1.1.1 443
Mon Oct 14 08:01:10 UTC 2024
nc: connect to 1.1.1.1 port 443 (tcp) timed out: Operation now in progress
admin@client:~$ date && nc -vw 5 -z 1.1.1.1 443
Mon Oct 14 08:01:41 UTC 2024
nc: connect to 1.1.1.1 port 443 (tcp) timed out: Operation now in progress
admin@client:~$ date && nc -vw 5 -z 1.1.1.1 443
Mon Oct 14 08:03:04 UTC 2024
nc: connect to 1.1.1.1 port 443 (tcp) timed out: Operation now in progress
admin@client:~$ date && ip route get 1.1.1.1
Mon Oct 14 08:04:25 UTC 2024
1.1.1.1 dev wt0 table netbird src 100.93.158.105 uid 1000 
    cache 
admin@client:~$ date && nc -vw 5 -z 1.1.1.1 443
Mon Oct 14 08:04:42 UTC 2024
nc: connect to 1.1.1.1 port 443 (tcp) timed out: Operation now in progress
admin@client:~$ date && nc -vw 5 -z 1.1.1.1 443
Mon Oct 14 08:04:56 UTC 2024
nc: connect to 1.1.1.1 port 443 (tcp) timed out: Operation now in progress
admin@client:~$ date && nc -vw 5 -z 1.1.1.1 443
Mon Oct 14 08:05:12 UTC 2024
nc: connect to 1.1.1.1 port 443 (tcp) timed out: Operation now in progress
admin@client:~$ date && nc -vw 5 -z 1.1.1.1 443
Mon Oct 14 08:05:35 UTC 2024
nc: connect to 1.1.1.1 port 443 (tcp) timed out: Operation now in progress
admin@client:~$ date && nc -vw 5 -z 1.1.1.1 443
Mon Oct 14 08:06:00 UTC 2024
nc: connect to 1.1.1.1 port 443 (tcp) timed out: Operation now in progress
admin@client:~$ date && nc -vw 5 -z 1.1.1.1 443
Mon Oct 14 08:06:26 UTC 2024
nc: connect to 1.1.1.1 port 443 (tcp) timed out: Operation now in progress
admin@client:~$ 
admin@client:~$ date && nc -vw 5 -z 1.1.1.1 443
Mon Oct 14 08:06:57 UTC 2024
nc: connect to 1.1.1.1 port 443 (tcp) timed out: Operation now in progress
admin@client:~$ date && nc -vw 5 -z 1.1.1.1 443
Mon Oct 14 08:07:32 UTC 2024
nc: connect to 1.1.1.1 port 443 (tcp) timed out: Operation now in progress
admin@client:~$ date && ip route get 1.1.1.1
Mon Oct 14 08:08:28 UTC 2024
1.1.1.1 dev wt0 table netbird src 100.93.158.105 uid 1000 
    cache 
admin@client:~$

EXIT Node deactivated and activated in GUI at this point

admin@client:~$ date && nc -vw 5 -z 1.1.1.1 443
Mon Oct 14 08:08:30 UTC 2024
Connection to 1.1.1.1 443 port [tcp/https] succeeded!
admin@client:~$ date
Mon Oct 14 08:08:54 UTC 2024
admin@client:~$

Exit Node 1:

admin@exit1:~$ date && sysctl net.ipv4.ip_forward
Mon Oct 14 07:58:46 UTC 2024
net.ipv4.ip_forward = 1
admin@exit1:~$ date && sudo tcpdump -i any -nn host 1.1.1.1 and port 443 
Mon Oct 14 07:59:01 UTC 2024
tcpdump: data link type LINUX_SLL2
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
07:59:39.508343 wt0   In  IP 100.93.158.105.47854 > 1.1.1.1.443: Flags [S], seq 2382693363, win 64480, options [mss 1240,sackOK,TS val 4128671838 ecr 0,nop,wscale 7], length 0
07:59:39.508381 ens18 Out IP 192.168.7.26.47854 > 1.1.1.1.443: Flags [S], seq 2382693363, win 64480, options [mss 1240,sackOK,TS val 4128671838 ecr 0,nop,wscale 7], length 0
07:59:39.517940 ens18 In  IP 1.1.1.1.443 > 192.168.7.26.47854: Flags [S.], seq 2277416614, ack 2382693364, win 65535, options [mss 1460,sackOK,TS val 1861873 ecr 4128671838,nop,wscale 13], length 0
07:59:39.517982 wt0   Out IP 1.1.1.1.443 > 100.93.158.105.47854: Flags [S.], seq 2277416614, ack 2382693364, win 65535, options [mss 1460,sackOK,TS val 1861873 ecr 4128671838,nop,wscale 13], length 0
07:59:39.563320 wt0   In  IP 100.93.158.105.47854 > 1.1.1.1.443: Flags [.], ack 1, win 504, options [nop,nop,TS val 4128671893 ecr 1861873], length 0
07:59:39.563339 ens18 Out IP 192.168.7.26.47854 > 1.1.1.1.443: Flags [.], ack 1, win 504, options [nop,nop,TS val 4128671893 ecr 1861873], length 0
07:59:39.564156 wt0   In  IP 100.93.158.105.47854 > 1.1.1.1.443: Flags [F.], seq 1, ack 1, win 504, options [nop,nop,TS val 4128671893 ecr 1861873], length 0
07:59:39.564175 ens18 Out IP 192.168.7.26.47854 > 1.1.1.1.443: Flags [F.], seq 1, ack 1, win 504, options [nop,nop,TS val 4128671893 ecr 1861873], length 0
07:59:39.573752 ens18 In  IP 1.1.1.1.443 > 192.168.7.26.47854: Flags [F.], seq 1, ack 2, win 8, options [nop,nop,TS val 1861929 ecr 4128671893], length 0
07:59:39.573792 wt0   Out IP 1.1.1.1.443 > 100.93.158.105.47854: Flags [F.], seq 1, ack 2, win 8, options [nop,nop,TS val 1861929 ecr 4128671893], length 0
07:59:39.618865 wt0   In  IP 100.93.158.105.47854 > 1.1.1.1.443: Flags [.], ack 2, win 504, options [nop,nop,TS val 4128671948 ecr 1861929], length 0
07:59:39.618890 ens18 Out IP 192.168.7.26.47854 > 1.1.1.1.443: Flags [.], ack 2, win 504, options [nop,nop,TS val 4128671948 ecr 1861929], length 0
^C
12 packets captured
14 packets received by filter
0 packets dropped by kernel
admin@exit1:~$ date && netbird down
Mon Oct 14 08:00:03 UTC 2024
Disconnected
admin@exit1:~$ date && sudo tcpdump -i any -nn host 1.1.1.1 and port 443 
Mon Oct 14 08:04:40 UTC 2024
tcpdump: data link type LINUX_SLL2
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
^C
0 packets captured
2 packets received by filter
0 packets dropped by kernel
admin@exit1:~$ date
Mon Oct 14 08:08:58 UTC 2024
admin@exit1:~$

