[Resolved] Specify single IP access on LAN

I have recently attempted to specify a single IP address to only allow access to a specified range of TV Channels … try to imagine one user should see only Sports or Childrens channels and you get the idea.

I thought it would be simple TBH … just specify the IP address and the allowed channel group and place that user entry before any other.

Unfortunately it does not seem to work for me.
Example …
limited user IP 192.168.1.100/32
general LAN 192.168.1.0/24

When the user with the ‘100’ IP address launches Kodi they get the same channels as the rest of the LAN users, and not just their own specified channel group.
If the general LAN user is disabled, then the ‘100’ channels are shown on the ‘100’ device.
Once the general LAN user is activated the ‘100’ is apparently ignored.

Have I taken an incorrect approach or erred somewhere?
This is not supremely important but it would be nice to get it done correctly.

Thanks for any suggestions.

To limit access to some TV channels to a user:

1.- Go to tvheadend web server
2.- Configuration-> Users-> Access_Entries
3.- Edit some user and modify ‘Exclude channel tags’

Sorry if I did not make it clear.
The problem is not in limiting the channels, the problem is that the user client gets connected via the general LAN channels (account for all other users on LAN), even though the specific user IP has its own account in tvheadend with the required limitations applied.

It does this even though the specific user IP account is listed prior to the general account, and will connect through that account if the general account is disabled … but not if it is enabled.

This seems contrary to what I understand should happen … the accounts are polled from the top of the list and the first applicable account is used.

I do not know if I understood what you want. The problem seems to be that the 192.168.0.1/24 domain includes the 192.168.0.100/32 domain.

Why do not you design excluding domains?, for example:

192.168.0.1/26
192.168.0.64/26
192.168.0.128/26
192.168.0.192/26

The limited user is one IP address and is first on the list of users in tvheadend.
That is the one which that user should use and not proceed through the list to get a less limited account.

That is how I understood it to work.
It seems now I maybe misunderstand how things work.

Hopefully I can be enlightened.

Sorry again, when I spoke about excluding domains, I referred to the configuration of tvheadend users, not the configuration of your network.

Anyway, I do not do things like that, in my network I use low IPs for known devices and servers (192.168.x.2-29), the general pool of addresses (192.168.x.30-220), and high IP addresses (192.168.x.221-250) for PPTP connections (which are almost always disabled).

But regardless how the router IP range is arranged, in this case I want to limit one of those IPs to a particular set of TV channels from tvheadend, such as childrens channels only for a child.
the IP is fixed
the limited channel list is done
the user account for the IP is created
that user account is first in the list of accounts in tvheadend

Yet, that device with fixed IP, does not use that first account when connecting, unless the more open account, which follows it in the list, is disabled, which causes it to connect using the first (correct) account.

Why would it skip the first account in the list, and use the third one?
Is there some setting I am missing?

From what I have read, all access to tvheadend should go through the account list and use the first one it finds that it can connect through.
That is not what appears to be happening here. :frowning:

Maybe I misunderstand how this works, and that is my problem … reading this leaves me a little confused …

Tvheadend verifies access by scanning through all enabled access control entries in sequence, from the top of the list to the bottom. The permission flags, streaming profiles, DVR config profiles, channel tags and so on are combined for all matching access entries. An access entry is said to match if the username / password matches and the IP source address of the requesting peer is within the prefix.
https://docs.tvheadend.org/webui/config_access/

Does this mean that all user accounts on the list, which could possibly be matched to the client device are combined?

If that is the case then what I am trying to do is not possible.

EDIT: It seems I would have to have all connecting devices on the LAN use a username/password to use separate channel lists.
I will try that …

I think this is the solution. I use this, different users in tvheadend with different permissions.

I thought it might work with just user names, but it seems passwords are also required. Yes they can be simple, but apparently they must be present.

This means that all devices connecting to the tvheadend server must have username:password set.
I had hoped to make a general ‘open’ connection available for visiting devices, but I cannot see how this is possible now.

Thanks for the help.

Generic anonymous user in tvheadend
name = *
password = <no password>

I previously had such a user but it caused the limited account to have access to all channels.

I must try again now that all accounts have username:password to see if it still causes the same issues.
Logically it should still cause problems … otherwise I have no idea what is happening.

Yes, it appears that if I want one user to have access to a limited range of channels, then ALL users must have username:password, else the limited user will have access to the channels allowed for any ‘open’ user … because of all the channels being combined as per the quote in my post above.