IMPORTANT: Stop forwarding your LMS ports to the internet!


    #91

    > mea culpa, I just forgot the NAT/Routing Mode from some devices....
    >
    > There is the transparent Mode and the NAT/Routing Mode, that's the one
    > Michael is using. That Mode really translates the external IP from
    > sender/receiver to the router.....


    Oh, good point. Thanks for the hint. I did have a check for non-local
    addresses in that code at some point. Should have left it in.

    --

    Michael

    "It doesn't work - what shall I do?" - "Please check your server.log and/or scanner.log file!"
    (LMS: Settings/Information)



      #92

      > I therefore surmise that the SSH server is sending from the music
      > server's own IP address to the same address.


      Hmm... it depends on how your tool is setting up the tunnel. But when I
      ssh into my box and forward requests to the internal IP of the LMS
      machine, then LMS does see the IP address of the SSH server. If that was
      the router itself (which I doubt), then LMS would see the gateway
      address. If the router forwarded SSH to some other box, then LMS would
      see that other box's IP address.

      --

      Michael

      "It doesn't work - what shall I do?" - "Please check your server.log and/or scanner.log file!"
      (LMS: Settings/Information)



        #93
        Originally posted by mherger
        > I therefore surmise that the SSH server is sending from the music
        > server's own IP address to the same address.


        Hmm... it depends on how your tool is setting up the tunnel. But when I
        ssh into my box and forward requests to the internal IP of the LMS
        machine, then LMS does see the IP address of the SSH server. If that was
        the router itself (which I doubt), then LMS would see the gateway
        address. If the router forwarded SSH to some other box, then LMS would
        see that other box's IP address.

        --

        Michael
        My router is forwarding all incoming on port 22 to the music server where there is an SSH server, so that matches what you say.
        LMS 8.1 on PC, Xubuntu 20.04, FLACs 16->24 bit, 44.1->192kbps. 2 Touches & EDO.
        LMS plugin UPnP/DLNA Bridge to MF M1 CLiC (A308CR amp & ESLs) & Marantz CR603 UPnP renderers.
        Also Minimserver & Upplay to same & to upmpdcli/mpd PC renderers.
        Squeezelite to Meridian USB Explorer DAC to PC speakers/headphones.
        Wireless Xubuntu 20.04 laptop firefox/upplay or Android mobile with Squeeze-Ctrl/BubbleUPnP controls LMS/Minimserver.



          #94

          > mea culpa, I just forgot the NAT/Routing Mode from some devices....
          >
          > There is the transparent Mode and the NAT/Routing Mode, that's the one
          > Michael is using. That Mode really translates the external IP from
          > sender/receiver to the router.....


          Both modes now should be covered.

          --

          Michael

          "It doesn't work - what shall I do?" - "Please check your server.log and/or scanner.log file!"
          (LMS: Settings/Information)



            #95
            I have not updated my LMS yet but I thought I'd try connecting via a VPN to see what happens.
            I installed OpenVPN on a Pi (not the one running LMS) and used port forwarding on intermediate routers to get the traffic from an iOS device using iPeng through the VPN server to the LMS server ... and it worked.
            LMS logs show that it saw the IP address of the connection as being the VPN server.
            So I think that when I update LMS this will still work without me needing to set a password on LMS.

            I know that my LMS is not reachable from outside except through this VPN so this is good for me.
            Paul Webster
            Author of "Now Playing" plugins covering Radio France (FIP etc), PlanetRadio (Bauer - Kiss, Absolute, Scala, JazzFM etc), KCRW, ABC Australia and CBC/Radio-Canada
            and, via the extra "Radio Now Playing" plugin lots more - see https://forums.slimdevices.com/showt...Playing-plugin



              #96
              Notwithstanding the recent LMS security improvements, I assume that explicitly specifying each of the local IP addresses that might use LMS in the 'Allowed' list, and not including the router, will achieve much the same effect, so I don't need to use the CLI password. If an SSH or VPN server is on the home network that could be explicitly included or excluded as required.
              LMS 8.1 on PC, Xubuntu 20.04, FLACs 16->24 bit, 44.1->192kbps. 2 Touches & EDO.
              LMS plugin UPnP/DLNA Bridge to MF M1 CLiC (A308CR amp & ESLs) & Marantz CR603 UPnP renderers.
              Also Minimserver & Upplay to same & to upmpdcli/mpd PC renderers.
              Squeezelite to Meridian USB Explorer DAC to PC speakers/headphones.
              Wireless Xubuntu 20.04 laptop firefox/upplay or Android mobile with Squeeze-Ctrl/BubbleUPnP controls LMS/Minimserver.
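
The source-address cases discussed in this thread (transparent vs. NAT/routing port forwarding, SSH or VPN servers on the LAN, and an explicit 'Allowed' list that leaves out the router), as an added example that is not part of any post and is not LMS's own code. The gateway address, the sample peers and the `classify_source` helper are assumptions made for illustration.

```python
import ipaddress

# Constructed home-network values (assumptions, not taken from the thread).
GATEWAY = "192.168.1.1"
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def classify_source(src, gateway=GATEWAY, allowed=()):
    """Return 'trusted' or 'needs_auth' for the peer address a server sees.

    Hypothetical helper (IPv4 only), not LMS code. `allowed` is an optional
    explicit list of hosts/networks, as proposed in post #96.
    """
    ip = ipaddress.ip_address(src)
    if ip.is_loopback:
        return "trusted"
    # Transparent forwarding: the peer keeps its public address.
    if not any(ip in net for net in LOCAL_NETS):
        return "needs_auth"
    # NAT/routing mode: the router rewrites the source to its own LAN
    # address, so the gateway address may hide an internet client.
    if ip == ipaddress.ip_address(gateway):
        return "needs_auth"
    # Explicit allow-list: only listed local hosts/networks are trusted.
    if allowed:
        nets = [ipaddress.ip_network(a, strict=False) for a in allowed]
        return "trusted" if any(ip in n for n in nets) else "needs_auth"
    return "trusted"

# Constructed peers covering the cases raised in the thread.
SAMPLES = {
    "127.0.0.1": "same machine",
    "192.168.1.23": "player on the LAN",
    "203.0.113.7": "port forward, transparent mode",
    "192.168.1.1": "port forward, NAT/routing mode (or tunnel ending on the router)",
    "192.168.1.50": "SSH/VPN server on another LAN box",
    "10.8.0.6": "VPN client with its own tunnel address",
}

if __name__ == "__main__":
    for addr, what in SAMPLES.items():
        print(f"{addr:<14} {classify_source(addr):<11} {what}")
```

Passing `allowed=("192.168.1.23",)` shows the effect of listing hosts explicitly: the SSH/VPN box at 192.168.1.50 then falls back to `needs_auth` unless it is added to the list.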



                #97
                Originally posted by DJanGo
                Hi,

                sounds like a "clever" idea but....

                1)
                Who should change that setting?

                The Installer/updater on a clean install -> yes
                The Installer/updater on an update install -> ????
                The Installer/updater on an update install where allowedHosts: 127.*, not in the Server.prefs -> yes

                2)
                Remember the guys we are talking about are "clever" - when Michael changes these settings for them -> They can't use LMS from outside (and these clever guys are stupid enough to change that setting back to something they think of)

                IMHO Michael had the "better" idea with "LMS is available from everywhere but the settings are only from internal except Gateway"....
                I'm not trying to be clever or better, just trying to understand my options. I'm the only (valid) user. Why would I need to change a setting on an update?

                I don't really understand what or who you mean about the "clever" guys (and presumably gals) and Michael changing settings for them, but it doesn't matter.
                LMS 8.1 on PC, Xubuntu 20.04, FLACs 16->24 bit, 44.1->192kbps. 2 Touches & EDO.
                LMS plugin UPnP/DLNA Bridge to MF M1 CLiC (A308CR amp & ESLs) & Marantz CR603 UPnP renderers.
                Also Minimserver & Upplay to same & to upmpdcli/mpd PC renderers.
                Squeezelite to Meridian USB Explorer DAC to PC speakers/headphones.
                Wireless Xubuntu 20.04 laptop firefox/upplay or Android mobile with Squeeze-Ctrl/BubbleUPnP controls LMS/Minimserver.



                  #98
                  Originally posted by mherger
                  > This unfortunately might be a very common problem as a VPN server is
                  > often the GW (Mine is both, IPSEC and SSL)


                  I doubt it'll be anywhere near "common". Please let me know if it causes
                  you a problem.

                  --

                  Michael
                  My gateway is also my VPN server. It may be more common than you think.
                  Jim



                  VB2.4 storage QNAP TS419p (NFS)
                  Living Room Joggler & Pi4/Khadas -> Onkyo TXNR686 -> Celestion F20s
                  Office Joggler & Pi3 -> Denon RCD N8 -> Celestion F10s
                  Dining Room SB Radio
                  Bedroom (Bedside) Pi Zero+DAC ->ToppingTP21 ->AKG Headphones
                  Bedroom (TV) & Bathroom SB Touch ->Denon AVR ->Mordaunt Short M10s + Kef ceiling speakers
                  Guest Room Joggler > Topping Amp -> Wharfedale Modus Cubes



                    #99

                    > My gateway is also my VPN server. It may be more common than you think.

                    Are you saying you're facing any issue due to these recent changes?

                    I said it wasn't common because I doubt there are many LMS users using a
                    VPN. That simple. And in a VPN situation you would dial in to the
                    router, but AFAIK the client would receive its own IP address
                    through the VPN. In that case LMS would not see the gateway's address
                    but the one of the remote client.

                    --

                    Michael

                    "It doesn't work - what shall I do?" - "Please check your server.log and/or scanner.log file!"
                    (LMS: Settings/Information)



                      Originally posted by mherger
                      > My gateway is also my VPN server. It may be more common than you think.

                      Are you saying you're facing any issue due to these recent changes?

                      I said it wasn't common because I doubt there are many LMS users using a
                      VPN. That simple. And in a VPN situation you would dial in to the
                      router, but AFAIK the client would receive its own IP address
                      through the VPN. In that case LMS would not see the gateway's address
                      but the one of the remote client.

                      --

                      Michael

                      I don't think d6jg will have a problem, I think he uses the same system as I.
                      I tried accessing via both IPSEC and SSL (To iPhone with iPeng ) and had no problems playing etc though I have not tried "settings"
                      I could not work out how to see the accessing IP in the log ( I tried Plugin:cli @ info level logging ) though.

                      Jeff
                      Want a webapp ? Get SqueezeLite-X ! https://forums.slimdevices.com/showt...l=1#post903953



                        Originally posted by Jeff07971
                        I could not work out how to see the accessing IP in the log ( I tried Plugin:cli @ info level logging ) though.

                        Jeff
                        Turn on the http logging that mherger referred to. I saw it in there earlier today.
                        Paul Webster
                        Author of "Now Playing" plugins covering Radio France (FIP etc), PlanetRadio (Bauer - Kiss, Absolute, Scala, JazzFM etc), KCRW, ABC Australia and CBC/Radio-Canada
                        and, via the extra "Radio Now Playing" plugin lots more - see https://forums.slimdevices.com/showt...Playing-plugin



                          Originally posted by Paul Webster
                          Turn on the http logging that mherger referred to. I saw it in there earlier today.
                          Thanks for that, Yes I can confirm that the accessing IP address is that assigned by the VPN to the remote device (In my case this is NATted to a fixed IP)
                          Want a webapp ? Get SqueezeLite-X ! https://forums.slimdevices.com/showt...l=1#post903953



                            Originally posted by Jeff07971
                            I don't think d6jg will have a problem, I think he uses the same system as I.
                            I tried accessing via both IPSEC and SSL (To iPhone with iPeng ) and had no problems playing etc though I have not tried "settings"
                            I could not work out how to see the accessing IP in the log ( I tried Plugin:cli @ info level logging ) though.

                            Jeff
                            Jeff is correct. I have no problem because I use high end kit.
                            I was just saying that router & vpn is actually more common than you would think.
                            DJanGo - I am more than familiar with DMZ and public IP assignment thank you.


                            Sent from my iPhone using Tapatalk
                            Jim



                            VB2.4 storage QNAP TS419p (NFS)
                            Living Room Joggler & Pi4/Khadas -> Onkyo TXNR686 -> Celestion F20s
                            Office Joggler & Pi3 -> Denon RCD N8 -> Celestion F10s
                            Dining Room SB Radio
                            Bedroom (Bedside) Pi Zero+DAC ->ToppingTP21 ->AKG Headphones
                            Bedroom (TV) & Bathroom SB Touch ->Denon AVR ->Mordaunt Short M10s + Kef ceiling speakers
                            Guest Room Joggler > Topping Amp -> Wharfedale Modus Cubes



                              Originally posted by mherger
                              > My gateway is also my VPN server. It may be more common than you think.

                              Are you saying you're facing any issue due to these recent changes?

                              I said it wasn't common because I doubt there are many LMS users using a
                              VPN. That simple. And in a VPN situation you would dial in to the
                              router, but AFAIK the client would receive its own IP address
                              through the VPN. In that case LMS would not see the gateway's address
                              but the one of the remote client.

                              --

                              Michael
                              No issues Michael. I use site to site IPSEC and SSL client VPNs via Draytek Vigor router that is also a VPN server.
                              I was simply saying that router & vpn on the same device may be a little more common than you might think.


                              Sent from my iPhone using Tapatalk
                              Jim



                              VB2.4 storage QNAP TS419p (NFS)
                              Living Room Joggler & Pi4/Khadas -> Onkyo TXNR686 -> Celestion F20s
                              Office Joggler & Pi3 -> Denon RCD N8 -> Celestion F10s
                              Dining Room SB Radio
                              Bedroom (Bedside) Pi Zero+DAC ->ToppingTP21 ->AKG Headphones
                              Bedroom (TV) & Bathroom SB Touch ->Denon AVR ->Mordaunt Short M10s + Kef ceiling speakers
                              Guest Room Joggler > Topping Amp -> Wharfedale Modus Cubes



                                Originally posted by d6jg
                                No issues Michael. I use site to site IPSEC and SSL client VPNs via Draytek Vigor router that is also a VPN server.
                                I was simply saying that router & vpn on the same device may be a little more common than you might think.


                                Sent from my iPhone using Tapatalk
                                Yes, my Linksys router has OpenVPN built in, and that's what I'm using; the WRT1900AC is quite common?

                                But I'm out on site work, will test later if it still works for me
                                --------------------------------------------------------------------
                                Main hifi: Rasbery PI digi+ MeridianG68J MeridianHD621 MeridianG98DH 2 x MeridianDSP5200 MeridianDSP5200HC 2 xMeridianDSP3100 +Rel Stadium 3 sub.
                                Bedroom/Office: Boom
                                Loggia: Raspi hifiberry dac + Adams
                                Bathroom : Radio (with battery)
                                iPad with iPengHD & SqueezePad
                                (spares Touch, SB3, reciever ,controller )
                                server Intel NUC Esxi VM Linux mint 18 LMS 7.9.2

                                http://people.xiph.org/~xiphmont/demo/neil-young.html
