Open collse opened 2 months ago
I did some further digging on this and it shows that the phone has the actual public IP of my firewall, while the other devices on the same network have either their internal IP or the firewall's internal IP, which seems odd as all devices are NAT'd at the firewall.
The question as such is: what mechanism does NetBird use internally to derive the public IP?
latest versions, issue still exists
@collse it seems like your nodes in the same network as the management service are reaching it with the local address. It is common that some firewalls/routers forward traffic directly when one internal node tries to access its public address.
You can confirm that by checking the address listed as Public IP-Address in the peer view.
@mlsmaycon thanks for your reply. I have just run a check using a hotspot and it returned the region on connect, and it also retained the region when re-connecting via the local wifi. So this could prove your theory. The question then leads to the point: how can I add a device to an access control policy that includes a posture check on region if the device never retrieves a region? Wouldn't it make sense to allow this field to be specified and updated when it changes?
Edit: the use case is a fully meshed overlay network.
It would fail to match as intended. However, you can work with another policy that allows connections from a private network range for those nodes that match that.
Also, it is possible to disable this behavior on the firewall. You can check your solution's NAT configuration.
@mlsmaycon I have tried to think this through, as my firewall does not allow changing the NAT behaviour and I am unable to verify whether it is potentially the proxy. Anyhow, my understanding is:
Posture checks are evaluated on each member of the access policy.
If I had rule 1) All <--> All, posture checked (NetBird version and region (US/GB/FR) as an example),
the hosts currently not having a region won't be able to participate in rule 1).
If I then create rule 2) (hosts_without_region) <--> All, posture checked (netbird_version, subnet(local_subnets)), wouldn't the members of All who aren't on (local_subnets) be denied from participating?
Wouldn't this create a race condition of deny/allow between 2 different rules?
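The two points raised above, that a peer which reaches the management service through hairpin NAT shows up with a non-public address and therefore never gets a region, and that a second subnet-based policy can cover those peers, can be checked with a small model. The Go program below is an added example, not NetBird's code; it classifies the address management observed for a peer, resolves a region only for globally routable addresses (using a constructed lookup table and the TEST-NET-3 address 203.0.113.5 as a stand-in for the hotspot path), and evaluates two toy policies against two constructed peers. The assumption that policies are independent allow rules, so that failing one does not deny a peer that another one matches, is a property of this model and should be confirmed against the real policy engine.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Shared address space (RFC 6598); net/netip has no helper for it.
var cgnat = netip.MustParsePrefix("100.64.0.0/10")

// addrKind classifies the address the management service observed a peer
// connecting from. Only a globally routable address can be geolocated; a peer
// that reaches management via hairpin NAT or a local path shows up as one of
// the other kinds and stays at region "unknown".
func addrKind(s string) (string, error) {
	a, err := netip.ParseAddr(s)
	if err != nil {
		return "", err
	}
	a = a.Unmap() // treat ::ffff:10.0.0.1 as 10.0.0.1
	switch {
	case a.IsLoopback():
		return "loopback", nil
	case a.IsLinkLocalUnicast():
		return "link-local", nil
	case a.IsPrivate():
		return "private", nil
	case cgnat.Contains(a):
		return "cgnat", nil
	case !a.IsGlobalUnicast():
		return "unroutable", nil
	}
	return "public", nil
}

// Peer holds the fields a posture check looks at (constructed stand-in).
type Peer struct {
	Name       string
	ObservedIP string   // address management saw the peer come from
	LocalIPs   []string // addresses on the peer's own interfaces
}

// resolveRegion stands in for the geolocation lookup: a constructed table
// keyed by public address; anything non-public yields "" (shown as "unknown").
func resolveRegion(ip string, geo map[string]string) string {
	if k, _ := addrKind(ip); k != "public" {
		return ""
	}
	return geo[ip]
}

// Policy is a toy access rule with two optional posture checks; an empty
// slice means the check is not configured. Every configured check must pass.
type Policy struct {
	Name    string
	Regions []string       // peer's resolved region must be listed
	Subnets []netip.Prefix // one of the peer's local addresses must fall inside
}

func (p Policy) Matches(peer Peer, geo map[string]string) bool {
	if len(p.Regions) > 0 {
		r, ok := resolveRegion(peer.ObservedIP, geo), false
		for _, want := range p.Regions {
			ok = ok || (r != "" && r == want)
		}
		if !ok {
			return false // region "" never matches, so "unknown" peers drop out here
		}
	}
	if len(p.Subnets) > 0 {
		hit := false
		for _, s := range peer.LocalIPs {
			a, err := netip.ParseAddr(s)
			if err != nil {
				continue
			}
			for _, pfx := range p.Subnets {
				hit = hit || pfx.Contains(a)
			}
		}
		if !hit {
			return false
		}
	}
	return true
}

// matchingPolicies lists the policies a peer satisfies. In this model policies
// are independent allow rules (assumption): failing one is not a deny, the
// peer simply needs some other policy to match.
func matchingPolicies(peer Peer, policies []Policy, geo map[string]string) []string {
	var out []string
	for _, p := range policies {
		if p.Matches(peer, geo) {
			out = append(out, p.Name)
		}
	}
	return out
}

// demo runs two constructed peers against the two rules from the discussion
// and returns, per peer, the names of the policies that admit it.
func demo() map[string][]string {
	geo := map[string]string{"203.0.113.5": "FR"} // constructed geolocation table
	policies := []Policy{
		{Name: "all-by-region", Regions: []string{"US", "GB", "FR"}},
		{Name: "lan-fallback", Subnets: []netip.Prefix{netip.MustParsePrefix("192.168.0.0/16")}},
	}
	peers := []Peer{
		{Name: "phone-on-hotspot", ObservedIP: "203.0.113.5", LocalIPs: []string{"10.20.0.7"}},
		{Name: "laptop-behind-nat", ObservedIP: "192.168.1.1", LocalIPs: []string{"192.168.1.10"}},
	}
	out := map[string][]string{}
	for _, p := range peers {
		out[p.Name] = matchingPolicies(p, policies, geo)
	}
	return out
}

func main() {
	for name, pols := range demo() {
		fmt.Printf("%-18s policies=%v\n", name, pols)
	}
}
```

In the model the laptop whose observed address is the firewall's internal IP fails the region rule but is admitted by the subnet rule, while the hotspot peer is admitted by the region rule alone; nothing is denied by the rule it fails to match. The useful check for the issue above is the first column of addrKind: a peer whose "Public IP-Address" in the peer view classifies as private, cgnat or link-local will never receive a region from a lookup that only knows public addresses.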
Describe the problem
I have a few devices which are all residing on the same network; out of them only one resolves the geolocation, the remaining devices show as "unknown" region. They are also part of the same group.
The device that is properly identified is an iOS 18.0 device with v0.28.7. The other devices are a variety of Linux flavours (all 0.29.4), an iOS 18.0 tablet (v0.28.7), as well as Apple devices on Ventura and Sequoia (0.29.4).
To Reproduce
good question
Expected behavior
Geolocation to resolve or allowing to manually add for known devices.
Are you using NetBird Cloud?
Self-host NetBird's control plane - latest
NetBird version
netbird version 0.29.4
NetBird status -dA output:
N/A
Do you face any (non-mobile) client issues?
happens on mobile as well as other devices as stated
Screenshots
Additional context
The workload in France is on a public IP. I have tried enabling airplane mode and re-adding the phone; geolocation still got resolved after a period of time. All of the non-resolved devices reside on the same network, maybe on another VLAN than the iOS device that resolves; at least 2 devices are on the exact same network.
Obviously this prevents access control policies in combination with location from working correctly.