Remote connect to my emby server


NOCHTPC

Hi, I am having issues connecting to Emby outside my network. I have the latest beta server build and beta classic build, I have a Comcast modem that is bridged with my Linksys WR1900AC router. I forwarded both 8096 and 8920 to my HTPC hence Emby server IP address but still can't get Chrome from my iPhone to connect outside my network. Can someone help?


pir8radio

You said Comcast modem bridged to Linksys... is the firewall turned on for both devices? Usually you want to turn all of that crap off on the Comcast modem (if it has built in firewall, most do) then let your router do all of the work.. Otherwise you have a double NAT and troubleshooting can get difficult. See what WAN address you show in your Linksys, it should be your outside internet address and not a 192.x.x.x or 10.x.x.x


JeremyFr79

You said Comcast modem bridged to Linksys... is the firewall turned on for both devices? Usually you want to turn all of that crap off on the Comcast modem (if it has built in firewall, most do) then let your router do all of the work.. Otherwise you have a double NAT and troubleshooting can get difficult. See what WAN address you show in your Linksys, it should be your outside internet address and not a 192.x.x.x or 10.x.x.x

When you set the Comcast modems to "bridged" it's actually in reality gateway mode, it disables all NAT/Firewall/etc turning it into nothing more than a gateway.


pir8radio

When you set the Comcast modems to "bridged" it's actually in reality gateway mode, it disables all NAT/Firewall/etc turning it into nothing more than a gateway.

Yea, I was not sure how techie NOCHTPC was so I just wanted to confirm it was actually in bridged mode. Rather than him saying bridged just because they were physically connected. Because he says "Bridged with".... Just checking... :)


NOCHTPC

Hi, thanks for the responses, when I say bridged, I called Comcast and told them I wanted the modem/router only to be used as a modem not a router because I have a router already. They said they were going to do this and it was called bridging. I forwarded my ports on my Linksys WR1900AC. How do I open ports to Windows for Emby?


JeremyFr79

Hi, thanks for the responses, when I say bridged, I called Comcast and told them I wanted the modem/router only to be used as a modem not a router because I have a router already. They said they were going to do this and it was called bridging. I forwarded my ports on my Linksys WR1900AC. How do I open ports to Windows for Emby?

Um typically they can't switch the mode for you over the phone, you usually have to log into the local admin page for the modem to change that setting.


pir8radio

Yea, I would look in your Linksys router and see what IP shows up for the "internet" or WAN... That will kind of tell you if you are in bridged mode.


NOCHTPC

Am I looking for internet connection IPv4 internet address or....?


JeremyFr79

Yeah, you want to look at the internet IPv4 address, if it starts with 10 or 192 then you're double NAT'd and the modem is not properly set for bridge.


karikimber

Do not open Emby for Windows (maybe Linux and etc) for internet, very critical security reason.


mjktg99

Do not open Emby for Windows (maybe Linux and etc) for internet, very critical security reason.

What security reason is that?


JeremyFr79

What security reason is that?

The guy has 6 posts since joining in May, most are "AAAAAAAAAAH SECURITY HOLE!!!!" with no other information, doubt he knows what the hell he's talking about.


NOCHTPC

Before Comcast, when I had Verizon FiOS, I was able to connect remotely without Windows firewall, why do I have to mess with it now? Should I call Comcast again to make sure that it's bridged the second time or should I call my router's help line to check if I have to reset it?


JeremyFr79

Before Comcast, when I had Verizon FiOS, I was able to connect remotely without Windows firewall, why do I have to mess with it now? Should I call Comcast again to make sure that it's bridged the second time or should I call my router's help line to check if I have to reset it?

Here are the instructions for bridging your Comcast modem.

http://customer.xfinity.com/help-and-support/internet/wireless-gateway-enable-disable-bridge-mode


pir8radio

Do not open Emby for Windows (maybe Linux and etc) for internet, very critical security reason.

@karikimber DO NOT BREATHE THE AIR IS BAD.......... How about some details on this deadly security reason? I bet you don't just trust me and stop breathing....... ;)


plazma

One of the other issues is there is no rate limitation or IP lockout timer for bad logins (hasn't been previously, may have now changed), due to this there is no protection against brute force attacks or DoS attacks.

For example, the image on the login page (or the page itself) could be requested over and over and over and someone could effectively DoS your connection (eating bandwidth) without much effort, wget and a few lines of bash / batch script would be all it would take.

Also it's a really bad idea to use the http port at all externally (https is better), but due to the above personally I put it behind something that does. The issue with http is you're sending logins back in clear text (hence possible to steal without much effort in a man in the middle attack).

Instead I would advise for better security to instead use a VPN or an SSH port forward for the backhaul and never open Emby directly to outside logins.

OpenVPN supports most platforms, I'm happy to provide a template server config file to anyone who messages me.

OpenSSH (useful on clients where VPN is not possible, some Android devices don't have a tun.ko module) in this case the SSH connection is used for port redirection, so once connected the client maps a connection to the Emby server (using the OpenSSH server as a pivot) to a local port.

Both are supported in Linux with fail2ban.

Using a DD-WRT, OpenWrt, Gargoyle, Tomato, pfSense router or an existing server, even a Raspberry Pi to act as an SSH or VPN server.

With OpenVPN clients I don't rewrite the gateway, just injecting a single route and opening in iptables, the client can stay connected and the VPN is only used for requests to Emby. So no access to the rest of my network for further security. So unlike a typical VPN I'm not redirecting all traffic across the VPN.

With OpenSSH the server will only allow a port redirect for the Emby server and the user has no shell set, so again all it can be used for is connections to Emby.

Again I don't mind pointing people in the right direction on this to required guides.

Obviously Emby Connect I believe is also another solution for those who can't do either of the above (I say this as nowhere have I seen it say Emby Connect requires port forwards and assume the Emby website is used as a pivot to establish the connection to work around NAT). Someone else will have to verify.

One thing I will say is Emby by default tries to auto map ports (most routers have UPnP turned on), this is a bit of a concern as some users may not be aware their Emby server is already open to the outside world.

As a security based recommendation this option should either be off by default or the user should be asked if required at install or first run.

People have different feelings about UPnP, personally it will never be used on any kit I use/set up as there is no security model around what can ask for a port forward to be set up. It's one of those times you're trading convenience but throwing out/reducing security to achieve it.

Emby is doing nothing wrong in the way it works, many programs are just the same, but things like fail2ban and public private key hardening of systems were invented to improve security, so why not use them.


plazma

Gotcha, sorry my mistake, but the connection is not encrypted over http so whatever else is done will never be as good as just using https, I would globally ban port 80 if I could lol :-) sorry don't get me wrong I'm not knocking Emby at all, gosh I've been asked to set up commercial and expensive bespoke software that gave no thought to security. But as it evolves a tweak here, there etc, which is why Emby is so great, if something needs a tweak or could be done a different way you guys actually listen ;-)

Interestingly does the Linux version (never checked last time I installed) log failed logins, as if it could spit an IP of bad logins to the auth log it would be relatively trivial to make it work with fail2ban... Ultimately it would be nicer to have it as a built in feature for all platforms, but a small tweak to the Linux version and shazam most of the hard work is already done.


pir8radio

you can always put Emby behind a reverse proxy...   let the proxy handle logging, and HTTPS. You can even add protection for DOS attacks and what not.    I get some pretty cool graphic logs using my reverse proxy and WebLog Expert.  


  • 2 years later...
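
Added example (not part of any post in this thread, and not Emby or fail2ban code): the lockout logic discussed above, applied to the access log of a reverse proxy placed in front of Emby. It assumes the proxy writes the combined log format and that a bad login appears as a 401 response to a POST on `/emby/Users/AuthenticateByName`; both are assumptions to check against your own logs. The thresholds are named after fail2ban's `maxretry`, `findtime`, `bantime` and `ignoreip`, and the sample lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumptions: combined log format; failed logins are 401s on this path.
LOGIN = re.compile(r"^/(emby/)?Users/AuthenticateByName", re.I)
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def find_bans(lines, maxretry=5, findtime=600, bantime=3600,
              ignore=("127.0.0.0/8", "10.0.0.0/8", "192.168.0.0/16")):
    """Return [(ip, ban_start, ban_end)]; thresholds named after fail2ban's."""
    ignored = [ip_network(n) for n in ignore]
    recent = defaultdict(deque)      # ip -> times of failures inside findtime
    banned_until, bans = {}, []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue                 # unparseable line: skip it
        ip, ts, method, path, status = m.groups()
        if method != "POST" or status != "401" or not LOGIN.match(path):
            continue
        try:
            addr = ip_address(ip)
        except ValueError:
            continue                 # first field was not an IP address
        if any(addr in net for net in ignored):
            continue                 # never ban the LAN (fail2ban: ignoreip)
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        if when < banned_until.get(ip, when):
            continue                 # still banned; the firewall drops this
        q = recent[ip]
        q.append(when)
        while when - q[0] > timedelta(seconds=findtime):
            q.popleft()              # forget failures older than findtime
        if len(q) >= maxretry:
            banned_until[ip] = when + timedelta(seconds=bantime)
            bans.append((ip, when, banned_until[ip]))
            q.clear()
    return bans

# Constructed sample: one outside address guessing passwords, plus LAN noise.
def _line(ip, sec, status):
    return (f'{ip} - - [01/Jan/2024:20:15:{sec:02d} +0000] '
            f'"POST /emby/Users/AuthenticateByName HTTP/1.1" {status} 0 "-" "-"')

SAMPLE = ([_line("203.0.113.7", s, 401) for s in range(0, 60, 10)]
          + [_line("192.168.1.20", s, 401) for s in range(0, 60, 5)]
          + [_line("198.51.100.20", 30, 200)])
```

`find_bans(SAMPLE)` yields one ban, for the outside address on its fifth failure; the LAN client's mistyped passwords are ignored, which is the reason to keep an ignore list before wiring any ban action to a firewall.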
