From 6ead42305a39172a90689b65180f3bfa1de5226d Mon Sep 17 00:00:00 2001 From: Jack Carter <128555021+SunsetDrifter@users.noreply.github.com> Date: Tue, 17 Feb 2026 19:00:11 +0100 Subject: [PATCH] Document that routing peers require a separate policy for direct access (#611) Users commonly run services (Pi-hole, Home Assistant, monitoring) on routing peer machines but have no guidance that a network resource policy only grants access to the network behind the peer, not the peer itself. Add notes to Networks, Network Routes, Access Control, and the Zero Trust guide clarifying that a peer-to-peer access policy is needed. Co-authored-by: Claude Opus 4.6 --- src/pages/manage/access-control/index.mdx | 4 ++++ src/pages/manage/network-routes/index.mdx | 4 ++++ src/pages/manage/networks/index.mdx | 4 ++++ src/pages/use-cases/security/implement-zero-trust.mdx | 2 +- 4 files changed, 13 insertions(+), 1 deletion(-) diff --git a/src/pages/manage/access-control/index.mdx b/src/pages/manage/access-control/index.mdx index f396c9a7..c08159f5 100644 --- a/src/pages/manage/access-control/index.mdx +++ b/src/pages/manage/access-control/index.mdx @@ -282,6 +282,10 @@ Think of it this way: **UI Behavior:** When creating a policy where the destination is a network resource, the bidirectional toggle will either be disabled or attempting to enable it will have no effect, because bidirectional communication is not possible in this scenario. + +Policies to network resources control access to the network behind the routing peer, not the routing peer itself. To access services running on the routing peer, create a separate peer-to-peer policy with the routing peer's group as the destination. See [Routing Peers](/manage/networks#routing-peers) for more information. + + ### Protocol-Specific Behavior Policy directionality also depends on the protocol selected: diff --git a/src/pages/manage/network-routes/index.mdx b/src/pages/manage/network-routes/index.mdx index 4e42cc0d..d58b8524 100644 
--- a/src/pages/manage/network-routes/index.mdx +++ b/src/pages/manage/network-routes/index.mdx @@ -33,6 +33,10 @@ A **network identifier** is a name for the network you want to route. A **range* A routing peer is a NetBird device that forwards traffic between the NetBird network and a private network. It must have network access to the resources you want to reach. + +A network route grants access to the network behind the routing peer, not to the routing peer machine itself. If you need to reach services running on the routing peer, create a separate peer-to-peer [access control policy](/manage/access-control) that targets the routing peer's group as the destination. + + ### Routing Group A routing group is a set of routing peers. Each peer in the group routes packets between your routed network and other NetBird peers. Using a routing group provides automatic high availability. diff --git a/src/pages/manage/networks/index.mdx b/src/pages/manage/networks/index.mdx index 046ed997..43a64f41 100644 --- a/src/pages/manage/networks/index.mdx +++ b/src/pages/manage/networks/index.mdx @@ -34,6 +34,10 @@ You can add multiple routing peers using individual peers or groups to ensure hi high-level-dia

+ +A network resource policy grants access to the network **behind** the routing peer, not to the routing peer machine itself. If you need to access services running on the routing peer (for example, Pi-hole, Home Assistant, or a monitoring dashboard), add the routing peer to a group and create a peer-to-peer [access control policy](/manage/access-control) with that group as the destination. + + ### Resources Resources are the machines, services, or subnets you want to access within your internal network. You can define resources as: diff --git a/src/pages/use-cases/security/implement-zero-trust.mdx b/src/pages/use-cases/security/implement-zero-trust.mdx index e3a9b72d..82be209e 100644 --- a/src/pages/use-cases/security/implement-zero-trust.mdx +++ b/src/pages/use-cases/security/implement-zero-trust.mdx @@ -521,7 +521,7 @@ NetBird Network access policies are unidirectional. They allow traffic from NetB If you need true bidirectional initiation between two endpoints, run NetBird on both machines and create an access policy that allows traffic in both directions. -If you need to access the routing peer itself, there must be an access policy explicitly allowing traffic. You may add the routing peer to a group of resources, or create an entirely new access policy. +If you need to access the routing peer itself (for example, to reach services like Pi-hole or a monitoring dashboard running on it), create a peer-to-peer access policy with the routing peer's group as the destination. See [Routing Peers](/manage/networks#routing-peers) for details. ### 5.3 DNS for routed networks
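Review bot: In the access-control hunk, the new paragraph tells the reader to use "the routing peer's group as the destination" but, unlike the networks hunk, never says that the routing peer must first be placed in a group; suggest aligning the wording with the networks page ("add the routing peer to a group and create a peer-to-peer policy with that group as the destination"). Please also confirm that `/manage/networks#routing-peers` resolves to an actual heading on the networks page, since the only heading visible in the networks hunk's context is `### Resources` and the anchor cannot be verified from this diff. Finally, the hunk adds two consecutive blank lines after the paragraph (the two trailing `+` lines before `### Protocol-Specific Behavior`); one blank line is enough, and the same double blank line appears in the network-routes and networks hunks.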
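Review bot: In the network-routes hunk, the new note says to create a peer-to-peer policy "that targets the routing peer's group as the destination" without saying what should appear as the source or how tightly to scope the rule. Because such a policy reaches every peer in the destination group, suggest adding a sentence recommending a dedicated group for the routing peer (rather than reusing a broad group) and scoping the policy to the protocol the service uses, consistent with the Protocol-Specific Behavior section on the access-control page that the note links to. For consistency with the other two hunks, consider also linking to the Routing Peers section of the networks page here.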
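Review bot: In the networks hunk, the new paragraph is inserted after the `high-level-dia...` diagram line and directly before `### Resources`, while the sentence it elaborates on ("You can add multiple routing peers using individual peers or groups...") sits above the diagram; suggest moving the paragraph up to follow that sentence so the caveat stays inside the routing-peers text that the other pages link to via `#routing-peers`, rather than reading as a caption for the diagram. This hunk's wording is the most complete of the three (it says to add the peer to a group first and gives Pi-hole, Home Assistant and a monitoring dashboard as examples), so it is the natural canonical text for the access-control and network-routes notes to mirror.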
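Review bot: In the implement-zero-trust hunk, the replacement sentence drops the alternative the old text offered ("You may add the routing peer to a group of resources, or create an entirely new access policy"), i.e. reusing an existing policy by adding the routing peer to an already-permitted group; if that option was removed deliberately because it blurs resource groups and peer groups, a short reason in the commit message would help, otherwise keep both options. Since this section is about policies being unidirectional, it would also be worth stating that a peer-to-peer policy to the routing peer's group, unlike a policy whose destination is a network resource (where the access-control hunk's context says the bidirectional toggle is disabled), can be made bidirectional, so readers can tell which policy type applies to which need. The `/manage/networks#routing-peers` anchor used here has the same verification concern as in the access-control hunk.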