Posts by snixel

Yes you are correct. The current implementation of connman doesn't allow you to set up stateless address auto configuration (SLAAC). The 'auto' setting which should enable SLAAC or DHCPv6 only gives you a link local address. Same for the settings regarding ipv6 in the interface. They don't correctly set a fixed ipv6 address.

The only way I found to get it working is to manually set a fixed ipv6 address with connmanctl in terminal. My provider sometimes changes the WAN prefix and then I have to manually change it on my LE box. So yes, this is far from ideal, but it only happens like ones in 6 months. I can live with that.

Basically the ISP's should not have to change it because there are more then enough ipv6 addresses for everybody, so keeping it fixed all the time would save us a lot of hassle, but it probably is because they use DHCP-PD to assign ipv6 prefixes to their customers and you just get auto assigned a free one out of the pool.

My guess is that SLAAC doesnt work correctly because of the version of conmann used in LE. I'm not sure what version LE uses, but there were bugs with ipv6 and SLAAC in older connman versions. I haven't looked into it any further since I use port forwards on my LE box, so I really need a fixed IP instead of a SLAAC config.

Should work, I've got a working static ipv6 address configured on my LE9 box.

connmanctl config ethernet_<ID>_cable ipv6 manual <your fixed ipv6 address> 64 <your link local ipv6 gateway address>

The 64 is the prefix length, you can change this to something else. My provider gives me 56 as prefix, but that gives me way to many ipv6 addresses to use on my LAN so I used 64 instead.

Don't forget to edit ip6tables if you have the firewall enabled. The build in firewall only sets ip4tables because ipv6 is not officially supported, so you have to do it manually.

Best to see if you get it working with the firewall disabled first.

aptalca yes a reverse proxy could solve this, but it would be a lot easier if we could use the build in SSL feature of Kodi. That way we don't have to set up a separate reverse proxy server to accomplish this.

The --disable-https option to configure the libmicrohttpd package in LibreELEC is probably the root cause. Any reason why this is included? Can't it be removed?

Thx, I'll open up a ticket.

I did some more testing yesterday and found one more odd thing. When I completely disable the firewall in settings only port 443 and port 8080 (kodi web interface) show up on my local LAN for ipv6, while on ipv4 there or more services visible with the firewall disabled (port 80 for example were I run marachino as HTPC front end);

Does this mean that those applications don't have support for ipv6?

haha, thanks a million vpeter!!!!!

reading your post I thought you could be on to something with the icmp part. Since I noticed I couldn't ping the machine using its static ipv6 address nor on it's link-local ipv6 address with the firewall enabled. So I added the INPUT line to accept icmp packets and voila, port 443 shows up on ipv6 aswell

I also read this part about ipv6 using NDP instead of ARP and SLAAC both using icmp packets to work correctly on shouldiblockicmp.com:

Should I block ICMP?

I guess this is also the reason why me and corbosman couldn't get SLAAC to work with LE from within the GUI. We probably both had the firewall set to 'home' blocking icmp and therefor SLAAC did not work as it should.

ipv6 not working

I don't know if you are the guy that implemented the firewall in LE (you seem to know your network stuff), but maybe this could be added in a future release for the few people out there using ipv6. SLAAC is the most common ipv6 implementation provided by ISP's for home connections, so this could be very useful.

Thanks so much for you expertise, this was really helpful!

They look exactly the same.

iptables -L output:

Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     udp  --  anywhere             anywhere             ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:443
private-subnets  all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             ctstate NEW,RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain DOCKER-USER (0 references)
target     prot opt source               destination
private-subnets  all  --  anywhere             anywhere

Chain private-subnets (2 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  192.168.0.0/19       anywhere             ctstate NEW
ACCEPT     all  --  192.168.0.0/19       anywhere             ctstate NEW
ACCEPT     all  --  192.168.0.0/19       anywhere             ctstate NEW
ACCEPT     all  --  192.168.0.0/19       anywhere             ctstate NEW
ACCEPT     all  --  192.168.0.0/19       anywhere             ctstate NEW
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

ip6tables -L output:

Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all      anywhere             anywhere
ACCEPT     all      anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     udp      anywhere             anywhere             ctstate NEW
ACCEPT     tcp      anywhere             anywhere             tcp dpt:443
private-subnets  all      anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all      anywhere             anywhere             ctstate NEW,RELATED,ESTABLISHED
ACCEPT     all      anywhere             anywhere             ctstate RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain DOCKER-USER (0 references)
target     prot opt source               destination
private-subnets  all      anywhere             anywhere

Chain private-subnets (2 references)
target     prot opt source               destination
ACCEPT     all      anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all      fc00::/7             anywhere             ctstate NEW
ACCEPT     all      fc00::/7             anywhere             ctstate NEW
ACCEPT     all      fc00::/7             anywhere             ctstate NEW
ACCEPT     all      fc00::/7             anywhere             ctstate NEW
ACCEPT     all      fc00::/7             anywhere             ctstate NEW
REJECT     all      anywhere             anywhere             reject-with icmp6-port-unreachable

In LE settings the firewall is set to 'custom' and I'm using a static ipv6 address within the prefix provided from my ISP.

