IP/domain filtering for CDVR remote streaming

I have recently started testing remote access to CDVR. I have been able to get it working (under some conditions, described below), and it's very cool! (kudos to devs @maddox @tmm1 @eric !)

I have been able to get remote access to work if I set my router firewall to allow inbound access on port 8089 from the USA region (or of course, from anything broader than that). I am using a Firewall Gold as the router -- which I became aware of thanks to @rog889 -- thanks for that, I am very thankful to have that now! I have had to set the port forward manually, but I am confident that I have done that correctly, as I do have reasonable experience with port forwarding.

However, if I try to restrict access via the firewall further (e.g., to the specific IP address of the device on which I run the Channels client app remotely), I have been unable to get remote access to work. I assume that this is because in this case, the Fancybits servers cannot get through my firewall to my server at home, in order to authenticate between my client and my server(?)

However, when I set my home firewall to allow USA region access, I get a lot of 8089 access attempts, some of which are blocked, but some of which are allowed -- and I am unable to identify what those are, which concerns me.

So, I would like to lock things down a bit more with my router. I have read through all of the threads I could find that discuss remote access and security, but still have a few questions:

My questions:

  1. Is there an IP address range and/or domain for Fancybits' server(s) that I can add to my 8089 firewall whitelist so that CDVR remote access will work without my having to allow 8089 access for the entire USA region?

  2. If not: Is there any other way to lock down 8089 access to be more restrictive than "USA region" while still allowing CDVR remote access to work?

Apologies in advance if my questions are stupid and/or ill-formed! -- I am not very knowledgeable about router/port security.

And thanks in advance for any help!

We don't have a fixed list of IPs.

If you don't want to open ports to the internet, you can explore our new Tailscale integration.

What exactly is the error or behavior in this scenario?

If you're getting an error coming from us, there should be a link on the page that lets you continue anyway.

@tmm1 -- thank you very much for the information and the hyper-speed reply.

I wasn't aware of the new Tailscale feature, but have now looked at that post: NEW: DVR Server + Tailscale integration, for easier Away from Home access (Experimental)

Looks very interesting (and again, kudos to devs!). Not immediately usable for me, though, as my Channels remote access client is an Apple TV.

Yes, I did get that notification with the link to continue anyway, but couldn't connect. However, I am less confident that I had all port forward filtering settings set up correctly when I reached that point (I had been making various changes), so I will test this more systematically, and report back.

Thank you!

Okay there may be a bug if the continue link doesn't work. More details about where the link takes you and what errors are shown would be helpful in tracking that down. We would like remote auth to work in the scenario you describe, without needing to give access to our servers.

That's great to know -- thanks! So I will definitely test more carefully and report back.

@tmm1 — sorry, it took longer than expected (was moving my CDVR server to a new machine) — just wanted to report back — I’ve been able to successfully set this up. Am able to authenticate when I get that message. Thanks.

It works on Apple TV now

@chDVRuser — thanks for this! Yes, I had seen that and have it set up. Will see how well it works soon on some upcoming travel. Tailscale does work well for me on iOS.

I also feel like I now have the 8089 port forward security locked down to within my comfort level (CDVR server on a new machine that has no sensitive info; on separate LAN which cannot send traffic to my main LAN; port access restricted to specific IP addresses).

So between that and Tailscale it’s good to have options!

Thanks again.