ipWhitelist HowTo

open_book · Jul 2, 2017, 8:18 PM

Hi @mochman thanks for your reply!

You’re correct that I’m SSH’ing to the mirror from within my home network. I use putty from a laptop that is connected to my wireless router and uses an IPv4 address. The setup looks like this if I run ipconfig from the laptop:

Link-local IPv6 Address . . . . . : XXXX::XXXXX:XXXX:XXXX:XXXX%XX
IPv4 Address. . . . . . . . . . . : 192.168.X.XX
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.X.X

I can gain access through my mobile and laptop as long as I open for all devices. But as soon as I limit it to even a broad range of ip addresses - they get shut out.

Here’s the setup on the mirror:

wlan0: mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether XX:XX:XX:XX:XX:XX XXX ff:ff:ff:ff:ff:ff
inet 192.168.0.19/24 brd 192.168.0.255 scope global wlan0
valid_lft forever preferred_lft forever
inet6 XXXX::XXXX:XXXX:XXXX:XXXX/XX scope link
valid_lft forever preferred_lft forever

Here’s the full ipWhitelist I’m trying at the moment:

[“127.0.0.1”, “::ffff:127.0.0.1”, “::fff:192.168.1.1/112”, “::1”, “::ffff:192.168.1.1/120”, “::ffff:192.168.0.14”, “::ffff:192.168.0.16”]

Any tips, or anything else I can supply to help?

EDIT: mobile ip config looks the same as the laptop ip config.

mochman · Jul 4, 2017, 12:48 PM

@open_book Just looking at your pi’s IP. It looks like it’s using 192.168.0.X and you’re whitelisting the 192.168.1.X IPs. Can you try adding

"::ffff:192.168.0.1/120", "192.168.0.1/24"

to your whitelist and see if that fixes it up?

open_book · Jul 22, 2017, 9:01 PM

@mochman sorry for the slow reply. I’ve been on holiday.

Wanted to let you know that your suggestion fixed my problem. I added your suggested IPs and now I can both access through SSH and through a mobile device/browser.

Thanks for your replies!

Mykle1 · Aug 27, 2017, 1:04 AM

@mochman said in ipWhitelist HowTo:

see if that fixes it up?

I don’t have a problem with my Whitelist but a couple of people have lately. I wonder if they bother searching the forum and/or read topics such as this.

Anyway, nice work @mochman :-)

pingywon · Aug 27, 2017, 1:14 AM

LOL. Not sure if you mean me, but yes I have read this thread from beginning to end and it doesnt resolve my white list issues. This for whole forum is not that big. I’d be willing to bet I have read most of it

krisalexroberts · Aug 27, 2017, 1:36 PM

The reason why “/24” works
A couple different threads state to add /24 to the end of the IP address. (I’ve put a couple of those up before doing some research too). While this will indeed allow your network devices access to your magic mirror, it will also allow any device with an IPv4 based address access to your mirror (obviously your router would need to be configured to allow this).
This “/24” in IPv6 CIDR allows 20,282,409,603,651,670,423,947,251,286,016 different IP addresses access. (IPv4’s total addresses are 4,294,967,296).

More information
If you’d like to learn more or have different sub-netting needs, I found this page useful.

I don’t ageee with that. 192.167.1.0/24 is everything in the 192.168.1.x range, nothing more nothing less. If it allows more than this is a massive flaw/security risk.

If you want to allow your own subnet then just look at your subnet mask and use google to get the CIDR

pingywon · Aug 27, 2017, 8:29 PM

I agree that /24 is 255.255.255.0 or 192.268.x.0 to 192.168.x.255

That’s why these issues are making me crazy aka can’t figure them out.

pingywon · Aug 28, 2017, 4:17 PM

FOUND A WAY TO RESOLVE THIS!

Add

cat /etc/modprobe.d/ipv6.conf 
# Don't load ipv6 by default
alias net-pf-10 off
# uncommented
alias ipv6 off
# added
options ipv6 disable_ipv6=1
# this is needed for not loading ipv6 driver 
blacklist ipv6

to turn off all IPv6 on the Raspi.
Than edit all the IPv6 out of your config file.

