Remote MAC filtering?

LinuxMaster9 · January 7, 2018, 11:02pm

Im curious.

I run an emby server and want to use my SSL certs for security. But Roku does not allow connections over HTTPS. Can I add the MAC address of the Roku to my OpenWRT router Firewall to allow only that MAC address to access port 8096 when accessing emby from the WAN?

I forget if MAC addresses get sent all the way to the other end of the route.

NetBandit · January 10, 2018, 6:52pm

Routers deal in IP
Switches deal in MAC

LinuxMaster9 · January 10, 2018, 10:57pm

yeah, I figured that out about a couple hours later. I perused the Emby forums looking for answers to my Roku problem. I looked for Reverse Proxies etc. But thanks. I’d forgotten about this thread.

I had an inkling that MAC addresses didnt cross the WAN. But my OpenWRT firewall allowed for filtering MAC addresses via the WAN so I was like…huh… maybe.?

Do you have any suggestions to my problem with the roku and SSL? some way to have the roku use the HTTP address but have all traffic actually run over the HTTPS SSL route?

Shadowbane · January 11, 2018, 2:10am

I don’t know if this is what you are looking for, but how about setting up a Privet Network Server, like OpenVPN.

Dexter_Kane · January 11, 2018, 2:18am

I image the problem roku is having is with the self signed certificate and not with ssl in general. So if you can get emby to use a let’s encrypt certificate, or any other verifiable cert, then is should work.

Shadowbane · January 11, 2018, 2:46am

I just knew @Dexter_Kane would have the best answer. @LinuxMaster9 if I was you I would try and get hold of Roku support explain, what you are trying to do and see if they can help you.

Dexter_Kane · January 11, 2018, 4:56am

Also, if I understand correctly you want to configure the firewall to only allow one device to connect on the http port while the https port is open for everyone? What’s the concern here? If you’re okay with one device using http then it makes no difference if the port is open to the public or not.

Dexter_Kane · January 11, 2018, 5:10am

blog.awelswynol.co.uk/2017/06/emby-server-https-direct-connect

This script is for Windows but you should be able to adapt it to Linux

emby.media/community/index.php?/topic/47335-lets-encrypt-for-emby/

Unpopular suggestion: Save yourself a bunch of trouble and use plex instead

LinuxMaster9 · January 11, 2018, 5:21am

Emby already has HTTPS built in. nothing fancy to be done on the Linux side. It runs over port 8920.

Plex…I will never use Plex. Plex catalogs my entire library of all my files on my machine and sends the data to Plex themselves. not just my media library. Call me a tin foil person but I prefer the open source method.

I might just buy an SSL instead of using the self signed. I wanted to MAC filter the HTTP port address and have any devices not on that filter whitelist routed to the HTTPS page which is a Login page. The HTTPS page is for web browsers. Only the Roku seems to have issues with the SSL cert. Kodi does not.

lessaj · January 11, 2018, 5:36am

I use an apache reverse proxy with a Let’s Encrypt certificate to protect the Emby back end, but I don’t use Roku so I’m not sure if a reverse proxy would be helpful for your setup.

Dexter_Kane · January 11, 2018, 6:03am

It’s really up to the client to decide what to do about self signed certs and I doubt that can be changed on the roku. Those links aren’t about adding ssl to emby they’re about how to use emby with a real cert, which is what you need to do if you want to use https on a device that won’t connect with untrusted certs.

The reason I suggest plex is because this is not a simple problem and plex already figured out the sollution to it. According to their privacy agreement they don’t store any info about your library, but do what you want. Plex is the simple sollution to this problem and putting together all the necessary infrastructure to use real certs is the complicated sollution.

LinuxMaster9 · January 11, 2018, 4:05pm

Ill probably just get a CA signed SSL cert. once upon a time I used plex. i wont go back. if anything I will roll my own solution. Most likely through kodi.

Shadowbane · January 11, 2018, 10:03pm

I am just wondering why will you never go back to Plex?

LinuxMaster9 · January 12, 2018, 4:05pm

There are several privacy concerns I have with the ToS that Plex has. That and the kerfufle from last fall around the forced data collection policy. The Emby web interface is much more appealing and configurable in my experience. Emby is in general more Open Source than Plex is. For example, AFAIK, Emby does not force all remote content through their servers. You can direct connect to a server with the server address and port, username and login. Completely bypassing the Emby.media servers.

LOCAL Useraccounts
The Credentials of the Accounts are stored on your HDD.
Not in the emby-Cloud.
emby-connect is voluntary.
With PLEX, you have to have a useraccount with PLEX (Cloud-Based), unless you either only stream locally or don’t have any authentication at all
Better parental controls, able to set controls based on device and time limits
Trakt Sync for all users
Multi Part episodes show 1 playback item
Able to see Upcoming TV episodes and even ones that are missing.
Emby support much higher bitrate video and audio

My media server setup simply works. I only ran into an issue when I decided I wanted to use SSL certs instead of just using HTTP even though im not running port 80. I am not a fan of Roku but my folks wont let me put in HTPCs at each TV so I can run Kodi setups. They want a simple solution and Roku usually fits the bill. My server is a good 50 miles from their house but they have symmetrical no cap, 1Gbps FTTH and I have no cap, symmetrical 100Mbps business cable from my apartment complex (the complex has a 10G pipe that gets split across multiple buildings). I recently flashed my aging Asus RT-N56U to OpenWRT so now have access to a plethora of options I havent seen since my days at the local Cicso Academy studying for the CCNA.
So, I thought I would try and lock down access to the server as much as possible from devices outside my network. It already requires a login and password and does not pass directly through the Emby servers. It is a direct connection to my server through my DDNS server. Which I can get a SSL Cert through them if I need to.

Im interested to know why you would not switch to Emby?

Shadowbane · January 12, 2018, 6:42pm

I agree with your privacy concerns, and I have used Emby before when it was called Media Server and stopped using it when they changed the name to Emby, because of the lack of Linux support and setting up a Plex server just seemed easier. I might give it a try now there are apps for all my devices. I have one quick question, will an Emby Server accept HTTPS connections from a Virtual Privet Server like OpenVPN. In the future, I would like to accomplish the same goal you are trying to accomplish now.

LinuxMaster9 · January 12, 2018, 7:34pm

Emby has fully support for Linux. I run a fully Linux server setup without issue and it is usually on the same version as the Windows version.

AFAIK, you should have no issues connecting over VPN with HTTPS. . Id just rather not nerf my folks network by connecting it to mine. Maybe if they let me do some voodoo with their network I can set it up so I run a OpenVPN between their network and my network only for Emby traffic with VLAN tagging. Oh how I love VLAN tagging. That way only traffic that is tagged for Emby goes through the VPN whereas the rest goes out over the regular WAN network.

Shadowbane · January 12, 2018, 8:38pm

That wasn’t the case the last time I looked into Emby, as soon as I replace my failed hard drive with an SSD and reinstall Linux, I will give Emby a try.

LinuxMaster9 · January 12, 2018, 9:38pm

Linux Server Link