Exit Node 2:

admin@exit2:~$ date && sysctl net.ipv4.ip_forward
Mon Oct 14 07:58:49 UTC 2024
net.ipv4.ip_forward = 1
admin@exit2:~$ date && sudo tcpdump -i any -nn host 1.1.1.1 and port 443 
Mon Oct 14 07:59:02 UTC 2024
tcpdump: data link type LINUX_SLL2
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
08:08:30.973700 wt0   In  IP 100.93.158.105.35580 > 1.1.1.1.443: Flags [S], seq 1509625333, win 64480, options [mss 1240,sackOK,TS val 4129203321 ecr 0,nop,wscale 7], length 0
08:08:30.973717 eth0  Out IP 172.17.0.4.35580 > 1.1.1.1.443: Flags [S], seq 1509625333, win 64480, options [mss 1240,sackOK,TS val 4129203321 ecr 0,nop,wscale 7], length 0
08:08:30.985416 eth0  In  IP 1.1.1.1.443 > 172.17.0.4.35580: Flags [S.], seq 1235011614, ack 1509625334, win 65535, options [mss 1460,sackOK,TS val 560577716 ecr 4129203321,nop,wscale 13], length 0
08:08:30.985430 wt0   Out IP 1.1.1.1.443 > 100.93.158.105.35580: Flags [S.], seq 1235011614, ack 1509625334, win 65535, options [mss 1460,sackOK,TS val 560577716 ecr 4129203321,nop,wscale 13], length 0
08:08:30.996615 wt0   In  IP 100.93.158.105.35580 > 1.1.1.1.443: Flags [.], ack 1, win 504, options [nop,nop,TS val 4129203343 ecr 560577716], length 0
08:08:30.996627 eth0  Out IP 172.17.0.4.35580 > 1.1.1.1.443: Flags [.], ack 1, win 504, options [nop,nop,TS val 4129203343 ecr 560577716], length 0
08:08:30.996632 wt0   In  IP 100.93.158.105.35580 > 1.1.1.1.443: Flags [F.], seq 1, ack 1, win 504, options [nop,nop,TS val 4129203344 ecr 560577716], length 0
08:08:30.996636 eth0  Out IP 172.17.0.4.35580 > 1.1.1.1.443: Flags [F.], seq 1, ack 1, win 504, options [nop,nop,TS val 4129203344 ecr 560577716], length 0
08:08:31.009041 eth0  In  IP 1.1.1.1.443 > 172.17.0.4.35580: Flags [.], ack 2, win 8, options [nop,nop,TS val 560577740 ecr 4129203344], length 0
08:08:31.009041 eth0  In  IP 1.1.1.1.443 > 172.17.0.4.35580: Flags [F.], seq 1, ack 2, win 8, options [nop,nop,TS val 560577740 ecr 4129203344], length 0
08:08:31.009062 wt0   Out IP 1.1.1.1.443 > 100.93.158.105.35580: Flags [.], ack 2, win 8, options [nop,nop,TS val 560577740 ecr 4129203344], length 0
08:08:31.009081 wt0   Out IP 1.1.1.1.443 > 100.93.158.105.35580: Flags [F.], seq 1, ack 2, win 8, options [nop,nop,TS val 560577740 ecr 4129203344], length 0
08:08:31.030793 wt0   In  IP 100.93.158.105.35580 > 1.1.1.1.443: Flags [.], ack 2, win 504, options [nop,nop,TS val 4129203377 ecr 560577740], length 0
08:08:31.030800 eth0  Out IP 172.17.0.4.35580 > 1.1.1.1.443: Flags [.], ack 2, win 504, options [nop,nop,TS val 4129203377 ecr 560577740], length 0
^C
14 packets captured
16 packets received by filter
0 packets dropped by kernel
admin@exit2:~$ date
Mon Oct 14 08:08:50 UTC 2024
admin@exit2:~$

