mengoshmink 16 Posted January 11, 2022 Posted January 11, 2022 Hi guys, for reasons not worth explaining here I am currently without my dedicated server hardware. So I decided to install Docker to my Synology NAS and install the Emby image. My reasons for using the Docker Emby image and not the native Synology Emby app are various. DSM 6.2.4-25556 Update 2 Docker 20.10.3-0554 Emby latest (4.7.0.9) When I entered my premier key I got an error. After a bit of digging I found that if I turned off my Synology firewall then the key worked fine. Not ideal but to turn off the firewall for a few seconds while my premier key is validated and verified is not a deal breaker. What I found next is that when scanning my video library it doesn't download any metadata unless the firewall is off. I've tried a few different firewall rules but to no avail. Does anyone here have any ideas or the answer? Many thanks in advance! Container Log emby-1.html Container Settings emby.json embyserver.txt
Luke 38825 Posted January 11, 2022 Posted January 11, 2022 Hi, that's interesting. That's the first I've seen of this but then again most Synology users are on the native package (and DSM7 if available to them).
Carlo 4478 Posted January 12, 2022 Posted January 12, 2022 (edited) What interface is Emby running on in Docker? Bridge, Host, Macvlan or other network setups will require different firewall ports. Just a quick look at your server log and 172.17.0.2 or 172.17.0.1 likely needs opening in the firewall. Edited April 14, 2022 by cayars 1
mengoshmink 16 Posted January 12, 2022 Author Posted January 12, 2022 On 11/01/2022 at 20:57, Luke said: Hi, that's interesting. That's the first I've seen of this but then again most Synology users are on the native package (and DSM7 if available to them). Hi Luke, nice to hear from you again I prefer Docker over native installs for when I inevitably break something. As for DSM 7, I was going to upgrade until I read some negative feedback about some features I think I use in DSM 6. Until I have had a chance to check I'm not upgrading. 9 minutes ago, cayars said: What interface is Emby running on in Docker? Bridge, Host, Macvlan or other network setups will require different firewall ports. Just a quick look at your server log and 172.17.0.2 or 172.17.0.1 likely needs open in the firewall. Hi cayars, That setup is bridge. As a temporary solution I'm using host. I don't have time tonight to test bridge with 172.17.0.1 open. I will try soon and feedback. Thank you.
Carlo 4478 Posted January 12, 2022 Posted January 12, 2022 Smart move not doing the DSM upgrade until you've had a chance to review everything you use first. Sounds good on the bridge setup. Let us know how you make out. Does your NAS support Virtual Machines? If so you could install a VM using DSM 6 with the software you use. Then upgrade that to DSM 7 and see what happens. I did the migration video using a VM after I ran through the process once or twice beforehand. It's great for things like this even if you don't normally use it for running VMs.
mengoshmink 16 Posted January 17, 2022 Author Posted January 17, 2022 (edited) Okay, so with Emby running in a default bridged container it has the IP: 172.17.0.2 but I am connecting to it with the IP: 192.168.1.72. I concede I may of set the firewall rule incorrectly. It's network access still appears to be limited as it still can not fetch metadata. Thanks, Edited January 17, 2022 by mengoshmink
Carlo 4478 Posted January 18, 2022 Posted January 18, 2022 What happens if you turn off the firewall and run a scan? That will let you know if the firewall is the issue or if you need to look elsewhere. You're not using any kind of VPN are you?
mengoshmink 16 Posted January 18, 2022 Author Posted January 18, 2022 If I turn off the firewall and scan a library / try and fetch metadata it works as it should. Nope. No VPN's in use here.
Carlo 4478 Posted January 20, 2022 Posted January 20, 2022 That would seem to indicate that it's a firewall issue then. You should be able to tell by the logs why it's getting blocked. For starters you could change TCP to ALL Make sure you have the proper interfaces covered. Make sure you cover all the IPs used between metal, Synology & Docker for Emby including WAN.
mengoshmink 16 Posted January 20, 2022 Author Posted January 20, 2022 Thanks cayars. Any suggestions of which log to look at? Synology firewall log (if there is such a thing) or Emby server log? I'm guessing this (below quote) is the type of error I'm looking for? I am also guessing turning on Emby's debug logging would be overkill. Quote 2022-01-11 20:29:14.331 Info Server: http/1.1 Response 200 to 172.17.0.1. Time: 51ms. Ah, not like the old days of my Slackware server when I configured iptables with fwbuilder and monitored with dmesg I'll probably have a library of just a couple of videos and debug with that. Good idea to check the interfaces first and the IPs between the Synology and Docker.
