Traffic flows both ways with one group but not another. #1708

Open
opened 2025-11-20 06:05:09 -05:00 by saavagebueno · 0 comments
Owner

Originally created by @KingSteve032 on GitHub (Mar 13, 2025).

Describe the problem

I have one policy for admins that gives them full subnet network access to each site. The admins sit in a group called Admins and each site's route peer sits in a group called All Sites. The servers at each site are able to ping the user's machine fine. On another policy to limit access to traffic to one site, the servers on that site can no longer ping the client. The client can still reach the servers. This policy has Shack Radio Only for the Source and Shack as the destination. The direction is set for traffic to flow in both directions, and the protocol is set to all. MASQ is turned off and I have a static route for 100.103.0.0/16 pointed at the routing peer's IP address.

Steps to reproduce the behavior:

Create policies for the same network but with different groups.

A clear and concise description of what you expected to happen.

I expect the traffic to flow the same for both policies. The server should be able to reach the client without the client reaching out to it first.

Are you using NetBird Cloud? No

Please specify whether you use NetBird Cloud or self-host NetBird's control plane. Self-hosted

NetBird version

0.38

NetBird status -d output:

If applicable, add the netbird status -d command output. Netbird version 0.27.4 and newer can use netbird status -dA for anonymized output.

Screenshots

If applicable, add screenshots to help explain your problem.

Additional context

Add any other context about the problem here.

saavagebueno added the triage-needed label 2025-11-20 06:05:10 -05:00

Reference: SVI/netbird#1708