Can ping all addresses in CIDR block

Describe the problem

I’ve created a resource 10.82.4.0/24 for a remote network sitting behind an OPNsense firewall, and I was checking to see if an IP in that block was currently in use, when I realized that all IPs are replying. Tested from two different clients (Win/Mac).

To Reproduce

Steps to reproduce the behavior:

  1. Go to Command Prompt/Terminal
  2. Ping any address within the network block
  3. See output

$ ping 10.82.4.6
PING 10.82.4.6 (10.82.4.6): 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1
Request timeout for icmp_seq 2
Request timeout for icmp_seq 3
Request timeout for icmp_seq 4
64 bytes from 10.82.4.6: icmp_seq=0 ttl=64 time=5048.990 ms
Request timeout for icmp_seq 6
Request timeout for icmp_seq 7
Request timeout for icmp_seq 8
Request timeout for icmp_seq 9
64 bytes from 10.82.4.6: icmp_seq=1 ttl=64 time=9082.407 ms
Request timeout for icmp_seq 11
Request timeout for icmp_seq 12
Request timeout for icmp_seq 13
Request timeout for icmp_seq 14
64 bytes from 10.82.4.6: icmp_seq=2 ttl=64 time=13089.336 ms
Request timeout for icmp_seq 16
Request timeout for icmp_seq 17
Request timeout for icmp_seq 18
Request timeout for icmp_seq 19
64 bytes from 10.82.4.6: icmp_seq=3 ttl=64 time=17096.447 ms
Request timeout for icmp_seq 21
Request timeout for icmp_seq 22
Request timeout for icmp_seq 23
Request timeout for icmp_seq 24
64 bytes from 10.82.4.6: icmp_seq=4 ttl=64 time=21096.514 ms
64 bytes from 10.82.4.6: icmp_seq=5 ttl=64 time=20093.983 ms
64 bytes from 10.82.4.6: icmp_seq=6 ttl=64 time=19099.429 ms
64 bytes from 10.82.4.6: icmp_seq=7 ttl=64 time=18095.092 ms
64 bytes from 10.82.4.6: icmp_seq=8 ttl=64 time=17090.037 ms
64 bytes from 10.82.4.6: icmp_seq=9 ttl=64 time=16084.702 ms
64 bytes from 10.82.4.6: icmp_seq=10 ttl=64 time=15081.961 ms
64 bytes from 10.82.4.6: icmp_seq=11 ttl=64 time=14077.384 ms
64 bytes from 10.82.4.6: icmp_seq=12 ttl=64 time=13076.345 ms
64 bytes from 10.82.4.6: icmp_seq=13 ttl=64 time=12071.886 ms
64 bytes from 10.82.4.6: icmp_seq=14 ttl=64 time=11066.650 ms
64 bytes from 10.82.4.6: icmp_seq=15 ttl=64 time=10064.457 ms
64 bytes from 10.82.4.6: icmp_seq=16 ttl=64 time=9059.240 ms
64 bytes from 10.82.4.6: icmp_seq=17 ttl=64 time=8054.400 ms
64 bytes from 10.82.4.6: icmp_seq=18 ttl=64 time=7049.042 ms
64 bytes from 10.82.4.6: icmp_seq=19 ttl=64 time=6047.654 ms
64 bytes from 10.82.4.6: icmp_seq=20 ttl=64 time=5045.870 ms
64 bytes from 10.82.4.6: icmp_seq=21 ttl=64 time=4040.569 ms
64 bytes from 10.82.4.6: icmp_seq=22 ttl=64 time=3038.799 ms
64 bytes from 10.82.4.6: icmp_seq=23 ttl=64 time=2034.966 ms
64 bytes from 10.82.4.6: icmp_seq=24 ttl=64 time=1029.736 ms
64 bytes from 10.82.4.6: icmp_seq=25 ttl=64 time=45.700 ms
64 bytes from 10.82.4.6: icmp_seq=26 ttl=64 time=22.710 ms
64 bytes from 10.82.4.6: icmp_seq=27 ttl=64 time=26.229 ms

When pinging an active IP, the device replies immediately.

$ ping 10.82.4.2
PING 10.82.4.2 (10.82.4.2): 56 data bytes
64 bytes from 10.82.4.2: icmp_seq=0 ttl=64 time=26.997 ms
64 bytes from 10.82.4.2: icmp_seq=1 ttl=64 time=25.828 ms
64 bytes from 10.82.4.2: icmp_seq=2 ttl=64 time=24.639 ms
64 bytes from 10.82.4.2: icmp_seq=3 ttl=64 time=31.134 ms
64 bytes from 10.82.4.2: icmp_seq=4 ttl=64 time=25.853 ms

Expected behavior

I expect only the firewall and one other device in the network to reply to ping.

Are you using NetBird Cloud?

Self-hosted.

NetBird version

Tested on Windows and MacOS client. Routing peer is OPNsense.

OPNsense 25.7.9-amd64

Daemon version: 0.59.8
CLI version: 0.59.8

Windows 11

OS: windows/amd64
Daemon version: 0.60.7
CLI version: 0.60.7

MacOS

OS: darwin/arm64
Daemon version: 0.60.7
CLI version: 0.60.7

Is any other VPN software installed?

OpenVPN client is installed on OPNsense firewall, but I’ve tested it while connected and disconnected. No change. No other VPN client on clients.

Debug output

To help us resolve the problem, please attach the following anonymized status output

netbird status -dA

$ netbird status -dA
Peers detail:
 fw-clc.nb.anon-LxI9t.domain:
  NetBird IP: 10.15.1.92
  Public key: DJ+F7zb1D99p3iTgQUDisFrf8uC5uHHgnCKg88h3rhw=
  Status: Idle
  -- detail --
  Connection type: -
  ICE candidate (Local/Remote): -/-
  ICE candidate endpoints (Local/Remote): -/-
  Relay server address:
  Last connection update: -
  Last WireGuard handshake: -
  Transfer status (received/sent) 0 B/0 B
  Quantum resistance: false
  Networks: 10.34.0.1/32, 10.34.4.0/24, 10.34.5.0/24
  Latency: 0s

 fw-02-1-134.nb.anon-LxI9t.domain:
  NetBird IP: 10.15.1.134
  Public key: r0QSP2I0hLi9TD3GNcNhpevWjZG78f2WTjVzyS8pkTo=
  Status: Idle
  -- detail --
  Connection type: -
  ICE candidate (Local/Remote): -/-
  ICE candidate endpoints (Local/Remote): -/-
  Relay server address:
  Last connection update: -
  Last WireGuard handshake: -
  Transfer status (received/sent) 0 B/0 B
  Quantum resistance: false
  Networks: -
  Latency: 0s

 fw-01.nb.anon-LxI9t.domain:
  NetBird IP: 10.15.1.164
  Public key: ZwqRfsjxso1NydcKg7S2sFfM2rLJc5CG+v6LZe2yyz4=
  Status: Idle
  -- detail --
  Connection type: -
  ICE candidate (Local/Remote): -/-
  ICE candidate endpoints (Local/Remote): -/-
  Relay server address:
  Last connection update: -
  Last WireGuard handshake: -
  Transfer status (received/sent) 0 B/0 B
  Quantum resistance: false
  Networks: 10.25.0.1/32, 10.25.1.0/24, 10.25.2.0/24, 10.25.3.0/24, 10.25.4.0/24, 10.25.5.0/24, 10.27.0.1/32, 10.27.1.0/24, 10.27.2.0/24, 10.27.4.0/24, 10.27.5.0/24, 10.33.0.1/32, 10.33.1.0/24, 10.33.2.0/24, 10.33.3.0/24, 10.33.3.5/32, 10.33.4.0/24, 10.33.5.0/24
  Latency: 0s

 fw-01-1-217.nb.anon-LxI9t.domain:
  NetBird IP: 10.15.1.217
  Public key: eClQGCQMGtPDkW0Jj/LZLYDKSAmCSu2h9sSj/KhFchM=
  Status: Connected
  -- detail --
  Connection type: P2P
  ICE candidate (Local/Remote): host/host
  ICE candidate endpoints (Local/Remote): 192.168.8.107:53403/198.51.100.0:51820
  Relay server address: rel://netbird.anon-LxI9t.domain:33080
  Last connection update: 23 minutes, 58 seconds ago
  Last WireGuard handshake: 1 minute, 49 seconds ago
  Transfer status (received/sent) 50.0 KiB/30.1 KiB
  Quantum resistance: false
  Networks: 10.19.0.1/32, 10.19.1.0/24, 10.19.2.0/24, 10.19.4.0/24, 10.19.5.0/24, 10.20.0.0/28, 10.20.0.4/32, 10.20.0.5/32, 10.20.0.6/32, 10.20.1.0/24, 10.20.1.198/32, 10.20.14.0/24, 10.20.15.0/24, 10.20.16.0/24, 10.20.2.0/24, 10.20.3.0/24, 10.20.3.2/32, 10.20.3.34/32, 10.20.4.0/24, 10.20.5.0/24, 10.20.8.0/24, 10.21.0.1/32, 10.21.1.0/24, 10.21.2.0/24, 10.21.3.0/24, 10.21.4.0/24, 10.21.5.0/24, 10.22.1.0/24, 10.22.2.0/24, 10.22.4.0/24, 10.22.5.0/24, 10.23.0.1/32, 10.23.1.0/24, 10.23.2.0/24, 10.23.3.0/24, 10.23.4.0/24, 10.23.5.0/24, brick.anon-WPMFg.domain, creemore.anon-WPMFg.domain, epad.md.bonnyville.anon-Mm4oy.domain, lakeland.anon-WPMFg.domain, nas-sr-r1u30.mo.anon-LxI9t.domain, nwt.anon-WPMFg.domain, partake.anon-WPMFg.domain, postmark.anon-WPMFg.domain, propeller.anon-WPMFg.domain
  Latency: 17.79775ms

 fw-1-242.nb.anon-LxI9t.domain:
  NetBird IP: 10.15.1.242
  Public key: jeG8b0PMtAU+K6eWQlVMd0Z9pXeE+0cobESi+da5nns=
  Status: Connected
  -- detail --
  Connection type: P2P
  ICE candidate (Local/Remote): srflx/host
  ICE candidate endpoints (Local/Remote): 198.51.100.1:53403/198.51.100.2:51820
  Relay server address: rel://netbird.anon-LxI9t.domain:33080
  Last connection update: 23 minutes, 57 seconds ago
  Last WireGuard handshake: 1 minute, 11 seconds ago
  Transfer status (received/sent) 2.6 MiB/344.6 KiB
  Quantum resistance: false
  Networks: 10.82.0.1/32, 10.82.4.0/24
  Latency: 22.416958ms

Events:
  [WARNING] DNS (4a3a40a7-0b87-42c9-9465-619b36d70c88)
    Message: All upstream servers failed (probe failed)
    Time: 24 minutes, 45 seconds ago
    Metadata: upstreams: 10.20.3.2:53, 10.20.3.34:53
  [INFO] SYSTEM (51b9c390-036f-4767-9652-972e30bf8293)
    Message: Network map updated
    Time: 24 minutes, 45 seconds ago
  [WARNING] DNS (9fb33e6b-c355-4f10-9166-7bc1995d863d)
    Message: All upstream servers failed (probe failed)
    Time: 23 minutes, 59 seconds ago
    Metadata: upstreams: 10.20.3.2:53, 10.20.3.34:53
  [WARNING] DNS (2352d301-c97e-4a9f-a0e2-6f2727ddc6ee)
    Message: All upstream servers failed (probe failed)
    Time: 23 minutes, 59 seconds ago
    Metadata: upstreams: 10.20.3.2:53, 10.20.3.34:53
  [WARNING] DNS (530c79bf-9f15-43b3-9c4a-2135f4c607db)
    Message: All upstream servers failed (probe failed)
    Time: 23 minutes, 58 seconds ago
    Metadata: upstreams: 10.20.3.2:53, 10.20.3.34:53
  [WARNING] DNS (ed1bdfff-96d8-4e65-a924-5056d524dd37)
    Message: All upstream servers failed (probe failed)
    Time: 23 minutes, 58 seconds ago
    Metadata: upstreams: 10.20.3.2:53, 10.20.3.34:53
  [WARNING] DNS (aa358ce7-1a35-4106-91de-be652929feaa)
    Message: All upstream servers failed (probe failed)
    Time: 23 minutes, 58 seconds ago
    Metadata: upstreams: 10.20.3.2:53, 10.20.3.34:53
  [INFO] SYSTEM (28cc3b65-3bc5-4acc-8e1c-9a8faa67d684)
    Message: Network map updated
    Time: 23 minutes, 58 seconds ago
  [INFO] SYSTEM (9fe6df97-825f-44ed-957a-c45007f4a15e)
    Message: Network map updated
    Time: 10 minutes, 31 seconds ago
  [INFO] SYSTEM (7dc5d707-7f4c-4810-a5b1-1634e09f32f5)
    Message: Network map updated
    Time: 10 minutes, 27 seconds ago
OS: darwin/arm64
Daemon version: 0.60.7
CLI version: 0.60.7
Profile: MDofBonnyville
Management: Connected to https://netbird.anon-LxI9t.domain:33073
Signal: Connected to http://netbird.anon-LxI9t.domain:10000
Relays:
  [stun:netbird.anon-LxI9t.domain:3478] is Available
  [turn:netbird.anon-LxI9t.domain:3478?transport=udp] is Available
  [rel://netbird.anon-LxI9t.domain:33080] is Available
Nameservers:
  [10.20.3.2:53, 10.20.3.34:53] for [md.bonnyville.anon-Mm4oy.domain, anon-LxI9t.domain, anon-WPMFg.domain, anon-9nLrc.domain, anon-tZvzD.domain] is Available
FQDN: als-mbp.nb.anon-LxI9t.domain
NetBird IP: 10.15.1.113/24
Interface type: Userspace
Quantum resistance: false
Lazy connection: true
SSH Server: Disabled
Networks: -
Forwarding rules: 0
Peers count: 2/5 Connected

Create and upload a debug bundle, and share the returned file key:

netbird debug for 1m -AS -U

Uploaded files are automatically deleted after 30 days.

Alternatively, create the file only and attach it here manually:

netbird debug for 1m -AS

I ran the command on the routing peer, but can’t seem to upload it here as it only allows images…

Additional context

Partial ARP table of IPs in the same block (obfuscated). Ran on routing peer I’m trying to reach (OPNsense)

? (10.82.4.247) at XX:50:c2:XX:90:15 on bridge0 expires in 1186 seconds [bridge]
? (10.82.4.1) at XX:9c:fc:XX:d2:3c on bridge0 permanent [bridge]
? (10.82.4.2) at XX:1b:f8:XX:8e:a6 on bridge0 expires in 812 seconds [bridge]

Have you tried these troubleshooting steps?

  • Reviewed client troubleshooting (if applicable)
  • Checked for newer NetBird versions
  • Searched for similar issues on GitHub (including closed ones)
  • Restarted the NetBird client
  • Disabled other VPN software
  • Checked firewall settings

Yeah, weird. I just started using Netbird, looking to move from tailscale. Added my home /24, exiting out a macbook for testing, and every single address in the /24 is pingable even though nothing exists at those addresses. Not a fan of this.

This could just be my own confusion, but isn’t Netbird dependent on being able to masquerade the connection for machines that do not have netbird behind them? If you look in the firewall logs, does it display any ICMP logs to attempted locations?

My best guess here is that you are pinging the netbird agent no matter what IP you put in there. I could also be wrong, as it’s just a guess here. Since it has to go through the agent anyway to get into the subnet.

This is a bug in the netstack lib that generates (duplicate) replies. Will be fixed as part of netbirdio/netbird Pull Request #4792, "[client] Add non-root ICMP support to userspace firewall forwarder" by lixmal.
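An added example, not part of the thread or of NetBird's code: until the fix lands, an echo reply routed through the peer is not proof that an address is in use, so this sketch cross-checks ping replies against the routing peer's ARP table in the format posted above. The sample data is constructed from lines in the post; the "(incomplete)" ARP entry, the function names and the 1000 ms threshold are assumptions.

```python
import re

# Constructed sample: reply lines in the format of the ping output above.
PING_SAMPLE = """\
PING 10.82.4.6 (10.82.4.6): 56 data bytes
64 bytes from 10.82.4.6: icmp_seq=0 ttl=64 time=5048.990 ms
64 bytes from 10.82.4.6: icmp_seq=26 ttl=64 time=22.710 ms
PING 10.82.4.2 (10.82.4.2): 56 data bytes
64 bytes from 10.82.4.2: icmp_seq=0 ttl=64 time=26.997 ms
"""

# Constructed sample: ARP lines as printed on the routing peer; the
# "(incomplete)" entry is an assumed form for an address that never resolved.
ARP_SAMPLE = """\
? (10.82.4.1) at XX:9c:fc:XX:d2:3c on bridge0 permanent [bridge]
? (10.82.4.2) at XX:1b:f8:XX:8e:a6 on bridge0 expires in 812 seconds [bridge]
? (10.82.4.6) at (incomplete) on bridge0 expired [bridge]
"""

REPLY_RE = re.compile(r"bytes from (\d+\.\d+\.\d+\.\d+): icmp_seq=(\d+) ttl=\d+ time=([\d.]+) ms")
# Accepts obfuscated octets such as "XX"; "(incomplete)" does not match.
ARP_RE = re.compile(r"\((\d+\.\d+\.\d+\.\d+)\) at ((?:[0-9A-Za-z]{2}:){5}[0-9A-Za-z]{2}) ")

def parse_replies(text):
    """Map each replying IP to the list of (icmp_seq, rtt_ms) it produced."""
    replies = {}
    for m in REPLY_RE.finditer(text):
        replies.setdefault(m.group(1), []).append((int(m.group(2)), float(m.group(3))))
    return replies

def resolved_arp(text):
    """Return the set of IPs that have a resolved MAC in the ARP table."""
    return {m.group(1) for m in ARP_RE.finditer(text)}

def classify(ping_text, arp_text, slow_ms=1000.0):
    """Label each replying IP; only ARP-backed replies count as a live host."""
    arp = resolved_arp(arp_text)
    result = {}
    for ip, seen in parse_replies(ping_text).items():
        slow = sum(1 for _, rtt in seen if rtt >= slow_ms)
        if ip in arp:
            result[ip] = "confirmed"
        elif slow:
            result[ip] = "unconfirmed (no ARP entry, %d delayed replies)" % slow
        else:
            result[ip] = "unconfirmed (no ARP entry)"
    return result

if __name__ == "__main__":
    for ip, verdict in classify(PING_SAMPLE, ARP_SAMPLE).items():
        print(ip, verdict)
```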