Carlo 4478 Posted January 21, 2022 Posted January 21, 2022 I don't use it so I can't say for sure but I was thinking the firewall software would have to write a log file. I just took a look at this: Have you tried the option I have selected in the red box? That should be all that's needed I'd think. If you try that and still can't figure out the issue let me know and we can setup a remote session to get you some help figuring it out. Carlo
mengoshmink 16 Posted February 19, 2022 Author Posted February 19, 2022 Hi guys, sorry for the delay. Just turned my NAS back on so I should be able to test and report back soon. 2
mengoshmink 16 Posted April 12, 2022 Author Posted April 12, 2022 Hi guys, I finally spent some time tonight trying to figure it out. My gut feeling is it is a routing issue but it's beyond me. I found this but got nowhere. Strictly speaking I think it is talking about a different problem. cayars I tried that option but I think it only displays notifications from changes within the DSM software. Not what's going on behind the scenes. Honestly the last couple of months I have been using the Emby Docker image with host networking. This week I put on my separate server box where I was originally hosting the Emby Docker image and will again; unless energy prices prove to be prohibitive. So I'm sorry guys but I don't think I'll be pursuing this any further. Many thanks for the support.
Luke 38825 Posted April 12, 2022 Posted April 12, 2022 Why not just keep the firewall off and use the firewall on your router?
mengoshmink 16 Posted April 13, 2022 Author Posted April 13, 2022 I just don't trust the firewall on my router. Simply because I don't see the firmware get many updates and I don't see many features to protect against intrusion. It is a simple ISP provided router. That said it seems to handle connecting well. I'm now on the journey of setting up a reverse proxy to protect my Emby server and other services I like to access externally. 1
Solution emoby0 5 Posted April 13, 2022 Solution Posted April 13, 2022 (edited) Thanks for posting your question, I think I had the same problem (I'm also running Emby on a Synology nas with a firewall, and had issues trying to identify media failed to search (after it working very reliably for a long time) Thanks to this post, I remembered I had recently cleaned up my Synology firewall settings. I believe I had inadvertently removed the rule to allow applications on the Docker bridge to access the Synology network. (unrelated I wish Synology allowed us to put comments in the firewall rule settings so we know what they were for!...) As the Docker configuration has my emby server on this bridge: I added a rule like this: Once doing this, I was able to identify media and retrieve metadata. I had originally thought I had to allow access from the docker images to the main internet firewall, but it seems the issue was that the docker bridge needs to go through the synology system first. This seems reasonable, but I must have forgotten since I set it up a while ago. Hope it helps someone! BTW, I'm on DSM 7.0.1 Edited April 13, 2022 by emoby0 1
mengoshmink 16 Posted April 13, 2022 Author Posted April 13, 2022 25 minutes ago, emoby0 said: I added a rule like this: Once doing this, I was able to identify media and retrieve metadata. You legend emoby0. Your reply and solution are spot on! Many thanks @cayars you were right too, I just didn't know how to fix it. BTW Adding comments to the Synology firewall rules would indeed be helpful. I am trying to keep my NAS as purely a file server but other things are creeping in. BTW BTW I am still on DSM 6 as I read something (I think it was in the release notes) about DSM 7 and NFS.
emoby0 5 Posted April 13, 2022 Posted April 13, 2022 (edited) Great to hear it was helpful! The way the firewall is blocking the internal network, is a bit counter intuitive. It seems like Synology sees the docker network as external to some extent, and the traffic passes through the synology device before it goes out to the main router. For reference for anyone coming across this post. The firewalls rules are executed in order from the top down, so if a DENY ALL rule is at the top, then it trumps other rules. Edited April 13, 2022 by emoby0
Carlo 4478 Posted April 14, 2022 Posted April 14, 2022 Glad you guys got this figured out but I was going to comment the same thing emobyo did. So file that one away so you'll remember if you ever see the 172 address space you're missing a route from 192 which the firewall is doing for you. Alternately, don't use a bridge in Docker for Emby but let it get a host address which will be faster too.
emoby0 5 Posted April 14, 2022 Posted April 14, 2022 (edited) Thanks for the additional info Carlo. I took a look at switching the docker network to "host", but it seems it's not possible to switch the container network once the container is created easily in the UI based on this reddit post. I was able to create a new container and point the mounts accordingly - thanks! Edited April 14, 2022 by emoby0 1
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now