@rkleivel commented on GitHub (Oct 14, 2024): As promised, here follows the outputs for 1 client with 2 exit nodes. Initially both exit nodes are up. I confirm that routing through exit node 1 is OK, then I take exit node 1 down. Routing does not switch to exit node 2 until I manually deactivate and activate the exit node entry in the web GUI. **Client:** ``` admin@client:~$ date && ip route get 1.1.1.1 Mon Oct 14 07:58:39 UTC 2024 1.1.1.1 dev wt0 table netbird src 100.93.158.105 uid 1000 cache admin@client:~$ date && nc -vw 5 -z 1.1.1.1 443 Mon Oct 14 07:59:10 UTC 2024 nc: connect to 1.1.1.1 port 443 (tcp) timed out: Operation now in progress admin@client:~$ date && nc -vw 5 -z 1.1.1.1 443 Mon Oct 14 07:59:19 UTC 2024 nc: connect to 1.1.1.1 port 443 (tcp) timed out: Operation now in progress admin@client:~$ date && nc -vw 5 -z 1.1.1.1 443 Mon Oct 14 07:59:35 UTC 2024 Connection to 1.1.1.1 443 port [tcp/https] succeeded! admin@client:~$ admin@client:~$ date && nc -vw 5 -z 1.1.1.1 443 Mon Oct 14 08:00:11 UTC 2024 nc: connect to 1.1.1.1 port 443 (tcp) timed out: Operation now in progress admin@client:~$ date && nc -vw 5 -z 1.1.1.1 443 Mon Oct 14 08:00:27 UTC 2024 nc: connect to 1.1.1.1 port 443 (tcp) timed out: Operation now in progress admin@client:~$ date && nc -vw 5 -z 1.1.1.1 443 Mon Oct 14 08:00:44 UTC 2024 nc: connect to 1.1.1.1 port 443 (tcp) timed out: Operation now in progress admin@client:~$ date && nc -vw 5 -z 1.1.1.1 443 Mon Oct 14 08:01:10 UTC 2024 nc: connect to 1.1.1.1 port 443 (tcp) timed out: Operation now in progress admin@client:~$ date && nc -vw 5 -z 1.1.1.1 443 Mon Oct 14 08:01:41 UTC 2024 nc: connect to 1.1.1.1 port 443 (tcp) timed out: Operation now in progress admin@client:~$ date && nc -vw 5 -z 1.1.1.1 443 Mon Oct 14 08:03:04 UTC 2024 nc: connect to 1.1.1.1 port 443 (tcp) timed out: Operation now in progress admin@client:~$ date && ip route get 1.1.1.1 Mon Oct 14 08:04:25 UTC 2024 1.1.1.1 dev wt0 table netbird src 100.93.158.105 uid 1000 cache admin@client:~$ date && nc -vw 5 -z 1.1.1.1 443 Mon Oct 14 08:04:42 UTC 2024 nc: connect to 1.1.1.1 port 443 (tcp) timed out: Operation now in progress admin@client:~$ date && nc -vw 5 -z 1.1.1.1 443 Mon Oct 14 08:04:56 UTC 2024 nc: connect to 1.1.1.1 port 443 (tcp) timed out: Operation now in progress admin@client:~$ date && nc -vw 5 -z 1.1.1.1 443 Mon Oct 14 08:05:12 UTC 2024 nc: connect to 1.1.1.1 port 443 (tcp) timed out: Operation now in progress admin@client:~$ date && nc -vw 5 -z 1.1.1.1 443 Mon Oct 14 08:05:35 UTC 2024 nc: connect to 1.1.1.1 port 443 (tcp) timed out: Operation now in progress admin@client:~$ date && nc -vw 5 -z 1.1.1.1 443 Mon Oct 14 08:06:00 UTC 2024 nc: connect to 1.1.1.1 port 443 (tcp) timed out: Operation now in progress admin@client:~$ date && nc -vw 5 -z 1.1.1.1 443 Mon Oct 14 08:06:26 UTC 2024 nc: connect to 1.1.1.1 port 443 (tcp) timed out: Operation now in progress admin@client:~$ admin@client:~$ date && nc -vw 5 -z 1.1.1.1 443 Mon Oct 14 08:06:57 UTC 2024 nc: connect to 1.1.1.1 port 443 (tcp) timed out: Operation now in progress admin@client:~$ date && nc -vw 5 -z 1.1.1.1 443 Mon Oct 14 08:07:32 UTC 2024 nc: connect to 1.1.1.1 port 443 (tcp) timed out: Operation now in progress admin@client:~$ date && ip route get 1.1.1.1 Mon Oct 14 08:08:28 UTC 2024 1.1.1.1 dev wt0 table netbird src 100.93.158.105 uid 1000 cache admin@client:~$ ``` **EXIT Node deactivated and activated in GUI at this point** ``` admin@client:~$ date && nc -vw 5 -z 1.1.1.1 443 Mon Oct 14 08:08:30 UTC 2024 Connection to 1.1.1.1 443 port [tcp/https] succeeded! admin@client:~$ date Mon Oct 14 08:08:54 UTC 2024 admin@client:~$ ``` **Exit Node 1:** ``` admin@exit1:~$ date && sysctl net.ipv4.ip_forward Mon Oct 14 07:58:46 UTC 2024 net.ipv4.ip_forward = 1 admin@exit1:~$ date && sudo tcpdump -i any -nn host 1.1.1.1 and port 443 Mon Oct 14 07:59:01 UTC 2024 tcpdump: data link type LINUX_SLL2 tcpdump: verbose output suppressed, use -v[v]... for full protocol decode listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes 07:59:39.508343 wt0 In IP 100.93.158.105.47854 > 1.1.1.1.443: Flags [S], seq 2382693363, win 64480, options [mss 1240,sackOK,TS val 4128671838 ecr 0,nop,wscale 7], length 0 07:59:39.508381 ens18 Out IP 192.168.7.26.47854 > 1.1.1.1.443: Flags [S], seq 2382693363, win 64480, options [mss 1240,sackOK,TS val 4128671838 ecr 0,nop,wscale 7], length 0 07:59:39.517940 ens18 In IP 1.1.1.1.443 > 192.168.7.26.47854: Flags [S.], seq 2277416614, ack 2382693364, win 65535, options [mss 1460,sackOK,TS val 1861873 ecr 4128671838,nop,wscale 13], length 0 07:59:39.517982 wt0 Out IP 1.1.1.1.443 > 100.93.158.105.47854: Flags [S.], seq 2277416614, ack 