sendnrw/netbird-docs
2
0
Fork 0
mirror of https://github.com/netbirdio/docs.git synced 2026-04-16 15:36:36 +00:00
Code Issues Packages Projects Releases Wiki Activity

Document managing access to routing peer in networks guide (#689)

Browse Source
This commit is contained in:
Maycon Santos
2026-04-08 16:20:45 +02:00
committed by GitHub
parent bd26193053
commit a8b7150ec4
1 changed files with 15 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
src/pages/manage/networks/index.mdx
View File

@@ -128,6 +128,21 @@ Example policy allowing the `Berlin Office` group to access the internal CRM sys
Policies for domain or wildcard domain resources may unintentionally affect peers with IP range resources, since IP ranges can match any address. We recommend using dedicated networks and routing peers for domain-based resources to prevent unwanted access. A fix for this behavior is planned for an upcoming release.
</Note>
## Manage Access to Routing Peer
A network resource policy grants access to the network **behind** the routing peer — traffic that is forwarded through the peer to reach backend resources. However, firewall rules for routed traffic are processed in the **forward chain**, not the **input chain**. This follows the same pattern as Linux Netfilter (iptables/nftables), where packets destined for the host itself traverse the input chain, while packets being routed to another destination traverse the forward chain. This means that a network resource policy alone does **not** grant access to services running directly on the routing peer itself.
If you need to reach services hosted on the routing peer machine (for example, Pi-hole, Home Assistant, a monitoring dashboard, or any locally bound service), you must create a separate [access control policy](/manage/access-control) with:
- **Source**: the group containing the peers and users that need access
- **Destination**: a group that includes the routing peer
This additional policy ensures that the routing peer's input chain allows inbound connections from your NetBird peers. Without it, traffic destined for the routing peer's own IP will be dropped even if there is a valid network resource policy for the subnet behind it.
<Note>
This is a common pitfall when the routing peer also runs local services. Remember: network resource policies control forwarded traffic (forward chain), while peer-to-peer access control policies control traffic to the peer itself (input chain). You need both if you want to access the routing peer **and** the resources behind it.
</Note>
## Enable DNS Wildcard Routing
To use wildcard domains as resources, you must enable DNS wildcard routing. This setting changes how domains are resolved: instead of the client resolving domains locally, the routing peer performs DNS resolution.