SVI/netbird
1
0
Fork 0
mirror of https://github.com/netbirdio/netbird.git synced 2026-06-11 09:52:11 -04:00
Code Issues 3.0k Packages Projects Releases 10 Wiki Activity

ACLs have no effects on Network Routes #561

New Issue
Closed
opened 2025-11-20 05:13:49 -05:00 by saavagebueno · 20 comments
saavagebueno commented 2025-11-20 05:13:49 -05:00
Owner
Copy Link

Originally created by @benjvfr on GitHub (Dec 28, 2023).

Describe the problem
When adding a network route with a routing peer, the ACL do not seems to apply. See below for the complete use case.
(NetBird 0.25.2)

To Reproduce
Steps to reproduce the behavior:

  1. Add a routing peer named "edge-gw" (Docker) which is placed in the DMZ of the private network. The underlying network is configured to let this routing peer being able to route to a service (my-private-service) hosted in the private network at 10.50.0.4/32 (web service on TCP 443).

  2. Tag the "edge-gw" routing peer with "Edge" tag.

  3. In "Network Routes", click "Add route" :

  • Network Identifier > my-private-service
  • Network Range > 10.50.0.4/32
  • Routing Peer > Select "edge-gw"
  • Distribution groups > "Developers"
  • Enabled > True
  • Masquerade > True
  1. In "Access Control" :
  • All rules are disabled, except for DNS forwarding (which is routed through the same "edge-gw" routing peer).
  1. On a "dev-peer" machine, which belongs to the 'Developers" group :
  • "netstat -nr" show the route 10.50.0.4/32 being distributed (which seems right)
  • curl https://my-private-service.<redacted-domain> (10.50.0.4) returns the web HTML page, which seems wrong as no ACL rules are setup to allow traffic for TCP 443 in NetBird ACL. Same for pinging 10.50.0.4.

Expected behavior
If no ACL are enabled, traffic should not be forwarded to the private network via routing peer (even if route is distributed). As no ACL route exists for "Developers > Edge" on TCP 443, traffic should be dropped. This is not the case.

Screenshots

  1. Routing peer "edge-gw" :
    Capture d’écran 2023-12-28 à 11 24 49
Capture d’écran 2023-12-28 à 11 27 03

  1. Network routes
    Capture d’écran 2023-12-28 à 11 29 45

  2. ACL
    Capture d’écran 2023-12-28 à 11 33 28

  3. Dev peer
    Capture d’écran 2023-12-28 à 11 32 52

routes curl

Is this the normal behavior ? Or I misconfigured something ?