2382693364, win 65535, options [mss 1460,sackOK,TS val 1861873 ecr 4128671838,nop,wscale 13], length 0 07:59:39.563320 wt0 In IP 100.93.158.105.47854 > 1.1.1.1.443: Flags [.], ack 1, win 504, options [nop,nop,TS val 4128671893 ecr 1861873], length 0 07:59:39.563339 ens18 Out IP 192.168.7.26.47854 > 1.1.1.1.443: Flags [.], ack 1, win 504, options [nop,nop,TS val 4128671893 ecr 1861873], length 0 07:59:39.564156 wt0 In IP 100.93.158.105.47854 > 1.1.1.1.443: Flags [F.], seq 1, ack 1, win 504, options [nop,nop,TS val 4128671893 ecr 1861873], length 0 07:59:39.564175 ens18 Out IP 192.168.7.26.47854 > 1.1.1.1.443: Flags [F.], seq 1, ack 1, win 504, options [nop,nop,TS val 4128671893 ecr 1861873], length 0 07:59:39.573752 ens18 In IP 1.1.1.1.443 > 192.168.7.26.47854: Flags [F.], seq 1, ack 2, win 8, options [nop,nop,TS val 1861929 ecr 4128671893], length 0 07:59:39.573792 wt0 Out IP 1.1.1.1.443 > 100.93.158.105.47854: Flags [F.], seq 1, ack 2, win 8, options [nop,nop,TS val 1861929 ecr 4128671893], length 0 07:59:39.618865 wt0 In IP 100.93.158.105.47854 > 1.1.1.1.443: Flags [.], ack 2, win 504, options [nop,nop,TS val 4128671948 ecr 1861929], length 0 07:59:39.618890 ens18 Out IP 192.168.7.26.47854 > 1.1.1.1.443: Flags [.], ack 2, win 504, options [nop,nop,TS val 4128671948 ecr 1861929], length 0 ^C 12 packets captured 14 packets received by filter 0 packets dropped by kernel admin@exit1:~$ date && netbird down Mon Oct 14 08:00:03 UTC 2024 Disconnected admin@exit1:~$ date && sudo tcpdump -i any -nn host 1.1.1.1 and port 443 Mon Oct 14 08:04:40 UTC 2024 tcpdump: data link type LINUX_SLL2 tcpdump: verbose output suppressed, use -v[v]... for full protocol decode listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes ^C 0 packets captured 2 packets received by filter 0 packets dropped by kernel admin@exit1:~$ date Mon Oct 14 08:08:58 UTC 2024 admin@exit1:~$ ``` **Exit Node 2:** ``` admin@exit2:~$ date && sysctl net.ipv4.ip_forward Mon Oct 14 07:58:49 UTC 2024 net.ipv4.ip_forward = 1 admin@exit2:~$ date && sudo tcpdump -i any -nn host 1.1.1.1 and port 443 Mon Oct 14 07:59:02 UTC 2024 tcpdump: data link type LINUX_SLL2 tcpdump: verbose output suppressed, use -v[v]... for full protocol decode listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes 08:08:30.973700 wt0 In IP 100.93.158.105.35580 > 1.1.1.1.443: Flags [S], seq 1509625333, win 64480, options [mss 1240,sackOK,TS val 4129203321 ecr 0,nop,wscale 7], length 0 08:08:30.973717 eth0 Out IP 172.17.0.4.35580 > 1.1.1.1.443: Flags [S], seq 1509625333, win 64480, options [mss 1240,sackOK,TS val 4129203321 ecr 0,nop,wscale 7], length 0 08:08:30.985416 eth0 In IP 1.1.1.1.443 > 172.17.0.4.35580: Flags [S.], seq 1235011614, ack 1509625334, win 65535, options [mss 1460,sackOK,TS val 560577716 ecr 4129203321,nop,wscale 13], length 0 08:08:30.985430 wt0 Out IP 1.1.1.1.443 > 100.93.158.105.35580: Flags [S.], seq 1235011614, ack 1509625334, win 65535, options [mss 1460,sackOK,TS val 560577716 ecr 4129203321,nop,wscale 13], length 0 08:08:30.996615 wt0 In IP 100.93.158.105.35580 > 1.1.1.1.443: Flags [.], ack 1, win 504, options [nop,nop,TS val 4129203343 ecr 560577716], length 0 08:08:30.996627 eth0 Out IP 172.17.0.4.35580 > 1.1.1.1.443: Flags [.], ack 1, win 504, options [nop,nop,TS val 4129203343 ecr 560577716], length 0 08:08:30.996632 wt0 In IP 100.93.158.105.35580 > 1.1.1.1.443: Flags [F.], seq 1, ack 1, win 504, options [nop,nop,TS val 4129203344 ecr 560577716], length 0 08:08:30.996636 eth0 Out IP 172.17.0.4.35580 > 1.1.1.1.443: Flags [F.], seq 1, ack 1, win 504, options [nop,nop,TS val 4129203344 ecr 560577716], length 0 08:08:31.009041 eth0 In IP 1.1.1.1.443 > 172.17.0.4.35580: Flags [.], ack 2, win 8, options [nop,nop,TS val 560577740 ecr 4129203344], length 0 08:08:31.009041 eth0 In IP 1.1.1.1.443 > 172.17.0.4.35580: Flags [F.], seq 1, ack 2, win 8, options [nop,nop,TS val 560577740 ecr 4129203344], length 0 08:08:31.009062 wt0 Out IP 1.1.1.1.443 > 100.93.158.105.35580: Flags [.], ack 2, win 8, options [nop,nop,TS val 560577740 ecr 4129203344], length 0 08:08:31.009081 wt0 Out IP 1.1.1.1.443 > 100.93.158.105.35580: Flags [F.], seq 1, ack 2, win 8, options [nop,nop,TS val 560577740 ecr 4129203344], length 0 08:08:31.030793 wt0 In IP 100.93.158.105.35580 > 1.1.1.1.443: Flags [.], ack 2, win 504, options [nop,nop,TS val 4129203377 ecr 560577740], length 0 08:08:31.030800 eth0 Out IP 172.17.0.4.35580 > 1.1.1.1.443: Flags [.], ack 2, win 504, options [nop,nop,TS val 4129203377 ecr 560577740], length 0 ^C 14 packets captured 16 packets received by filter 0 packets dropped by kernel admin@exit2:~$ date Mon Oct 14 08:08:50 UTC 2024 admin@exit2:~$ ```

