
This page mirrors internal notes in docs/network/07-netbird-policy-streamlining.md (Markdown repo). It reflects the 2026-03-25 control-plane cleanup.

What we standardized on

  • LAN reachability: Classic network routes on peer pfSense.mnkylab.moodmnky.com (/api/routes) for 10.0.0.0/24, 10.0.13.0/24, 10.1.0.0/24, and 10.4.0.0/24 — see NetBird platform.
  • Removed: NetBird Networks object for 192.168.1.0/24, the main subnet Access policy, the traefik network router, and the 10.0.0.22/32 host resource on the main network (Traefik is still on the LAN; it is no longer a NetBird routing peer).

Universal SSH

  1. Default policy remains AllAll with protocol: all (includes NetBird SSH and other traffic the client allows).
  2. ssh_enabled was turned on for all peers in the management API so netbird ssh <peer> can target any compatible client.
  3. The target must still run sshd (or equivalent) and allow the connection on the OS firewall; NetBird provides overlay connectivity only.
Redundant, overlapping SSH-named policies were removed from the dashboard to reduce confusion.

Group cleanup note

The pfsense-net access group could not be deleted via API because it is linked to a setup key (pfsense). Remove that link under Setup keys in the dashboard if you want to delete the empty group.

Role groups (implemented, 2026-03-26)

Flat tags (no subgroups): Hypervisors, Infra-Edge, Monitoring, Apps, Remote-Operators, BreakGlass (empty), plus Datacenter and External. Remote-Operators stay in Datacenter so classic LAN routes are unchanged; tightening is via policies and DNS, not by removing route membership. Additive policies (still redundant while Default is on): Remote-Operators → Monitoring (common web/metrics ports), Remote-Operators → Infra-Edge (80/443), NetBird SSH → Hypervisors.

Next: retire Default safely

  1. BreakGlass: add emergency admin peers to BreakGlass and create an explicit BreakGlass policy before disabling Default — peer visibility in the mesh follows policy group membership.
  2. Verify explicit coverage: confirm ICMP, DNS, netbird-ssh, and required TCP/UDP paths are covered without Default.
  3. Logging: turn on activity / traffic logs briefly; validate from Remote-Operators and Apps peers.
  4. API snapshot: after each change, GET /api/policies and GET /api/routes; update internal docs/network/05 if IDs change.
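The coverage check in step 2, as an added example that is not the page's or NetBird's own code: it walks a policy list in the shape returned by GET /api/policies and reports which required paths have no explicit, enabled policy once Default is retired. The policy snapshot, the group pairings and the port list are constructed assumptions modelled on this page's role groups.

```python
# Added example, not from the page or NetBird: find paths that lose cover when Default is retired.
# Field names follow GET /api/policies; every value below is constructed, not real API output.

def _policy(name, proto, ports, src, dst, bidir=False):
    """Build one single-rule policy using the API's field names (only the ones used here)."""
    return {"name": name, "enabled": True, "rules": [{
        "enabled": True, "action": "accept", "protocol": proto, "bidirectional": bidir,
        "ports": ports, "sources": [{"name": src}], "destinations": [{"name": dst}]}]}

# Constructed snapshot modelled on this page's role-group policies.
POLICIES = [
    _policy("Default", "all", [], "All", "All", bidir=True),
    _policy("RemoteOps-Monitoring", "tcp", ["443", "9090"], "Remote-Operators", "Monitoring"),
    _policy("RemoteOps-InfraEdge", "tcp", ["80", "443"], "Remote-Operators", "Infra-Edge"),
    _policy("SSH-Hypervisors", "tcp", ["22"], "Remote-Operators", "Hypervisors"),
]

# (source group, destination group, protocol, port) that must keep working; assumed list.
REQUIRED = [
    ("Remote-Operators", "Monitoring", "tcp", "443"),
    ("Remote-Operators", "Infra-Edge", "tcp", "443"),
    ("Remote-Operators", "Hypervisors", "tcp", "22"),
    ("Remote-Operators", "Infra-Edge", "icmp", None),  # ping
    ("Remote-Operators", "Infra-Edge", "udp", "53"),   # DNS
    ("BreakGlass", "Infra-Edge", "all", None),         # emergency admin path (step 1)
]

def _in(group, names):
    return group in names or "All" in names  # "All" is NetBird's built-in everyone group

def rule_covers(rule, src, dst, proto, port):
    """True if this enabled accept rule permits src -> dst for proto/port (empty ports = any)."""
    if not rule.get("enabled", True) or rule.get("action", "accept") != "accept":
        return False
    srcs = {g["name"] for g in rule["sources"]}
    dsts = {g["name"] for g in rule["destinations"]}
    pair_ok = (_in(src, srcs) and _in(dst, dsts)) or (
        rule.get("bidirectional") and _in(src, dsts) and _in(dst, srcs))
    proto_ok = rule["protocol"] in ("all", proto)
    port_ok = not rule.get("ports") or port in rule["ports"]
    return bool(pair_ok and proto_ok and port_ok)

def coverage_without(policies, required, retired="Default"):
    """Map each requirement to the enabled policies (other than `retired`) that cover it."""
    return {req: [p["name"] for p in policies if p["enabled"] and p["name"] != retired
                  and any(rule_covers(r, *req) for r in p["rules"])] for req in required}

def gaps(policies, required, retired="Default"):
    """Requirements with no explicit cover once `retired` is disabled: close these before step 3."""
    return [req for req, by in coverage_without(policies, required, retired).items() if not by]
```

Run `gaps(POLICIES, REQUIRED)` against a real snapshot by replacing POLICIES with the parsed response body; an empty list means Default can be disabled without losing any listed path.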