ipWhitelist HowTo

cowboysdude

@roblocksrocks Lets see if @mochman answers because honestly I don’t use it and really have no working knowledge of it or how to use it.

mochman

@open_book The ipWhitelist should have no affect on your SSH ability. This sounds like there is some problem with either your network or the pi itself. The ipWhitelist just affects what can connect to the MagicMirror software.

Can you give me your network setup and how you’re trying to access it through SSH? I’m guessing that you are trying to SSH in from inside your network and not from somewhere else.

I haven’t used the remote control module so I’m not to sure how it works with the whitelist. From how you’re describing it, it sounds like whatever the IP of the device you use the remote control with is what the MagicMirror needs whitelisted. If that’s the case, are you just trying to access your mirror from devices on your internal network or are you using a data plan with your mobile? If so, that IP probably changes frequently.

Those IPs you listed ("...1.1/120"), are those IPv6 or IPv4 IPs?

open_book

Hi @mochman thanks for your reply!

You’re correct that I’m SSH’ing to the mirror from within my home network. I use putty from a laptop that is connected to my wireless router and uses an IPv4 address. The setup looks like this if I run ipconfig from the laptop:

Link-local IPv6 Address . . . . . : XXXX::XXXXX:XXXX:XXXX:XXXX%XX
IPv4 Address. . . . . . . . . . . : 192.168.X.XX
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.X.X

I can gain access through my mobile and laptop as long as I open for all devices. But as soon as I limit it to even a broad range of ip addresses - they get shut out.

Here’s the setup on the mirror:

wlan0: mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether XX:XX:XX:XX:XX:XX XXX ff:ff:ff:ff:ff:ff
inet 192.168.0.19/24 brd 192.168.0.255 scope global wlan0
valid_lft forever preferred_lft forever
inet6 XXXX::XXXX:XXXX:XXXX:XXXX/XX scope link
valid_lft forever preferred_lft forever

Here’s the full ipWhitelist I’m trying at the moment:

[“127.0.0.1”, “::ffff:127.0.0.1”, “::fff:192.168.1.1/112”, “::1”, “::ffff:192.168.1.1/120”, “::ffff:192.168.0.14”, “::ffff:192.168.0.16”]

Any tips, or anything else I can supply to help?

EDIT: mobile ip config looks the same as the laptop ip config.

mochman

@open_book Just looking at your pi’s IP. It looks like it’s using 192.168.0.X and you’re whitelisting the 192.168.1.X IPs. Can you try adding

"::ffff:192.168.0.1/120", "192.168.0.1/24"

to your whitelist and see if that fixes it up?

open_book

@mochman sorry for the slow reply. I’ve been on holiday.

Wanted to let you know that your suggestion fixed my problem. I added your suggested IPs and now I can both access through SSH and through a mobile device/browser.

Thanks for your replies!

Mykle1

@mochman said in ipWhitelist HowTo:

see if that fixes it up?

I don’t have a problem with my Whitelist but a couple of people have lately. I wonder if they bother searching the forum and/or read topics such as this.

Anyway, nice work @mochman :-)

pingywon

LOL. Not sure if you mean me, but yes I have read this thread from beginning to end and it doesnt resolve my white list issues. This for whole forum is not that big. I’d be willing to bet I have read most of it

krisalexroberts

The reason why “/24” works
A couple different threads state to add /24 to the end of the IP address. (I’ve put a couple of those up before doing some research too). While this will indeed allow your network devices access to your magic mirror, it will also allow any device with an IPv4 based address access to your mirror (obviously your router would need to be configured to allow this).
This “/24” in IPv6 CIDR allows 20,282,409,603,651,670,423,947,251,286,016 different IP addresses access. (IPv4’s total addresses are 4,294,967,296).

---

More information
If you’d like to learn more or have different sub-netting needs, I found this page useful.

I don’t ageee with that. 192.167.1.0/24 is everything in the 192.168.1.x range, nothing more nothing less. If it allows more than this is a massive flaw/security risk.

If you want to allow your own subnet then just look at your subnet mask and use google to get the CIDR

pingywon

I agree that /24 is 255.255.255.0 or 192.268.x.0 to 192.168.x.255

That’s why these issues are making me crazy aka can’t figure them out.

pingywon

FOUND A WAY TO RESOLVE THIS!

Add

cat /etc/modprobe.d/ipv6.conf 
# Don't load ipv6 by default
alias net-pf-10 off
# uncommented
alias ipv6 off
# added
options ipv6 disable_ipv6=1
# this is needed for not loading ipv6 driver 
blacklist ipv6

to turn off all IPv6 on the Raspi.
Than edit all the IPv6 out of your config file.

 },
        ipWhitelist: [
                "192.168.0.92",
                "192.168.0.1/24",
                "127.0.0.1"

I still have the .92 in there from testing. It is not needed.

did a sudo reboot just for safe measure and now it all seems to be working as intended. No real idea what the actual issue was…but it is resolved. FINALLY! :)