
Netmask whitelist doesn't work (solved)



NakedPirate
Posted (edited)

Hi there, new to emby and Greetings to all!

The whitelisting with my server doesn't work. If I put in a local address, I'm unable to connect, but only with Browser. So does any netmask (e.g. 192.168.0.0/x, 192.168.0.0/24) not work.
Only way any Lan browser can connect is with empty field or 192.168.0.0/0. Plugins on TV and Kodi and everything else works great AFAICS.
Any firewalls are innocent, so is the specific source IP-Address. Newest server V 4.4.2., still figuring out the log...(update: can't find any info, all pings and connections seem to work in debug log, no entries with failed ip connections etc..)

Any ideas what I'm doing wrong or missing? Thanx very much!

Posted

Hi there, why do you feel that it doesn't work?

NakedPirate
Posted (edited)

Hi there, why do you feel that it doesn't work?

Because "forbidden" is displayed instead of the emby index site, no matter if I work with single addresses or netmasks. All that works is an empty field or /0 mask.

Thanx

Happy2Play
Posted

Can you go over exactly what you are entering, and where?

I just entered "192.168.152.0/24" into LAN networks and anything not in that network was "Forbidden", everything within was allowed.

NakedPirate
Posted (edited)

I just entered "192.168.152.0/24" into LAN networks and anything not in that network was "Forbidden", everything within was allowed.

That's exactly my problem. I put IP-addresses and/or a mask in the Remote IP filter field, choose whitelist and it doesn't work.

It can access emby only if I leave remote empty or with netmask /0.

192.168.xxx.xxx as single addresses don't work all over the LAN and 192.168.0.0/24 or /4 or /32 won't work. The rest of the network is o.k. I can ping every device and all services work. I can even access emby from every IP with plugins, phones, my TV.

Only the whitelist doesn't work with correct IPs and masks and it affects only Browser-Access from any IP, no matter if FF, Chrome or Edge.

I don't want to leave "remote ip" empty, even if it's no big problem, because my router blocks outside traffic and I can allow only local traffic in firewall. I just wonder what the hell the problem could be.

I'll send screenshots tomorrow, I'm on my phone right now...

Happy2Play
Posted (edited)

Sorry, why are you putting private non-routable IPs in that field? These are for Remote IPs not local. You should be using the LAN Networks field. Unless I am missing something. Outside/remote traffic can only enter your network if you port forward or have UPNP port mapping enabled. But you also have to enable "Allow remote connections to this Emby Server."

Remote IP address filter:

Comma separated list of IP addresses or IP/netmask entries for networks that will be allowed to connect remotely. If left blank, all remote addresses will be allowed.

NakedPirate
Posted (edited)

Sorry, why are you putting private non routable ips in that field? These are for Remote IPs not local.

Interesting Question. Hm. :o

But why would I know? It says in front row:

"Comma separated list of IP addresses or IP/netmask entries for networks that will be considered on local network when enforcing bandwidth restrictions."

What the heck does it have to do with bandwidth restrictions?

"If left blank, only the server's subnet and common private IP subnets (10.0.0.0/8, 192.168.0.0/24, etc.) are considered to be on the local network."

So the server net is already considered to be the local network. So I thought to leave it alone as it is...

I tried putting IP-addresses and netmasks in this first field, but it doesn't work either. Try it out...

To access emby with a browser you must check "Allow remote connections to this Emby Server", no matter which network, local or outside world. The entry in "Lan Networks" seems to have nothing to do with it.

And it says:

If left blank, all remote addresses will be allowed.

And that is entirely true. If I shut down the SW firewall and tell my router to forward the ports, I indeed can access emby from every IP on this planet.

So in conclusion I must allow remote connections, if I want to access from any browser in my network and since the netmasks and IP entries don't work, I must leave the field empty or set netmask /0, which is the same in the end. :wacko: I only wanted to know, if the entry is processed at all with /0.

So I must open emby for the rest of the world, hoping my router does a "secure" job and has no flaws.

Workaround would be to use any emby-client or app for config or access, because these work! Interestingly the clients work with the same IP-Addresses and the same port where the browser gets a "forbidden". So there must be a special handshake with the client or a restriction or different netfilter tables or modules for client access and browser access. That's not good.

Thanx "Happy" and everyone for your time!

Greetings

pwhodges
Posted

These fields work as they should - and your statement that the apps are OK confirms that. So you need to look at why the browsers are behaving differently in your system.

As for the meaning of the local network - it is possible to have networks other than the one containing the server which are connected locally and so have the full network speed rather than being limited by the Internet connection. It is useful to be able to specify these, as I do:

5eb938765c227_network.jpg

Paul

NakedPirate
Posted (edited)

These fields work as they should -

Is your "Remote IP address" field empty?

Can someone please try this?

Put your IP in the "remote IP address filter", choose whitelist and try accessing it with a browser from this whitelisted IP.

So you need to look at why the browsers are behaving differently in your system.

The browser is doing its job, only emby shows me "forbidden".

Thanx, any ideas are appreciated!

  • Solution
NakedPirate
Posted

As you were!

It is all my fault. I am sorry. Thanks for your help!
The reason was a system wide "via/forwarded header" sent by all browsers, which emby reads and restricts access as it should.

I'm really sorry. Everything is working now as it should. Thanx again.
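
A minimal model of the cause described in the solution post above, added here as an illustration; it is not Emby's code and not part of the original thread. It assumes the header involved was X-Forwarded-For and that the server evaluates the whitelist against the address taken from it; all addresses are constructed.

```python
import ipaddress

def parse_filter(field):
    """Parse a comma separated list of IP or IP/netmask entries."""
    return [ipaddress.ip_network(e.strip(), strict=False)
            for e in field.split(",") if e.strip()]

def in_nets(ip, nets):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # an unparseable address matches no network
    return any(addr in net for net in nets)

def client_ip_naive(peer_ip, headers):
    """Believe X-Forwarded-For from any peer and take its first entry."""
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    return hops[0] if hops else peer_ip

def client_ip_strict(peer_ip, headers, trusted_proxies):
    """Honour the header only when the TCP peer is a known proxy, then walk
    the hop list right to left to the first address that is not a proxy."""
    if not in_nets(peer_ip, trusted_proxies):
        return peer_ip
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    for hop in reversed(hops):
        if not in_nets(hop, trusted_proxies):
            return hop
    return peer_ip

def decide(peer_ip, headers, field, trusted_proxies=None):
    """Return 'allowed' or 'Forbidden'; trusted_proxies=None selects naive mode."""
    whitelist = parse_filter(field)
    if trusted_proxies is None:
        ip = client_ip_naive(peer_ip, headers)
    else:
        ip = client_ip_strict(peer_ip, headers, parse_filter(trusted_proxies))
    # A blank filter allows every address, as the field description says.
    ok = not whitelist or in_nets(ip, whitelist)
    return "allowed" if ok else "Forbidden"

# Constructed sample requests (addresses are made up for illustration).
BROWSER = ("192.168.0.20", {"X-Forwarded-For": "203.0.113.7"})  # header injected system-wide
APP = ("192.168.0.21", {})                                      # client app, no header

if __name__ == "__main__":
    for field in ("192.168.0.0/24", "", "192.168.0.0/0"):
        print(repr(field), "browser:", decide(*BROWSER, field), "app:", decide(*APP, field))
    print("strict, no proxies trusted:", decide(*BROWSER, "192.168.0.0/24", trusted_proxies=""))
```

In naive mode the model reproduces the thread's symptoms: the browser is "Forbidden" under a /24 whitelist while the app is allowed, and both a blank field and a /0 mask let the browser through. In strict mode the header is ignored unless the connecting peer is a listed proxy, so the whitelist is applied to the real LAN address.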

rbjtech
Posted

Unless you have a loopback (aka hairpin) rule on your firewall, you will not generally be able to access your WAN IP on the local LAN. Is that what you are trying to do?
