Netbird connectivity on relay

Hi, I'm having the following issue: All peers can connect just fine, but anyone using relay peer cannot connect to ONE of the wired peers.

So I have 4 machines:
1 - netbird host
2 - mobile phone (set to force relay mode, when I am in the home wlan with p2p I get no issues, on mobile internet it always uses relay)
3 - local machine NOT working
4 - local machine

From the mobile phone, I can run ping machine4 and it works, but not machine 3, when I am using relay. DNS resolve works fine, but I just get a timeout, so I assume packets are being dropped. I also have a tailscale connected, on BOTH machines and it works just fine on 4. Machine3 does have a few dockers running.

wg show on machine 4 (working)
peer: dDzBQI8XXycVO6K8imqMzRIjgnUpdR0NQjMb+68pJTc=
endpoint: 127.0.0.1:2
allowed ips: 10.101.16.217/32
latest handshake: Thu, 02 Oct 2025 16:54:49 CEST
transfer: 1756 B received, 1844 B sent
and on machine 3
peer: dDzBQI8XXycVO6K8imqMzRIjgnUpdR0NQjMb+68pJTc=
endpoint: 192.168.178.33:68 <- this ip is the LAN ip of machine3
allowed ips: 10.101.16.217/32
transfer: 53.19 KiB received, 36.24 KiB sent
persistent keepalive: every 25 seconds
tcpdump shows packets entering enp5s0 on ping
176.9.1.30.33080 > 192.168.178.33.53382: Flags [P.], cksum 0xe6d0 (correct), seq 4180665627:4180665839, ack 1474639125, win 501, options [nop,nop,TS val 2634477326 ecr 1456874150], length 212
17:25:48.328778 IP (tos 0x0, ttl 64, id 8606, offset 0, flags [DF], proto TCP (6), length 52)
192.168.178.33.53382 > 176.9.1.30.33080: Flags [.], cksum 0x2418 (incorrect -> 0x72d7), seq 1, ack 212, win 3163, options [nop,nop,TS val 1456878292 ecr 2634477326], length 0
but nothing ever shows up on wt0. When I use p2p, stuff gets forwarded just fine to wt0. I recently got rid of ALL iptable settings and had docker create new ones and it still doesn't work. I'm at my wits' end.
Wookimonsta (OP), 3w ago:
Ah, before I forget:

<redacted>.netbird.selfhosted:
NetBird IP: 10.101.16.217
Public key: dDzBQI8XXycVO6K8imqMzRIjgnUpdR0NQjMb+68pJTc=
Status: Connected
-- detail --
Connection type: Relayed
ICE candidate (Local/Remote): -/-
ICE candidate endpoints (Local/Remote): -/-
Relay server address: rels://netbird.gregorians.net:33080
Last connection update: Now
Last WireGuard handshake: -
Transfer status (received/sent) 1.7 KiB/1.2 KiB
Quantum resistance: false
Networks: -
Latency: 0s

so it IS connected and it IS set as relayed, but nothing arrives

so I ran some more tcpdumps, packets definitely arrive from the relay server to the local ethernet, but it never arrives on wt0

When going through the logs, it did complain about ipset:

2025-10-03T17:12:53+02:00 INFO client/internal/debug/debug_linux.go:126: Collecting firewall rules
2025-10-03T17:12:53+02:00 WARN client/internal/debug/debug_linux.go:169: Failed to collect ipset information: ipset command not found: exec: "ipset": executable file not found in $PATH

I installed ipset, but that doesn't seem to have helped

Okay, I am completely lost. I backed up my iptables. Flushed all iptables and restarted docker, which recreated iptables. Now it works just fine. I compared the files, the new and old iptables are identical... but somehow it works?
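An added example, not part of the original post: a small Python script that parses the two wg show dumps quoted above and lists the fields on which the working and the failing host disagree for the same peer. The dumps are embedded as constructed sample input trimmed from the post, and the function names are illustrative.

```python
# Constructed sample input: trimmed copies of the two `wg show` dumps in the post.
PEER = "dDzBQI8XXycVO6K8imqMzRIjgnUpdR0NQjMb+68pJTc="
WORKING = f"""\
peer: {PEER}
  endpoint: 127.0.0.1:2
  allowed ips: 10.101.16.217/32
  latest handshake: Thu, 02 Oct 2025 16:54:49 CEST
  transfer: 1756 B received, 1844 B sent
"""
FAILING = f"""\
peer: {PEER}
  endpoint: 192.168.178.33:68
  allowed ips: 10.101.16.217/32
  transfer: 53.19 KiB received, 36.24 KiB sent
  persistent keepalive: every 25 seconds
"""

def parse_wg_show(text):
    """Return {public_key: {field: value}} from `wg show` text output."""
    peers, current = {}, None
    for line in text.splitlines():
        key, sep, value = line.strip().partition(": ")
        if not sep:
            continue  # blank line or a line without "field: value"
        if key == "peer":
            current = peers.setdefault(value, {})
        elif current is not None:  # skips the leading "interface:" section
            current[key] = value.strip()
    return peers

def diff_peers(good, bad, fields=("endpoint", "latest handshake")):
    """List (peer, field, good_value, bad_value) where the two hosts disagree."""
    findings = []
    for pub, g in good.items():
        b = bad.get(pub)
        if b is None:
            findings.append((pub, "peer", "present", None))
            continue
        for field in fields:
            if g.get(field) != b.get(field):
                findings.append((pub, field, g.get(field), b.get(field)))
    return findings

if __name__ == "__main__":
    result = diff_peers(parse_wg_show(WORKING), parse_wg_show(FAILING))
    for pub, field, g, b in result:
        print(f"{pub[:8]}... {field}: working={g!r} failing={b!r}")
```

A value of None on the failing side means the field was absent from that dump, as with the latest handshake line on machine 3.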
