Hi Tom @LTS_Tom
I was watching Talking Heads Ep. 439 last night and heard you talking with Jeff about testing NetBird and Tailscale. I’ve been banging my head against the wall with this for a few weeks now and haven’t made any headway. I was wondering if you had any insight, or if you might be able to test something similar.
My setup is a UDM Pro as my firewall, sitting behind an AT&T BGW320 that is configured in IP Passthrough mode. I have AT&T Fiber with a dynamic public IP (not behind CGNAT). I’m self-hosting a NetBird server behind a Traefik reverse proxy, with ports 80, 443, and 3478 forwarded to the server.
On my home network (behind the UDM) I have:
- TrueNAS server
- Plex server
Outside my network I have:
- iPhone
- MacBook
- My parents’ Windows laptops
Here’s the behavior I’m seeing:
- Any two devices that are both outside the UDM establish a P2P connection.
- Any two devices that are both inside the UDM also establish a P2P connection.
- But the moment the connection has to traverse the UDM (inside ↔ outside), it always falls back to a relayed connection.
For example, if my MacBook is outside my network, it gets a P2P connection to my iPhone. If I bring the MacBook inside my network, it immediately gets P2P connections to my TrueNAS and Plex server, but it can no longer establish P2P with the external devices—it falls back to relayed. As soon as I take the MacBook back outside, P2P to the external devices works again.
That’s what has me convinced the UDM is somehow the common denominator.
I’ve already tried:
- Disabling IPS/IDS completely.
- Leaving IPS/IDS enabled but unchecking all of the peer-to-peer related detections.
- Enabling UPnP.
- Confirming that I’m not behind CGNAT.
- Verifying that the BGW320 is in IP Passthrough mode.
None of those changed the behavior.
I’ve also considered moving my NetBird server to a VPS just to rule out whether the issue is related to the server and the internal clients sharing the same public IP address. I haven’t tried that yet because it feels like P2P should still work in this scenario.
Since the BGW320 is just passing the public IP through to the UDM, I wouldn’t expect it to be interfering, which is another reason I’m leaning toward the UDM.
Have you run into anything like this before, or do you have any ideas what the UDM could be doing that would prevent direct P2P connections only when traffic has to cross the firewall? I’m hoping I’m just overlooking a setting somewhere, but at this point I’m running out of ideas.
