Allow one network resource to have both IPv4 and IPv6 IP (or CIDR) to fully support dualstack behind a network gateway

[sjansen1]

Before posting

• I searched existing discussions and issues for similar requests.
• I checked the documentation to confirm this is not already supported.
• This is a product idea or enhancement request, not a support question.
• I removed or anonymized sensitive details from examples and screenshots.

Product area

Routes / Exit nodes

Problem or use case

Now with IPv6 overlay network support, i can reach systems behind a subnet gateway via IPv4 and IPv6, thats awesome and important for dualstack deployment. Previously, every IPv6 requests goes right into the internet and not into the Netbird tunnel.

Now with dualstack, there are three ways to define a resource in a networks:

IPv4/IPv6 single IP, a whole IPv4/IPv6 CIDR and DNS Name. DNS Name let the subnet gateway peer of the network resolve the IP and establish a route via Netbird between the requested peer and subnet gateway.

What can i do now:

Creating two resources, one with IPv4 and one with IPv6, now we have two resources with different names and we have to assign both to every acl. A bit to much overhead in my opinion. So, I tought the best way would be DNS, so it covers IPv4 and IPv6 automaticly. But here i found a problem.

One example:

I have FreeIPA Servers, FreeIPA has a management web interface and a dns server. If i define this server as DNS and open the Webinterface, that works fine, Netbird let the subnet gateway resolve the IP and establish a route, i can access the Webservice, and AFTER that the IPv4 or IPv6, depending what got resolved. But because this is also a dns server, i have a problem, system does not use DNS, it goes straight to the IP to resolve DNS. If my system try to access this dns server (of course via ipv4 or ipv6), this fails, netbird has no route because the FreeIPA Server DNS domain does not get resolved and so no route is established.

Proposed solution

Let us define IPv4 and IPv6 in a resource in one single resource entry, so we do not have to create every resource definition twice for IPv4 and IPv6.

Alternatives or workarounds considered

So far the only workaround is to create every resource twice for example myhost_ipv4, myhost_ipv6 and address both in an ACL. Lot of work if you have to define a lot of resources.

Community impact and priority

It helps administrators with dualstack deployment to have much less work creating just one resource with an IPv4+IPv6 the the definition, it looks cleaner in the overview and of source in the the control center.

Examples from other tools or products

No response

Security, privacy, and compatibility considerations

No response

Implementation ideas

No response

Are you willing to help?

Not at this time.

Additional context

No response

[kyberorg]

Totally support this, we also have dual-stack env. Actually lack of this feature pushed us to IPv6-only overlay :)