What's so strange is that when I turn off the firewall in settings the port suddenly opens for ipv6. So my guess is it has to be related to the rules.

And what's even stranger is that it actually works for ipv4. When I remove the line in rules.v4 for example the port closes as expected.

Greetings all,

I hope some of the experts here can shed some light on this mystery i'm facing.

I'm running a webservice (https) on my libreelec machine through default TCP port 443. I have a dual stack ipv4/ipv6 internet connection. I have forwarded port 443 in my network firewall and all has been working flawless for both ipv4 and ipv6.

Now, since the release of LE 9 there is a basic firewall introduced. So I thought I'll have a play with it. I copied over the standard 'home' rules for both ipv4 and ipv6 and placed them in the appropriate file in (/storage/.config/iptables/rules.v4 and rules.v6).

I added one line in the rules to open up TCP port 443. Below you can see my rules.v4 file for ipv4 with the added line (--dport 443)

# Completed on Thu May 30 22:42:56 2019
# Generated by iptables-save v1.8.2 on Thu May 30 22:42:56 2019
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [146:18063]
:DOCKER-USER - [0:0]
:private-subnets - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i tether -p udp -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -j private-subnets
-A FORWARD -i tether -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o tether -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A DOCKER-USER -j private-subnets
-A private-subnets -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A private-subnets -s 192.168.0.0/16 -i eth+ -m conntrack --ctstate NEW -j ACCEPT
-A private-subnets -s 192.168.0.0/16 -i en+ -m conntrack --ctstate NEW -j ACCEPT
-A private-subnets -s 192.168.0.0/16 -i wl+ -m conntrack --ctstate NEW -j ACCEPT
-A private-subnets -s 192.168.0.0/16 -i tether -m conntrack --ctstate NEW -j ACCEPT
-A private-subnets -s 192.168.0.0/16 -i docker+ -m conntrack --ctstate NEW -j ACCEPT
-A private-subnets -j REJECT --reject-with icmp-port-unreachable
COMMIT

This works perfectly. Hower, I cannot - for the life of me - get this same line to work with ipv6.

Below you can see my rules.v6 file with the same rule I've added to open up port 443 (which is basically the same file, except saved with ip6tables instead op iptables):

# Completed on Thu May 30 22:42:03 2019
# Generated by ip6tables-save v1.8.2 on Thu May 30 22:42:03 2019
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [72:7296]
:DOCKER-USER - [0:0]
:private-subnets - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i tether -p udp -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -j private-subnets
-A FORWARD -i tether -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o tether -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A DOCKER-USER -j private-subnets
-A private-subnets -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A private-subnets -s fc00::/7 -i eth+ -m conntrack --ctstate NEW -j ACCEPT
-A private-subnets -s fc00::/7 -i en+ -m conntrack --ctstate NEW -j ACCEPT
-A private-subnets -s fc00::/7 -i wl+ -m conntrack --ctstate NEW -j ACCEPT
-A private-subnets -s fc00::/7 -i tether -m conntrack --ctstate NEW -j ACCEPT
-A private-subnets -s fc00::/7 -i docker+ -m conntrack --ctstate NEW -j ACCEPT
-A private-subnets -j REJECT --reject-with icmp6-port-unreachable
COMMIT
# Completed on Thu May 30 22:42:03 2019

This however, does not work. If I reboot the machine i can see both rules get applied correctly with iptables -L and ip6tables -L, but only on ipv4 the port is open, while on ipv6 port 443 stays closed.

When I turn off the firewall in LE settings the port suddenly opens up for both ipv4 and ipv6, so there must be something wrong with the ipv6 rules, I just can't seem to figure out what it is.

I always thought basic iptable rules or the same for both ipv4 and ipv6

Can someone please be so kind and tell me where i'm failing here?

nevermind, I got it working by configuring a manual IP using connmanctl

May I ask how you got it working? I'm trying to set a manual ipv6 in the GUI but it always reverts back to 'off' or 'auto'. Problem is that the auto config doesn't work for me either, while all my other clients get a ipv6 address through SLAAC.

