Cannot use profiles to limit peer access

I must be terminally dense but I cannot understand how this works.

Environment is self hosted and working as expected aside from this.

I have set up a small test with 2 machines - test and nbtest - both have been added to group test-group. To be clear, each node has only test-group and all attached (as all is not removable).

I set an access profile up with source and dest set to test-group bi-directional. And the default all-all profile is disabled.

Based on the docs and “common sense” this should mean that test and nbtest can only see themselves but they can see all the peers and initiate connections.

Honestly confused.

I first thought it might be that having src and dest the same was the issue, so I changed the dest to a different group with 3 other peers - same result. The profile doesn’t restrict access.

OK, resolved. The way this works is hellishly counter-intuitive. I had another profile set up with bi-directional access to all nodes, and as soon as I removed the “all” group from the dest element things started to behave. Need to be very careful with naming and especially bi-directional flows.

At least it works. My only remaining gripe is the interference NB does with DNS resolvers. My desktop won’t now open a WireGuard tunnel because resolvconf isn’t installed. If I install it, the netbird client won’t come up. I have real love/hate with NB tbh.
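
The resolution described in the thread above, sketched as an added example that is not part of the original post and not NetBird's own code. It assumes a simplified model in which access profiles are allow-only and additive, and a bi-directional profile also permits the reverse direction; the peer names in `other-group` and the profile names are constructed.

```python
# Simplified model (assumption): profiles are allow-only and additive, and a
# bi-directional profile also permits the reverse direction.
from dataclasses import dataclass

# Constructed sample data mirroring the setup in the post.
GROUPS = {
    "test-group": {"test", "nbtest"},
    "other-group": {"peer-a", "peer-b", "peer-c"},  # hypothetical peer names
}
GROUPS["All"] = set().union(*GROUPS.values())       # every peer is in "All"

@dataclass
class Policy:
    name: str
    sources: list
    destinations: list
    bidirectional: bool = True
    enabled: bool = True

def members(group_names):
    return set().union(*(GROUPS[g] for g in group_names))

def allowed_flows(policies):
    """Return every (initiator, target) pair permitted by any enabled policy."""
    flows = set()
    for p in policies:
        if not p.enabled:
            continue
        src, dst = members(p.sources), members(p.destinations)
        flows |= {(s, d) for s in src for d in dst if s != d}
        if p.bidirectional:  # the reverse direction is opened as well
            flows |= {(d, s) for s in src for d in dst if s != d}
    return flows

def reachable_from(peer, policies):
    return sorted(t for s, t in allowed_flows(policies) if s == peer)

def policies_exposing(peer, target, policies):
    """Name the enabled policies that on their own allow peer -> target."""
    return [p.name for p in policies if (peer, target) in allowed_flows([p])]

restricted = Policy("test-only", ["test-group"], ["test-group"])
default_all = Policy("Default", ["All"], ["All"], enabled=False)
broad = Policy("other-access", ["other-group"], ["other-group", "All"])
fixed = Policy("other-access", ["other-group"], ["other-group"])

if __name__ == "__main__":
    print(reachable_from("test", [restricted, default_all, broad]))
    print(policies_exposing("test", "peer-a", [restricted, default_all, broad]))
    print(reachable_from("test", [restricted, default_all, fixed]))
```

In this model the restrictive profile never had a chance to limit anything: the unrelated profile with "All" in its destination, read in reverse, is what lets `test` reach the other peers, and `policies_exposing` names it.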