Originally created by @benjvfr on GitHub (Dec 28, 2023). **Describe the problem** When adding a network route with a routing peer, the ACL do not seems to apply. See below for the complete use case. (NetBird 0.25.2) **To Reproduce** Steps to reproduce the behavior: 1. Add a routing peer named "edge-gw" (Docker) which is placed in the DMZ of the private network. The underlying network is configured to let this routing peer being able to route to a service (my-private-service) hosted in the private network at 10.50.0.4/32 (web service on TCP 443). 3. Tag the "edge-gw" routing peer with "Edge" tag. 4. In "Network Routes", click "Add route" : - Network Identifier > my-private-service - Network Range > 10.50.0.4/32 - Routing Peer > Select "edge-gw" - Distribution groups > "Developers" - Enabled > True - Masquerade > True 5. In "Access Control" : - All rules are disabled, except for DNS forwarding (which is routed through the same "edge-gw" routing peer). 7. On a "dev-peer" machine, which belongs to the 'Developers" group : - "netstat -nr" show the route 10.50.0.4/32 being distributed (which seems right) - **curl https://my-private-service.<redacted-domain\> (10.50.0.4) returns the web HTML page, which seems wrong as no ACL rules are setup to allow traffic for TCP 443 in NetBird ACL. Same for pinging 10.50.0.4.** **Expected behavior** If no ACL are enabled, traffic should not be forwarded to the private network via routing peer (even if route is distributed). As no ACL route exists for "Developers > Edge" on TCP 443, traffic should be dropped. This is not the case. **Screenshots** 1. Routing peer "edge-gw" : <img width="1244" alt="Capture d’écran 2023-12-28 à 11 24 49" src="https://github.com/netbirdio/netbird/assets/39627260/8c4a9f3f-db60-440c-aeed-f6bb8db52efb"> <img width="1137" alt="Capture d’écran 2023-12-28 à 11 27 03" src="https://github.com/netbirdio/netbird/assets/39627260/5272ed80-1dbf-4961-aa34-bd42d52a85e6"> 2. Network routes <img width="1220" alt="Capture d’écran 2023-12-28 à 11 29 45" src="https://github.com/netbirdio/netbird/assets/39627260/1d12ea5f-a5c0-4765-bd32-9eb4916ddc19"> 3. ACL <img width="1216" alt="Capture d’écran 2023-12-28 à 11 33 28" src="https://github.com/netbirdio/netbird/assets/39627260/9eb36880-a717-4b86-8b66-921b6c91b8df"> 4. Dev peer <img width="1237" alt="Capture d’écran 2023-12-28 à 11 32 52" src="https://github.com/netbirdio/netbird/assets/39627260/5b73132c-063a-40a2-b6b1-d4643579716a"> <img width="1396" alt="routes" src="https://github.com/netbirdio/netbird/assets/39627260/c1746315-105d-4747-af06-85369456c617"> <img width="1396" alt="curl" src="https://github.com/netbirdio/netbird/assets/39627260/e5649504-991a-4516-ad8f-bcc3b3696656"> Is this the normal behavior ? Or I misconfigured something ?
saavagebueno added the routesagent labels 2025-11-20 05:13:49 -05:00
saavagebueno commented 2025-11-20 05:13:50 -05:00
Author
Owner
Copy Link

@benjvfr commented on GitHub (Dec 28, 2023):

After further troubleshooting, here is what I found :

  • If there is at least on ACL allowing traffic to "Edge" (here "All to Edge DNS" ; UDP/53), all type of connections related to the connected Network Routes are allowed (even if the ACL specified UDP/53).
  • This explain why the TCP/443 or ICMP are forwarded to private network through the Edge routing peer.

So for my use case :

  • Disabling the ACL "All to Edge DNS" restrict pinging 10.50.0.4 (intended) => The route 10.50.0.4/32 is not pushed to clients ; therefore pinging 10.50.0.4 is not working (intended).
  • Enabling the ACL "All to Edge DNS" pushes route 10.50.0.4 to clients => All type of connections to 10.50.0.4 are allowed, even if the ACL specified UDP/53 ; ping to 10.50.0.4 is working... bug ?

It seems to be a bug.

@benjvfr commented on GitHub (Dec 28, 2023): After further troubleshooting, here is what I found : - If there is at least on ACL allowing traffic to "Edge" (here "All to Edge DNS" ; UDP/53), all type of connections related to the connected Network Routes are allowed (even if the ACL specified UDP/53). - This explain why the TCP/443 or ICMP are forwarded to private network through the Edge routing peer. So for my use case : - Disabling the ACL "All to Edge DNS" restrict pinging 10.50.0.4 (intended) => The route 10.50.0.4/32 is not pushed to clients ; therefore pinging 10.50.0.4 is not working (intended). - Enabling the ACL "All to Edge DNS" pushes route 10.50.0.4 to clients => All type of connections to 10.50.0.4 are allowed, even if the ACL specified UDP/53 ; ping to 10.50.0.4 is working... bug ? It seems to be a bug.
saavagebueno commented 2025-11-20 05:13:50 -05:00
Author
Owner
Copy Link

@mlsmaycon commented on GitHub (Jan 3, 2024):

Hello @benjvfr, this is the current behavior of network routes; there is no access control for routed networks.

The access control rule you created only affects traffic targeting the edge node.

We have plans to add support to access control for routed networks this quarter.

@mlsmaycon commented on GitHub (Jan 3, 2024): Hello @benjvfr, this is the current behavior of network routes; there is no access control for routed networks. The access control rule you created only affects traffic targeting the edge node. We have plans to add support to access control for routed networks this quarter.
saavagebueno commented 2025-11-20 05:13:50 -05:00
Author
Owner
Copy Link

@benjvfr commented on GitHub (Jan 3, 2024):

Hello, thank you for your answer.

