Packet forwarding to private network

[emferrandi]

Describe the problem
I've deployed Netbird on a Debian 11 in self-hosted mode, and I'm able to route ICMP traffic but not HTTP/HTTPS requests.
My architecture consists of a Windows source station connected to Netbird, with Debian routing connected to Netbird, and a Debian destination not connected to Netbird.
All nodes are set up with the latest version 0.22.0.
However, I've added the ACL authorizing everything, at firewall level everything is authorized, and the routing is correct, given that the PING goes through.
If I run a TCPDUMP on the interface, I can see ICMP packets end-to-end, but not HTTP requests.

Expected behavior
Packet forward between a Netbird node to a private node

Additional context
After some talking in Slack, @mlsmaycon found the problem :
Message dated : 08/02/2023

table ip filter {
        chain FORWARD {
                type filter hook forward priority filter; policy drop;

Temporary resolution

sudo iptables -I FORWARD -s 100.73.0.0/16 -j ACCEPT
sudo iptables -I FORWARD -d 100.73.0.0/16 -j ACCEPT

[emferrandi]

After some research and diagnosis, the problem seems to be firewalld and the absence of certain rules.
For info, I run netbird with docker and behind haproxy. The routing don't go through haproxy, only public address.

To forwading packets to private network, you need :

1. On iptables, netbird have to add these rules :
   The range is the VPN subnet.

iptables -I FORWARD -s 100.73.0.0/16 -j ACCEPT
iptables -I FORWARD -d 100.73.0.0/16 -j ACCEPT

1. Moreover, when I start firewalld with my rules, traffic can no longer reach the destination range.
   With @mlsmaycon, we don't find why firewalld block traffic.
   Here you can see the iptables rules without firewalld and previous rules added. All (ping, HTTP, DNS ...) is working fine ;

table ip nat {
        chain POSTROUTING {
                type nat hook postrouting priority srcnat; policy accept;
                oifname != "br-7d7f4bd0c16d" ip saddr 172.18.0.0/16 counter packets 2 bytes 192 masquerade
                oifname != "docker0" ip saddr 172.17.0.0/16 counter packets 0 bytes 0 masquerade
                oifname != "br-d8612558e3df" ip saddr 172.28.0.0/16 counter packets 0 bytes 0 masquerade
                oifname != "br-fd189d178880" ip saddr 172.20.0.0/16 counter packets 0 bytes 0 masquerade
                meta l4proto tcp ip saddr 172.18.0.3 ip daddr 172.18.0.3 tcp dport 8080 counter packets 0 bytes 0 masquerade
                meta l4proto tcp ip saddr 172.18.0.4 ip daddr 172.18.0.4 tcp dport 10000 counter packets 0 bytes 0 masquerade
                meta l4proto tcp ip saddr 172.18.0.5 ip daddr 172.18.0.5 tcp dport 80 counter packets 0 bytes 0 masquerade
                meta l4proto tcp ip saddr 172.18.0.6 ip daddr 172.18.0.6 tcp dport 443 counter packets 0 bytes 0 masquerade
        }

        chain PREROUTING {
                type nat hook prerouting priority dstnat; policy accept;
                fib daddr type local counter packets 194 bytes 22411 jump DOCKER
        }

        chain OUTPUT {
                type nat hook output priority -100; policy accept;
                ip daddr != 127.0.0.0/8 fib daddr type local counter packets 6 bytes 352 jump DOCKER
        }

        chain DOCKER {
                iifname "br-7d7f4bd0c16d" counter packets 1 bytes 60 return
                iifname "docker0" counter packets 0 bytes 0 return
                iifname "br-d8612558e3df" counter packets 0 bytes 0 return
                iifname != "br-7d7f4bd0c16d" meta l4proto tcp ip daddr 127.0.0.1 tcp dport 8080 counter packets 0 bytes 0 dnat to 172.18.0.3:8080
                iifname != "br-7d7f4bd0c16d" meta l4proto tcp ip daddr IP_PUB tcp dport 10000 counter packets 2 bytes 120 dnat to 172.18.0.4:10000
                iifname != "br-7d7f4bd0c16d" meta l4proto tcp ip daddr 127.0.0.1 tcp dport 80 counter packets 0 bytes 0 dnat to 172.18.0.5:80
                iifname != "br-7d7f4bd0c16d" meta l4proto tcp tcp dport 33073 counter packets 5 bytes 284 dnat to 172.18.0.6:443
        }
}
table ip filter {
        chain FORWARD {
                type filter hook forward priority filter; policy drop;
                ip daddr 100.73.0.0/16 counter packets 21 bytes 4615 accept
                ip saddr 100.73.0.0/16 counter packets 29 bytes 2762 accept
                counter packets 1698 bytes 487102 jump DOCKER-USER
                counter packets 1698 bytes 487102 jump DOCKER-ISOLATION-STAGE-1
                oifname "br-7d7f4bd0c16d" ct state related,established counter packets 1095 bytes 374120 accept
                oifname "br-7d7f4bd0c16d" counter packets 323 bytes 53538 jump DOCKER
                iifname "br-7d7f4bd0c16d" oifname != "br-7d7f4bd0c16d" counter packets 272 bytes 58772 accept
                iifname "br-7d7f4bd0c16d" oifname "br-7d7f4bd0c16d" counter packets 317 bytes 53194 accept
                oifname "docker0" ct state related,established counter packets 0 bytes 0 accept
                oifname "docker0" counter packets 0 bytes 0 jump DOCKER
                iifname "docker0" oifname != "docker0" counter packets 0 bytes 0 accept
                iifname "docker0" oifname "docker0" counter packets 0 bytes 0 accept
                oifname "br-d8612558e3df" ct state related,established counter packets 0 bytes 0 accept
                oifname "br-d8612558e3df" counter packets 0 bytes 0 jump DOCKER
                iifname "br-d8612558e3df" oifname != "br-d8612558e3df" counter packets 0 bytes 0 accept
                iifname "br-d8612558e3df" oifname "br-d8612558e3df" counter packets 0 bytes 0 accept
        }

