ipWhitelist HowTo
-
Since a couple people are having issues with the ipWhitelist (me included), I’m putting this up to help people use the whitelist correctly.
For starters, the easiest way to whitelist your IP is to start up Magic Mirror with the default settings. Try opening it up remotely from the computer you want to grant access to. You’ll probably see an error that says:
“This device is not allowed to access your mirror.
Please check your config.js or config.js.sample to change this.”
Now you need to check your MagicMirror logs.
- If you are VPN’d into (or running directly on your pi), take a look at the terminal output.
- If you are running MagicMirror using SSH and DISPLAY=:0 nohup npm start & to start your mirror, take a look at your nohup.out file (tail -f ~/MagicMirror/nohup.out) to see the output.
- If you are using pm2, run
tail -f ~/.pm2/logs/mm-out-0.log
You should see an error in there stating something like
Access denied to IP address: ::ffff:192.168.1.120
Change/Add your ipWhitelist in your config.js.
If you upgraded to MM 2.1.0 you’ll probably need to add the line
ipWhitelist: ["127.0.0.1", "::ffff:127.0.0.1", "::1", "::ffff:192.168.1.120"],
to your file, otherwise just add the IP that was denied to the list.
If you want to give all of your network IPs access to your MagicMirror
You’ll have to use IPv6 CIDR.
For example, you have a couple devices with the IPs of 192.168.1.120, 192.168.1.155, 192.168.1.230 and you want to give them all access (along with everything else in the 192.168.1.X range), you should put "::ffff:192.168.1.1/120" in your ipWhitelist.
If you want to allow 192.168.0.0 - 192.168.255.255 access, you should use "::fff:192.168.1.1/112"
Restart MagicMirror to update your changes
The reason why “/24” works
A couple different threads state to add /24 to the end of the IP address. (I’ve put a couple of those up before doing some research too). While this will indeed allow your network devices access to your magic mirror, it will also allow any device with an IPv4 based address access to your mirror (obviously your router would need to be configured to allow this).
This “/24” in IPv6 CIDR allows 20,282,409,603,651,670,423,947,251,286,016 different IP addresses access. (IPv4’s total addresses are 4,294,967,296).
More information
If you’d like to learn more or have different sub-netting needs, I found this page useful.
-
Thanks! But I don’t like this feature at the moment… I’m travelling with my “mirror” (home-work-home-work…). I’m not finished yet, so it’s only a raspi with a screen in a small box XD
-
Thank you for posting this! However, I still haven’t got it working yet. Access via VNC works fine, but not via a remote web browser.
1: When I ran the command tail -f ~/MagicMirror/nohup.out I got this:
Loading module helpers …
Initializing new module helper …
No helper found for module: helloworld.
All module helpers loaded.
Starting server op port 8080 …
Server started …
Connecting socket for: updatenotification
Sockets connected & modules started …
Fontconfig warning: ignoring UTF-8: not a valid region tag
Launching application.
Nothing more happens. I’ve tried to access the mirror both via Chrome and Safari. Both before and after I run the command. Nothing shows up in the log.
My desktop’s IP is 10.0.0.95, so I added the ipWhitelist line:
ipWhitelist: ["127.0.0.1", "::ffff:127.0.0.1", "::1", "::ffff:10.0.0.95"],
Still, I get the same error:
This device is not allowed to access your mirror.
Please check your config.js or config.js.sample to change this.
I experimented with various writings, such as: “::fff:10.0.0.1/120” No dice.
Is there a way to disable the whitelist function completely?
-
@mochman thanks topman been trying to get this back up and running
-
@looolz When you run the mirror through VNC. If you leave the terminal open then try to open the mirror on your other computer, do you see the
“This device is not allowed to access your mirror.
Please check your config.js or config.js.sample to change this.”
message? If so, does anything pop up in your terminal?
Another thing to look at, if you run ifconfig and take a look at your wlan0 (assuming you are using wifi to get internet) do you see an “inet6 addr:”? If not, just try adding "10.0.0.95" to the whitelist.
-
A way to tell if you need to use "::ffff:192.168.1.120" or just "192.168.1.120"
Run netstat -lnpt, if you see something like:
tcp 0 0 0.0.0.0:8080 0.0.0.0:* LISTEN 1271/electron.js
Then you are using IPv4 and should add "YO.UR.IP.AD" or "YO.UR.IP.AD/24" to the whitelist.
If you see:
tcp6 0 0 :::8080 :::* LISTEN 1170/electron.js
You are using IPv6 address schemas and need to add "::ffff:YO.UR.IP.AD" or "::ffff:YO.UR.IP.AD/120" to the whitelist.
If you have IPv6 and want to turn it off, add ipv6.disable=1 to your /boot/cmdline.txt and restart your pi.
-
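The prefix lengths from the first post and the IPv4 versus ::ffff: distinction from the netstat post, worked through as an added example; this is not code from the thread or from MagicMirror. It assumes an entry only matches a client address of the same family, and every function name in it is hypothetical.

```javascript
// Added example. Assumption: an entry only matches a client of the same address
// family, and inputs are well-formed addresses (this sketch does no validation).
// Parse IPv4, or IPv6 with an optional trailing dotted quad, into { bits, value }.
function parseAddr(addr) {
  const quad = (s) => s.split(".").reduce((a, o) => (a << 8n) | BigInt(o), 0n);
  if (!addr.includes(":")) return { bits: 32, value: quad(addr) };
  let s = addr;
  const m = s.match(/^(.*:)(\d+\.\d+\.\d+\.\d+)$/);
  if (m) { // rewrite "::ffff:192.168.1.120" as "::ffff:c0a8:178"
    const v = quad(m[2]);
    s = m[1] + (v >> 16n).toString(16) + ":" + (v & 0xffffn).toString(16);
  }
  const [head, tail] = s.split("::");
  const h = head ? head.split(":") : [];
  const t = tail ? tail.split(":") : [];
  const groups = tail === undefined ? h : [...h, ...Array(8 - h.length - t.length).fill("0"), ...t];
  return { bits: 128, value: groups.reduce((a, g) => (a << 16n) | BigInt("0x" + g), 0n) };
}

// Split "addr/prefix"; a missing prefix means an exact-address entry.
function parseEntry(entry) {
  const [addr, len] = entry.split("/");
  const { bits, value } = parseAddr(addr);
  const prefix = len === undefined ? bits : Number(len);
  if (!(prefix >= 0 && prefix <= bits)) throw new RangeError("bad prefix in " + entry);
  return { bits, value, hostBits: BigInt(bits - prefix) };
}

// True when the client address falls inside the entry's prefix.
function entryAllows(entry, client) {
  const e = parseEntry(entry);
  const c = parseAddr(client);
  return e.bits === c.bits && (e.value >> e.hostBits) === (c.value >> e.hostBits);
}

// How many addresses the entry admits: 2^(host bits).
function addressesCovered(entry) {
  return 1n << parseEntry(entry).hostBits;
}

// Which whitelist entries, if any, let this client in.
function audit(whitelist, client) {
  return whitelist.filter((entry) => entryAllows(entry, client));
}

// Constructed check: two entries from the thread against an unrelated mapped address.
for (const entry of ["::ffff:192.168.1.1/120", "::ffff:192.168.1.1/24"]) {
  console.log(entry, addressesCovered(entry), entryAllows(entry, "::ffff:203.0.113.7"));
}
```

An empty result from audit() for the address shown in the "Access denied to IP address" log line means no entry covers that client in the form the server sees it.
-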
Not a fan of this addition; would have rathered it was something you enable rather than disable.
For anyone wondering how to allow all ips, use:
ipWhitelist: ["::fff:0.0.0.0/1", "::fff:128.0.0.0/2", "::fff:192.0.0.0/3", "::fff:224.0.0.0/4", "127.0.0.1", "::ffff:127.0.0.1", "::1"],
-
Thanks! That worked for me!
-
Thanks, I do see an inet6 address with the command ifconfig.
I tried to add 10.0.0.95 to the config with no success :-(
But @xer0design’s tip worked!
-
@xer0design very nice thx!
-
@mochman I have put “/24” in my ipWhitelist. Looking around the forum, I’ve seen that “/120” might help. What I have now seems to be working for my devices, so is there a difference between “/24” and “/120” that I should know about? Which is better?
-
@AAPS If /24 is working for you then stick with it. The /120 just allows fewer IPs the ability to access your mirror.
If you aren’t forwarding your pi’s ports outside your local network it really shouldn’t matter.
-
Hi all, anybody else having trouble accessing the mirror remotely? I have reinstalled mm (development branch and nodejs v7.7.3), default config. only added allow access from my “lan”.
The mirror shows up on the local screen, so it works.
Mirrors IP: 10.0.0.112/24
ipWhitelist: ["::ffff:10.0.0.1/120", "127.0.0.1", "::ffff:127.0.0.1", "::1"],
Still I get
0|mm | Access denied to IP address: 10.0.0.99
In the log.
My client IP: 10.0.0.99/24
Just to be sure, here is my full config:
/* Magic Mirror Config Sample
 *
 * By Michael Teeuw http://michaelteeuw.nl
 * MIT Licensed.
 */
var config = {
    port: 8080,
    ipWhitelist: ["::ffff:10.0.0.1/120", "127.0.0.1", "::ffff:127.0.0.1", "::1"],
    language: "en",
    timeFormat: 24,
    units: "metric",
    modules: [
        {
            module: "alert",
        },
        {
            module: "updatenotification",
            position: "top_bar"
        },
        {
            module: "clock",
            position: "top_left"
        },
        {
            module: "calendar",
            header: "US Holidays",
            position: "top_left",
            config: {
                calendars: [
                    {
                        symbol: "calendar-check-o ",
                        url: "webcal://www.calendarlabs.com/templates/ical/US-Holidays.ics"
                    }
                ]
            }
        },
        {
            module: "compliments",
            position: "lower_third"
        },
        {
            module: "currentweather",
            position: "top_right",
            config: {
                location: "New York",
                locationID: "", //ID from http://www.openweathermap.org
                appid: "YOUR_OPENWEATHER_API_KEY"
            }
        },
        {
            module: "weatherforecast",
            position: "top_right",
            header: "Weather Forecast",
            config: {
                location: "New York",
                locationID: "5128581", //ID from http://www.openweathermap.org
                appid: "YOUR_OPENWEATHER_API_KEY"
            }
        },
        {
            module: "newsfeed",
            position: "bottom_bar",
            config: {
                feeds: [
                    {
                        title: "New York Times",
                        url: "http://www.nytimes.com/services/xml/rss/nyt/HomePage.xml"
                    }
                ],
                showSourceTitle: true,
                showPublishDate: true
            }
        },
    ]
};
/*************** DO NOT EDIT THE LINE BELOW ***************/
if (typeof module !== "undefined") {module.exports = config;}
Everything is default, no modules installed… What am I missing?!
-
Have you tried adding "10.0.0.1/24" to the list since it looks like your client is using an IPv4 connection?
-
@mochman Hmm… Clearly I have misunderstood something. I thought this: “::ffff:10.0.0.1/120” was to allow my 10.0.0.x network to access, I have used that from the beginning and it has worked. But yesterday it stopped working. So I added as you suggested “10.0.0.1/24” and it works… So, Thank you! :)
In the instructions in the first post, it’s supposed to be “::ffff:10.0.0.1/120” for a full C-Net. But… Not any more obviously. :)
Thanks again! I’m all happy now!
-
It looks like your raspberry pi started using IPv4 instead of IPv6. The ::ffff: before your ip shows that it’s trying to use an IPv6. That’s where "::ffff:10.0.0.1/120" was working. Seems like something changed though that it’s now using the IPv4 address.
So to cover all your bases, keep both "::ffff:10.0.0.1/120" and "10.0.0.1/24" in and you shouldn’t run into this problem again.
-
@mochman Will do, thank you, no idea what changed the behavior. :) But at least I have a totally fresh install now! :)
-
Hi @mochman !! I can access from the same device where I run the MM, but can’t access from external devices (smartphone ie)
Any idea why?
Kind regards