ipWhitelist HowTo

rudibarani

@cowboysdude Thanks for your reply. My white Lists work fine for the MM2 screen. I was looking for a way to separately limit access to the sites generated by the Remote Control and Admin interface module. Any ideas?

cowboysdude

@rudibarani said in ipWhitelist HowTo:

@cowboysdude Thanks for your reply. My white Lists work fine for the MM2 screen. I was looking for a way to separately limit access to the sites generated by the Remote Control and Admin interface module. Any ideas?

Honestly the best thing to do is ask the creator of those modules ;) I don’t do the ipWhitelist.

roblocksrocks

@cowboysdude Maybe you’ll be able to help, I’ve tried doing [ ], I’ve tried whitelesting all IPs as shown in here, and the only thing I have been able to get to work is whitelisting specific IPV4 and IPV6 addresses. That was fine because my most used devices have static IPs anyway however the issue comes now that I have port forwarding and am trying to open it up to any IP (I am aware of the security ramifications)

open_book

@mochman I’m experiencing a similar problem to the one @looolz describes above.

I can access through SSH (putty) no problem. I’ve seen the logs “Access denied to …” and added the two addresses (my laptop and mobile) to the ipWhitelist.

I’ve also added the “…1.1/120” and “…1.1/112” to the list but I still get access denied.

I did get both devices working for a while - but was then denied access through putty! I’d really like to be able to access through mobilebrowser for MMM-remotecontrol AND SSH for other work.

The reason for this comment is that I checked wlan0 and I have an inett6 addr listed.

You mention this above but don’t say what to consider next. If you’re still around and have any thoughts about this I’d appreciate it!

resulted in me being able to connect from mobile/laptop but meant that SSH stopped working.

cowboysdude

@roblocksrocks Lets see if @mochman answers because honestly I don’t use it and really have no working knowledge of it or how to use it.

mochman

@open_book The ipWhitelist should have no affect on your SSH ability. This sounds like there is some problem with either your network or the pi itself. The ipWhitelist just affects what can connect to the MagicMirror software.

Can you give me your network setup and how you’re trying to access it through SSH? I’m guessing that you are trying to SSH in from inside your network and not from somewhere else.

I haven’t used the remote control module so I’m not to sure how it works with the whitelist. From how you’re describing it, it sounds like whatever the IP of the device you use the remote control with is what the MagicMirror needs whitelisted. If that’s the case, are you just trying to access your mirror from devices on your internal network or are you using a data plan with your mobile? If so, that IP probably changes frequently.

Those IPs you listed ("...1.1/120"), are those IPv6 or IPv4 IPs?

open_book

Hi @mochman thanks for your reply!

You’re correct that I’m SSH’ing to the mirror from within my home network. I use putty from a laptop that is connected to my wireless router and uses an IPv4 address. The setup looks like this if I run ipconfig from the laptop:

Link-local IPv6 Address . . . . . : XXXX::XXXXX:XXXX:XXXX:XXXX%XX
IPv4 Address. . . . . . . . . . . : 192.168.X.XX
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.X.X

I can gain access through my mobile and laptop as long as I open for all devices. But as soon as I limit it to even a broad range of ip addresses - they get shut out.

Here’s the setup on the mirror:

wlan0: mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether XX:XX:XX:XX:XX:XX XXX ff:ff:ff:ff:ff:ff
inet 192.168.0.19/24 brd 192.168.0.255 scope global wlan0
valid_lft forever preferred_lft forever
inet6 XXXX::XXXX:XXXX:XXXX:XXXX/XX scope link
valid_lft forever preferred_lft forever

Here’s the full ipWhitelist I’m trying at the moment:

[“127.0.0.1”, “::ffff:127.0.0.1”, “::fff:192.168.1.1/112”, “::1”, “::ffff:192.168.1.1/120”, “::ffff:192.168.0.14”, “::ffff:192.168.0.16”]

Any tips, or anything else I can supply to help?

EDIT: mobile ip config looks the same as the laptop ip config.

mochman

@open_book Just looking at your pi’s IP. It looks like it’s using 192.168.0.X and you’re whitelisting the 192.168.1.X IPs. Can you try adding

"::ffff:192.168.0.1/120", "192.168.0.1/24"

to your whitelist and see if that fixes it up?

open_book

@mochman sorry for the slow reply. I’ve been on holiday.

Wanted to let you know that your suggestion fixed my problem. I added your suggested IPs and now I can both access through SSH and through a mobile device/browser.

Thanks for your replies!

Mykle1

@mochman said in ipWhitelist HowTo:

see if that fixes it up?

I don’t have a problem with my Whitelist but a couple of people have lately. I wonder if they bother searching the forum and/or read topics such as this.

Anyway, nice work @mochman :-)