        chain INPUT {
                type filter hook input priority filter; policy accept;
        }

        chain OUTPUT {
                type filter hook output priority filter; policy accept;
        }

        chain DOCKER {
                iifname != "br-7d7f4bd0c16d" oifname "br-7d7f4bd0c16d" meta l4proto tcp ip daddr 172.18.0.3 tcp dport 8080 counter packets 0 bytes 0 accept
                iifname != "br-7d7f4bd0c16d" oifname "br-7d7f4bd0c16d" meta l4proto tcp ip daddr 172.18.0.4 tcp dport 10000 counter packets 1 bytes 60 accept
                iifname != "br-7d7f4bd0c16d" oifname "br-7d7f4bd0c16d" meta l4proto tcp ip daddr 172.18.0.5 tcp dport 80 counter packets 0 bytes 0 accept
                iifname != "br-7d7f4bd0c16d" oifname "br-7d7f4bd0c16d" meta l4proto tcp ip daddr 172.18.0.6 tcp dport 443 counter packets 5 bytes 284 accept
        }

        chain DOCKER-ISOLATION-STAGE-1 {
                iifname "br-7d7f4bd0c16d" oifname != "br-7d7f4bd0c16d" counter packets 272 bytes 58772 jump DOCKER-ISOLATION-STAGE-2
                iifname "docker0" oifname != "docker0" counter packets 0 bytes 0 jump DOCKER-ISOLATION-STAGE-2
                iifname "br-d8612558e3df" oifname != "br-d8612558e3df" counter packets 0 bytes 0 jump DOCKER-ISOLATION-STAGE-2
                counter packets 1698 bytes 487102 return
        }

        chain DOCKER-ISOLATION-STAGE-2 {
                oifname "br-7d7f4bd0c16d" counter packets 0 bytes 0 drop
                oifname "docker0" counter packets 0 bytes 0 drop
                oifname "br-d8612558e3df" counter packets 0 bytes 0 drop
                counter packets 272 bytes 58772 return
        }

        chain DOCKER-USER {
                counter packets 1698 bytes 487102 return
        }
}
table ip6 filter {
        chain FORWARD {
                type filter hook forward priority filter; policy accept;
        }
}
table ip6 nat {
        chain POSTROUTING {
                type nat hook postrouting priority srcnat; policy accept;
        }
}
table ip netbird-rt {
        chain netbird-rt-fwd {
                type filter hook forward priority -99; policy accept;
                ip saddr 10.0.0.0/8 ip daddr 100.73.0.0/16 counter packets 588 bytes 56600 accept
                ip saddr 100.73.0.0/16 ip daddr 10.0.0.0/8 counter packets 899 bytes 72320 accept
                ct state & (established | related) == 0x0 counter packets 472364 bytes 53989198 accept
        }

        chain netbird-rt-nat {
                type nat hook postrouting priority srcnat - 1; policy accept;
                ip saddr 10.0.0.0/8 ip daddr 100.73.0.0/16 counter packets 0 bytes 0 masquerade
                ip saddr 100.73.0.0/16 ip daddr 10.0.0.0/8 counter packets 16 bytes 1272 masquerade
        }
}
table ip6 netbird-rt {
        chain netbird-rt-fwd {
                type filter hook forward priority -99; policy accept;
                ct state & (established | related) == 0x0 counter packets 0 bytes 0 accept
        }

        chain netbird-rt-nat {
                type nat hook postrouting priority srcnat - 1; policy accept;
        }
}
table ip netbird-acl {
        set nb0000001 {
                type ipv4_addr
                flags dynamic
                elements = { 0.0.0.0 }
        }

        set nb0000002 {
                type ipv4_addr
                flags dynamic
                elements = { 0.0.0.0 }
        }

        chain netbird-acl-input-filter {
                type filter hook input priority filter; policy accept;
                iifname "wt0" accept
                iifname "wt0" ip saddr != 100.73.0.0/16 accept
                iifname "wt0" drop
        }

        chain netbird-acl-output-filter {
                type filter hook output priority filter; policy accept;
                oifname "wt0" accept
                oifname "wt0" ip daddr != 100.73.0.0/16 accept
                oifname "wt0" drop
        }
}

[nazarewk]

@emferrandi can you confirm this is still an issue on latest versions?

I am leaving it open for now in case it has not been resolved yet.