NOCHTPC 1 Posted July 4, 2015 Share Posted July 4, 2015 Hi, I am having issues connecting to emby outside my network. I have the latest beta server build and beta classic build, I have comcast modem that is bridged with my linksys wr1900ac router. I forwarded both 8096 and 8920 to my htpc hence emby server ip address but still cant get chrome from my iphone to connect outside my network. Can someone help? Link to comment Share on other sites More sharing options...
pir8radio 1289 Posted July 5, 2015 Share Posted July 5, 2015 (edited) You said comcast modem bridged to linksys... is the firewall turned on for both devices? Usually you want to turn all of that crap off on the comcast modem (if it has built in firewall, most do) then let your router do all of the work.. Otherwise you have a double NAT and troubleshooting can get difficult. See what WAN address you show in your linksys, it should be your outside internet address and not a 192.x.x.x or 10.x.x.x Edited July 5, 2015 by pir8radio Link to comment Share on other sites More sharing options...
JeremyFr79 228 Posted July 5, 2015 Share Posted July 5, 2015 You said comcast modem bridged to linksys... is the firewall turned on for both devices? Usually you want to turn all of that crap off on the comcast modem (if it has built in firewall, most do) then let your router do all of the work.. Otherwise you have a double NAT and troubleshooting can get difficult. See what WAN address you show in your linksys, it should be your outside internet address and not a 192.x.x.x or 10.x.x.x When you set the Comcaset Modems to "bridged" it's actually in reality gateway mode, it disables all NAT/Firewall/etc turning it into nothing more than a gateway. Link to comment Share on other sites More sharing options...
pir8radio 1289 Posted July 5, 2015 Share Posted July 5, 2015 When you set the Comcaset Modems to "bridged" it's actually in reality gateway mode, it disables all NAT/Firewall/etc turning it into nothing more than a gateway. Yea, I was not sure how techie NOCHTPC was so I just wanted to confirm it was actually in bridged mode. Rather than him saying bridged just because they were physically connected. Because he says "Bridged with".... Just checking... 1 Link to comment Share on other sites More sharing options...
mjktg99 34 Posted July 6, 2015 Share Posted July 6, 2015 Are the ports open on your Windows Firewall? Link to comment Share on other sites More sharing options...
NOCHTPC 1 Posted July 6, 2015 Author Share Posted July 6, 2015 Hi, thanx for the responses, when I say bridged, I called comcast and told them I wanted the modem/router only to be used as a modem not a router because I have a router already. They said they were going to do this and it was called bridging. I forwarded my ports on my linksys wr1900ac, How do I open ports to windows for emby? Link to comment Share on other sites More sharing options...
JeremyFr79 228 Posted July 6, 2015 Share Posted July 6, 2015 Hi, thanx for the responses, when I say bridged, I called comcast and told them I wanted the modem/router only to be used as a modem not a router because I have a router already. They said they were going to do this and it was called bridging. I forwarded my ports on my linksys wr1900ac, How do I open ports to windows for emby? Um typically they can't switch the mode for you over the phone, you usually have to log into the local admin page for the modem to change that setting. Link to comment Share on other sites More sharing options...
pir8radio 1289 Posted July 7, 2015 Share Posted July 7, 2015 yea I would look in your linksys router and see what ip shows up for the "internet" or WAN... That will kind of tell you if you are in bridged mode. Link to comment Share on other sites More sharing options...
NOCHTPC 1 Posted July 7, 2015 Author Share Posted July 7, 2015 (edited) Am I looking for internet connection ipv4 internet address or....? Edited July 7, 2015 by NOCHTPC Link to comment Share on other sites More sharing options...
JeremyFr79 228 Posted July 7, 2015 Share Posted July 7, 2015 yeah you want to look at the internet IPV4 address, if it starts with 10 or 192 then you're double NAT'd and the modem is not properly set for bridge. Link to comment Share on other sites More sharing options...
karikimber 0 Posted July 7, 2015 Share Posted July 7, 2015 do not open emby for windows (maybe linux and etc) for internet, very critical security reason. Link to comment Share on other sites More sharing options...
mjktg99 34 Posted July 7, 2015 Share Posted July 7, 2015 do not open emby for windows (maybe linux and etc) for internet, very critical security reason. What security reason is that? Link to comment Share on other sites More sharing options...
JeremyFr79 228 Posted July 7, 2015 Share Posted July 7, 2015 What security reason is that? The guy has 6 post's since joining in May, most are "AAAAAAAAAAH SECURITY HOLE!!!!" with no other information, doubt he knows what the hell he's talking about. 1 Link to comment Share on other sites More sharing options...
mjktg99 34 Posted July 7, 2015 Share Posted July 7, 2015 How do I open ports to windows for emby? Nothing implied by the website, just grabbed it from google.... http://www.dummies.com/how-to/content/how-to-open-a-port-in-the-windows-7-firewall.html Link to comment Share on other sites More sharing options...
NOCHTPC 1 Posted July 8, 2015 Author Share Posted July 8, 2015 before comcast when I had verizon fios I was able to connect remotely without windows firewall why do I have to mess with it now? Should I call comcast again to make sure that its bridged the second time or should I call my routers help line to check if I have to reset it? Link to comment Share on other sites More sharing options...
karikimber 0 Posted July 8, 2015 Share Posted July 8, 2015 What security reason is that? Luke working on it. Link to comment Share on other sites More sharing options...
