Web access forbidden even on local network

[fogpuppy 1]

I find that I have to click the option "Connection to this Emby Server" to allow a web browser to connect even though the client IS on the same local network (subnet).  I get a "Forbidden" message.  Once I connect the Remote access option the web browser works fine.  I CAN connect with the Emby app. (not sure if that is related or useful info).  Am I misunderstanding the meaning of Remote?  I assumed that would mean outside my local network...

[mastrmind11 717]

9 minutes ago, fogpyppy said:

I find that I have to click the option "Connection to this Emby Server" to allow a web browser to connect even though the client IS on the same local network (subnet).  I get a "Forbidden" message.  Once I connect the Remote access option the web browser works fine.  I CAN connect with the Emby app. (not sure if that is related or useful info).  Am I misunderstanding the meaning of Remote?  I assumed that would mean outside my local network...

do you have an external domain set up for the server?  if so and you're using the domain name in the browser, it has to go out to the internet then back in to your server (unless you have loopback setup on your router).  the app is smart enough to use the IP directly when on your local network.

[fogpuppy 1]

I'm using a domain name of xxx.local:8096 which is a dmain name resolved by the local (in house) DHCP server provided by the router.  So it *should* not go outside ....

[mastrmind11 717]

2 minutes ago, fogpyppy said:

I'm using a domain name of xxx.local:8096 which is a dmain name resolved by the local (in house) DHCP server provided by the router.  So it *should* not go outside ....

yeah that wouldn't do it.  hmm.  what happens when you use the IP though?

[fogpuppy 1]

A direct ip address does not trigger the issue.I have left the LAN Networks field blank in networking because as I read it ... it should keep my local 192.168.x.x addresses as local by default

Also if I ping the Emby server I get

PING bbair-ife.local (192.168.7.57): 56 data bytes

64 bytes from 192.168.7.57: icmp_seq=0 ttl=64 time=106.811 ms

So it definitely appears that dns lookup is resolving to a local address.  Shouldn't the logic be ... look up the address ... then check to see if it's local ....

[mastrmind11 717]

and you have no proxy anywhere in between?

[fogpuppy 1]

I *would hope* this has no bearing on the problem/answer but my server is running Unbuntu linux.

[fogpuppy 1]

no proxy servers

[fogpuppy 1]

not sure if this helps in any way .... but here is the routes table form the Mac I'm trying to connect from. 192.168.7.57 is the Emby server and 192.168.7.49 is the Mac

 

netstat -rn

Routing tables

 

Internet:

Destination        Gateway            Flags        Netif Expire

default            192.168.7.1        UGSc           en1       

127                127.0.0.1          UCS            lo0       

127.0.0.1          127.0.0.1          UH             lo0       

169.254            link#7             UCS            en1      !

169.254.147.245    0:5:cd:2b:93:f5    UHLSW          en1      !

192.168.7          link#7             UCS            en1      !

192.168.7.1/32     link#7             UCS            en1      !

192.168.7.1        4c:1:43:a8:5:c2    UHLWIir        en1   1162

192.168.7.21       f8:38:80:e4:5b:80  UHLWIi         en1    164

192.168.7.24       b4:f6:1c:5c:92:e8  UHLWIi         en1   1032

192.168.7.28       b0:fc:d:af:33:41   UHLWI          en1   1090

192.168.7.32       f8:38:80:57:c5:2   UHLWI          en1   1028

192.168.7.39       74:d6:37:5a:1c:37  UHLWI          en1    251

192.168.7.49/32    link#7             UCS            en1      !

192.168.7.54       8c:49:62:2d:c7:d4  UHLWI          en1   1090

192.168.7.57       5c:80:b6:95:9c:e6  UHLWIi         en1   1036

192.168.7.67       28:ff:3c:9e:c9:31  UHLWIi         en1    628

224.0.0/4          link#7             UmCS           en1      !

224.0.0.251        1:0:5e:0:0:fb      UHmLWI         en1       

239.255.255.250    1:0:5e:7f:ff:fa    UHmLWI         en1       

255.255.255.255/32 link#7             UCS            en1      !

