mutex 0 Posted October 8, 2024 (edited)

I'll try to give as much info as I can about my setup. I have a cable modem/router that hands out 192.168.0.0/16 addresses, my Emby server is 192.168.1.2. Right now my external IP is 72.71.X.X. I've set up port fwding on the router. The Settings dashboard correctly shows my setup:

In-Home (LAN) access: http://192.168.1.2:8096
Remote (WAN) access: http://72.71.X.X:8096

Allow remote connections is enabled, and if I try http://72.71.X.X:8096 from my cell (wifi is off) it works as expected. I'd like to whitelist who's going to access this, so I set "remote ip address filter mode" to whitelist and added my phone's IP (172.56.119.57) to "remote address filter", but I get a "forbidden" when I try to access it from my phone. This is what it looks like in the debug logs:

2024-10-08 00:52:15.445 Debug Server: http/1.1 GET http://emby_remote_ip:8096/favicon.ico. Source Ip: host4, UserAgent: Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Mobile Safari/537.36
2024-10-08 00:52:15.446 Info Server: http/1.1 Response 403 to host4. Time: 0ms. GET http://emby_remote_ip:8096/favicon.ico

Any idea why the whitelist isn't working as expected?

Edited October 8, 2024 by seanbuff: removed public IP for privacy

Abobader 3464 Posted October 8, 2024

Hello mutex,

** This is an auto reply **

Please wait for someone from staff support or our members to reply to you. It's recommended to provide more info, as explained in this thread:

Thank you.
Emby Team

Carlo 4561 Posted October 8, 2024

Hi,

Try removing the entry you added to "Remote IP address filter" and log into the server on your phone. Now check the Emby Dashboard or the server log file for the phone's IP address. Is it the same or different from what you entered?

Using a whitelist with a cell phone is likely not going to work as your cell phone is going to get different IPs all the time. It might be behind a CG-NAT at times as well. Cell phone traffic could go through a transparent proxy as well without your knowledge. Lots of things like this happen on cell networks. Also keep in mind your cell phone doesn't have a static IP and depending on the carrier you could get a different IP if your cell connection switches towers.

If you do see different IPs but they all start with the same first two or three numbers, you might be able to use the "IP/netmask" format for the whitelist. This might still cause problems at times if your cell phone roams to a different network, as they would likely have a completely different set of IPs and IP tricks they use.

If the whitelist doesn't work for you, check out Tailscale. It allows you to set up a private overlay network for your own use. You could set Emby Network to support your two IP networks (real local IPs & the overlay tunnel IP subnet given to you by Tailscale). You might need to add entries to "LAN networks" & "Local IP address" in the network config page. You could then turn off remote access in Emby because the Tailscale tunnel connections will appear as local connections to Emby Server. With this method no outside devices or computers can access your Emby Server unless they have the Tailscale tunnel running and of course have been added already to your overlay network.

Carlo

moviepalace4K 29 Posted October 8, 2024

The first three numbers on the server (192.168.1.xx) must be the same as the router.

mutex 0 Posted October 9, 2024 Author

The Emby server is 192.168.1.3 and the router is 192.168.1.1 so they're on the same subnet.

I was only using my cellphone as a testing device, since it's a handy external IP to test with. I don't want to actually use it to connect once the whitelist is working. I work as a Linux sysadmin so I'm able to connect to webservers at work with my phone and then check the server logs to get the phone's IP to make sure I have the correct one. If I remove the phone's IP from the filter and connect with my phone, yes it shows up correctly in the dashboard with the same IP.

I had a friend give me their IP (I had them use whatsmyip) and the whitelist didn't work with them either. If I removed their IP from the filter it also showed up correctly.

Other than Tailscale, any other ideas to get the whitelist working?

moviepalace4K 29 Posted October 9, 2024

Ask your buddy his public IP address and fill it in on your server. Then indicate whitelist or blacklist.

visproduction 315 Posted October 9, 2024 (edited)

I think the phone's IP source address is masked by the encapsulation inside the 4G or 5G mobile data. Linux may not be able to pull it out because the TCP packets are inside the 5G packets, so it never will recognize the phone's temp IP address as valid. Since no one really needs to check a mobile temp IP address for any reason, I don't think any program has bothered to make that work easily.

Do phones actually get a temp IP address when TCP packets are wrapped in 5G and sent anyway to the phone's mobile ID in a data stream? I have never heard anyone talk about mobile IP addresses before. Maybe you are looking at a host's network IP address. Look up the actual IP with traceroute and you will probably find it belongs to a network host, not your phone.

Why not check from a remote workstation with a proper IP address that doesn't get hidden inside 5G wrapper? That seems like a better whitelist test.

I have not bothered to look this up, but I do not about TCP wrapped inside of 5G. I am just guessing that screws up the IP info coming into your server.

Edited October 9, 2024 by visproduction

pwhodges 2012 Posted October 9, 2024

The phone has an IP address (temporary); the fact that the IP packets are carried over 4G or 5G matters no more than their being carried over ADSL or wifi.

Paul

Carlo 4561 Posted October 9, 2024

Hi,

Can you try something for me? Try entering the whitelist using a subnet in the format "IP/netmask". Try setting this using 255.255.255.255 for the netmask. I try a C class subnet with a netmask of 255.255.255.0

Does that make any difference?

mutex 0 Posted October 9, 2024 Author (edited)

visproduction: I can't access the workstations at work without a VPN, which would complicate things further, and right now it's the only computer I have. I'm pretty sure I have the correct IP for the phone since it shows up in Emby when I connect with it, and Emby works when I don't try to use the whitelist.

Carlo: My cell IP is now 172.56.199.250 so I tried 172.56.199.250/255.255.255.255 and 172.56.199.0/255.255.255.0 but it's still forbidden.

I'm only going to allow 1 person to connect that uses FiOS and they usually keep their IPs for a while. I guess I can always use the Windows firewall to accomplish the same thing.

Thanks for everyone that chimed in!

Edited October 9, 2024 by mutex

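
The filter entries tried in the posts above, evaluated under standard subnet semantics with Python's `ipaddress` module, as a way to rule out a typo or a changed address before suspecting the server. This is an added example, not part of the original thread and not Emby's implementation; the function names, the malformed wildcard entry and the IPv4-mapped IPv6 case (a generalization beyond what the thread discusses) are assumptions made for illustration.

```python
import ipaddress

def parse_entry(entry):
    """Parse 'IP', 'IP/prefixlen' or 'IP/netmask'; return None if malformed."""
    try:
        # strict=False accepts host bits, e.g. 172.56.199.250/255.255.255.0
        return ipaddress.ip_network(entry.strip(), strict=False)
    except ValueError:
        return None

def normalize(source_ip):
    """Address to compare: unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d)."""
    addr = ipaddress.ip_address(source_ip.strip())
    if addr.version == 6 and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr

def explain(source_ip, entries):
    """Return (entry, verdict) pairs: 'match', 'no match' or 'invalid'."""
    addr = normalize(source_ip)
    verdicts = []
    for entry in entries:
        net = parse_entry(entry)
        if net is None:
            verdicts.append((entry, "invalid"))  # malformed entries fail closed
        elif net.version == addr.version and addr in net:
            verdicts.append((entry, "match"))
        else:
            verdicts.append((entry, "no match"))
    return verdicts

def is_allowed(source_ip, entries):
    """True if at least one well-formed entry contains the source address."""
    return any(v == "match" for _, v in explain(source_ip, entries))

# Entries taken from the thread, plus one constructed malformed entry.
ENTRIES = [
    "172.56.119.57",                   # phone's address on October 8
    "172.56.199.250/255.255.255.255",  # single host, netmask form
    "172.56.199.0/255.255.255.0",      # /24, netmask form
    "172.56.199.*",                    # constructed: wildcard form is invalid
]

if __name__ == "__main__":
    for src in ("172.56.199.250", "::ffff:172.56.199.250", "172.56.119.57"):
        print(src, explain(src, ENTRIES))
```

The October 8 entry no longer matches the October 9 address, while both netmask-form entries do match it.
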
Carlo 4561 Posted October 9, 2024

OK thanks, we'll take a look at this to see if we can reproduce it.

@Luke Can you have a look at this to see if anything has changed that would cause this?

visproduction 315 Posted October 10, 2024

On 10/9/2024 at 8:38 AM, pwhodges said:

The phone has an IP address (temporary); the fact that the IP packets are carried over 4G or 5G matters no more than their being carried over ADSL or wifi.

Paul

Paul,

Most of this is ignored by developers. There is not much you can do about it. But TCP over 5G gets more lost segments, ACKs out of order and all sorts of possible slowing when TCP is encapsulated inside 5G. There are many tweaks that mobile data uses to make it better, but it is not the same as direct connection with no wireless. That's the comparison I was making. See:

https://ieeexplore.ieee.org/document/9205403 (I have the full pdf of this one)
https://ieeexplore.ieee.org/document/8466604
https://ieeexplore.ieee.org/document/10692896