Disabling Masquerading not working #2751

ndziuba opened this issue Oct 17, 2024 · 0 comments

Describe the problem

I run a node with multiple advertised routes that were masqueraded using iptables with a client installed on Rocky 8.
Setting up routing back into Netbird for the 100.24.0.0 addresses works as expected, as far as being able to ping Netbird clients from non-Netbird clients.

This is not always true for Netbird clients: we can ping through the node with iptables, but everything else, like ssh or http, is not working and stops at the routing node. Using nftables results in not being able to ping altogether.
I reproduced this for Debian and a Docker client.

To Reproduce

Steps to reproduce the behavior:

  1. Set a route for a node to advertise a subnet
  2. Disable masquerading (it's important to have no exit node on this node, as this enables masquerading for all routes on this node, even when disabled)
  3. Testing ping should not work
  4. Enable iptables with echo 'NB_SKIP_NFTABLES_CHECK=true' | sudo tee -a /etc/sysconfig/netbird and restarting netbird
  5. Ping should now work but nothing else

We can see from iptables that currently no route advertises masquerading

iptables -t nat -S

-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P POSTROUTING ACCEPT
-P OUTPUT ACCEPT
-N NETBIRD-RT-NAT
-A POSTROUTING -j NETBIRD-RT-NAT

And ping is working but no ssh or http

ping 10.1.0.1

Ping wird ausgeführt für 10.1.0.1 mit 32 Bytes Daten:
Antwort von 10.1.0.1: Bytes=32 Zeit=38ms TTL=63

For ease of configuring masquerading, I enable an exit node route, which results in the following output

iptables -t nat -S

-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P POSTROUTING ACCEPT
-P OUTPUT ACCEPT
-N NETBIRD-RT-NAT
-A POSTROUTING -j NETBIRD-RT-NAT
-A NETBIRD-RT-NAT -i wt0 -j MASQUERADE
-A NETBIRD-RT-NAT -o wt0 -j MASQUERADE

This fixes the issues, as we are able to connect to the network clients again.

Are you using NetBird Cloud?

Self-hosted NetBird

NetBird version

0.30.1
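
A way to tell the two rule-set states in this report apart, as an added example that is not part of the original issue or of NetBird's code. The function name `nb_nat_state` and its state labels are hypothetical; the sample listings are the two `iptables -t nat -S` outputs quoted above, and only the iptables backend's output format is assumed.

```shell
#!/bin/sh
# Classify the NAT state of a routing peer from `iptables -t nat -S` output.
# Reads the listing on stdin and prints one of:
#   no-chain           NETBIRD-RT-NAT is not defined
#   unhooked           chain exists but POSTROUTING never jumps to it
#   no-masquerade      chain is hooked but holds no MASQUERADE rule
#   masquerade:<list>  interface matches of each MASQUERADE rule
# nb_nat_state is a hypothetical helper name, not a NetBird command.
nb_nat_state() {
    awk -v chain="NETBIRD-RT-NAT" '
        $1 == "-N" && $2 == chain { defined = 1 }
        $1 == "-A" && $2 == "POSTROUTING" {
            for (i = 3; i < NF; i++)
                if ($i == "-j" && $(i + 1) == chain) hooked = 1
        }
        $1 == "-A" && $2 == chain {
            masq = 0; ifmatch = "any"
            for (i = 3; i < NF; i++) {
                if ($i == "-j" && $(i + 1) == "MASQUERADE") masq = 1
                if ($i == "-i") ifmatch = "in=" $(i + 1)
                if ($i == "-o") ifmatch = "out=" $(i + 1)
            }
            if (masq) list = (list == "" ? "" : list ",") ifmatch
        }
        END {
            if (!defined)        print "no-chain"
            else if (!hooked)    print "unhooked"
            else if (list == "") print "no-masquerade"
            else                 print "masquerade:" list
        }'
}

# Listing from the issue with masquerading disabled.
listing_disabled() {
    printf '%s\n' '-P PREROUTING ACCEPT' '-P INPUT ACCEPT' \
        '-P POSTROUTING ACCEPT' '-P OUTPUT ACCEPT' \
        '-N NETBIRD-RT-NAT' '-A POSTROUTING -j NETBIRD-RT-NAT'
}

# Listing from the issue after the exit node route was enabled.
listing_exit_node() {
    listing_disabled
    printf '%s\n' '-A NETBIRD-RT-NAT -i wt0 -j MASQUERADE' \
        '-A NETBIRD-RT-NAT -o wt0 -j MASQUERADE'
}

echo "masquerading disabled: $(listing_disabled | nb_nat_state)"
echo "exit node enabled:     $(listing_exit_node | nb_nat_state)"
```

On a routing peer, the live rule set can be piped in with `iptables -t nat -S | nb_nat_state`.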
