Document that routing peers require a separate policy for direct access (#611)

Users commonly run services (Pi-hole, Home Assistant, monitoring) on
routing peer machines but have no guidance that a network resource policy
only grants access to the network behind the peer, not the peer itself.
Add notes to Networks, Network Routes, Access Control, and the Zero
Trust guide clarifying that a peer-to-peer access policy is needed.

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Jack Carter
2026-02-17 19:00:11 +01:00
committed by GitHub
parent bca8559980
commit 6ead42305a
4 changed files with 13 additions and 1 deletions

@@ -282,6 +282,10 @@ Think of it this way:
**UI Behavior:** When creating a policy where the destination is a network resource, the bidirectional toggle will either be disabled or attempting to enable it will have no effect, because bidirectional communication is not possible in this scenario.
<Note>
Policies to network resources control access to the network behind the routing peer, not the routing peer itself. To access services running on the routing peer, create a separate peer-to-peer policy with the routing peer's group as the destination. See [Routing Peers](/manage/networks#routing-peers) for more information.
</Note>
### Protocol-Specific Behavior
Policy directionality also depends on the protocol selected:
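
Review bot: The added Note tells readers to use "the routing peer's group as the destination" but never says the routing peer has to be placed in a group first, which the Networks note in this same commit does spell out ("add the routing peer to a group"). Suggest reusing that wording here. Since the next section on this page covers protocol selection, the Note could also recommend limiting the new peer-to-peer policy to the protocol the service on the routing peer actually needs, so the fix for "I can't reach my service" does not become an allow-all rule to the routing peer.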

@@ -33,6 +33,10 @@ A **network identifier** is a name for the network you want to route. A **range*
A routing peer is a NetBird device that forwards traffic between the NetBird network and a private network. It must have network access to the resources you want to reach.
<Note>
A network route grants access to the network behind the routing peer, not to the routing peer machine itself. If you need to reach services running on the routing peer, create a separate peer-to-peer [access control policy](/manage/access-control) that targets the routing peer's group as the destination.
</Note>
### Routing Group
A routing group is a set of routing peers. Each peer in the group routes packets between your routed network and other NetBird peers. Using a routing group provides automatic high availability.
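
Review bot: "the routing peer's group" in the added Note sits directly above the "### Routing Group" definition, so a reader will likely take it to mean the routing group (the set of routing peers used for high availability) rather than a group used as a policy destination. Suggest stating explicitly which is meant, for example "a group that contains the routing peer", and saying whether the routing group itself can be used as that destination. The link also goes to the top of /manage/access-control, while the other notes in this commit deep-link to a section; pointing at the section that carries the matching Note would be more useful.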

@@ -34,6 +34,10 @@ You can add multiple routing peers using individual peers or groups to ensure hi
<img src="/docs-static/img/manage/networks/index/add-routing-peer-1.png" alt="high-level-dia" className="imagewrapper"/>
</p>
<Note>
A network resource policy grants access to the network **behind** the routing peer, not to the routing peer machine itself. If you need to access services running on the routing peer (for example, Pi-hole, Home Assistant, or a monitoring dashboard), add the routing peer to a group and create a peer-to-peer [access control policy](/manage/access-control) with that group as the destination.
</Note>
### Resources
Resources are the machines, services, or subnets you want to access within your internal network. You can define resources as:
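
Review bot: Two other notes in this commit link to /manage/networks#routing-peers for details, but the Note they are pointing at is placed at the very end of that section, after the add-routing-peer image and just before "### Resources". A reader who follows the anchor lands on the heading and has to scroll past the screenshot to find it; consider moving the Note up, directly after the section's introductory text. The heading that produces the #routing-peers anchor is not visible in this hunk, so please confirm the anchor resolves on the rendered page.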

@@ -521,7 +521,7 @@ NetBird Network access policies are unidirectional. They allow traffic from NetB
If you need true bidirectional initiation between two endpoints, run NetBird on both machines and create an access policy that allows traffic in both directions.
<Note>
If you need to access the routing peer itself, there must be an access policy explicitly allowing traffic. You may add the routing peer to a group of resources, or create an entirely new access policy.
If you need to access the routing peer itself (for example, to reach services like Pi-hole or a monitoring dashboard running on it), create a peer-to-peer access policy with the routing peer's group as the destination. See [Routing Peers](/manage/networks#routing-peers) for details.
</Note>
### 5.3 DNS for routed networks
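
Review bot: The replaced sentence in this Note offered two options ("You may add the routing peer to a group of resources, or create an entirely new access policy"), and the new text keeps only the peer-to-peer policy. If adding the routing peer to a group of resources never granted access to the peer itself, the commit message should say the old guidance was wrong, since readers may have configured policies based on it; if it does still work, dropping it is a silent behavior claim that needs justification. The new sentence also omits the statement from the old one that traffic must be explicitly allowed; keeping that half ("there must be an access policy explicitly allowing traffic") preserves the default-deny point this Zero Trust guide is making.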