Unexpected behavior with exit node access and policies #3812

Open
@PatrLind

The behavior when trying to assign access to one or more exit nodes seems inconsistent and doesn't behave the way I would expect.

It's a bit difficult to explain, since I'm not 100% sure what the correct setup would be and also if this is a bug or not.
My setup and what I want to achieve:
I have 5 exit nodes, and I expect to either be able to add a policy on who can access the exit nodes and from what network/office/home.
For example, one peer is a server used for backups that can also be used as an exit node. In order for this server to access other backup servers I added it to the "backup-servers" group. This is the destination group that I want to use in access rules. I then added a group called "backup-admin" and created an access policy: backup-admin --> backup-servers TCP 8007 + posture check.
Unexpectedly, my local client peer that has been assigned to the backup-admin group also got access to the server peer as an exit node. My local peer is assigned to one of the distribution groups, but this didn't do anything on its own.
The way I would assume access would be permitted to an exit node is if the client peer is a member of a group that is assigned as a distribution group and/or access control group. This does seem to be the case, but not by itself; there also needs to be some kind of (unrelated) access control policy.

In one location I have two exit nodes. I was hoping that I could add a posture check to limit access to the exit nodes if the peers were connecting from the LAN IP subnet, but no amount of manipulating ACLs has made it possible to remove the exit nodes from those peers.

Self-host NetBird's control plane, NetBird client 0.43.3