Okay, I asked because in your documentation related to "Manage DNS in your network" it is indicated to add an ACL for UDP/53 to the routing peer, suggesting that ACLs can filter traffic by port/protocol to the private network.

In fact, any ACL can be added here, not specifically UDP/53 to routing peer : there must simply be an ACL authorizing some kind of connection to the routing peer (anything, can be: ICMP, HTTP...).

@benjvfr commented on GitHub (Jan 3, 2024): Hello, thank you for your answer. Okay, I asked because in your documentation related to "[Manage DNS in your network](https://docs.netbird.io/how-to/manage-dns-in-your-network#adding-remote-private-dns-servers)" it is indicated to add an ACL for UDP/53 to the routing peer, suggesting that ACLs can filter traffic by port/protocol to the private network. In fact, any ACL can be added here, not specifically UDP/53 to routing peer : there must simply be an ACL authorizing some kind of connection to the routing peer (anything, can be: ICMP, HTTP...).
saavagebueno commented 2025-11-20 05:13:50 -05:00
Author
Owner
Copy Link

@buzzzo commented on GitHub (Jan 3, 2024):

Hello @benjvfr, this is the current behavior of network routes; there is no access control for routed networks.

The access control rule you created only affects traffic targeting the edge node.

We have plans to add support to access control for routed networks this quarter.

Does it means that we could just do an acl like:
src group_a -> dst 192.168.1.0/20 proto tcp port 22 action allow

where 192.168.1.0/24 is a network route

Could i also have an acl like
src group_a -> dst 192.168.1.1/32 proto tcp port 22 action allow
where 192.168.1.1/32 is only an ip under network route reachable tru network routes.

Thx

@buzzzo commented on GitHub (Jan 3, 2024): > Hello @benjvfr, this is the current behavior of network routes; there is no access control for routed networks. > > The access control rule you created only affects traffic targeting the edge node. > > We have plans to add support to access control for routed networks this quarter. Does it means that we could just do an acl like: src group_a -> dst 192.168.1.0/20 proto tcp port 22 action allow where 192.168.1.0/24 is a network route Could i also have an acl like src group_a -> dst 192.168.1.1/32 proto tcp port 22 action allow where 192.168.1.1/32 is only an ip under network route reachable tru network routes. Thx
saavagebueno commented 2025-11-20 05:13:51 -05:00
Author
Owner
Copy Link

@logan-hcg commented on GitHub (Mar 28, 2024):

We have plans to add support to access control for routed networks this quarter.

Hi @mlsmaycon , any chance there has been progress on this? I really want to start using netbird at my org, but can't until we can lock down routed networks.

@logan-hcg commented on GitHub (Mar 28, 2024): > We have plans to add support to access control for routed networks this quarter. Hi @mlsmaycon , any chance there has been progress on this? I really want to start using netbird at my org, but can't until we can lock down routed networks.
saavagebueno commented 2025-11-20 05:13:51 -05:00
Author
Owner
Copy Link

@logan-hcg commented on GitHub (Mar 29, 2024):

I did some additional experimentation with this. My initial main concern was being able to restrict what ports users could speak to on the routed network when they had access, however I think it is even more critical now.

If a connected peer routes a network, any client that has access to talk to that peer can pass traffic to the routed network, even if that client is not in any of the "distribution groups" for the routed network as long as:

  1. the user knows the CIDR of the routed network; and
  2. which peer(s) are the "routing peer"; and
  3. have at least one ACL which allows them to communicate with that "routing peer"

To "manually" activate access to that routed network:

sudo ip route add <NETWORK/NETMASK> dev wt0 table netbird
sudo wg set wt0 peer <ROUTING_PEER_KEY> allowed-ips <EXISTING_ALLOWED_IPS>,<NETWORK/NETMASK>

This makes sense, because the Netbird documentation talks about "route distribution", and does not make any claims that it is a security boundary. However, I would expect many users would have a similar assumption as I did that there is some security checks preventing traffic being passed if the user's peer is not in the "distribution groups".

