How is external access checked?

Hello,

I just upgraded to 1.10.0 and I now have a warning "Possible external access detected" but (I believe) it is not the case. How is this checked?

Thanks!
JS

Hello again,

I think I understand what happens.

As I understand it, OctoPrint checks if the request is coming from a public or private IP. In my case, my PC has IPv6 activated and has 2 IPv6 addresses: a link-local one (and I would have thought that it would be used on my home network) and a global address provided by my ISP DHCP.

I am using an mDNS "fqdn", that is whateverpiname.local, to connect to OctoPrint.
It seems that mDNS (in my context... and I am not sure why exactly) returns the IPv6 global address instead of the link-local one, thus leading OctoPrint to believe it is open to the Internet (which is not the case).

Maybe the method used to test the OctoPrint instance should be improved to limit "false positive" alerting?

Love OctoPrint anyway!
Thanks for this great software.

JS

You're right, it checks the client request address to see if it is local or external access. That's done with this logic here:

I am not sure how the check could be improved if your IP address looks like an external one - what other factor/information could OctoPrint use to know it is definitely internal? It's better to have a false positive here than a false negative.

Your octoprint.log should show the connecting client's IP so you can check your theory is correct.

Hello @Charlie_Powell,

Thanks for the reply.

The log (auth.log) does show the IPv6 global address.

The problem is that this may trigger quite a lot of false positives for home users. If there are too many... people won't trust the test anyway and will just dismiss the warning.

I can see 3 ways to improve the check... which may... or may not... be practical:

  • Based on routing: check if both IPs are part of the same segment by running a traceroute: if there is no router, both hosts are on the very same LAN. Quite simple and effective, but it may require specific permissions on the OctoPrint host. It may not trigger if both hosts are on the very same public subnet... which is quite unlikely for a typical home user.
  • Based on subnet: check if both IPs are in the same subnet, that is, same prefix length (most probably 64) and same prefix value. But... I am not sure you can easily get prefix information for a remote host.
  • Real check: effectively check accessibility from a public server... but it requires a host available on the web... May be tricky to implement...

JS

This may be a tiny bug in 1.10.0 as well: Incorrect External Access Warning · Issue #5005 · OctoPrint/OctoPrint (github.com)

Hello again,

That's probably the cause indeed.

If I run some netifaces script in Python on my OctoPi, I can see a "mask" key and not netmask.

>>> import json, socket, netifaces
>>> print(json.dumps(netifaces.ifaddresses('wlan0').get(socket.AF_INET6), indent=4))
[
    {
        "addr": "****:****:****:****:****:****:****:****",
        "mask": "ffff:ffff:ffff:ffff::"
    },
    {
        "mask": "ffff:ffff:ffff:ffff::",
        "addr": "fe80::****:****:****:****"
    }
]

And the code shows:

It is indeed looking for netmask and not mask...

Thanks for the help.
JS
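
The key mismatch discussed in this thread, as an added example (not OctoPrint's code and not written by any poster): a same-subnet check that builds the host's attached networks from netifaces-style entries and accepts either the "netmask" or the "mask" key. The sample entries use constructed documentation addresses, and all function names are hypothetical.

```python
import ipaddress

# Constructed sample shaped like the netifaces output quoted above
# (documentation addresses). Note the "mask" key on the IPv6 entries.
SAMPLE_IFADDRS = [
    {"addr": "2001:db8:1234:5678::10", "mask": "ffff:ffff:ffff:ffff::"},
    {"addr": "fe80::1%wlan0", "mask": "ffff:ffff:ffff:ffff::"},
    {"addr": "192.168.1.20", "netmask": "255.255.255.0"},
]


def prefix_length(mask):
    """Convert a netmask string (IPv4, IPv6, or 'mask/len') to a prefix length."""
    if "/" in mask:
        return int(mask.rsplit("/", 1)[1])
    bits = "".join(f"{b:08b}" for b in ipaddress.ip_address(mask).packed)
    ones = bits.rstrip("0")
    if "0" in ones:
        raise ValueError(f"non-contiguous netmask: {mask}")
    return len(ones)


def local_networks(entries):
    """Build the directly attached subnets from interface entries."""
    networks = []
    for entry in entries:
        mask = entry.get("netmask") or entry.get("mask")  # tolerate both keys
        addr = entry.get("addr")
        if not addr or not mask:
            continue  # without a mask the subnet is unknown, so skip it
        addr = addr.split("%", 1)[0]  # drop an IPv6 zone id such as %wlan0
        iface = ipaddress.ip_interface(f"{addr}/{prefix_length(mask)}")
        networks.append(iface.network)
    return networks


def is_on_local_subnet(client_ip, entries):
    """True if client_ip falls inside any subnet the host is attached to."""
    client = ipaddress.ip_address(client_ip.split("%", 1)[0])
    return any(client.version == net.version and client in net
               for net in local_networks(entries))
```

A client inside the same global /64 is on the same link, but that says nothing about whether a firewall blocks inbound traffic from outside, so this check reduces false positives rather than proving the instance is unexposed.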