
Exclude single ip from local network?



Posted

Is there a way to exclude a single IP from what the server considers the local network? For some reason the Emby server now sees my connection with my VPN as coming from my router (which it is; my router is also the VPN server). Would I simply have to add the IPs and subnets into the allowed portion and exclude the router?

riothamus
Posted (edited)

Yeah, you could add just the actual LAN subnet to the allowed list under Emby's settings, and exclude the range that your VPN assigns to its clients.  Note that it only pertains to bandwidth restrictions.

 

 

Comma separated list of IP addresses or IP/netmask entries for networks that will be considered on local network when enforcing bandwidth restrictions. If set, all other IP addresses will be considered to be on the external network and will be subject to the external bandwidth restrictions. If left blank, only the server's subnet is considered to be on the local network.

 

If you want to go the firewall route to completely block a network's access to your Emby server (assuming firewalld here, not sure what your distro is, and using 192.168.10.0/24 as a source network range for an example):

firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='192.168.10.0/24' port port='8096' protocol='tcp' drop"
firewall-cmd --reload
Edited by riothamus
Posted (edited)

 


Thank you, I wish it was this easy, honestly. Emby sees my VPN IP address as the address of my router now. (My OpenVPN subnet is a 10. IP and my local network is 192.168.1.0/24.) When I log in to Emby over my OpenVPN it shows my phone as 192.168.1.1 (my router / OpenVPN) rather than the 10. address my OpenVPN network gives it. Not really sure how that is happening. Also, I'm not looking to block access, just looking to have it properly identified as not local.

Edited by tdiguy
riothamus
Posted

What are you using as your OpenVPN aggregator?  pfSense or something else?

Posted


That I am not completely sure of. I have DD-WRT on my router, which supports OpenVPN.

Posted (edited)

Do you have this in your OpenVPN configuration?

redirect-gateway autolocal

You might want to have a look at this page:

 

https://community.openvpn.net/openvpn/wiki/IgnoreRedirectGateway

No, that is not in my config. What will that do?

OK, so that tries to determine if the local flag should be used or not. Which I imagine might help with Emby seeing the 192 address or the 10 address?

Edited by tdiguy
riothamus
Posted

That option would force all client traffic through your VPN tunnel, making it the default gateway on your clients.

 

So, just to clarify, you want Emby to not see your VPN network (your 10.x.x.x range) as local to the Emby server, correct?  If that is the case, then putting the rest of your network into Emby's configuration (Dashboard->Advanced->LAN Networks and enter in only your local subnet) will force Emby to see just the 192.160.1.0/24 network as local, and restrict bandwidth to anything else.

 

As for your phone device showing up as a 192.168.1.0/24 device, that is likely happening due to how OpenVPN is configured on your router.  Would you mind posting your OpenVPN server config?  (You can leave out any sensitive bits, I'm mostly curious about the network assignment portions of the configuration).

Posted


OK, I already force all my VPN traffic over the VPN connection. The problem is that Emby sees my VPN traffic as coming from 192.168.1.1, not 10. I don't really have issues with the VPN itself; it's working as I expect it to.

riothamus
Posted

 

The problem is that emby sees my vpn traffic as coming from 192.168.1.1 not 10.

 

Which would make sense as your VPN server and router are on the same box, and that the router is going to be the last hop (192.168.1.1) before it reaches your server.  So, if you connect your phone to the VPN, it should get one of your 10.x.x.x VPN addresses.  Then, when it connects back to your VPN server, OpenVPN is going to route the traffic over to your default gateway (your router), which hands the traffic to your Emby server.  The last bit of traffic that Emby sees is the IP of your router, hence your phone showing up as your router's IP.

Posted


Yeah, I agree that does make sense. Is there a good way to exclude my router's IP from what is considered the local network by Emby, rather than specifying multiple IPs / subnets as being local?

riothamus
Posted

What is your DHCP range for your local 192.168.1.0/24 network?  You might be able to just include that range in the Advanced tab to be considered local.

Posted


Good point. I have it set to hand out 192.168.1.100 and up as IPs, which is going to be messy because that does not fall neatly into a subnet, but I wasn't thinking about that when I set it up.

riothamus
Posted

You could try using 192.168.1.128/25 as the range in the Advanced->LAN networks: field within Emby, and set up your DHCP range to reflect that.  Just a thought.

Posted

Yeah, then I will only have to add in my home laptop as a local IP. I have several filter rules in the router for it so my damn Blizzard games will play nice and update.

riothamus
Posted

Let us know if that works out.  I'm curious to see how it pans out for you.

Posted

Looks like this will work just fine. When I connected from my VPN it started transcoding due to bitrate.

Posted

Never mind, this is not working well; there are some holes as to what IPs are covered with a /25.

riothamus
Posted

What was it that didn't work?

Posted

Several of my devices fell outside the range. To do this properly I would have to specify multiple ranges and several single ips.

 


Posted

Unless, of course, I can specify a range that doesn't make sense in networking, like 192.168.1.2-255.

 


riothamus
Posted

Is your DHCP server set up to only hand out IP's within the /25 range?

Posted

No, it's set up for 100-255. It's a bit odd, but it allows me to specify a starting IP, and I have it set with 100 as the start so I can reserve IPs for network printers, cameras and such.

riothamus
Posted

OK. That looks right if you're using /25. Are the IPs that are still getting assigned bandwidth restrictions within that range? It actually would be really nice to have the ability to just specify a range that would get excluded (such as your example above) rather than just using individual IPs or subnet ranges.

Posted

I had an IP of 192.168.1.106 that was not restricted, then I had an IP of 192.168.1.136 that did get restricted. So to do it right I would have to either reconfigure my DHCP range or specify multiple subnets.
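
Added example (not from any post in this thread, and not Emby's code): a Python sketch that builds the comma-separated CIDR list for the LAN networks field when one address, here the router/VPN endpoint 192.168.1.1, has to be left out of 192.168.1.0/24, and that converts an unaligned range such as the 192.168.1.100-255 DHCP pool into CIDR blocks. It assumes the field accepts prefixes of any length, including /32; the function names and the 10.8.0.6 VPN client address are constructed for illustration.

```python
import ipaddress

def exclude_hosts(subnet, excluded):
    """Return the CIDR blocks covering `subnet` minus every address in `excluded`."""
    blocks = [ipaddress.ip_network(subnet)]
    for host in excluded:
        hole = ipaddress.ip_network(host)  # a bare address parses as a /32
        remaining = []
        for block in blocks:
            if hole.subnet_of(block):
                # Split the block around the hole, keeping everything else.
                remaining.extend(block.address_exclude(hole))
            else:
                remaining.append(block)
        blocks = remaining
    return sorted(blocks)

def range_to_cidrs(first, last):
    """Return the minimal CIDR blocks covering an arbitrary first-last range."""
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))

def is_local(client_ip, lan_networks):
    """Apply the setting's documented rule: listed networks are local, all else external."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in lan_networks)

def as_setting(blocks):
    """Format blocks as a comma-separated value for the LAN networks field."""
    return ",".join(str(b) for b in blocks)

# Inputs from the thread: LAN 192.168.1.0/24, router/VPN server at .1,
# DHCP pool starting at .100.
LAN_MINUS_ROUTER = exclude_hosts("192.168.1.0/24", ["192.168.1.1"])
DHCP_POOL = range_to_cidrs("192.168.1.100", "192.168.1.255")

if __name__ == "__main__":
    print("LAN minus router:", as_setting(LAN_MINUS_ROUTER))
    print("DHCP pool only:  ", as_setting(DHCP_POOL))
    # 10.8.0.6 is a constructed VPN client address; the thread only says "10."
    for ip in ("192.168.1.1", "192.168.1.106", "192.168.1.136", "10.8.0.6"):
        print(ip, "local" if is_local(ip, LAN_MINUS_ROUTER) else "external")
```

With the router excluded this way, VPN clients that reach the server with source address 192.168.1.1 are classified as external while every other 192.168.1.x host stays local.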