@logan-hcg commented on GitHub (Mar 29, 2024): I did some additional experimentation with this. My initial main concern was being able to restrict what ports users could speak to on the routed network when they had access, however I think it is even more critical now. If a connected peer routes a network, _any_ client that has access to talk to that peer can pass traffic to the routed network, even if that client is not in any of the "distribution groups" for the routed network as long as: 1. the user knows the CIDR of the routed network; and 2. which peer(s) are the "routing peer"; and 3. have at least one ACL which allows them to communicate with that "routing peer" To "manually" activate access to that routed network: ```bash sudo ip route add <NETWORK/NETMASK> dev wt0 table netbird sudo wg set wt0 peer <ROUTING_PEER_KEY> allowed-ips <EXISTING_ALLOWED_IPS>,<NETWORK/NETMASK> ``` This makes sense, because the Netbird documentation talks about "route distribution", and does _not_ make any claims that it is a security boundary. However, I would expect many users would have a similar assumption as I did that there is some security checks preventing traffic being passed if the user's peer is not in the "distribution groups".
saavagebueno commented 2025-11-20 05:13:51 -05:00
Author
Owner
Copy Link

@florian-obradovic commented on GitHub (May 10, 2024):

I am also affected by this.

From my findings, clients only can access peers behind the routing peer, if you have any ACL which allows some protocol like ICMP to the network group where the advertising node sits:
image
CleanShot 2024-05-10 at 07 27 36@2x
CleanShot 2024-05-10 at 07 19 57@2x

@florian-obradovic commented on GitHub (May 10, 2024): I am also affected by this. From my findings, clients only can access peers behind the routing peer, if you have any ACL which allows some protocol like ICMP to the network group where the advertising node sits: ![image](https://github.com/netbirdio/netbird/assets/57985125/48449a6d-72ea-4663-8305-75758fddfbe6) ![CleanShot 2024-05-10 at 07 27 36@2x](https://github.com/netbirdio/netbird/assets/57985125/907f3ce0-0cb6-4310-b01b-d2545ff94df7) ![CleanShot 2024-05-10 at 07 19 57@2x](https://github.com/netbirdio/netbird/assets/57985125/88993393-2784-4368-9c89-545409ac00a7)
saavagebueno commented 2025-11-20 05:13:51 -05:00
Author
Owner
Copy Link

@marcportabellaclotet-mt commented on GitHub (Jun 13, 2024):

Hello @benjvfr, this is the current behavior of network routes; there is no access control for routed networks.

The access control rule you created only affects traffic targeting the edge node.

We have plans to add support to access control for routed networks this quarter.

I am curious on how you are tackling the routed network filtering. Are there any updates?
Just looking into the current IPTables logic on routers, I understand that these iptable routes need to be updated with a more fine-grained rules.

Ip Tables router rules 

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  -- !100.113.0.0/16       100.113.0.0/16      
ACCEPT     all  --  100.113.0.0/16      !100.113.0.0/16      
NETBIRD-ACL-INPUT  all  --  100.113.0.0/16       100.113.0.0/16      
DROP       all  --  anywhere             anywhere            

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
NETBIRD-RT-FWD  all  --  anywhere             anywhere            
NETBIRD-RT-FWD  all  --  anywhere             anywhere            
NETBIRD-RT-FWD  all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             mark match 0x7e4
ACCEPT     all  --  anywhere             anywhere             mark match 0x7e4
NETBIRD-ACL-INPUT  all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  -- !100.113.0.0/16       100.113.0.0/16      
ACCEPT     all  --  100.113.0.0/16      !100.113.0.0/16      
NETBIRD-ACL-OUTPUT  all  --  100.113.0.0/16       100.113.0.0/16      
DROP       all  --  anywhere             anywhere            

Chain NETBIRD-ACL-INPUT (2 references)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:8888
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:8888
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:http-alt
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http-alt

Chain NETBIRD-ACL-OUTPUT (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:8888
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:8888
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http-alt
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:http-alt

Chain NETBIRD-RT-FWD (3 references)
target     prot opt source               destination         
ACCEPT     all  --  ip-10-170-0-2.eu-west-1.compute.internal  100.113.0.0/16      
ACCEPT     all  --  100.113.0.0/16       ip-10-170-0-2.eu-west-1.compute.internal 
....
Is that correct?