Quote from Klojum

Try enforcing Nvidia's old/legacy driver via SSH, see if that changes anything:

Code

[code]
wget http://chewitt.libreelec.tv/96-nvidia.rules -O /storage/.config/udev.rules.d/96-nvidia.rules

[/code]

Klojum, my hero!!

xorg now starts flawless with the legacy drivers. I extracted the EDID from my AVR and voila, no more resolution switching
Only issue I have now is that when I view videos with a width and height of 1920x1080 pixels and aspect ratio 16:9 (shown in MediaInfo) I get black bars on the right and left. Kodi is set to the same res and aspect ratio and the gui doesnt show these bars.
I can use the minimize black bars setting in Kodi, but i'm pretty sure before kodi 17 I did not have to do this. Could this be caused by the legacy drivers?

I assume I have to use the legacy drivers from now on or upgrade my gpu? Does the udev rule stay inline or does it get overwritten with every libreelec update?

Thanks again for all your help so far!

Quote from Klojum

You can try putting that xrandr command in the autostart.sh file. Sorry, it's Monday

Or try getting the EDID off your TV/AVR and store it on the LibreELEC box.

I tried, but from the moment i restart xorg (systemctl start xorg.service) it hangs. Doesnt matter if i copy /etc/X11/xorg-nvidia.conf to /storage/.config/xorg.conf or not I just get X server startup timeout.

systemctl status xorg.service shows the following (++) Using config file: "/etc/X11/xorg-nvidia.conf"
Apr 01 14:38:22 Batman xorg-launch[2955]: (==) Using system config directory "/usr/share/X11/xorg.conf.d"
Apr 01 14:38:52 Batman xorg-launch[2955]: X server startup timed out (30secs). This indicates anan issue in the server configuration or drivers.

The script throws the same error.
I'm running an Geforce GTX650Ti and the script detects the gpu as nvidia

Hi,

I've recently bought a new 4k TV (LG 55uh605v) and i have a AV receiver which does not support 4k hooked to it.
This is not a big issue, since i have set the resolution in kodi to 1920x1080.
I use HDMI CEC to power on the TV and Receiver when i turn on my Lebreelec device, but everytime i do this, my TV wakes up first and sets the res in kodi to 4k (3840x2160)
My Receiver wakes up last and does not support this res, so i get a message on the TV saying "unknown resolution". I can only change this by sshing into my Libreelec machine and using xrandr to manually change the res. This is quite annoying.
Is there any way I can set the display res in Kodi fixed so it doesn't change automatically?

Hi All,

I want try out retroplayer for the first time. Can i just upgrade by downloading the retroplayer build and put it in the update folder? (im currently running a generic libreelec 7.0.2 x64 build)
Do I keep all my addons and settings? I see some users report they had to do a hard reset before it fully functions? or can i do a backup, hard reset and then restore?

What are the things i should know about before starting?

Thanks for the advice!

Quote from raynetec

Did anyone mange to get sound with moonlight? I'm using the lastest x86_64 generic build #0902.

I can play a test.wav with the following commands:

Code

aplay -D hdmi:CARD=HDMI,DEV=1 test.wav
aplay -D hw:0,7 test.wav

But using hdmi:CARD=HDMI,DEV=1 or hw:0,7 as audio device doesn't work. Can anyone point me in the right direction please?

@Rumo, snixel & Zoba: I had the same problem with SDL: could not create window - exiting. After upgrading to the latest nighty build, it was working like a charm besides my audio issue.

I fixed my image problem by disabling 'Force HW acceleration'. Turns out you need to reboot before the changes take effect.
Cant get sound to work either, also tried with hw:x,x but it doesnt change anything.

Same for my controllers. I use wired logitech chillstreams with the same layout as xbox360 but using default or xbox360 mappings doesnt work. They do work in kodi tho

Quote from Rumo

I have the same issue as stConners even if i disable "Force HW" (and restart). It pairs, connects but didnt establish the stream.

System:
Asus chromebox with LibreELEC 7.0.2, Moonlight 7.0.101

Log:
Moonlight Embedded 2.2.0 (SDL;VDPAU;PULSE;CEC)
Searching for server...
Connect to 192.168.1.2...
NVIDIA GeForce GTX 970, GFE 2.11.4.0 (protocol version 7)
SDL: could not create window - exiting

Any idears?

Display More

I have the same issue on a GTX650ti. I see you have PULSE;CEC in your moonlight log, could it be you are using the Pulse Eight CEC adapter? I also use this adapter, maybe thats whats causing the issue.

Any chance to get your addon for the Generic build?