ipWhitelist HowTo

cowboysdude

@roblocksrocks Lets see if @mochman answers because honestly I don’t use it and really have no working knowledge of it or how to use it.

mochman

@open_book The ipWhitelist should have no affect on your SSH ability. This sounds like there is some problem with either your network or the pi itself. The ipWhitelist just affects what can connect to the MagicMirror software.

Can you give me your network setup and how you’re trying to access it through SSH? I’m guessing that you are trying to SSH in from inside your network and not from somewhere else.

I haven’t used the remote control module so I’m not to sure how it works with the whitelist. From how you’re describing it, it sounds like whatever the IP of the device you use the remote control with is what the MagicMirror needs whitelisted. If that’s the case, are you just trying to access your mirror from devices on your internal network or are you using a data plan with your mobile? If so, that IP probably changes frequently.

Those IPs you listed ("...1.1/120"), are those IPv6 or IPv4 IPs?

open_book

Hi @mochman thanks for your reply!

You’re correct that I’m SSH’ing to the mirror from within my home network. I use putty from a laptop that is connected to my wireless router and uses an IPv4 address. The setup looks like this if I run ipconfig from the laptop:

Link-local IPv6 Address . . . . . : XXXX::XXXXX:XXXX:XXXX:XXXX%XX
IPv4 Address. . . . . . . . . . . : 192.168.X.XX
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.X.X

I can gain access through my mobile and laptop as long as I open for all devices. But as soon as I limit it to even a broad range of ip addresses - they get shut out.

Here’s the setup on the mirror:

wlan0: mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether XX:XX:XX:XX:XX:XX XXX ff:ff:ff:ff:ff:ff
inet 192.168.0.19/24 brd 192.168.0.255 scope global wlan0
valid_lft forever preferred_lft forever
inet6 XXXX::XXXX:XXXX:XXXX:XXXX/XX scope link
valid_lft forever preferred_lft forever

Here’s the full ipWhitelist I’m trying at the moment:

[“127.0.0.1”, “::ffff:127.0.0.1”, “::fff:192.168.1.1/112”, “::1”, “::ffff:192.168.1.1/120”, “::ffff:192.168.0.14”, “::ffff:192.168.0.16”]

Any tips, or anything else I can supply to help?

EDIT: mobile ip config looks the same as the laptop ip config.

mochman

@open_book Just looking at your pi’s IP. It looks like it’s using 192.168.0.X and you’re whitelisting the 192.168.1.X IPs. Can you try adding

"::ffff:192.168.0.1/120", "192.168.0.1/24"

to your whitelist and see if that fixes it up?

open_book

@mochman sorry for the slow reply. I’ve been on holiday.

Wanted to let you know that your suggestion fixed my problem. I added your suggested IPs and now I can both access through SSH and through a mobile device/browser.

Thanks for your replies!

Mykle1

@mochman said in ipWhitelist HowTo:

see if that fixes it up?

I don’t have a problem with my Whitelist but a couple of people have lately. I wonder if they bother searching the forum and/or read topics such as this.

Anyway, nice work @mochman :-)

pingywon

LOL. Not sure if you mean me, but yes I have read this thread from beginning to end and it doesnt resolve my white list issues. This for whole forum is not that big. I’d be willing to bet I have read most of it

krisalexroberts

The reason why “/24” works
A couple different threads state to add /24 to the end of the IP address. (I’ve put a couple of those up before doing some research too). While this will indeed allow your network devices access to your magic mirror, it will also allow any device with an IPv4 based address access to your mirror (obviously your router would need to be configured to allow this).
This “/24” in IPv6 CIDR allows 20,282,409,603,651,670,423,947,251,286,016 different IP addresses access. (IPv4’s total addresses are 4,294,967,296).

---

More information
If you’d like to learn more or have different sub-netting needs, I found this page useful.

I don’t ageee with that. 192.167.1.0/24 is everything in the 192.168.1.x range, nothing more nothing less. If it allows more than this is a massive flaw/security risk.

If you want to allow your own subnet then just look at your subnet mask and use google to get the CIDR

pingywon

I agree that /24 is 255.255.255.0 or 192.268.x.0 to 192.168.x.255

That’s why these issues are making me crazy aka can’t figure them out.

pingywon

FOUND A WAY TO RESOLVE THIS!

Add

cat /etc/modprobe.d/ipv6.conf 
# Don't load ipv6 by default
alias net-pf-10 off
# uncommented
alias ipv6 off
# added
options ipv6 disable_ipv6=1
# this is needed for not loading ipv6 driver 
blacklist ipv6

to turn off all IPv6 on the Raspi.
Than edit all the IPv6 out of your config file.

 },
        ipWhitelist: [
                "192.168.0.92",
                "192.168.0.1/24",
                "127.0.0.1"

I still have the .92 in there from testing. It is not needed.

did a sudo reboot just for safe measure and now it all seems to be working as intended. No real idea what the actual issue was…but it is resolved. FINALLY! :)

lavolp3

Maybe I have missed this from someone else, but one important thing about the whitelisting message:

“This device is not allowed to access your mirror.
Please check your config.js or config.js.sample to change this.”

The EXACT SAME message appears (in my case) if the config.js has syntax errors. Locally your mirror will tell you that there is no config file or just give you a black screen, but if you try to reach it from outside through a browser (Firefox and Chrome in my case) with a broken config.js, you will get the whitelisting message above.