Thanks @mlsmaycon!

@marcportabellaclotet-mt commented on GitHub (Jun 13, 2024): > Hello @benjvfr, this is the current behavior of network routes; there is no access control for routed networks. > > The access control rule you created only affects traffic targeting the edge node. > > We have plans to add support to access control for routed networks this quarter. I am curious on how you are tackling the routed network filtering. Are there any updates? Just looking into the current IPTables logic on routers, I understand that these iptable routes need to be updated with a more fine-grained rules. <details> <summary><i>Ip Tables router rules </i></summary> ``` Chain INPUT (policy ACCEPT) target prot opt source destination ACCEPT all -- !100.113.0.0/16 100.113.0.0/16 ACCEPT all -- 100.113.0.0/16 !100.113.0.0/16 NETBIRD-ACL-INPUT all -- 100.113.0.0/16 100.113.0.0/16 DROP all -- anywhere anywhere Chain FORWARD (policy ACCEPT) target prot opt source destination NETBIRD-RT-FWD all -- anywhere anywhere NETBIRD-RT-FWD all -- anywhere anywhere NETBIRD-RT-FWD all -- anywhere anywhere ACCEPT all -- anywhere anywhere mark match 0x7e4 ACCEPT all -- anywhere anywhere mark match 0x7e4 NETBIRD-ACL-INPUT all -- anywhere anywhere DROP all -- anywhere anywhere Chain OUTPUT (policy ACCEPT) target prot opt source destination ACCEPT all -- !100.113.0.0/16 100.113.0.0/16 ACCEPT all -- 100.113.0.0/16 !100.113.0.0/16 NETBIRD-ACL-OUTPUT all -- 100.113.0.0/16 100.113.0.0/16 DROP all -- anywhere anywhere Chain NETBIRD-ACL-INPUT (2 references) target prot opt source destination ACCEPT tcp -- anywhere anywhere tcp dpt:8888 ACCEPT tcp -- anywhere anywhere tcp spt:8888 ACCEPT tcp -- anywhere anywhere tcp spt:http-alt ACCEPT tcp -- anywhere anywhere tcp dpt:http-alt Chain NETBIRD-ACL-OUTPUT (1 references) target prot opt source destination ACCEPT tcp -- anywhere anywhere tcp spt:8888 ACCEPT tcp -- anywhere anywhere tcp dpt:8888 ACCEPT tcp -- anywhere anywhere tcp dpt:http-alt ACCEPT tcp -- anywhere anywhere tcp spt:http-alt Chain NETBIRD-RT-FWD (3 references) target prot opt source destination ACCEPT all -- ip-10-170-0-2.eu-west-1.compute.internal 100.113.0.0/16 ACCEPT all -- 100.113.0.0/16 ip-10-170-0-2.eu-west-1.compute.internal .... ``` </details> Is that correct? Thanks @mlsmaycon!
saavagebueno commented 2025-11-20 05:13:51 -05:00
Author
Owner
Copy Link

@sat-dish commented on GitHub (Jun 21, 2024):

We are also waiting on an update on this as it's kind of a show stopper for us.

@sat-dish commented on GitHub (Jun 21, 2024): We are also waiting on an update on this as it's kind of a show stopper for us.
saavagebueno commented 2025-11-20 05:13:51 -05:00
Author
Owner
Copy Link

@Mntz commented on GitHub (Jul 16, 2024):

Same, we're currently testing Netbird and won't be able to deploy if network routes are not secured.

@Mntz commented on GitHub (Jul 16, 2024): Same, we're currently testing Netbird and won't be able to deploy if network routes are not secured.
saavagebueno commented 2025-11-20 05:13:51 -05:00
Author
Owner
Copy Link

@Lamera commented on GitHub (Sep 18, 2024):

@mlsmaycon @braginini When will this PR https://github.com/netbirdio/netbird/pull/2100 be merged?

