mediaGuy 8 Posted October 25, 2020
Depending on the router setup and its port forwarding, reverse proxy, VPN, NAT translation, etc., an external connection may appear to Emby as the local gateway address (which is considered local). I think it'd be good to not include the gateway IP as part of the "local network" to add an extra layer of security.
ebr 14850 Posted October 25, 2020
Hi. Can't you already do this in the server configuration?
mediaGuy 8 Posted October 25, 2020 Author
I don't think so unless I CSV every address I consider local in the settings. I thought about setting a remote blacklist and putting in the gateway address, but it makes no difference because the GW is considered local. Am I missing something?
ebr 14850 Posted October 25, 2020
15 minutes ago, mediaGuy said:
> unless I CSV every address I consider local in the settings
You can use ranges...
mediaGuy 8 Posted October 25, 2020 Author
Ah, perfect. Didn't see it in the help description. Thanks.
Edited October 25, 2020 by mediaGuy
mediaGuy 8 Posted October 25, 2020 Author
That didn't seem to work. I entered 192.168.1.2-192.168.1.254 and now I'm locked out. If by range you meant using a mask I don't think there's a way to filter out a single IP from a /24 mask.
Edited October 25, 2020 by mediaGuy
ebr 14850 Posted October 25, 2020
@cayars
Carlo 4328 Posted October 25, 2020
Hi,
Can you go over a specific example of how a remote user appears to be a local address on your system? Just need to understand your specific system a bit more and we can help you configure it better for your needs.
Carlo
mediaGuy 8 Posted October 25, 2020 Author
Emby sees the remote connection as the router's internal LAN address (192.168.1.1) so it thinks it's a local connection. I don't see a way within Emby's network settings to exclude 192.168.1.1 (default gateway) from what is considered the internal network (192.168.1.0/24).
Yes, I can adjust my router (pfSense) to report the external address but this isn't a guarantee and wouldn't work in all configurations. Considering Emby allows/disallows logins and passwords based on remote/local access, I think it would be a decent safety layer for Emby to consider the default gateway as remote.
ebr 14850 Posted October 25, 2020
Okay, so basically, you need the opposite of what we have now in settings...?
mediaGuy 8 Posted October 25, 2020 Author
A range option in the current box would be best (192.168.1.2-192.168.1.254). If it's the opposite or a blacklist/whitelist option (similar to remote) I don't think it'd be as easy. If I chose a blacklist then it could only block the specific addresses I'd enter. Then my other subnet ranges and VPN ranges would also need to be maintained in the blacklist.
Carlo 4328 Posted October 25, 2020
6 minutes ago, mediaGuy said:
> Yes, I can adjust my router (pfSense) to report the external address but this isn't a guarantee and wouldn't work in all configurations. Considering Emby allows/disallows logins and passwords based on remote/local access, I think it would be a decent safety layer for Emby to consider the default gateway as remote.
That would be the best solution as you want the actual address of the user, not the proxy or gateway.
Another thing you could do is change to using 192.168.0.1/23 instead of 24. That would give you the local IP of 192.168.0.1-192.168.1.254 of usable LAN IPs. You could then set things up so gateway and VPN use one /24 network while actual local IPs are in the other /24 network as far as Emby is concerned. Do you follow what I'm getting at?
PS I do agree being able to enter a range of IPs to treat as local would be ideal.
mediaGuy 8 Posted October 25, 2020 Author
I know what you mean with the /23 but I can't really do that with my setup. My router still needs to have dual LAN addresses (192.168.1.1 and 192.168.0.1) due to various VLANs I have on my network. So Emby will still see it as local.
Carlo 4328 Posted October 25, 2020
Could use /22 as well to get 4 C blocks. But if you can change pfSense to show the external IP that should fix the issue right there. Any reason you're not doing that now already?
mediaGuy 8 Posted October 25, 2020 Author
I do it already by enabling "forwardfor" on my reverse proxy. However this isn't a guaranteed method since it's only adding to the HTTP header and requiring the internal app to recognize it (which Emby does).
My system is working properly right now; I wanted to send in the request since external address reporting isn't always visible the way it is in pfSense and highly depends on how the user enters the firewall (VPN, Reverse Proxy, Port Forward, NAT, etc.).
I work in cyber security so I find myself always trying to add additional layers and precautions. I think adding the default gateway to Emby's "remote" list would be a great improvement to help cover the various router configs I mentioned above.
Carlo 4328 Posted October 25, 2020
OK didn't know if you had a specific problem we need to handle now for you. But yes your info is clear and understood.
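Added example, not part of the thread and not Emby's own code: the range mediaGuy entered (192.168.1.2-192.168.1.254) expanded into CIDR blocks, plus the rule he asks for, where a connection arriving from the gateway address counts as local only if a trusted proxy supplies a forwarded client address that is itself local. The function names, the constructed sample addresses, the proxy appending the real client as the last X-Forwarded-For entry, and whether Emby's local-network setting accepts a CIDR list are all assumptions.

```python
import ipaddress

def range_to_cidrs(ip_range):
    """Expand 'first-last' into the minimal list of CIDR blocks covering it."""
    first, last = (ipaddress.ip_address(p.strip()) for p in ip_range.split("-"))
    return list(ipaddress.summarize_address_range(first, last))

def is_local(peer_ip, forwarded_for, local_blocks, trusted_proxies):
    """Decide local vs. remote for one connection (hypothetical helper).

    peer_ip is the TCP source address the server sees; forwarded_for is the
    X-Forwarded-For header value, or None when the header is absent.
    """
    peer = ipaddress.ip_address(peer_ip)
    client = peer
    if forwarded_for and peer in trusted_proxies:
        # Assumption: the proxy appends the real client as the last entry,
        # so anything to its left is client-supplied and is ignored.
        try:
            client = ipaddress.ip_address(forwarded_for.split(",")[-1].strip())
        except ValueError:
            return False  # unparseable header from the proxy: treat as remote
    # A header sent by a peer that is not a trusted proxy is never consulted.
    return any(client in block for block in local_blocks)

# Constructed sample values: the thread's LAN with the gateway left out.
LOCAL = range_to_cidrs("192.168.1.2-192.168.1.254")
PROXIES = {ipaddress.ip_address("192.168.1.1")}

if __name__ == "__main__":
    print(",".join(str(b) for b in LOCAL))
    cases = [
        ("192.168.1.50", None),                        # LAN client, direct
        ("192.168.1.1", None),                         # NATed behind gateway, no header
        ("192.168.1.1", "203.0.113.7"),                # remote client via reverse proxy
        ("192.168.1.1", "192.168.1.50, 203.0.113.7"),  # remote client forging a LAN entry
        ("192.168.1.1", "192.168.1.50"),               # LAN client via reverse proxy
    ]
    for peer, xff in cases:
        verdict = "local" if is_local(peer, xff, LOCAL, PROXIES) else "remote"
        print(peer, xff, "->", verdict)
```

The range becomes 13 blocks, from 192.168.1.2/31 through 192.168.1.254/32, so a single address can be left out of a /24 without a dedicated range syntax.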