saavagebueno commented

2025-11-20 05:28:27 -05:00

@rkleivel commented on GitHub (Oct 14, 2024):

Thanks, @rkleivel, for sharing the outputs.

Ok, to confirm what we see in with the timestamps, the failure was after you restarted the connection and is probably related to the time it took for the peers to connect. Right?

With the previous release, we fixed an issue with forwarding rules caused by the number of peers in an access control rule, which shouldn't affect nodes with exit nodes and no access control groups set in any of the routing peer routes. So it may not have affected you unless you had an access control group for a network route.

We will wait for your check with HA as well.

I can confirm that the failure was after netbird down && netbird up on the exit node. Now it just takes up to a couple of minutes till the connection is restored. Last week, when creating this issue, I could easily wait for half an hour and still connection was not restored.
I can also confirm that Access Control Groups (optioinal) in the web GUI Exit node definition is empty during my tests.

@rkleivel commented on GitHub (Oct 14, 2024): > Thanks, @rkleivel, for sharing the outputs. > > Ok, to confirm what we see in with the timestamps, the failure was after you restarted the connection and is probably related to the time it took for the peers to connect. Right? > > With the previous release, we fixed an issue with forwarding rules caused by the number of peers in an access control rule, which shouldn't affect nodes with exit nodes and no access control groups set in any of the routing peer routes. So it may not have affected you unless you had an access control group for a network route. > > We will wait for your check with HA as well. I can confirm that the failure was after `netbird down && netbird up` on the exit node. Now it just takes up to a couple of minutes till the connection is restored. Last week, when creating this issue, I could easily wait for half an hour and still connection was not restored. I can also confirm that `Access Control Groups (optioinal)` in the web GUI Exit node definition is empty during my tests.

saavagebueno commented

2025-11-20 05:28:27 -05:00

@mgarces commented on GitHub (Nov 12, 2024):

hi there, we have released 0.31.1, that addresses some of the issues described here; can you please test it with this version?

@mgarces commented on GitHub (Nov 12, 2024): hi there, we have released [0.31.1](https://github.com/netbirdio/netbird/releases/tag/v0.31.1), that addresses some of the issues described here; can you please test it with this version?

saavagebueno commented

2025-11-20 05:28:27 -05:00

@rkleivel commented on GitHub (Nov 26, 2024):

My apology for late response on this.
I have tested the initial scenario, as well as the high availability aspect on 0.33.0, and all now seems to work as expected. So thanks a lot for that!

I do, however, see some strange effects on docker containers that run inside a netbird node that uses_exit_node (see test system setup in my initial post):

If a process inside the container tries to access some https endpoint
AND
the exit node currently in use is a VM in Azure

the request times out. This does not happen if the exit node in use is hosted elsewhere, or if I do not use an exit node. If I run the same curl https://... on the docker host, it is also always fine no matter where the exit node is hosted. Http endpoints are always OK.
All nodes involved in the test have the same setup of Ubuntu 24.04, with netbird 0.33.0

I do not necessarily expect this to be a netbird issue, but would be very thankful for any thoughts on where Netbird possibly could intersect with a VM in Azure causing such an effect.

@rkleivel commented on GitHub (Nov 26, 2024): My apology for late response on this. I have tested the initial scenario, as well as the high availability aspect on 0.33.0, and all now seems to work as expected. So thanks a lot for that! I do, however, see some strange effects on docker containers that run inside a netbird node that `uses_exit_node` (see test system setup in my initial post): * If a process inside the container tries to access some https endpoint AND * the exit node currently in use is a VM in Azure the request times out. This does not happen if the exit node in use is hosted elsewhere, or if I do not use an exit node. If I run the same curl https://... on the docker host, it is also always fine no matter where the exit node is hosted. Http endpoints are always OK. All nodes involved in the test have the same setup of Ubuntu 24.04, with netbird 0.33.0 I do not necessarily expect this to be a netbird issue, but would be very thankful for any thoughts on where Netbird possibly could intersect with a VM in Azure causing such an effect.

saavagebueno commented

2025-11-20 05:28:27 -05:00

@alexkorotysh commented on GitHub (Apr 28, 2025):

I have the same. Exit nodes started working only with 0.29.4 (I used 0.41-0.43); the last two versions don't work. NAT just doesn't work.

Ruleset 0.29.4

table ip netbird {
        set nb0000001 {
                type ipv4_addr
                flags dynamic
                elements = { 0.0.0.0 }
        }

        set nb0000002 {
                type ipv4_addr
                flags dynamic
                elements = { 0.0.0.0 }
        }

        chain netbird-rt-fwd {
                ip saddr 0.0.0.0/0 ip daddr 0.0.0.0/0 counter packets 2870 bytes 2096850 accept
                ip saddr 0.0.0.0/0 ip daddr 0.0.0.0/0 counter packets 0 bytes 0 accept
        }

        chain netbird-rt-nat {
                type nat hook postrouting priority srcnat - 1; policy accept;
                oifname "lo" return
                ip saddr 0.0.0.0/0 ip daddr 0.0.0.0/0 counter packets 120 bytes 24235 masquerade
                ip saddr 0.0.0.0/0 ip daddr 0.0.0.0/0 counter packets 0 bytes 0 masquerade
        }

        chain netbird-acl-input-rules {
                iifname "wt0" accept
        }

        chain netbird-acl-output-rules {
                oifname "wt0" accept
        }

        chain netbird-acl-input-filter {
                type filter hook input priority filter; policy accept;
                iifname "wt0" ip saddr 100.83.0.0/16 ip daddr != 100.83.0.0/16 accept
                iifname "wt0" ip saddr != 100.83.0.0/16 ip daddr 100.83.0.0/16 accept
                iifname "wt0" ip saddr 100.83.0.0/16 ip daddr 100.83.0.0/16 jump netbird-acl-input-rules
                iifname "wt0" drop
        }

        chain netbird-acl-output-filter {
                type filter hook output priority filter; policy accept;
                oifname "wt0" ip saddr != 100.83.0.0/16 ip daddr 100.83.0.0/16 accept
                oifname "wt0" ip saddr 100.83.0.0/16 ip daddr != 100.83.0.0/16 accept
                oifname "wt0" ip saddr 100.83.0.0/16 ip daddr 100.83.0.0/16 jump netbird-acl-output-rules
                oifname "wt0" drop
        }

        chain netbird-acl-forward-filter {
                type filter hook forward priority filter; policy accept;
                iifname "wt0" jump netbird-rt-fwd
                oifname "wt0" jump netbird-rt-fwd
                iifname "wt0" meta mark 0x000007e4 accept
                oifname "wt0" meta mark 0x000007e4 accept
                iifname "wt0" jump netbird-acl-input-rules
                iifname "wt0" drop
        }

        chain netbird-acl-prerouting-filter {
                type filter hook prerouting priority mangle; policy accept;
                iifname "wt0" ip saddr != 100.83.0.0/16 ip daddr 100.83.65.243 meta mark set 0x000007e4
        }
}