@Lamera commented on GitHub (Sep 18, 2024): @mlsmaycon @braginini When will this PR https://github.com/netbirdio/netbird/pull/2100 be merged?
saavagebueno commented 2025-11-20 05:13:52 -05:00
Author
Owner
Copy Link

@mlsmaycon commented on GitHub (Sep 18, 2024):

We plan it for the 0.30 release in the coming weeks.

@mlsmaycon commented on GitHub (Sep 18, 2024): We plan it for the 0.30 release in the coming weeks.
saavagebueno commented 2025-11-20 05:13:52 -05:00
Author
Owner
Copy Link

@florian-obradovic commented on GitHub (Sep 18, 2024):

@mlsmaycon ❤️

We currently use a subnet router and a firewall in between.

We announce routes without masquerading so we can use the Netbird static client IPs in firewall rules.

@florian-obradovic commented on GitHub (Sep 18, 2024): @mlsmaycon ❤️ We currently use a subnet router and a firewall in between. We announce routes **without masquerading** so we can use the Netbird static client IPs in firewall rules.
saavagebueno commented 2025-11-20 05:13:52 -05:00
Author
Owner
Copy Link

@mgarces commented on GitHub (Oct 28, 2024):

this has been released since 0.30.0 were you able to test it? You can now assign a Network Route ACL; the name you pic there will need to be in the destination section of the Policy you create.

@mgarces commented on GitHub (Oct 28, 2024): this has been released since `0.30.0` were you able to test it? You can now assign a Network Route ACL; the name you pic there will need to be in the destination section of the Policy you create.
saavagebueno commented 2025-11-20 05:13:52 -05:00
Author
Owner
Copy Link

@buzzzo commented on GitHub (Oct 29, 2024):

this has been released since 0.30.0 were you able to test it? You can now assign a Network Route ACL; the name you pic there will need to be in the destination section of the Policy you create.

I see the network routes now as selectable objects in the policy page. But what happens if i would just create a policy having for example as destination 192.168.1.1/32 and NOT the whole 192.168.1.0/24 of a network routes ?

@buzzzo commented on GitHub (Oct 29, 2024): > this has been released since `0.30.0` were you able to test it? You can now assign a Network Route ACL; the name you pic there will need to be in the destination section of the Policy you create. I see the network routes now as selectable objects in the policy page. But what happens if i would just create a policy having for example as destination 192.168.1.1/32 and NOT the whole 192.168.1.0/24 of a network routes ?
saavagebueno commented 2025-11-20 05:13:52 -05:00
Author
Owner
Copy Link

@jacac commented on GitHub (Oct 29, 2024):

I've upgraded to 0.30.3 but cannot find the group tab to specify the access control group. This is on a self hosted server.

image

@jacac commented on GitHub (Oct 29, 2024): I've upgraded to `0.30.3` but cannot find the group tab to specify the access control group. This is on a self hosted server. ![image](https://github.com/user-attachments/assets/209cc28d-87a3-4f24-b59a-eb456b3095a0)
saavagebueno commented 2025-11-20 05:13:52 -05:00
Author
Owner
Copy Link

@florian-obradovic commented on GitHub (Oct 29, 2024):

Did you also upgrade the dashboard?
You need at least https://github.com/netbirdio/dashboard/releases/tag/v2.6.0

@florian-obradovic commented on GitHub (Oct 29, 2024): Did you also upgrade the dashboard? You need at least https://github.com/netbirdio/dashboard/releases/tag/v2.6.0
saavagebueno commented 2025-11-20 05:13:53 -05:00
Author
Owner
Copy Link

@jacac commented on GitHub (Oct 29, 2024):

The docker compose file has image: netbirdio/dashboard:latest. Should I use a different one?