 },
        ipWhitelist: [
                "192.168.0.92",
                "192.168.0.1/24",
                "127.0.0.1"

I still have the .92 in there from testing. It is not needed.

did a sudo reboot just for safe measure and now it all seems to be working as intended. No real idea what the actual issue was…but it is resolved. FINALLY! :)

lavolp3 · Sep 21, 2017, 9:47 AM

Maybe I have missed this from someone else, but one important thing about the whitelisting message:

“This device is not allowed to access your mirror.
Please check your config.js or config.js.sample to change this.”

The EXACT SAME message appears (in my case) if the config.js has syntax errors. Locally your mirror will tell you that there is no config file or just give you a black screen, but if you try to reach it from outside through a browser (Firefox and Chrome in my case) with a broken config.js, you will get the whitelisting message above.

So, before trying to get your ipWhitelist in the right shape, make sure you have no other syntax errors with the mirror, e.g. using

npm run config:check

If you had some and had them corrected, be safe and restart the mirror.
Below you can see the example in my case.

pi@magicmirror2:~ $ tail ~/.pm2/logs/mm-out-0.log
No helper found for module: helloworld.
All module helpers loaded.
Starting server on port 8080 ...
Server started ...
Connecting socket for: updatenotification
Sockets connected & modules started ...
Launching application.
Access denied to IP address: 66.249.93.64
Access denied to IP address: 80.157.5.50
Access denied to IP address: 80.157.5.50
pi@magicmirror2:~ $ cd MagicMirror/
pi@magicmirror2:~/MagicMirror $ npm run config:check

> magicmirror@2.1.2 config:check /home/pi/MagicMirror
> node tests/configs/check_config.js

Checking file...  /home/pi/MagicMirror/config/config.js
Line 260 col 9 Expected ']' to match '[' from line 26 and instead saw '{'.
Line 261 col 16 Expected '}' to match '{' from line 11 and instead saw 'module'.
Line 261 col 22 Missing semicolon.
Line 261 col 16 Unrecoverable syntax error. (95% scanned).
pi@magicmirror2:~/MagicMirror $ sudo nano config/config.js
pi@magicmirror2:~/MagicMirror $ npm run config:check

> magicmirror@2.1.2 config:check /home/pi/MagicMirror
> node tests/configs/check_config.js

Checking file...  /home/pi/MagicMirror/config/config.js
Your configuration file don't containt syntax error :)
pi@magicmirror2:~/MagicMirror $ pm2 restart mm
Use --update-env to update environment variables
[PM2] Applying action restartProcessId on app [mm](ids: 0)
[PM2] [mm](0) ✓
┌──────────┬────┬──────┬─────┬────────┬─────────┬────────┬─────┬──────────┬──────┬──────────┐
│ App name │ id │ mode │ pid │ status │ restart │ uptime │ cpu │ mem      │ user │ watching │
├──────────┼────┼──────┼─────┼────────┼─────────┼────────┼─────┼──────────┼──────┼──────────┤
│ mm       │ 0  │ fork │ 901 │ online │ 6       │ 0s     │ 18% │ 2.3 MB   │ pi   │ disabled │
└──────────┴────┴──────┴─────┴────────┴─────────┴────────┴─────┴──────────┴──────┴──────────┘
 Use `pm2 show ` to get more details about an app
pi@magicmirror2:~/MagicMirror $

Gxnfr Ali · Jan 9, 2018, 8:24 AM

@mochman said in ipWhitelist HowTo:

tail -f ~/.pm2/logs/mm-out-0.log

Use pm2 show to get more details about an app
pi@raspberry:~ $ tail -f ~/.pm2/logs/mm-out-0.log
Initializing new module helper …
Module helper loaded: MMM-OnScreenMenu
No helper found for module: compliments.
No helper found for module: MMM-PrayerTime.
No helper found for module: MMM-Advent.
Initializing new module helper …
Module helper loaded: MMM-FRITZ-Box-Callmonitor
No helper found for module: MMM-Callmonitor-Current-Call.
No helper found for module: currentweather.
No helper found for module: weatherforecast.

no find out ipWhiteList