Hi everyone,
I’m running a self-hosted NetBird Management Server and recently made it reachable via both IPv4 and IPv6.
Since then, I noticed that in the connection details of a connected peer, the displayed Public IP is not the actual public IPv4 or IPv6 address of the peer. Instead, it shows: 172.30.0.1
This looks like the Docker network gateway address rather than the real public IP of the client.
An important detail: this only happens when the peer connects to the NetBird Management Server via IPv6.
When I delete the AAAA record for the management server, the peer connects via IPv4 and the public IP appears to be shown correctly.
Where is it showing the public IP, in the interface of the machine or the NetBird dashboard?
In the NetBird dashboard, the peer’s public IP is shown as 172.30.0.1, which appears to be the Docker bridge/gateway IP rather than the real public IP of the connecting peer.
This seems to be more than just a UI/display issue. It also affects access rule configuration, because connections coming from outside are reported as originating from 172.30.0.1 instead of the peer’s actual public IP address.
This makes IP-based access rules and auditing difficult or unreliable in a self-hosted Docker/reverse-proxy setup, especially when peers connect via IPv6.
See if you can add:
NB_PROXY_PROXY_PROTOCOL=true
NB_PROXY_TRUSTED_PROXIES=172.30.0.10
to your proxy.env
I think the entry was already there after the installation.
I am seeing the same issue on my end - I am unable to use geoblock on my Authentik, which is proxied through NetBird, as when that IP pops up it blocks it and breaks the auth flow…
I’m glad I’m not the only one having this problem. Have you tried making the management server accessible only via IPv4? I just deleted the AAAA record, and then it worked.
The Quickstart only documents an A record and does not show an AAAA/dual-stack setup. Since the issue only appears when IPv6 is enabled, I’m wondering whether dual-stack is currently supported/tested for the self-hosted Reverse Proxy setup, or whether additional configuration is required.