Ruleset 0.43

table ip netbird {
        set nb0000001 {
                type ipv4_addr
                flags dynamic
                elements = { 0.0.0.0 }
        }

        chain netbird-rt-fwd {
                ct state established,related counter packets 0 bytes 0 accept
        }

        chain netbird-rt-postrouting {
                type nat hook postrouting priority srcnat - 1; policy accept;
                meta mark 0x0001bd21 oifname != "lo" counter packets 0 bytes 0 masquerade
                meta mark 0x0001bd22 oifname "wt0" counter packets 0 bytes 0 masquerade
        }

        chain netbird-rt-redirect {
                type nat hook prerouting priority dstnat; policy accept;
        }

        chain netbird-mangle-postrouting {
                type filter hook postrouting priority mangle; policy accept;
                oifname "wt0" ct state new ct mark set 0x0001bd11
        }

        chain netbird-mangle-prerouting {
                type filter hook prerouting priority mangle; policy accept;
                iifname != "wt0" ct state new meta mark set 0x0001bd22
                iifname "wt0" ct state new meta mark set 0x0001bd21
                iifname "wt0" ct state new ct mark set 0x0001bd10
                iifname "wt0" fib daddr type local meta mark set 0x0001bd20
        }

        chain netbird-acl-input-rules {
                ct state established,related counter packets 0 bytes 0 accept
                accept
        }

        chain netbird-acl-input-filter {
                type filter hook input priority filter; policy accept;
                iifname "wt0" jump netbird-acl-input-rules
                iifname "wt0" drop
        }

        chain netbird-acl-forward-filter {
                type filter hook forward priority filter; policy accept;
                meta mark 0x0001bd20 accept
                iifname "wt0" jump netbird-rt-fwd
                iifname "wt0" drop
        }
}

docker-compose.yml

services:
  netbird:
    image: netbirdio/netbird:0.29.4 
    container_name: netbird-exit-node
    hostname: eu.proxy.XXXX.YYYYY
    restart: unless-stopped
    environment:
      NB_SETUP_KEY: "REDACTED"  
      NB_MANAGEMENT_URL: "https://netbird.XXXX.YYYYY:33073"
    volumes:
      - ./netbird:/etc/netbird
    privileged: true
    network_mode: "host"

@alexkorotysh commented on GitHub (Apr 28, 2025): I have the same. Exit nodes started working only with 0.29.4 (I used 0.41-0.43); the last two versions don't work. NAT just doesn't work. Ruleset 0.29.4 ``` table ip netbird { set nb0000001 { type ipv4_addr flags dynamic elements = { 0.0.0.0 } } set nb0000002 { type ipv4_addr flags dynamic elements = { 0.0.0.0 } } chain netbird-rt-fwd { ip saddr 0.0.0.0/0 ip daddr 0.0.0.0/0 counter packets 2870 bytes 2096850 accept ip saddr 0.0.0.0/0 ip daddr 0.0.0.0/0 counter packets 0 bytes 0 accept } chain netbird-rt-nat { type nat hook postrouting priority srcnat - 1; policy accept; oifname "lo" return ip saddr 0.0.0.0/0 ip daddr 0.0.0.0/0 counter packets 120 bytes 24235 masquerade ip saddr 0.0.0.0/0 ip daddr 0.0.0.0/0 counter packets 0 bytes 0 masquerade } chain netbird-acl-input-rules { iifname "wt0" accept } chain netbird-acl-output-rules { oifname "wt0" accept } chain netbird-acl-input-filter { type filter hook input priority filter; policy accept; iifname "wt0" ip saddr 100.83.0.0/16 ip daddr != 100.83.0.0/16 accept iifname "wt0" ip saddr != 100.83.0.0/16 ip daddr 100.83.0.0/16 accept iifname "wt0" ip saddr 100.83.0.0/16 ip daddr 100.83.0.0/16 jump netbird-acl-input-rules iifname "wt0" drop } chain netbird-acl-output-filter { type filter hook output priority filter; policy accept; oifname "wt0" ip saddr != 100.83.0.0/16 ip daddr 100.83.0.0/16 accept oifname "wt0" ip saddr 100.83.0.0/16 ip daddr != 100.83.0.0/16 accept oifname "wt0" ip saddr 100.83.0.0/16 ip daddr 100.83.0.0/16 jump netbird-acl-output-rules oifname "wt0" drop } chain netbird-acl-forward-filter { type filter hook forward priority filter; policy accept; iifname "wt0" jump netbird-rt-fwd oifname "wt0" jump netbird-rt-fwd iifname "wt0" meta mark 0x000007e4 accept oifname "wt0" meta mark 0x000007e4 accept iifname "wt0" jump netbird-acl-input-rules iifname "wt0" drop } chain netbird-acl-prerouting-filter { type filter hook prerouting priority mangle; policy accept; iifname "wt0" ip saddr != 100.83.0.0/16 ip daddr 100.83.65.243 meta mark set 0x000007e4 } } ``` Ruleset 0.43 ``` table ip netbird { set nb0000001 { type ipv4_addr flags dynamic elements = { 0.0.0.0 } } chain netbird-rt-fwd { ct state established,related counter packets 0 bytes 0 accept } chain netbird-rt-postrouting { type nat hook postrouting priority srcnat - 1; policy accept; meta mark 0x0001bd21 oifname != "lo" counter packets 0 bytes 0 masquerade meta mark 0x0001bd22 oifname "wt0" counter packets 0 bytes 0 masquerade } chain netbird-rt-redirect { type nat hook prerouting priority dstnat; policy accept; } chain netbird-mangle-postrouting { type filter hook postrouting priority mangle; policy accept; oifname "wt0" ct state new ct mark set 0x0001bd11 } chain netbird-mangle-prerouting { type filter hook prerouting priority mangle; policy accept; iifname != "wt0" ct state new meta mark set 0x0001bd22 iifname "wt0" ct state new meta mark set 0x0001bd21 iifname "wt0" ct state new ct mark set 0x0001bd10 iifname "wt0" fib daddr type local meta mark set 0x0001bd20 } chain netbird-acl-input-rules { ct state established,related counter packets 0 bytes 0 accept accept } chain netbird-acl-input-filter { type filter hook input priority filter; policy accept; iifname "wt0" jump netbird-acl-input-rules iifname "wt0" drop } chain netbird-acl-forward-filter { type filter hook forward priority filter; policy accept; meta mark 0x0001bd20 accept iifname "wt0" jump netbird-rt-fwd iifname "wt0" drop } } ``` docker-compose.yml ``` services: netbird: image: netbirdio/netbird:0.29.4 container_name: netbird-exit-node hostname: eu.proxy.XXXX.YYYYY restart: unless-stopped environment: NB_SETUP_KEY: "REDACTED" NB_MANAGEMENT_URL: "https://netbird.XXXX.YYYYY:33073" volumes: - ./netbird:/etc/netbird privileged: true network_mode: "host" ```

Sign in to join this conversation.