 

Internet6:

Destination                             Gateway                         Flags         Netif Expire

default                                 fe80::%utun0                    UGcI          utun0       

default                                 fe80::%utun1                    UGcI          utun1       

::1                                     ::1                             UHL             lo0       

fe80::%lo0/64                           fe80::1%lo0                     UcI             lo0       

fe80::1%lo0                             link#1                          UHLI            lo0       

fe80::%en6/64                           link#5                          UCI             en6       

fe80::aede:48ff:fe00:1122%en6           ac:de:48:0:11:22                UHLI            lo0       

fe80::aede:48ff:fe33:4455%en6           ac:de:48:33:44:55               UHLWIi          en6       

fe80::%en1/64                           link#7                          UCI             en1       

fe80::7:fd8a:fb20:7e69%en1              a4:83:e7:19:32:b3               UHLI            lo0       

fe80::826:f6fd:3740:f000%en1            28:ff:3c:9e:c9:31               UHLWI           en1       

fe80::c3c:cfcd:5dfe:1013%en1            f8:38:80:57:c5:2                UHLWI           en1       

fe80::ca5:318a:c7b:5d74%en1             f8:38:80:e4:5b:80               UHLWI           en1       

fe80::5dea:5c37:eb54:d5ed%en1           5c:80:b6:95:9c:e6               UHLWI           en1       

fe80::%awdl0/64                         link#9                          UCI           awdl0       

fe80::6422:30ff:fe8f:645a%awdl0         66:22:30:8f:64:5a               UHLI            lo0       

fe80::%llw0/64                          link#10                         UCI            llw0       

fe80::6422:30ff:fe8f:645a%llw0          66:22:30:8f:64:5a               UHLI            lo0       

fe80::%utun0/64                         fe80::1631:bbab:b8ca:3623%utun0 UcI           utun0       

fe80::1631:bbab:b8ca:3623%utun0         link#16                         UHLI            lo0       

fe80::%utun1/64                         fe80::4c33:64d1:a97b:7298%utun1 UcI           utun1       

fe80::4c33:64d1:a97b:7298%utun1         link#17                         UHLI            lo0       

ff01::%lo0/32                           ::1                             UmCI            lo0       

ff01::%en6/32                           link#5                          UmCI            en6       

ff01::%en1/32                           link#7                          UmCI            en1       

ff01::%awdl0/32                         link#9                          UmCI          awdl0       

ff01::%llw0/32                          link#10                         UmCI           llw0       

ff01::%utun0/32                         fe80::1631:bbab:b8ca:3623%utun0 UmCI          utun0       

ff01::%utun1/32                         fe80::4c33:64d1:a97b:7298%utun1 UmCI          utun1       

ff02::%lo0/32                           ::1                             UmCI            lo0       

ff02::%en6/32                           link#5                          UmCI            en6       

ff02::%en1/32                           link#7                          UmCI            en1       

ff02::%awdl0/32                         link#9                          UmCI          awdl0       

ff02::%llw0/32                          link#10                         UmCI           llw0       

ff02::%utun0/32                         fe80::1631:bbab:b8ca:3623%utun0 UmCI          utun0       

ff02::%utun1/32                         fe80::4c33:64d1:a97b:7298%utun1 UmCI          utun1       

[fogpuppy 1]

BTW i see similar problems form my iPhone and my iPad on the same network ....

[Luke 37178]

Did you customize any server network settings?

[fogpuppy 1]

You mean on the Emby server ... Nope.  And the Linux setup is about as vanilla as it gets. I'm running no firewalls, proxies, etc.   Just a straight up DHCP config from the wifi router.

[fogpuppy 1]

Any more thoughts here.  I also get this problem in my stand alone linux hotspot where my server acts as it's own hotspot. It's not a huge issue but I'd like to try to get to the botten of the problem.

[Happy2Play 8332]

You are saying there are no settings applied on Dashboard-Network, correct?  I know that is the only way I have ever got Forbidden.

[fogpuppy 1]

I have changed nothing on the Server - Network section of the Emby server config (excpet to change the "remote access" which seems to be what fixes the issue but also opens up the server pretty widely.