JeremyFr79 228 Posted July 8, 2015 Share Posted July 8, 2015 before comcast when I had verizon fios I was able to connect remotely without windows firewall why do I have to mess with it now? Should I call comcast again to make sure that its bridged the second time or should I call my routers help line to check if I have to reset it? Here's the instructions for bridging your Comcast modem. http://customer.xfinity.com/help-and-support/internet/wireless-gateway-enable-disable-bridge-mode Link to comment Share on other sites More sharing options...
pir8radio 1289 Posted July 13, 2015 Share Posted July 13, 2015 (edited) do not open emby for windows (maybe linux and etc) for internet, very critical security reason. @@karikimber DO NOT BREATH THE AIR IS BAD.......... How about some details on this deadly security reason? I bet you don't just trust me and stop breathing....... Edited July 13, 2015 by pir8radio 1 Link to comment Share on other sites More sharing options...
NOCHTPC 1 Posted July 13, 2015 Author Share Posted July 13, 2015 Thanx guys, lifesaver....! Link to comment Share on other sites More sharing options...
karikimber 0 Posted July 13, 2015 Share Posted July 13, 2015 Critic security bug solved by Luke. Must be a new version use it, 3.0.5667.6 Link to comment Share on other sites More sharing options...
plazma 13 Posted July 13, 2015 Share Posted July 13, 2015 (edited) One of the other issues is there is no rate limitation or ip lockout timer for bad logins (hasn't been previously, may have now changed), due to this there is no protection against brute force attacks or dos attacks. For example, the image on the login page (or the page its self) could be request over and over and over and someone could effectively dos your connection (eating bandwidth) without much effort, wget and a few lines of bash / batch script would be all it would take. Also its a really bad idea to use the http port at all externally (https is better), but due to the above personally I put it behind something that does. The issue with http is your sending logins back in clear text (hence possible to steal without much effort in a man in the middle attack). Instead I would advise for better security to instead use a vpn or an ssh port forward for the backhaul and never open emby directly to outside logins. OpenVPN support most platforms, im happy to provide a template server config file to anyone who messages me. OpenSSH (useful on clients where vpn is not possible, some android devices don't have a tun.ko module) in this case the ssh connection is used for port redirection, so once connected the client maps a connection to the emby server (using the openssh server as a pivot) to a local port. Both are supported in Linux with fail2ban. using a dd-wrt, openwrt, gargoyle, tomato, pf sense router or an existing server, even a raspberry pii to act as a ssh or vpn server. with openvpn clients I don't rewrite the gateway, just injecting a single route and opening in iptables, the client can stay connected and vpn is only used for request to emby. So no access to the rest of my network for further security. So unlike a typical vpn im not redirecting all traffic across the vpn. with openssh the server will only allow a port redirect for the emby server and the user has no shell set, so again all it can be used for is connections to emby. Again I don't mind pointing people in the right direction on this to required guides. Obviously emby connect I believe is also another solution for those who cant do either of the above (I say this as no where have I seen it say emby connect requires port forwards and assume the emby website is used as a pivot to establish the connection to work around nat). Someone else will have to verify. One thing I will say is emby by default tries to auto map ports (most routers have upnp turned on), this is a bit of a concern as some users may not be aware their emby server is already open to the outside world. As a security based recommendation this option should either be off by default or the user should be asked if required at install or first run. People have different feelings about upnp, personally it will never be used on any kit I use/setup as there is no security model around what can ask for port forward to be setup. Its one of those times your trading convenience but throwing out/reducing security to archive it. Emby is doing nothing wrong in the way it works, many programs are just the same, but things like fail2ban and public private key hardening of systems were invented to improve security, so why no use them. Edited July 13, 2015 by plazma 1 Link to comment Share on other sites More sharing options...
ebr 14862 Posted July 14, 2015 Share Posted July 14, 2015 We never send passwords in clear text. Just FYI. Link to comment Share on other sites More sharing options...
plazma 13 Posted July 14, 2015 Share Posted July 14, 2015 Gotcha, sorry my mistake, but the connection is not encrypted over http so what ever else is done will never be as good as just using https, I would globally ban port 80 if I could lol :-) sorry don't get me wrong im not knocking emby at all, gosh ive been asked to setup commercial and expensive bespoke software that gave no thought to security. But as it evolves a tweak her, there etc, which is why emby is so great, if something needs a tweak or could be done a different way you guys actually listen ;-) Interestingly does the Linux version (never check last time I installed) log failed logins, as if it could spit an ip of bad logins to the auth log it would be relatively trivial to make it work with fail2ban... Ultimately I would be nicer to have it as a built in feature for all platforms, but a small tweak to the Linux version and shazam most of the hard work is already done. Link to comment Share on other sites More sharing options...
pir8radio 1289 Posted July 15, 2015 Share Posted July 15, 2015 (edited) you can always put Emby behind a reverse proxy... let the proxy handle logging, and HTTPS. You can even add protection for DOS attacks and what not. I get some pretty cool graphic logs using my reverse proxy and WebLog Expert. Edited July 15, 2015 by pir8radio Link to comment Share on other sites More sharing options...
Luke 36886 Posted March 29, 2018 Share Posted March 29, 2018 This may help with fail2ban: https://emby.media/community/index.php?/topic/57525-33111-log-file-rotation Link to comment Share on other sites More sharing options...
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now