Branches Tags

main

fix/owner-role-update

ui-refactor

feature/affected-peers

nmap/components-impl

feat/dev_version_commit_sha

embedded-vnc

dns-fwd-respect-block-inbound

refactor/mgmt-bootstrap

worktree-accept-ra-forwarding

sha-pinning

fix/bundle-logrotate

nmap/combined-deploy

task/align_protobuff_toolset

fix/statemanager_dlock

feature/session-extend

add-json-yaml-flags

feature/session-extend-mgm

refactor/ephemeral-cleanup

fix/wireguard-port-zero

pcp-android-gw

fix-dns-fallback-self-loop

claude/webtransport-relay-wasm-mUjY9

claude/vnc-udp-feasibility-6KB1U

client/capture-dns-forwarder-port

fix-ssh-authorized-users-multi-rule

windows-dns-firewall

fix/wgport-config

fix/rosenpass

drop-candidateviaroutes-filter

e2e-windows-dns-combined

refactor-combined

wasm-websocket-dial

dependabot/go_modules/github.com/Azure/go-ntlmssp-0.1.1

debug-logs

dependabot/go_modules/github.com/jackc/pgx/v5-5.9.2

fix/login-cmd-root-flags

feat/reseller-openapi-spec

github-issue-resolver

add-steamos-support

fix-darwin-uninstaller

flutter-test

dependabot/npm_and_yarn/proxy/web/postcss-8.5.12

ci/freebsd-pkg-bootstrap

cached-serial-check-on-sync

fix-mgmt-cache-bypass-overlay

revert-easyjson-5938

revert-ice-5820

revert-firewalld-5928

refactor/permissions-manager

revert-dns-5935-systemd-resolved

revert-dns-5935-5945

revert-dns-5945-mgmt-cache

feature/log-most-busy-peers

prototype/ui-wails

coderabbitai/utg/8ae8f20

feature/use-peer-fqdn-on-https

dependabot/go_modules/golang.org/x/image-0.38.0

feature/metrics-push-management-control

release/0.68.3

dependabot/go_modules/github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream-1.7.8

