Emby IP and Firewall

[Arrgh 4]

Hi,

I cannot access my Emby Server remotely. When I turn off my Synology NAS firewall, I can access the Emby server just fine. I only have this problem when I have my firewall turned on. The firewall is setup to block all IP addresses, except for the ones I specify. I have the devices I try accessing Emby from on the IP exception/allow list, but it still won't let me through on Emby. I discovered that with other Synology apps, they recognize my local IP address from the device instead of the public IP address, even when I am accessing the server remotely. Example: DS Video lets me access it with my phones IP address (not public address) on the firewall allow list. Emby is the only app that wont let me access the server remotely with my phones IP address on my firewalls allow list.

However, when I identify my phones public IP address and enter it into the firewalls allow list, I can access my Emby Server. I don't understand why other Synology apps will recognize the regular Phone IP address and allow access to their app and yet Emby won't; Emby seems to be looking at the public IP address when accessing remotely.

I have a DDNS set up and I have that domain entered in the Emby Server network settings.

Any ideas on how I can keep my firewall active with the "do not allow any traffic except for specified IP addresses" rule and yet still be able to access my Emby Server remotely, without having to enter a different public IP address in my allow list every time I attempt to connect remotely?

Thank you.

[Luke 37024]

@FrostBytehave you tried this before?

[FrostByte 5044]

9 minutes ago, Luke said:

@FrostBytehave you tried this before?

No, I have no external users and don't host anything from my NAS externally.   Internally all my devices connect.

[Luke 37024]

@Arrgh did you figure this out?

[Arrgh 4]

I have not figured this out yet. My goal is to merely make my NAS as secure as I can considering I have to open ports for Emby to work while I am accessing remotely.

[Luke 37024]

@cayars may have some tips.

[rbjtech 4223]

I don't have any experience of the Synology - but this sounds to me like the Synology is running a reverse proxy and thus it is passing the WAN address to the Emby Server.  This is correct  - otherwise all remote users will be coming from the RP (synology) address.

Remember if using remote access via a RP, then you need to setup emby for remote use, but use the 'Lets RP decide' in the Emby remote config.

If you do not do this, then emby will see it as a non-local address and deny access.

[Carlo 4330]

Hi,

You likely have the other apps in the Synology Proxy but not Emby.  It changes slightly the way this works.

I'd suggest NOT adding Emby to the Proxy as it's an old version not really compatible with Emby and will cause additional issues.

Are you using the default Emby ports of 8096 and/or 8920?
You should be able to forward these directly from your router to Emby.

Worse case is you need to add a rule to the firewall for that port to allow it to pass through without being blocked.

Should be as simple as that.

Carlo
 

[Arrgh 4]

Thank you all. I will work with this new information and let you know what happens.

[Luke 37024]

Let us know how you get on. Thanks.

[Carlo 4330]

On 9/19/2022 at 3:01 AM, Arrgh said:

Thank you all. I will work with this new information and let you know what happens.

Any update?

Have you tried punching a whole through the firewall (per usual) for 8096 (whatever Emby port you are using)?  It might be as simple as that.
If you can't figure this out let me know and I'll try it on my Synology and/or do a remote session with you and help you get this ironed out and working.

Carlo

[Arrgh 4]

Thanks Carlo. I added a rule on my firewall to allow all IP addresses to the two Emby ports and it is now working. Its not the most secure, but it works.

[rbjtech 4223]

29 minutes ago, Arrgh said:

Thanks Carlo. I added a rule on my firewall to allow all IP addresses to the two Emby ports and it is now working. Its not the most secure, but it works.

Cool.

Did you try just opening the Synology IP (as the local source) to the Emby Server (as the local destination) on the emby ports ?

This is what I do with my reverse proxy f/w configuration using NGINX.

[Arrgh 4]

@rbjtech, I'm not sure I follow. Could you give a little more detail? You will have to forgive me, I am still learning the whole NAS thing.

[rbjtech 4223]

So assuming the Synology is working as a reverse proxy - the WAN connection is effectively terminated on the RP.

The RP then initiates a connection and FORWARDS the remote http request to your local emby host - it should also modify the http header to provide the original WAN IP address.

The RP will need access to the local emby host - so if it's on a different LAN or even on the same LAN - you are going to need to make sure the RP has access to your emby host (firewall etc).

Due to the modified header (with the WAN address), Emby will see the RP request as a 'remote' request - and thus be processed as such.

[Arrgh 4]

Okay, gotcha. I have actually been doing this without a reverse proxy. Maybe I should set up a reverse proxy, It would probably be more secure for streaming Emby remotely?

[Luke 37024]

On 9/22/2022 at 2:48 AM, Arrgh said:

Okay, gotcha. I have actually been doing this without a reverse proxy. Maybe I should set up a reverse proxy, It would probably be more secure for streaming Emby remotely?

Many believe that is more secure for remote access, yes.

[Arrgh 4]

Okay, I have a reverse proxy setup now but am struggling to make the mobile emby app work. I can punch the reverse proxy address in a web browser and it works just fine, but the app gives me a connection error saying it was unable to connect to the server. I think it has something to do with the space that it asks for a port number. How are you supposed to access your server with a reverse proxy using the mobile app?

[rbjtech 4223]

2 hours ago, Arrgh said:

Okay, I have a reverse proxy setup now but am struggling to make the mobile emby app work. I can punch the reverse proxy address in a web browser and it works just fine, but the app gives me a connection error saying it was unable to connect to the server. I think it has something to do with the space that it asks for a port number. How are you supposed to access your server with a reverse proxy using the mobile app?

No different to any other connection type - if you are using https - then just use the default port of 443.

You may have to clear out the app cache/settings and maybe even reload the app if it's playing hardball.. 

[Arrgh 4]

Well, I tried it with port 443 and it didn't work. So I cleared all app data and that didn't work. So I reinstalled and that didn't work. The weird thing is that even after clearing data and reinstalling, it logs me into my emby server automatically by IP. I have attached a photo of how I am entering the server information.

[rbjtech 4223]

you need the full url - as in https://emby.<blank>.synology.me

 

[Luke 37024]

11 minutes ago, Arrgh said:

Well, I tried it with port 443 and it didn't work. So I cleared all app data and that didn't work. So I reinstalled and that didn't work. The weird thing is that even after clearing data and reinstalling, it logs me into my emby server automatically by IP. I have attached a photo of how I am entering the server information.

If it's https, then make sure to explicitly prefix with https://

[Arrgh 4]

Of course... That worked. Thank you. Now I can filter the reverse proxy with an access profile by IP address. I feel it is much more secure now. Thank you all.