diff --git a/public/docs-static/img/how-to-guides/wifi-inside-office-subnet.png b/public/docs-static/img/how-to-guides/wifi-inside-office-subnet.png index 4ad7765c..64649867 100644 Binary files a/public/docs-static/img/how-to-guides/wifi-inside-office-subnet.png and b/public/docs-static/img/how-to-guides/wifi-inside-office-subnet.png differ diff --git a/src/pages/how-to/manage-posture-checks.mdx b/src/pages/how-to/manage-posture-checks.mdx index 8ba4935e..01440fab 100644 --- a/src/pages/how-to/manage-posture-checks.mdx +++ b/src/pages/how-to/manage-posture-checks.mdx @@ -148,6 +148,8 @@ The `NetBird Version` check will be assigned to the policy. Click `Save Changes` ### Example use case for local office network A common scenario our users have is to allow theirs peers to externally access their local office network subnet. Having the hability to easily connect to locally exposed services from anywhere in the world, using NetBird is a trivial task, but you don't want to route your traffic via NetBird when you are in the office. To solve this, you can create a policy that will allow connection to the routing peers group, only if they are outside the office, using **Block Peer Network Range** Posture Check. +A common scenario our users have is to allow their peers to externally access their local office network subnet. Having the ability to easily connect to locally exposed services from anywhere in the world, using NetBird, is a trivial task. Still, you don't want to route your traffic via NetBird when you are in the office. To solve this, you can create a policy that will allow connection to the routing peers group, only if they are outside the office, using **Block Peer Network Range** Posture Check. +

high-level-dia

@@ -157,26 +159,26 @@ A common scenario our users have is to allow theirs peers to externally access t After you save and give this **Posture Check** a name, you can assign it to a policy. (let's assume the name you gave was "Exclude Office subnet") -In this example, our office network is on the subnet `192.168.1.0/24`. You will need a policy that allows access to the routing peers; this can be any protocol and port, you just need to be able to connect to your routing peer in some way. Let's assume all users will be part of group `route-users` and the routing peer for our office will be inside the group `route-nodes`. -With this in mind, create a policy that allows access to the routing peer group, and assign the posture check `Exclude Office subnet` to it. +In this example, our office network is on the subnet `192.168.1.0/24`. You will need a policy that allows access to the routing peers; this can be any protocol and port, you just need to be able to connect to your routing peer in some way. Let's assume all users will be part of the group `route-users` and the routing peer for our office will be inside the group `route-nodes`. +With this in mind, create a policy that allows access to the routing peer group and assign the posture check `Exclude Office subnet` to it.

high-level-dia

-Now, let's create a **Network Route** that will expose local office subnet `192.168.1.0/24` which gets distributed to all peers inside the group `route-users`. +Now, let's create a **Network Route** that will expose the local office subnet `192.168.1.0/24`, which gets distributed to all peers inside the group `route-users`.

high-level-dia

-In this example, our routing peer is called `router-01` and sits inside the `route-nodes` group, this way the policy we just created go into effect, and all peers inside `route-users` will be able to reach `router-01` only if they are not in the office network, due to our posture check. +In this example, our routing peer is called `router-01` and sits inside the `route-nodes` group this way, the policy we just created goes into effect, and all peers inside `route-users` will be able to reach `router-01` only if they are not in the office network, due to our posture check. From inside our office:

high-level-dia

-And on the command line you can observe: +And on the command line, you can observe:

high-level-dia

@@ -193,6 +195,6 @@ When we are connected somewhere outside the office, we can observe:

high-level-dia

-Notice that the subnet `192.168.1.0/24` is routed through our Wireguard interface (`untu100`). +Notice that the subnet `192.168.1.0/24` is routed through our Wireguard interface (`utun100`). This concludes this Posture Check example.