So, before trying to get your ipWhitelist in the right shape, make sure you have no other syntax errors with the mirror, e.g. using

npm run config:check

If you had some and had them corrected, be safe and restart the mirror.
Below you can see the example in my case.

pi@magicmirror2:~ $ tail ~/.pm2/logs/mm-out-0.log
No helper found for module: helloworld.
All module helpers loaded.
Starting server on port 8080 ...
Server started ...
Connecting socket for: updatenotification
Sockets connected & modules started ...
Launching application.
Access denied to IP address: 66.249.93.64
Access denied to IP address: 80.157.5.50
Access denied to IP address: 80.157.5.50
pi@magicmirror2:~ $ cd MagicMirror/
pi@magicmirror2:~/MagicMirror $ npm run config:check

> magicmirror@2.1.2 config:check /home/pi/MagicMirror
> node tests/configs/check_config.js

Checking file...  /home/pi/MagicMirror/config/config.js
Line 260 col 9 Expected ']' to match '[' from line 26 and instead saw '{'.
Line 261 col 16 Expected '}' to match '{' from line 11 and instead saw 'module'.
Line 261 col 22 Missing semicolon.
Line 261 col 16 Unrecoverable syntax error. (95% scanned).
pi@magicmirror2:~/MagicMirror $ sudo nano config/config.js
pi@magicmirror2:~/MagicMirror $ npm run config:check

> magicmirror@2.1.2 config:check /home/pi/MagicMirror
> node tests/configs/check_config.js

Checking file...  /home/pi/MagicMirror/config/config.js
Your configuration file don't containt syntax error :)
pi@magicmirror2:~/MagicMirror $ pm2 restart mm
Use --update-env to update environment variables
[PM2] Applying action restartProcessId on app [mm](ids: 0)
[PM2] [mm](0) ✓
┌──────────┬────┬──────┬─────┬────────┬─────────┬────────┬─────┬──────────┬──────┬──────────┐
│ App name │ id │ mode │ pid │ status │ restart │ uptime │ cpu │ mem      │ user │ watching │
├──────────┼────┼──────┼─────┼────────┼─────────┼────────┼─────┼──────────┼──────┼──────────┤
│ mm       │ 0  │ fork │ 901 │ online │ 6       │ 0s     │ 18% │ 2.3 MB   │ pi   │ disabled │
└──────────┴────┴──────┴─────┴────────┴─────────┴────────┴─────┴──────────┴──────┴──────────┘
 Use `pm2 show ` to get more details about an app
pi@magicmirror2:~/MagicMirror $

Gxnfr Ali

@mochman said in ipWhitelist HowTo:

tail -f ~/.pm2/logs/mm-out-0.log

Use pm2 show to get more details about an app
pi@raspberry:~ $ tail -f ~/.pm2/logs/mm-out-0.log
Initializing new module helper …
Module helper loaded: MMM-OnScreenMenu
No helper found for module: compliments.
No helper found for module: MMM-PrayerTime.
No helper found for module: MMM-Advent.
Initializing new module helper …
Module helper loaded: MMM-FRITZ-Box-Callmonitor
No helper found for module: MMM-Callmonitor-Current-Call.
No helper found for module: currentweather.
No helper found for module: weatherforecast.

no find out ipWhiteList

Oss

I just updated to the latest version of MM and am having White-list issues once again. I am using my exact same config.js file that was allowing any incoming connection. prior to the upgrade. I have attempted to debug but am not seeing any connection refusals in the mm-out-0.log. I have tried various fixes from posts on this forum, including disabling IPv6. I have confirmed my CIDR criteria using https://www.ipaddressguide.com/cidr#range attempting different variations to get anything to pass through with no luck.

I use MMM-syslog as a notification system from various sources and am basically in the dark now. Is there anyone having similar issues with the latest version, any luck on how to fix?

Mykle1

@Oss

Have you tried this at the beginning of your config?:

var config = {
	address: "0.0.0.0", 
	port: 8080,
	ipWhitelist: [],

Oss

@Mykle1

My hats off to you Mykle1, made that change to my config file and its working perfectly!! Thank you so much for your quick reply!!

Mykle1

@Oss

'Welcome, mate.

Peace!

illskool

Hello All. I recently upgraded my magic mirror and no matter what changes I make I can’t get ipwhitelist to work. I have searched the forums and every suggestion I have come across hasn’t rectified my issue. I had it working just fine prior to the upgrade. Any suggestions would be greatly appreciated.

Thanks,
Illskool

lavolp3

@illskool

How long ago was your last update?

Just to be sure, have you tried @Mykle1’s solution, which seems to help in most of the cases this has happened in recent months?

var config = {
    address: "0.0.0.0", 
    port: 8080,
    ipWhitelist: [],

adding the “address” part on the top of the config? This seems to be mandatory for the newer versions of MM.

Also, be sure to have no syntax error in your config.
Run

npm run config:check

from your MM directory and see of there are no errors.
Done all that?

illskool

@lavolp3

Thanks for the quick response. I’m not sure if I just overlooked it or if I’m just exhausted from trying to figure this issue out for the past several hours, but either way your tip solved my problem. I thank you very much.

I’ve been working on a new project to stream a camera I have setup on another raspberry pi on my local network to the magic mirror. My oil tank is under my house in a crawl space and I’m tired of making the crawl every couple of weeks to see how much oil I have left. I was able to use an infrared camera to stream the video and display it on the mirror using Iframe. I didn’t want it to be visible on the mirror unless I wanted to do a quick check and thats when I realized that the remote module would solve my issue but I couldn’t access it. You have helped finish my project. I can now go to sleep:)

Cheers

svenr

I tried everything wich is written in this post but i cant make it all the time it says:

This device is not allowed to access your mirror.
Please check your config.js or config.js.sample to change this.