Luc. 0 Posted May 17, 2020

I am trying to replicate the Plex family functionality on my Android TV. I want to protect my account with a PIN code and leave the kid's one accessible directly. To accomplish this I have created local accounts on my server and added my home network IP address so that it is considered as part of the LAN where the server is located. However, my home ISP doesn't provide me with a fixed IP address, which means that every other day I need to replace my home IP in the LAN whitelist. Is there a way to use some sort of reverse dynamic DNS?

(I already asked about having PIN codes for local accounts/profiles and it doesn't seem to be on the roadmap)

Thanks!

rbjtech 5284 Posted May 17, 2020

I'm a little confused by your request. The Pin system can only be used on your local LAN, as having a Pin for remote access would be extremely weak security. It is therefore a very bad idea to add your internet facing IP to this 'local' list - as assuming the port forwarding is in place, anybody on the internet can now use this Pin to access your system. A 4 digit pin has extremely low entropy and could be broken in seconds by anybody wanting to get into your system - unfortunately, emby has no brute force protection, so repeat attempts are not blocked.

There are no rules to stop you using a 'Pin' as part of a proper password - personally, I would add a couple of letters (perhaps their initials) to the front of the Pin to make it a bit harder to brute force.

negativzeroe 80 Posted May 17, 2020

I don't understand the request either. Why does your WAN IP need to be in your LAN list? Is the box at a different location than the server?

Sent from my ONEPLUS A5000 using Tapatalk

Luc. 0 Author Posted May 17, 2020

Apparently I wasn't clear. So second try. The server is in a datacenter with its own IP address. The Android TV is at my home with a dynamic IP address. What I am after is a way to have my home IP address always considered as part of the local network of the server so that I only have to enter a PIN and not my whole complex password. Unless the person who gets my IP address after my ISP reattributes it to them knows the address of my server and then bruteforces their way through the pin protection, I don't believe there is a high security risk. I have only whitelisted my home IP, but I have to do it every so often and I am looking to automate that process.

Hoping I am clearererererer.

rbjtech 5284 Posted May 18, 2020

If the emby server is in a remote data centre, with presumably a fixed IP, then it is the DC's network/IP that will be considered the 'LAN' (to emby) - it has nothing to do with your local LAN (or your ISP's WAN address) - you are just the source/client. The WAN IP you have been allocated by the hosting company is going to be a public IP, so you just need to put this IP into emby (LAN whitelist) - xxx.xxx.xxx.xxx/32 - and it will then be valid for Pin use. I'd be very surprised if this IP keeps changing? If it does for some reason, then you could widen the range using subnets as Luke has suggested but you'll need to get the ranges used from the hosting company.

negativzeroe 80 Posted May 18, 2020

Yeah, in my experience the IP of home networks doesn't change THAT often. But maybe a ddns would work if the field accepted it.

Sent from my ONEPLUS A5000 using Tapatalk

legallink 187 Posted May 18, 2020

Yeah, if you can use an FQDN in your whitelist and then update a ddns, that would really be the easiest.

pwhodges 2014 Posted May 18, 2020 (edited)

(deleted) Oops - got that wrong in this setup...

Paul

Edited May 18, 2020 by pwhodges

negativzeroe 80 Posted May 19, 2020

> Yeah, if you can use an FQDN in your whitelist and then update a ddns, that would really be the easiest.

Can you use the FQDN though? I've never had the need so I've never done it. @Luc. Let us know if it works.

rbjtech 5284 Posted May 19, 2020

Generally ACLs and firewalls will not allow external DNS as they are then dependent on a DNS lookup to make the rule decision. For that reason alone, I expect the implementation of this whitelist/blacklist is IP/subnet only.

Luc. 0 Author Posted May 20, 2020

It seems my duckdns subdomain is considered as valid. Now let's see if it holds. I have the Home Assistant addon installed so that my subdomain always points to my home's current IP address. That's not ideal but if it works. Thanks guys.

Luc. 0 Author Posted May 20, 2020

Scratch that. FQDN doesn't work. The server had my home IP in memory. After a reboot it did not recognise my home IP as part of the local network. Any other idea?
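
As an added illustration of the IP/subnet-only matching rbjtech describes, and of what a /32 entry versus a widened subnet admits to PIN-only login (this is not Emby's code and not part of any post; the addresses are constructed documentation ranges, and `parse_allowlist`, `auth_mode` and `pin_exposure` are hypothetical names):

```python
import ipaddress

def parse_allowlist(entries):
    """Split allowlist entries into usable networks and rejected strings.

    Only IP addresses and CIDR subnets parse. A hostname (e.g. a DDNS name)
    is rejected because no DNS lookup is made at rule-decision time.
    """
    networks, rejected = [], []
    for entry in entries:
        try:
            networks.append(ipaddress.ip_network(entry.strip(), strict=False))
        except ValueError:
            rejected.append(entry)
    return networks, rejected

def auth_mode(client_ip, networks):
    """Return 'pin' if the source address is in a listed network, else 'password'."""
    addr = ipaddress.ip_address(client_ip)
    return "pin" if any(addr in net for net in networks) else "password"

def pin_exposure(networks):
    """Count the distinct source addresses that are allowed PIN-only login."""
    total = 0
    for version in (4, 6):
        same = [n for n in networks if n.version == version]
        # collapse_addresses merges overlapping entries so nothing is counted twice
        total += sum(n.num_addresses for n in ipaddress.collapse_addresses(same))
    return total

if __name__ == "__main__":
    # Constructed sample: one home address as a /32 plus a DDNS hostname.
    nets, rejected = parse_allowlist(["203.0.113.57/32", "myhome.example.invalid"])
    print("ignored entries:", rejected)
    print("current home IP:", auth_mode("203.0.113.57", nets))
    # After the ISP hands out a new address the /32 no longer matches.
    print("new home IP:    ", auth_mode("198.51.100.23", nets))
    # Widening to the ISP's subnet keeps PIN login working, for every customer in it.
    wide, _ = parse_allowlist(["203.0.113.0/24"])
    print("addresses allowed PIN login with /24:", pin_exposure(wide))
```

The count returned by `pin_exposure` is the number of Internet hosts that only need to get past the PIN, which is the trade-off to weigh before widening a /32 to a provider range.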