Netbird not working on Unifi after Firmware 4.0 #966

Open
opened 2025-11-20 05:20:45 -05:00 by saavagebueno · 23 comments

Originally created by @Llamrei80 on GitHub (Jun 11, 2024).

Since the update to beta firmware 4.0 on the Unifi Dream Machine Pro, Netbird doesn't connect anymore; it worked fine on firmware 3.2.12.

**Are you using NetBird Cloud?**

Yes

**NetBird version**

0.27.10

**NetBird status -d output:**

```
OS: linux/arm64
Daemon version: 0.27.10
CLI version: 0.27.10
Management: Connected to https://api.netbird.io:443
Signal: Connected to https://signal.netbird.io:443
Relays:
[stun:stun.netbird.io:5555] is Unavailable, reason: dial: failed to listen: dial: dial udp 3.73.3.142:5555: connect: invalid argument
[turns:turn.netbird.io:443?transport=tcp] is Unavailable, reason: dial: dial: dial tcp 18.157.58.205:443: connect: invalid argument
```

saavagebueno added the clientlinux labels 2025-11-20 05:20:45 -05:00

@nicdercole commented on GitHub (Jul 9, 2024):

I have the same identical problem, but my version is stuck at 25.5. Any version higher than that does not allow me to connect to the Netbird cloud.

25.5 **OK**:

```
Daemon version: 0.25.5
CLI version: 0.25.5
Management: Connected to https://api.netbird.io:443
Signal: Connected to https://signal.netbird.io:443
Relays:
[stun:stun.netbird.io:5555] is Available
[turns:turn.netbird.io:443?transport=tcp] is Available
FQDN: *******.netbird.cloud
NetBird IP: ***.**.***.*/16
Interface type: Kernel
Peers count: 4/8 Connected
```

28.4 **NOT WORK**:

```
2024-07-09T13:35:29+02:00 WARN client/cmd/root.go:234: retrying Login to the Management service in 1.299560714s due to error rpc error: code = DeadlineExceeded desc = context deadline exceeded
Error: login backoff cycle failed: rpc error: code = DeadlineExceeded desc = context deadline exceeded
root@****:/persistent/dpkg/bullseye/packages# netbird status -d
Daemon status: LoginFailed
```


@Llamrei80 commented on GitHub (Jul 9, 2024):

Just tried downgrading and tested a few versions:

0.26.3 is the last one that works for me. Everything after that gets the same error as in my first post.

```
Daemon version: 0.26.3
CLI version: 0.26.3
Management: Connected to https://api.netbird.io:443
Signal: Connected to https://signal.netbird.io:443
Relays:
[stun:stun.netbird.io:5555] is Available
[turns:turn.netbird.io:443?transport=tcp] is Available
Nameservers:
[192.168.0.1:53] for [domain.tld] is Available
FQDN: ---.netbird.cloud
NetBird IP: ---/16
Interface type: Kernel
Quantum resistance: false
Routes: -
Peers count: 2/5 Connected
```


@NightSkySK commented on GitHub (Jul 30, 2024):

The same for me at Unifi Cloud Gateway Ultra. Netbird 0.28.6 doesn't work. Following the above suggestion, after downgrading to 0.26.3 everything started working.


@zhangnew commented on GitHub (Aug 24, 2024):

same issue on openwrt, Netbird 0.26.3 works for me


@nazarewk commented on GitHub (Sep 3, 2024):

I'm also affected on RutOS (OpenWRT derivative) @ Teltonika RUTX50


@nazarewk commented on GitHub (Sep 3, 2024):

Looks like somebody made progress with this or a similar issue at https://github.com/netbirdio/netbird/issues/2512 by running stock openwrt.

I would be extremely happy if somebody from Netbird team investigated the cause of this issue, @mlsmaycon


@nazarewk commented on GitHub (Sep 3, 2024):

Thanks to somebody's suggestion on Slack I tried using legacy operation mode using [mikrotik guide](https://docs.netbird.io/how-to/client-on-mikrotik-router) and it started working.

basically:

```shell
mkdir /etc/sysconfig
cat <<'EOF' >/etc/sysconfig/netbird
export NB_LOG_LEVEL=info
export NB_DISABLE_CUSTOM_ROUTING=true
export NB_USE_LEGACY_ROUTING=true
EOF
/etc/init.d/netbird start
```

@nazarewk commented on GitHub (Sep 3, 2024):

After some Slack explanation of the legacy mode I have confirmed my router (and probably all other Teltonika/RUTOS routers) does not use `nftables`, still stuck at the legacy `iptables` and this (or some other system requirement) might be the reason for the weird error of `invalid argument`.

> `export NB_USE_LEGACY_ROUTING=true`
> this one deactivates the netbird routing table
> `export NB_DISABLE_CUSTOM_ROUTING=true`
> this one deactivates the custom dialer that will set up exclusion routes and/or fwmarks for exit nodes etc, it will also deactivate the above.
> It must be related to fwmarks, but it doesn't seem to error out on setting it(?). Maybe you can check the logs for entries related to that

This could get documented somewhere as system requirements @mlsmaycon


@nazarewk commented on GitHub (Sep 3, 2024):

FYI: on the Slack we've (with @lixmal) checked for `fwmark`/`SO_MARK` support on the system using this Python script (there was 3.9.7 available on RutOS), which appears to be properly supported:

```
root@yelk:~# python netbird-socket-test.py 
Successfully set SO_MARK option
OK
root@yelk:~# cat netbird-socket-test.py 
import socket
import sys

def test_fwmark():
    try:
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

        sock.setsockopt(socket.SOL_SOCKET, socket.SO_MARK, 100)

        print("Successfully set SO_MARK option")
        return True
    except OSError as e:
        print(f"Failed to set SO_MARK option: {e}")
        return False
    finally:
        sock.close()

if __name__ == "__main__":
    if test_fwmark():
        print('OK')
        sys.exit(0)
    else:
        print('ERROR')
        sys.exit(1)
```

@nazarewk commented on GitHub (Sep 3, 2024):

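FYI: after some [source code patching and rebuilding](https://github.com/nazarewk-iac/nix-configs/commit/b716351243bca4a0a57a38f34a8d939d86984bce), current [conclusion by @lixmal](https://netbirdio.slack.com/archives/C02KHAE8VLZ/p1725399479165009?thread_ts=1725351531.376339&cid=C02KHAE8VLZ) is:

> I see, so there's some unknown issue with *using* the fwmark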


@mlsmaycon commented on GitHub (Sep 3, 2024):

Thanks for validating the solution @nazarewk.

With 0.26.4+, the Linux client uses IP rules and firewall marks to handle routing. The flags NB_DISABLE_CUSTOM_ROUTING and NB_USE_LEGACY_ROUTING disable this behavior and fall back to the previous functionality. The downside of having these enabled is that these devices can't be clients of exit nodes.

I am almost certain, @lixmal can correct me if I am wrong, that only the NB_USE_LEGACY_ROUTING would be enough for your case.
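
An added example, not part of the thread and not NetBird code: the `SO_MARK` script posted earlier only sets the mark, while the errors in the status output come from `connect()`. This version also connects a marked UDP socket (a route lookup only) and compares it with an unmarked one. The mark value 100 (taken from the earlier script) and the target 192.0.2.1:5555 are assumptions chosen for the test.

```python
import errno
import socket

MARK = 100                    # arbitrary test mark, same value as the script in the thread
TARGET = ("192.0.2.1", 5555)  # TEST-NET-1 documentation address (assumption)


def diagnose(stage, err):
    """Map (stage, errno) to a hint. stage is 'setsockopt', 'connect' or 'ok'."""
    if stage == "ok":
        return "route lookup succeeded"
    if stage == "setsockopt":
        if err == errno.EPERM:
            return "not privileged to set SO_MARK: rerun as root"
        return "kernel rejected SO_MARK: " + errno.errorcode.get(err, str(err))
    if err == errno.EINVAL:
        return "connect() returned EINVAL: same symptom as the relay errors"
    if err == errno.ENETUNREACH:
        return "no route for this socket: check ip rule and routing tables"
    return "connect failed: " + errno.errorcode.get(err, str(err))


def probe(mark=MARK, target=TARGET, use_mark=True):
    """Return (stage, errno). UDP connect() only resolves a route; no packet is sent."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        if use_mark:
            try:
                sock.setsockopt(socket.SOL_SOCKET, socket.SO_MARK, mark)
            except OSError as e:
                return ("setsockopt", e.errno)
        try:
            sock.connect(target)
        except OSError as e:
            return ("connect", e.errno)
        return ("ok", 0)
    finally:
        sock.close()


def compare():
    """Probe without and with the mark so the effect of the mark is isolated."""
    return {"unmarked": probe(use_mark=False), "marked": probe(use_mark=True)}


if __name__ == "__main__":
    for name, (stage, err) in compare().items():
        print(f"{name:9s} {stage:10s} {diagnose(stage, err)}")
```

If the unmarked probe succeeds and the marked one fails at `connect`, the mark itself is accepted and the failure is in how marked traffic is routed.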


@nazarewk commented on GitHub (Sep 4, 2024):

> I am almost certain, @lixmal can correct me if I am wrong, that only the NB_USE_LEGACY_ROUTING would be enough for your case.

Yes it did, let's continue on my specific use case at #2530, added a lot more information there extracted from the Slack thread.


@saket424 commented on GitHub (Nov 29, 2024):

any further suggestions on this? the NB_USE_LEGACY_ROUTING does not appear to be working for me with v0.33.0


@NightSkySK commented on GitHub (Feb 26, 2025):

I see that the issue was solved for OpenWRT; however, the original issue was created for Unifi routers such as Dream Machine Pro, Cloud Gateway, etc.
I still need to use outdated Netbird 0.26.3 to run netbird on unifi devices. Is there any chance to keep netbird compatible with newest versions of UniFi OS 4 and above?


@SISheogorath commented on GitHub (Feb 26, 2025):

I do run a current netbird version on my UDM using the following scripts:

https://git.shivering-isles.com/-/snippets/22


@lixmal commented on GitHub (Apr 26, 2025):

Can you try with stock NetBird, latest version? There is some auto detection for fwmark/ip rule support


@kwhelchel commented on GitHub (May 23, 2025):

Is there anyone that can help me get this set up and running?
Site A is udm pro Site B udr7 I want site to site to have site B ping as site A wan


@donovan-esterhuizen commented on GitHub (Jul 19, 2025):

We have the same problem with Unifi Cloud Gateway running firmware 4.x


@Homie13 commented on GitHub (Aug 11, 2025):

SISheogorath has updated the instructions for using his script. It is actually working with firmware 4.x ...
Many thanks to SISheogorath. I have a UCG Ultra with UniFi OS 4.3.9 and the script is running perfectly.
Many Thanks to SISheogorath.


@saket424 commented on GitHub (Aug 12, 2025):

@Homie13
While I managed to get netbird running on the ubiquiti dream machine SE device, I am not able to add the wt0 interface into the zone firewall as a valid interface. I can ping the netbird IP address but can't ssh to it. Any idea how to update the firewall rule to allow inbound ssh on the netbird interface?


@Homie13 commented on GitHub (Aug 12, 2025):

@saket424
Log in to your Netbird account. Go to Peers. Identify the relevant peer. On the right side click the three dots and click on Enable SSH access. Try this, perhaps this could function.


@saket424 commented on GitHub (Aug 12, 2025):

@Homie13
I am self-hosting the netbird instance. It did not seem to matter whether I enabled ssh in the management portal. I am only able to ping the address but unable to ssh to it because the UDM firewall is probably blocking traffic on the zt0 interface by default. Does inbound ssh over netbird work for you when you are remote? My difficulty is how to add zt0 into a zone that is allowed. I can't seem to add it as a new interface via the zone gui


@herman-rogers commented on GitHub (Aug 24, 2025):

> I do run a current netbird version on my UDM using the following scripts:
>
> https://git.shivering-isles.com/-/snippets/22

FWIW this works for me on version 0.55.1 of netbird on the UDM.


Reference: SVI/netbird#966