Creating a route fails on 0.46.0 #1951

Closed
opened 2025-11-20 06:10:09 -05:00 by saavagebueno · 4 comments

Originally created by @cleveHEX on GitHub (Jun 9, 2025).

Describe the problem

After updating to the latest 0.46.0, the DNS stopped working; from the log it seems like a route issue:

```
2025-06-09T14:39:53+02:00 ERRO client/internal/engine.go:1011: failed to update routes: 1 error occurred:
	* update system routes: 1 error occurred:
	* add route 10.220.0.53/32: failed to add for key XXXX/32: route not allowed
```

To Reproduce

Steps to reproduce the behavior:

  1. Have DNS via additional route and update to 0.46.0

Expected behavior
Route should be created with no error

Are you using NetBird Cloud?

Self-hosted

NetBird version

0.46

Is any other VPN software installed?

No

Debug output

1ddeb81b5637b00d27b906270508c117cf46cb4d0b768e79b281a23a281098c8/be5a0a71-0e44-45aa-943e-9c1d8f0e6085

Screenshots

If applicable, add screenshots to help explain your problem.

Additional context

Add any other context about the problem here.

Have you tried these troubleshooting steps?

  • Reviewed [client troubleshooting](https://docs.netbird.io/how-to/troubleshooting-client) (if applicable)
  • Checked for newer NetBird versions
  • Searched for similar issues on GitHub (including closed ones)
  • Restarted the NetBird client
  • Disabled other VPN software
  • Checked firewall settings
saavagebueno added the management-service, networking, config-issue, self-hosting labels 2025-11-20 06:10:09 -05:00

@nazarewk commented on GitHub (Jun 9, 2025):

TLDR; you cannot route resources/put static IPs from NetBird's network range, this is expected to contain only peers' internal IP addresses. This is why we decided to use the normally unusable CGNAT range.

So from my notes:

- the error is reported [here](https://github.com/netbirdio/netbird/blob/de27d6df3650bf085afa1eaa1f6084b65bae683c/client/internal/routemanager/refcounter/refcounter.go#L119-L119), it could be thrown at:
  - [validateRoute()](https://github.com/netbirdio/netbird/blob/de27d6df3650bf085afa1eaa1f6084b65bae683c/client/internal/routemanager/systemops/systemops.go#L61-L77) - this one seems to be the possible candidate, but I'm not sure which one would fail
  - [addRouteToNonVPNIntf()](https://github.com/netbirdio/netbird/blob/de27d6df3650bf085afa1eaa1f6084b65bae683c/client/internal/routemanager/systemops/systemops_generic.go#L117-L117)

The error happens many times:

```
2025-06-09T14:44:27+02:00 ERRO client/internal/routemanager/manager.go:405: failed to update system routes during selection: 1 error occurred:
	* add route 10.220.0.53/32: failed to add for key 10.220.0.53/32: route not allowed
2025-06-09T14:44:27+02:00 WARN client/internal/routemanager/manager.go:418: no active handler found for route dns endpoint|10.220.0.53/32
```

The route seems to be valid in Network Map:

```
    {
      "ID": "clrm....nvd0",
      "Network": "10.220.0.53/32",
      "NetworkType": "1",
      "Peer": "yWNL.......b4LkM=",
      "Metric": "9999",
      "Masquerade": false,
      "NetID": "dns endpoint",
      "Domains": [],
      "keepRoute": false
    },
```

BINGO!

  1. Your NetBird tenant's IP range is `10.220.0.0/16` by the looks of it. I have initially assumed this would come from the standard CGNAT range `100.64.0.0/10` and therefore wasn't alarmed at all.
  2. You are trying to route `10.220.0.53/32` which comes from NetBird's range
  3. Validation fails at [`validateRoute()` -> `r.wgInterface.Address().Network.Contains(addr)`](https://github.com/netbirdio/netbird/blob/de27d6df3650bf085afa1eaa1f6084b65bae683c/client/internal/routemanager/systemops/systemops.go#L73)

@nazarewk commented on GitHub (Jun 9, 2025):

Closing this, as the root cause is explicitly and without a doubt identified as a user configuration issue.

The only thing we could improve about it would be adding additional validation in the API to prevent creation of routing rules overlapping with NetBird network range.
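
A pre-flight check along the lines discussed in the two comments above, as an added example that is not NetBird's code or part of the original thread: it classifies route prefixes against the overlay range before they are pushed to clients. The names `Verdict`, `classify` and `auditRoutes` are hypothetical; the overlay range and the first route are the values from this issue, the other routes are constructed.

```go
package main

import (
	"fmt"
	"net/netip"
)

type Verdict string
const (
	Allowed       Verdict = "allowed"
	InsideOverlay Verdict = "inside overlay range" // the case the client rejects in this issue
	CoversOverlay Verdict = "covers overlay range" // supernet of the overlay, e.g. a default route
)

// classify mirrors the check quoted in the thread (overlay network contains the
// route's address) and separately flags supernets, which that check does not catch.
func classify(overlay, route netip.Prefix) Verdict {
	overlay, route = overlay.Masked(), route.Masked()
	switch {
	case overlay.Contains(route.Addr()):
		return InsideOverlay
	case overlay.Overlaps(route):
		return CoversOverlay
	}
	return Allowed
}

// auditRoutes parses the overlay CIDR and every route CIDR and returns one verdict per route.
func auditRoutes(overlayCIDR string, routeCIDRs []string) (map[string]Verdict, error) {
	overlay, err := netip.ParsePrefix(overlayCIDR)
	if err != nil {
		return nil, fmt.Errorf("overlay %q: %w", overlayCIDR, err)
	}
	out := make(map[string]Verdict, len(routeCIDRs))
	for _, c := range routeCIDRs {
		route, err := netip.ParsePrefix(c)
		if err != nil {
			return nil, fmt.Errorf("route %q: %w", c, err)
		}
		out[c] = classify(overlay, route)
	}
	return out, nil
}

func main() {
	// 10.220.0.0/16 and 10.220.0.53/32 are from this issue; the other two routes are constructed.
	res, err := auditRoutes("10.220.0.0/16", []string{"10.220.0.53/32", "10.0.0.0/8", "192.168.1.0/24"})
	fmt.Println(res, err)
}
```

Whether a supernet route should be refused or only reported is a policy choice this example leaves open, since a default route always covers the overlay range.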


@cleveHEX commented on GitHub (Jun 9, 2025):

Thanks for the info! Sadly it was discovered by the update.


@nazarewk commented on GitHub (Jun 10, 2025):

Yeah, sorry it turned out this way. Looks like we have added this piece of validation [last week](https://github.com/netbirdio/netbird/commit/ea4d13e96d79665bc0e4b489af5a0d492e104515#diff-3c1d7befea31fc84e65e38c0c4269156bfd94c222796dc8e10b8eda6f6ed9405R61-R77) because it was giving issues for others.

Reference: SVI/netbird#1951