dependabot/go_modules/github.com/aws/aws-sdk-go-v2/service/s3-1.97.3

add-slack-channel

claude/rdp-token-passthrough-eNcqW

transparent-proxy

fix/macos-stale-route-eexist

crowdsec-selfhosted

fix/remove-otel-units

entire/checkpoints/v1

dependabot/go_modules/github.com/go-jose/go-jose/v4-4.1.4

fix/getting-started

feat/static-connectors-combined-server

feature/use-local-keys-embedded

feature/fleetdm

set-env-only-if-not-fork

feature/expose-has-channel

fix/connection-status-race

fix/filter-cgnat-cni-ice-candidates

feature/check-cert-locker-before-acme

test/proxy-fixes

test/proxy-mtu

prototype/ui-tauri

test/proxy-speed

fix-reused-ports

feat/migrate-to-embedded-idp

feature/add-serial-to-proxy-merged

deploy/proxy-serial

test/connection

feature/disable-legacy-port

feature/flag-to-disable-legacy-port

test/perftest

dependabot/go_modules/github.com/pion/dtls/v3-3.0.11

fix/http-redirect

poc-token-command

dn-reverse-proxy

prototype/reverse-proxy-rename

prototype/reverse-proxy-logs-pagination

feature/client-metrics

prototype/reverse-proxy-clusters

debug-dns-route

fix/win-dns-batch

add-extra-route-logs

job-stream-notify-disconnection-eof

deploy/secrets-manager

trigger-proxy-update

bug/update-ios-client-code-build-tags

sync-client-netmap-serial

log/conn-disconn

nmap/compaction-deploy

ci-win-test

feature/disk-encryption-check

wasm-debug

swap-dns-prio

fix/dex-config

feature/migrate-auto-groups-to-table

dependabot/go_modules/github.com/quic-go/quic-go-0.57.0

nmap/compaction

dex-nocgo-stub

feature/exclude-terraform-from-rate-limiting

test-freebsd

retries-refactor

coderabbitai/docstrings/b7e98ac

feat/integrate-zitadel

bug/ios-hanging-reconection

zitadel-idp

feat/network-map-serial

refactor/get-account-no-users

feat/auto-upgrade

feature/report-high-pat-id

feature/temporary-access-for-resource

fix/nmap-fwrules

dont-restart-dns

prototype/ui

update-gomobile

go-dns-for-ice

wasm-ldflags

test-ldflags

wasmbuild-test

feature/networks-s2s

vk/compare-nmaps

dbg/bothmaps

feature/changeset

reorder-dns-shutdown

fix/relay-reconnection-race

fix/nmap-exitnodes

vk/debug/nmap-both

move-licensed-code

feat/better-daemon-connection-lost-message

feat/auto-update-2

test/timings

refactor/getaccount-raw

tests/nmap-getaccount

refactor/nmap

refactor/nmap-limit-buffer

feature/detect-mac-wakeup

feature/extract-modules

quick-setings

feat/sync-limiter

feature/store-cache-impl

fix-install-version

feature/store-metrics

feature/metrics-on-store

feature/use-gorm-cache

loadtest-signal

unsymmetrical-squash

refactor/reducate-signaling

test/update-reduce

feature/store-cache

feature/remote-debug

cli-ws-proxy-backend-addr

feat/mgmt-map-serial

snyk-fix-d9d0081a4c7f9137bdb59d0d50a141a2

snyk-fix-7415cea5a11acd66753540ca2c598c63

job-yml-update

feature/android-allow-selecting-routes

fix/up-sequence

fix/dns-hash-update

snyk-fix-967adae9863f17f108ce8948d9117b8d

log/getaccount-by-peer

signal-suppressor

dns-exit-node

feature/auto-updates

feature/cache-srv-key

merged-fixes

fix/missed-offers-and-debug

debug-and-fixes

poc-wasm-clean-backend-s2s

test/remote-debug

debug-api

dependabot/go_modules/github.com/docker/docker-28.0.0incompatible

fix/remove-gpo-if-empty

fix/test-freebsd

fix/mysql-setup

fix/remove-logout-btn

handle-existing-domain-user

chore/unify-domain-validation

snyk-fix-c5fafc8a50ce1f29046e25a1fc346185

feat/profile-edit-btn

snyk-fix-a54966211e18d4cf67e5a2757cc006d1

log-short-id

feat/logout-ephemeral

log-checks

batch-wg-ops

nb-interface-default

feat/aws-integration

add/race-test

feature/relay-feature-versioning

fix/systemd-service-logs

poc/preprocessed-map

add-account-onboarding

bind-ipv6

fix/merge-main

logs/peerlogs-addpeer

feature/net-297-network-migration

feature/support-skip-auto-apply-exit-node-routes

set-cmd

set-command-with-cursor

feature/limit-update-channel

stop-using-locking-share

feature/poc-lazy-detection

feature/net-248-removal-of-sync-mutex-locks

test/multiple-peer-logging

preresolve

add-ns-punnycode-support

apply-routes-early

windows-search-domains

fix/connecting-route-filter

feature/management/rest-client/impersonate

debug-local-records

resource-fields-snake-case

test/grpc-rate-limit

traffic-correlation-policy

feature/rest-client-options

feat/events-metrics

feature/buf-cli

test/add-ratelimiter

test/remove-write-lock-on-add-peer

fix/add-peer-semaphore

feature/users-roles-endpoint

mlsmaycon-patch-1

debug-user-role

chore/primary-key-on-networks

feature/update-account-peers-buffer-startup

remove-ubuntu2004-runners

refactor/permissions-no-pat-allowed

ref/logrus-factory

use-conntrack-zone

deploy/permissions-account

feature/lazy-connection-idle

ref/improve-test-cov

restore-pr-3440

test/increase-grpc-timeouts

feat/buffer-account-peers-update

test/networkmapgeneration-changes

feature/base-manager

feature/flow-receiver

chore/benchmark-with-large-runner

refactor/handshake-initiator

client/ui-update-systray-icons

userspace-router

wgwatcher-test

output-if-key-already-exists

fix/relay-reconnection

feature/port-forwarding-client-codecleaning

detached2

test/callbacks-nil-iceconninfo

refactor/optimize-peer-expiration

enable-udp-port-for-docker-template

fix/relay-update

feature/apply-posture-netmap

fix/group-update-existing-resource

conntrack-stats

upgrade-okta-sdk

multi-price

test/conn-stat

set-min-parallel-tests-for-management

dns-interceptor

debug-dns

router-dns

add-static-system-info

debug-0.29.4

debug-0.33.0

account-refactoring

relay/2800_quic

route-get-account-refactoring

test/seed-random-routes

feature/get-account-refactoring

test/reconnect-race-condition

refactor/get-account-usage

feature/add-session-id-to-update-channel

improve-ipv4conn

fix/async-pion-event-handling

debug

add-offload

feature/validate-group-association-debug

fix/limit-conn-for-sqlite

test/engine-iface

test/transaction-for-jwt-sync

fix/engine-stop-in-foreground

feature/add-mysql-support

test-migration

refactor/header-size-values

relay/eliminate-gob

test/signal-dispatcher-with-relay

relay/debug

validate-icon

feature/ipv6-support

use-pre-expanded-peers-map

feature/use-signal-dispatcher

validate/peer-status

add-read-write-times

fix/sync-peer-race

feature/relay-status

netmap

evaluate/network-map-hash

fix/lower-dns-resolve-interval-on-fail

feature/relay

fix/go-mod-version

upgrade-nftables

synology-userspace-mode

fix/use-ip-for-default-routes-on-darwin

fix/proxy_close

enable-release-workflow-on-pr

deploy/peer-performance

feature/permanent-turn

feature/permanent-turn-proxy

deploy/posture-check-sqlite

feature/optimize_sqlite_save

debug-ios-behavior

fix/delete-route-only-after-adding

tshoot/windows-logger

remove-new-routing

refactor/eliminate-repo-dependency

add-arm-to-ci

refactor-demo-account-object

test/abc2

test/abc

send-ssh-rosenpass-config-meta

refactor-demo

ensure-schedule-never-runs-non-positive

feature/peer-validator-groupmgm

feature/peer-validator-fix

fix/include-active-dashboard-users

fix/handle-canceling-schedule

fix/geo-download

debug-google-workspace

yury/resolve-ip-to-location

feature/extend-sysinfo

sqlite-async-peer-status

yury/add-postgresql-store

fix/route

test-build

posture-checks-poc

debug-keycloak-idp

poc/netstack

for-pascal-tmp

peer-logout-management

manual-peer-logout

detached

chore/refactor-management

test/dns-bind

fix/enforce-acl-for-containers

yury/use-sync-map-in-updatechannel

fix/events-key-handling

filter-cache-on-load-account

fix/user-expiration

handle-user-context-cancellation

nb-client-k8s-statefulset

fake-addr

fix/iptables_in_docker

ebpf-debug

update-getting-started-flow-use-postgres

fix/peer_list_notification

feature/device-authentication-with-client-secret

feature/keep_alive

feat-groups-from-jwt

separate_proxy_from_wgconfig

fix/wg_conn

wg_conn_fix

wg_bind_parallel_processing

fix-rollback-get-acls

proxy_cfg_cleanup

performance-improvement-rego

update-lock-log-level

feat-client-side-acl

refactor/move_grpcserver_logic_to_account_manager

feature/event-storage

feature/update-idp-redeeming-invite

feature/api-peer-info

return-groupminimum-setupkey

feature/interface-bind

documentation_enhancement

fix-peer-registration

ssh

users_cache

pass-client-caller

client_caller_type

revert-283-feat-fix-windows-installer

periodic-peer-updates

ebpf

braginini/wasm

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: SVI/netbird#1318