@jacac commented on GitHub (Oct 29, 2024): The docker compose file has `image: netbirdio/dashboard:latest`. Should I use a different one?
saavagebueno commented 2025-11-20 05:13:53 -05:00
Author
Owner
Copy Link

@florian-obradovic commented on GitHub (Oct 29, 2024):

# netbird_version_check.sh
MGMTCID=$(docker ps|grep management|awk '{print $1}')
if [[ -z $MGMTCID ]] ; then
       echo No MGMT container found...
       exit 1
fi
nbversion=$(docker inspect $MGMTCID |grep "org.opencontainers.image.version"|awk -F: '{print $2}')
echo Server is running Netbird MGMT version: $nbversion
DASHBOARDCID=$(docker ps|grep dashboard|awk '{print $1}')
if [[ -z $DASHBOARDCID ]] ; then
       echo No MGMT container found...
       exit 1
fi
nbversion=$(docker inspect $DASHBOARDCID |grep "org.opencontainers.image.version"|awk -F: '{print $2}')
echo Server is running Netbird Dashboard  version: $nbversion
Server is running Netbird MGMT version:  "0.30.3"
Server is running Netbird Dashboard version:  "v2.6.1"

Check your version with this script.

@florian-obradovic commented on GitHub (Oct 29, 2024): ``` # netbird_version_check.sh MGMTCID=$(docker ps|grep management|awk '{print $1}') if [[ -z $MGMTCID ]] ; then echo No MGMT container found... exit 1 fi nbversion=$(docker inspect $MGMTCID |grep "org.opencontainers.image.version"|awk -F: '{print $2}') echo Server is running Netbird MGMT version: $nbversion DASHBOARDCID=$(docker ps|grep dashboard|awk '{print $1}') if [[ -z $DASHBOARDCID ]] ; then echo No MGMT container found... exit 1 fi nbversion=$(docker inspect $DASHBOARDCID |grep "org.opencontainers.image.version"|awk -F: '{print $2}') echo Server is running Netbird Dashboard version: $nbversion Server is running Netbird MGMT version: "0.30.3" Server is running Netbird Dashboard version: "v2.6.1" ``` Check your version with this script.
saavagebueno commented 2025-11-20 05:13:53 -05:00
Author
Owner
Copy Link

@jacac commented on GitHub (Oct 29, 2024):

Thanks for the script. The output was

Server is running Netbird MGMT version: "0.30.1"
Server is running Netbird Dashboard version: "v2.5.0"

Running docker compose pull management dashboard signal and docker compose up -d --force-recreate management dashboard signal upgrade changed it to.

Server is running Netbird MGMT version: "0.30.3"
Server is running Netbird Dashboard version: "v2.6.2"

Now I have the option to specify the Access Control Groups and will test more.

@jacac commented on GitHub (Oct 29, 2024): Thanks for the script. The output was ``` Server is running Netbird MGMT version: "0.30.1" Server is running Netbird Dashboard version: "v2.5.0" ``` Running `docker compose pull management dashboard signal` and `docker compose up -d --force-recreate management dashboard signal` upgrade changed it to. ``` Server is running Netbird MGMT version: "0.30.3" Server is running Netbird Dashboard version: "v2.6.2" ``` Now I have the option to specify the `Access Control Groups` and will test more.
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
2021 Q4
2022 Q1
2022 Q1
accessibility
acl
agent
agent
Android
Android
api
authentik
automation
azure
battery-usage
bug
cache
client
client-ui
cloud
cloud-only
cloudflare
community
compatibility
config-idp
config-issue
connection
contribution
coturn
cross-vpn
dashboard
data-usage
distribution
dns
docker
documentation
duplicate
enhancement
enhancement
event-stream
feature-request
freebsd
getting-started
go
good first issue
gui
help wanted
home-assistant
idp
inconsistency
integration
integrations
ios
ipv6
jwt
k8s
keycloak
linux
login
macos
management-service
missing-docs
mobile
moved-internal
needs-review
netbird-ui
networking
new-platform
nginx
notification
okta
openwrt
packaging
peer-management
peer-management
peer-management
performance
postgres
posture-checks
psk
pull-request
Mirrored from GitHub Pull Request
 question
refactor
relay
release
rfc
routes
security
security-related
self-hosting
server
signal
sleep-issue
ssh
ssl
status
store
synology
system-compatibility-issue
test-suite
third-party-integration
triage
triage-needed
troubleshooting
UX
waiting-feedback
windows
wontfix
zitadel
No Label agent routes
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
saavagebueno
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: SVI/netbird#561
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?