network settings for ipv6


turpentine
Posted (edited)

Hello

i am using the latest emby version on DSM 6

in this section https://support.emby.media/support/articles/Hosting-Settings.html

it says emby server can filter a public source or range in Remote Connections IP Address Filters with a whitelist or blacklist.

is it possible to put an ipv6 public range to filter it ? 200x:xx00: /32 prefix ?

for example

200x:xx00:0000:0000:0000:0000:0000:0000-200x:xx00:ffff:ffff:ffff:ffff:ffff:ffff

have a nice day all.

Edited by turpentine
Posted

Hi, in theory but I don’t think we’ve tested this with ipv6. 

be careful though as you could end up locking yourself out of your own server.

turpentine
Posted

i have tested to put something like

2001:ab00:/32 and it does nothing, the user interface takes it, but it does nothing at all. i have tried to put a /64 host to blacklist for example, it does nothing. Everything is still working lol :) i am not blocked at all.

Q-Droid
Posted

Shouldn't the notation be 2001:ab00::/32    <-- extra ":"

turpentine
Posted (edited)
12 minutes ago, Q-Droid said:

Shouldn't the notation be 2001:ab00::/32    <-- extra ":"

i will retest without and with a ":", but when i put a complete ipv6 address with 64 mask there is no ":" at the end of ipv6 and it is not filtering the host.

Edited by turpentine
Q-Droid
Posted (edited)

Maybe you misunderstood. The two colons "::" are used to denote contiguous groups of 0s.

From Wikipedia: https://en.wikipedia.org/wiki/IPv6_address

Network address ranges are written in CIDR notation. A network is denoted by the first address in the block (ending in all zeroes), a slash (/), and a decimal value equal to the size in bits of the prefix. For example, the network written as 2001:db8:1234::/48 starts at address 2001:db8:1234:0000:0000:0000:0000:0000 and ends at 2001:db8:1234:ffff:ffff:ffff:ffff:ffff.

This doesn't mean Emby supports it but you need to make sure the notation is correct.

Edited by Q-Droid
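
The notation discussed above, as an added example that is not part of the original posts and is not Emby's code (it says nothing about how Emby itself parses filter entries). It uses Python's standard ipaddress module to validate an entry written as a host, a CIDR prefix, or a first-last range, to show the first and last address of each block, and to test whether a client address falls inside it. The function names are hypothetical and the sample values are constructed from the 2001:db8::/32 documentation prefix.

```python
import ipaddress

def parse_entry(entry):
    """Turn one filter entry into a list of ip_network objects.

    Accepts a single host, a CIDR prefix, or a "first-last" range.
    Malformed notation raises ValueError rather than being silently ignored.
    """
    entry = entry.strip()
    if "-" in entry:
        first, last = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
        # Collapse the range into the smallest set of CIDR blocks covering it.
        return list(ipaddress.summarize_address_range(first, last))
    # strict=False: a host address with a mask (host bits set) names its network.
    return [ipaddress.ip_network(entry, strict=False)]

def describe(entry):
    """Return (network, first address, last address) for each block in an entry."""
    return [(str(n), str(n[0]), str(n[-1])) for n in parse_entry(entry)]

def is_listed(client, entries):
    """True if the client address falls inside any entry of the list."""
    addr = ipaddress.ip_address(client)
    return any(addr in net for e in entries for net in parse_entry(e))

def is_valid(entry):
    """True if the entry parses; a single trailing ':' is rejected."""
    try:
        parse_entry(entry)
        return True
    except (ValueError, TypeError):
        return False

if __name__ == "__main__":
    # Constructed sample entries using the 2001:db8::/32 documentation prefix.
    for e in ["2001:db8:1234::/48", "2001:db8:1234::1/64",
              "2001:db8::-2001:db8:ffff:ffff:ffff:ffff:ffff:ffff", "2001:db8:/32"]:
        print(e, "->", describe(e) if is_valid(e) else "invalid notation")
    print(is_listed("2001:db8:1234::99", ["2001:db8:1234::1/64"]))
```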
turpentine
Posted (edited)
14 minutes ago, Q-Droid said:

Maybe you misunderstood. The two colons "::" are used to denote contiguous groups of 0s.

From Wikipedia: https://en.wikipedia.org/wiki/IPv6_address

Network address ranges are written in CIDR notation. A network is denoted by the first address in the block (ending in all zeroes), a slash (/), and a decimal value equal to the size in bits of the prefix. For example, the network written as 2001:db8:1234::/48 starts at address 2001:db8:1234:0000:0000:0000:0000:0000 and ends at 2001:db8:1234:ffff:ffff:ffff:ffff:ffff.

This doesn't mean Emby supports it but you need to make sure the notation is correct.

even with the correct notation it does not work, in fact emby does not check the syntax at all. even if you put 2001:db8:1234:0000:0000:0000:0000:0001 or 2001:db8:1234:0000:0000:0000:0000:0001/64 it does not care and does not filter anything.

so for the moment 2001:ab00::/32 (network) or hosts in /64 have no effect.

Edited by turpentine
Luke
Posted

Emby supports with or without the cidr notation.

turpentine
Posted
On 5/25/2025 at 11:51 PM, Luke said:

Emby supports with or without the cidr notation.

even if the cidr notation is supported, ipv6 host or network filtering does not work at all

Luke
Posted
7 hours ago, turpentine said:

even if the cidr notation is supported, ipv6 host or network filtering does not work at all

Hi, it works just fine. Many users around here use it. Are you sure you entered the correct values?

turpentine
Posted (edited)
50 minutes ago, Luke said:

Hi, it works just fine. Many users around here use it. Are you sure you entered the correct values?

it seems to work now, i had to stop and restart the synology package for it to work.

it seems to be software filtering, because there is a "forbidden" message that is displayed with a wrong source ipv6 address.

that means that i see wireshark packets responding in both ways. it is a pity that this is not real network filtering that simply ignores the network packets. this might show the port is open and listening. it is not really true network filtering :) but it works at least. i would prefer that emby does not reply to packets at all

Edited by turpentine
Luke
Posted
On 5/29/2025 at 2:28 PM, turpentine said:

it seems to work now, i had to stop and restart the synology package for it to work.

it seems to be software filtering, because there is a "forbidden" message that is displayed with a wrong source ipv6 address.

that means that i see wireshark packets responding in both ways. it is a pity that this is not real network filtering that simply ignores the network packets. this might show the port is open and listening. it is not really true network filtering :) but it works at least. i would prefer that emby does not reply to packets at all

I think for that kind of filter you would have to set it up at an earlier level than Emby Server, like in a reverse proxy so that the request never reaches your Emby Server.

turpentine
Posted (edited)
9 hours ago, Luke said:

I think for that kind of filter you would have to set it up at an earlier level than Emby Server, like in a reverse proxy so that the request never reaches your Emby Server.

this is a good idea

there is also a firewall in DSM 6.x, i will try to filter there, ipv6 seems to work weirdly in the user interface.

in a home environment and FTTH SLAAC ipv6 only connectivity, the home router allows you to filter only incoming ports. no access-lists like i would like.

there is indeed a reverse proxy on xpenology DSM 6. this reverse proxy provided by DSM6.2 is usually used to transform https requests to http requests for running services that do not support https or SSL certificates. i use cloudflare SSL. and fortunately emby server supports .p12 certificates. So if i use a reverse proxy for the emby port, the SSL certificate used will be the DSM cloudflare one, instead of emby's certificate. Should i remove the SSL cloudflare certificate in emby ?

Edited by turpentine
typo
Q-Droid
Posted

It's really up to you how you want to handle the TLS (SSL) connections. Most who use a reverse proxy have TLS termination at the proxy and run the Emby server with HTTP, no certs, using the reverse proxy options in the network settings. Some/few run end-to-end TLS maintaining HTTPS and certs for every segment and the server. Even fewer run HTTPS on LAN.

Using Cloudflare's origin cert on a properly configured reverse proxy there's little chance someone could guess your domain or even connect directly to your public IP.

Your choice.
