
LAN Gateway Not Considered Local Network


mediaGuy


mediaGuy

Depending on the router setup and its port forwarding, reverse proxy, VPN, NAT translation, etc., an external connection may appear to Emby as the local gateway address (which is considered local).

I think it'd be good to not include the gateway IP as part of the "local network" to add an extra layer of security.


mediaGuy

I don't think so unless I CSV every address I consider local in the settings.

I thought about setting a remote blacklist and putting in the gateway address, but it makes no difference because the GW is considered local.

Am I missing something?


15 minutes ago, mediaGuy said:

unless I CSV every address I consider local in the settings

You can use ranges...


mediaGuy

That didn't seem to work.  I entered 192.168.1.2-192.168.1.254 and now I'm locked out.

If by range you meant using a mask I don't think there's a way to filter out a single IP from a /24 mask.

Edited by mediaGuy
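Added example, not part of the original posts: a range such as 192.168.1.2-192.168.1.254, or a /24 with one address removed, can be written as a short list of CIDR blocks with Python's standard `ipaddress` module. Whether Emby's local-network setting accepts such a comma-separated list is an assumption here, and the function names are illustrative.

```python
import ipaddress

def range_to_cidrs(first, last):
    """Smallest list of CIDR blocks covering exactly first..last (inclusive)."""
    blocks = ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))
    return [str(b) for b in blocks]

def subnet_minus(subnet, excluded):
    """CIDR blocks covering `subnet` with each address in `excluded` removed."""
    blocks = [ipaddress.ip_network(subnet)]
    for addr in excluded:
        hole = ipaddress.ip_network(addr)  # a bare address becomes a /32
        remaining = []
        for block in blocks:
            if hole.version == block.version and hole.subnet_of(block):
                # Split the block into the pieces that do not contain the hole.
                remaining.extend(block.address_exclude(hole))
            else:
                remaining.append(block)
        blocks = remaining
    return [str(b) for b in sorted(blocks)]

def is_covered(cidrs, addr):
    """True if `addr` falls inside any block of `cidrs`."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(c) for c in cidrs)

if __name__ == "__main__":
    # Addresses taken from the thread: the /24 LAN and its gateway.
    print(",".join(range_to_cidrs("192.168.1.2", "192.168.1.254")))
    print(",".join(subnet_minus("192.168.1.0/24", ["192.168.1.1"])))
```

The second form keeps 192.168.1.0 and 192.168.1.255 in the list, which is harmless because no host uses the network or broadcast address as a source.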

Hi, can you go over a specific example of how a remote user appears to be a local address on your system?
Just need to understand your specific system a bit more and we can help you configure it better for your needs.

Carlo


mediaGuy

Emby sees the remote connection as the router's internal LAN address (192.168.1.1) so it thinks it's a local connection.

I don't see a way within Emby's network settings to exclude 192.168.1.1 (default gateway) from what is considered the internal network (192.168.1.0/24).

 

Yes, I can adjust my router (pfSense) to report the external address but this isn't a guarantee and wouldn't work in all configurations.  Considering Emby allows/disallows logins and passwords based on remote/local access, I think it would be a decent safety layer for Emby to consider the default gateway as remote.


mediaGuy

A range option in the current box would be best (192.168.1.2-192.168.1.254).

If it's the opposite or a blacklist/whitelist option (similar to remote) I don't think it'd be as easy.  If I chose a blacklist then it could only block the specific addresses I'd enter.  Then my other subnet ranges and VPN ranges would also need to be maintained in the blacklist.


6 minutes ago, mediaGuy said:

Yes, I can adjust my router (pfSense) to report the external address but this isn't a guarantee and wouldn't work in all configurations.  Considering Emby allows/disallows logins and passwords based on remote/local access, I think it would be a decent safety layer for Emby to consider the default gateway as remote.

That would be the best solution as you want the actual address of the user not the proxy or gateway.

Another thing you could do is change to using 192.168.0.1/23 instead of 24.
That would give you the local IP of 192.168.0.1-192.168.1.254 of usable LAN IPs.

You could then set things up so gateway and VPN use one /24 network while actual local IPs are in the other /24 network as far as Emby is concerned.

Do you follow what I'm getting at?

 

PS I do agree being able to enter a range of IPs to treat as local would be ideal.


mediaGuy

I know what you mean with the /23 but I can't really do that with my setup.  My router still needs to have dual LAN addresses (192.168.1.1 and 192.168.0.1) due to various VLANs I have on my network.  So Emby will still see it as local.


Could use /22 as well to get 4 C blocks.
But if you can change pfSense to show the external IP that should fix the issue right there.  Any reason you're not doing that now already?


mediaGuy

I do it already by enabling "forwardfor" on my reverse proxy.  However this isn't a guaranteed method since it's only adding to the HTTP header and requiring the internal app to recognize it (which Emby does).  My system is working properly right now; I wanted to send in the request since external address reporting isn't always visible the way it is in pfSense and highly depends on how the user enters the firewall (VPN, Reverse Proxy, Port Forward, NAT, etc.).

I work in cyber security so I find myself always trying to add additional layers and precautions.  I think adding the default gateway to Emby's "remote" list would be a great improvement to help cover the various router configs I mentioned above.

  • Like 1
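Added example, not Emby's code and not from the original posts: a sketch of the classification the request describes, where a connection whose source is the gateway is treated as remote unless a trusted proxy supplies the real client in X-Forwarded-For. The function names, the trusted-proxy set and the sample addresses are assumptions made for illustration.

```python
import ipaddress

def resolve_client(peer, xff_header, trusted_proxies):
    """Address to classify: the TCP peer, unless the peer is a trusted proxy,
    in which case walk X-Forwarded-For from the right and take the first hop
    that is not itself a trusted proxy."""
    peer_ip = ipaddress.ip_address(peer)
    if peer_ip not in trusted_proxies or not xff_header:
        return peer_ip  # header from an untrusted peer is ignored
    for hop in reversed([h.strip() for h in xff_header.split(",")]):
        try:
            hop_ip = ipaddress.ip_address(hop)
        except ValueError:
            return peer_ip  # malformed header: fall back to the peer
        if hop_ip not in trusted_proxies:
            return hop_ip
    return peer_ip  # every hop was a proxy, so the origin is unknown

def classify(peer, xff_header, local_nets, gateways, trusted_proxies=frozenset()):
    """Return "local" or "remote" for one connection."""
    client = resolve_client(peer, xff_header, trusted_proxies)
    if client in gateways:
        # Source was rewritten by NAT or a proxy: origin unknown, fail closed.
        return "remote"
    if any(client in net for net in local_nets):
        return "local"
    return "remote"

# Constructed sample configuration using the thread's addresses.
LOCAL_NETS = [ipaddress.ip_network("192.168.1.0/24")]
GATEWAYS = {ipaddress.ip_address("192.168.1.1")}

if __name__ == "__main__":
    cases = [("192.168.1.50", None, frozenset()),
             ("192.168.1.1", None, frozenset()),
             ("192.168.1.1", "203.0.113.7", GATEWAYS),
             ("192.168.1.1", "192.168.1.60, 203.0.113.7", GATEWAYS)]
    for peer, xff, proxies in cases:
        print(peer, xff, classify(peer, xff, LOCAL_NETS, GATEWAYS, proxies))
```

Reading the header from the right means a client-supplied left-hand entry cannot make an external connection look local.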

OK, didn't know if you had a specific problem we need to handle now for you.

But yes, your info is clear and understood.
