[Opensim-dev] Question about client ip verification (Ferd Frederix)
Fred Beckhusen
fred at mitsi.com
Tue Aug 14 17:06:52 UTC 2018
Forwarded from opensim-users list as I know of lots of people that have this same issue.
tl;dr: If loopback is fixed with hosts file, or a device driver is used to loopback, and you log into a foreign grid, you cannot reach your own local grid, even from the server.
The IP it verifies against is the local LAN, and not the domain name, so the verification fails locally, as 127.0.0.1 or 192.* does not match the domain name it should be using.
Fred (Ferd Frederix)
Fwd: Opensim-users Digest, Vol 51, Issue 7
From: Markus <pet2001 at epbfi.com>
Subject: [Opensim-users] Question about client ip verification
I've got one of those routers which do not handle loopback correctly.
Pinging my external IP works but that's only half of the story. The
router replaces the sender address (which is the computer inside the lan
running the client) with its own local address which of course is
nonsense. So this is my current setup:
A server running a standalone HG enabled private grid with 4 regions,
using ports TCP 9000 and UDP 9000-9003.
My desktop pc (inside my lan) running the client.
My router with its brain damaged implementation of loopback.
A dynamic dns domain for accessing my private grid from the outside.
These scenarios do work without a problem:
I can login to my private grid.
I can make a HG jump from my grid to other OS grids.
I can jump back home (this actually works because client ip verification
is not performed when I return to my home grid because it's a local account).
Other people from outside the lan can HG jump to my private grid.
What does not work?
I login to a different OS grid which is outside my lan (e.g. I login to
DigiWorldz because I also have an account there) and then try to HG jump
to my private grid at home. In this case, the client ip verification
fails. DigiWorldz reports to my server my external ip and my "new"
client ip all of a sudden is the same as my router's internal ip because
of the buggy router.
So the question is: can I somehow disable the client ip verification if
the incoming avatar is foreign (not from my private grid) but his
client's ip is internal to my lan? That would solve my problem right
away and not cause any security problem because I could then disable
loopback completely and set a local dns record in my router's host which
resolves my external dynamic dns domain directly to my OpenSim server.
In short: Is there any way to disable client ip verification if the
client ip of the incoming avatar is part of the local lan?
Markus.
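The mismatch described in both messages, together with a narrower alternative to switching verification off for every LAN client, modeled as an added example (not OpenSim code and not part of either message). The function name, its parameters and all addresses are constructed for illustration.

```python
import ipaddress


def verify_client_ip(reported_ip, observed_ip, own_public_ip, lan_cidr):
    """Model of a Hypergrid-style client IP check (illustrative, not OpenSim code).

    reported_ip   -- client address the foreign grid says it saw
    observed_ip   -- source address of the connection reaching this grid
    own_public_ip -- this grid's external address (e.g. resolved dynamic DNS)
    lan_cidr      -- this grid's local network
    Returns (accepted, reason).
    """
    try:
        reported = ipaddress.ip_address(reported_ip)
        observed = ipaddress.ip_address(observed_ip)
        public = ipaddress.ip_address(own_public_ip)
        lan = ipaddress.ip_network(lan_cidr)
    except ValueError:
        return False, "unparseable address"

    # Strict rule: both grids must have seen the same client address.
    if reported == observed:
        return True, "exact match"

    # Narrow exception for the case in the thread: the client sits behind the
    # grid's own NAT, so the foreign grid saw the grid's public address while
    # the local connection arrives from a LAN or loopback address.
    local = observed.is_loopback or observed in lan
    if local and reported == public:
        return True, "local client behind own NAT"

    return False, "mismatch"


# Constructed sample values (documentation address ranges).
PUBLIC, LAN, ROUTER = "203.0.113.10", "192.168.1.0/24", "192.168.1.1"

if __name__ == "__main__":
    cases = [(PUBLIC, ROUTER), (PUBLIC, "127.0.0.1"),
             ("198.51.100.7", ROUTER), ("198.51.100.7", "198.51.100.7")]
    for rep, obs in cases:
        print(rep, obs, verify_client_ip(rep, obs, PUBLIC, LAN))
```

A LAN source address is accepted only when the foreign grid reported this grid's own public address; any other reported address arriving from the LAN is still rejected.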