Disabling Masquerade on Routed network resources does not work. #2313

Open
opened 2025-11-20 07:07:33 -05:00 by saavagebueno · 4 comments
Owner

Originally created by @pquan on GitHub (Sep 25, 2025).

Describe the problem

When exposing network resources via routing peers (using the new Networks feature) AND disabling masquerading, the network resources will still see the routing peer IP on IP traffic and not the remote client IP in the private 100.64.x.x space.

To Reproduce

My setup: PfSense firewalls running Netbird 0.55.1 (this is currently the latest compatible version with the latest 2.8.1 production pfsense).
My clients are windows, running 0.58.1 (latest).

The Firewalls have DMZs and LANs behind them (different subnets, 4 networks total).

Now connect from a client to the network and PING a device on the LAN or DMZ exposed by the firewalls. The device will see the IP coming from the firewall and not from the static IP of the peer.

Note on Natting: Natting not enabled on any but the public IP interfaces of the firewalls. However, PFsense is set up to Manual Outbound NAT rule generation. (AON - Advanced Outbound NAT). In my understanding this setting should only install the NAT rules present on the Nat rules page. There I only have nat rules on the external interfaces and nothing on the internal DMZ and specially not on the LAN. As a proof , if I ping from any other internal resource on these firewalls (which are interconnected via another transport network) I see pure local IP addresses.

Expected behavior

With masquerading disabled, the firewalls should not masquerade the source IP address. The packed should be untouched.

Are you using NetBird Cloud?

No. I'm using self-hosted.

NetBird version

  • Latest docker pulled on the admin.
  • pfsense (freebsd) firewalls running 2.8.1 PfSense and 0.55.1 Netbird (latest compatible and available).

Is any other VPN software installed?

OpenVPN, irrelevant in this setup (no routes etc).

Debug output
n/a
Screenshots
n/a
Additional context
n/a
Have you tried these troubleshooting steps?

  • Reviewed client troubleshooting (if applicable)
  • Checked for newer NetBird versions
  • Searched for similar issues on GitHub (including closed ones)
  • Restarted the NetBird client
  • Disabled other VPN software
  • Checked firewall settings
Originally created by @pquan on GitHub (Sep 25, 2025). **Describe the problem** When exposing network resources via routing peers (using the new Networks feature) AND disabling masquerading, the network resources will still see the routing peer IP on IP traffic and not the remote client IP in the private 100.64.x.x space. **To Reproduce** My setup: PfSense firewalls running Netbird 0.55.1 (this is currently the latest compatible version with the latest 2.8.1 production pfsense). My clients are windows, running 0.58.1 (latest). The Firewalls have DMZs and LANs behind them (different subnets, 4 networks total). Now connect from a client to the network and PING a device on the LAN or DMZ exposed by the firewalls. The device will see the IP coming from the firewall and not from the static IP of the peer. Note on Natting: Natting not enabled on any but the public IP interfaces of the firewalls. However, PFsense is set up to `Manual Outbound NAT rule generation. (AON - Advanced Outbound NAT)`. In my understanding this setting should only install the NAT rules present on the Nat rules page. There I only have nat rules on the external interfaces and nothing on the internal DMZ and specially not on the LAN. As a proof , if I ping from any other internal resource on these firewalls (which are interconnected via another transport network) I see pure local IP addresses. **Expected behavior** With masquerading disabled, the firewalls should not masquerade the source IP address. The packed should be untouched. **Are you using NetBird Cloud?** No. I'm using self-hosted. **NetBird version** - Latest docker pulled on the admin. - pfsense (freebsd) firewalls running 2.8.1 PfSense and 0.55.1 Netbird (latest compatible and available). **Is any other VPN software installed?** OpenVPN, irrelevant in this setup (no routes etc). **Debug output** n/a **Screenshots** n/a **Additional context** n/a **Have you tried these troubleshooting steps?** - [x] Reviewed [client troubleshooting](https://docs.netbird.io/how-to/troubleshooting-client) (if applicable) - [x] Checked for newer NetBird versions - [x] Searched for similar issues on GitHub (including closed ones) - [x] Restarted the NetBird client - [x] Disabled other VPN software - [x] Checked firewall settings
saavagebueno added the triage-needed label 2025-11-20 07:07:33 -05:00
Author
Owner

@lixmal commented on GitHub (Sep 25, 2025):

NetBird's userspace routing doesn't support routing without masquerading. You can tick the Disable firewall box to leave routing/filtering/NAT to the operating system

@lixmal commented on GitHub (Sep 25, 2025): NetBird's userspace routing doesn't support routing without masquerading. You can tick the `Disable firewall` box to leave routing/filtering/NAT to the operating system
Author
Owner

@pquan commented on GitHub (Sep 26, 2025):

Well, this does not seem to be reflected in the documentation. In the network resources, you also have a Masquerade toggle. What is it's purpose ?

Image
@pquan commented on GitHub (Sep 26, 2025): Well, this does not seem to be reflected in the documentation. In the network resources, you also have a Masquerade toggle. What is it's purpose ? <img width="1164" height="258" alt="Image" src="https://github.com/user-attachments/assets/16ab2c9a-108e-4bf8-a73b-ab56b9ec068b" />
Author
Owner

@lixmal commented on GitHub (Sep 26, 2025):

What is your dashboard version? This switch should be disabled (as in, you cannot change its state) for non-Linux peers

@lixmal commented on GitHub (Sep 26, 2025): What is your dashboard version? This switch should be disabled (as in, you cannot change its state) for non-Linux peers
Author
Owner

@pquan commented on GitHub (Sep 26, 2025):

Using the latest "docker pull" from yesterday (2025-09-26). These routing peers are FreeBSD, i.e. the two PfSense firewalls above. They expose the networks behind and I can definitely toggle that masquerade switches. It makes sense to me to have them "disabled" so the logs on any internal servers exposed to the vpn will contain the real IP address of the peer that accessed them and not the anonymized address of the firewall.

Just to be clear: 2 FreeBsd firewalls (pfsense) act as gateways for the networks behind them. They also act as routing peers for those networks in Netbird. The external peers (say road warriors) connect to Netbird from their remote locations and access the resources behind the 2 firewall (which are also interconnected hence the redundant setup above). I don't need/want to filter all traffic on the firewall itself, as netbird is much more flexible for this, but I also want/need the resources behind the firewall to log who and how is accessing them, i.e. the static VPN address of the remote peer. Hence, masquerading shall be disabled (or at least this is what I would expect to happen on the routing side of things).

@pquan commented on GitHub (Sep 26, 2025): Using the latest "docker pull" from yesterday (2025-09-26). These routing peers are FreeBSD, i.e. the two PfSense firewalls above. They expose the networks behind and I can definitely toggle that masquerade switches. It makes sense to me to have them "disabled" so the logs on any internal servers exposed to the vpn will contain the real IP address of the peer that accessed them and not the anonymized address of the firewall. Just to be clear: 2 FreeBsd firewalls (pfsense) act as gateways for the networks behind them. They also act as routing peers for those networks in Netbird. The external peers (say road warriors) connect to Netbird from their remote locations and access the resources behind the 2 firewall (which are also interconnected hence the redundant setup above). I don't need/want to filter all traffic on the firewall itself, as netbird is much more flexible for this, but I also want/need the resources behind the firewall to log who and how is accessing them, i.e. the static VPN address of the remote peer. Hence, masquerading shall be disabled (or at least this is what I would expect to happen on the routing side of things).
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: SVI/netbird#2313