[Happy2Play 8332]

4 minutes ago, fogpyppy said:

I have changed nothing on the Server - Network section of the Emby server config (excpet to change the "remote access" which seems to be what fixes the issue but also opens up the server pretty widely.

That would suggest Emby sees your connections as Remote.  Is Emby showing a LAN and WAN access on the Dashboard.

[fogpuppy 1]

The dashboard shows a valid IP address of 192.168.7.xxxx:8096 for Local and a 142. address for Remote (when I have it turned on).  The device trying to connect in also on a 192.168.7.xxxx.  So they are both on the same subnet.  

 

[Happy2Play 8332]

Only thing I can think of is appling LAN network setting to see if it works.

[fogpuppy 1]

are you saying fill in Area at the top of netowrk that defines what is "local".  I can do that ... but as I read it it seems like it shoudl already be automttically allowing all 10. and 192.168 addresses .... right?

[Happy2Play 8332]

17 minutes ago, fogpyppy said:

are you saying fill in Area at the top of netowrk that defines what is "local".  I can do that ... but as I read it it seems like it shoudl already be automttically allowing all 10. and 192.168 addresses .... right?

No it should only be allowing everything on the same subnet as the server.  I could be wrong but @Luke are all private networks considered local?

If left blank, only the server's subnet and common private IP subnets (10.0.0.0/8, 192.168.0.0/24, etc.) are considered to be on the local network.

But there would appear to be something going on with your setup though, if I am following this topic correctly things only work if you Allow Remote Connections, correct?

Edited June 18, 2020 by Happy2Play

[fogpuppy 1]

I agree there is most definitely "something going on" in my setup thought it's not very "exotic"..  I'm about to try resetting the entire box back to a freshly install Ubuntu OS and only installing only the minimal stuff I need to make the Emby server run.  Then If it happens again I'll have a 100% clean reproduce case ...  

If I do and it still happens is there any additional information that people want me to collect that might be useful beside the logs?

Edited June 18, 2020 by fogpyppy

[fogpuppy 1]

Ok I *think* I know what's going on.  I installed Emby on my Mac and I'm getting the same issue.  Here is what I was able to figure out.  If I hit it by domain name "mac-mini.local" I get a forbidden.  If I hit it by IP address then it works.  So I decided to ping by domain name and I got a connection but it's an IP6 address not a IP4 address.  but I did check and it seems like they are still both on the same ip6 subnet if I remeber my IP6 address info well enough).  The addresses in question are:

iPad addresses: fd0b:2f0a:3eff:1:8fc:2aae:68cd:56aa and fd0b:2f0a:3eff:1:7125:b88:a234:2659

mac (emby server) address: fd0b:2f0a:3eff:1:1406:a9a3:818:1164 and fd0b:2f0a:3eff:1:1942:abb7:e83a:1a8d

Router address (if it matters): fe80::4e01:43ff:fea8:5c2

So ... not sure why dns lookup is deciding toe return a ip6 address instead of an ip4 one but ... should it matter?  They are still in the same still in the same local subnet.

[fogpuppy 1]

one last bit of data (sorry for the multiple  messages) but the ping by name was actually returning the link local adrdess of  fe80::14dd:4bfb:6bb4:12b9 and I did confirm that is the correct link local for the mac server.

[fogpuppy 1]

and from the log you can see it is connecting using a valid ip6 link local address from my iPad.  So it looks like ip6 support does NOT understand link local addresses as being "local"

2020-06-19 12:24:51.228 Info HttpServer: HTTP GET http://[fe80::14dd:4bfb:6bb4:12b9]:8096/. UserAgent: Mozilla/5.0 (iPhone; CPU iPhone OS 13_6 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.1.2 Mobile/15E148 Safari/604.1
2020-06-19 12:24:51.228 Info HttpServer: HTTP Response 403 to fe80::1849:62ab:e96:9eae%7. Time: 0ms. http://[fe80::14dd:4bfb:6bb4:12b9]:8096/
 

[Luke 37178]

We'll take a look. Thanks for reporting. Your workaround for now would be to connect by ip address.