Cloudron makes it easy to run web apps like WordPress, Nextcloud, GitLab on your server. Find out more or install now.


Skip to content
  • Categories
  • Recent
  • Tags
  • Popular
  • Bookmarks
  • Search
Skins
  • Light
  • Cerulean
  • Cosmo
  • Flatly
  • Journal
  • Litera
  • Lumen
  • Lux
  • Materia
  • Minty
  • Morph
  • Pulse
  • Sandstone
  • Simplex
  • Sketchy
  • Spacelab
  • United
  • Yeti
  • Zephyr
  • Dark
  • Cyborg
  • Darkly
  • Quartz
  • Slate
  • Solar
  • Superhero
  • Vapor
  • Default (No Skin)
  • No Skin
Collapse
Brand Logo

Cloudron Forum
Apps | Demo | Docs | Install
  1. Cloudron Forum
  2. Matrix (Synapse/Element)
  3. Enable Matrix Federation on same Cludron server

Enable Matrix Federation on same Cludron server

Scheduled Pinned Locked Moved Matrix (Synapse/Element)
5 Posts 3 Posters 49 Views 3 Watching
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • andreasduerenA Online
    andreasduerenA Online
    andreasdueren
    wrote last edited by
    #1

    I'd like to propose a change to the default synapse config file. Currently, the federation blacklist blocks any connections from another Matrix instance on the same server:

    federation_ip_range_blacklist:
  - '127.0.0.0/8'
  - '10.0.0.0/8'
  - '172.16.0.0/12' # this is blocking the internal conections
  - '192.168.0.0/16'
  - '100.64.0.0/10'
  - '169.254.0.0/16'
  - '::1/128'
  - 'fe80::/64'
  - 'fc00::/7'

    Synapse supports additional whitelisting which overrides the blacklist:

    ip_range_whitelist:
  - '172.18.0.0/16' # Whitelist the Cloudron's docker network
    1 Reply Last reply
    2
    • girishG Offline
      girishG Offline
      girish
      Staff
      wrote last edited by
      #2

      Cloudron's docker network is in 172.18.0.0/16 which afaict is not in the federation_ip_range_blacklist . What am I missing?

      andreasduerenA 1 Reply Last reply
      0
      • girishG girish

        Cloudron's docker network is in 172.18.0.0/16 which afaict is not in the federation_ip_range_blacklist . What am I missing?

        andreasduerenA Online
        andreasduerenA Online
        andreasdueren
        wrote last edited by
        #3

        Hi @girish

        1. The 172.16.0.0/12 Range:

          • This CIDR block represents IP addresses from 172.16.0.0 to 172.31.255.255.
          • The /12 means the first 12 bits are fixed for the network portion, leaving 20 bits for host addresses.

        2. Cloudron's Docker Network 172.18.0.0/16:

          • This CIDR block represents IP addresses from 172.18.0.0 to 172.18.255.255.

        The range 172.18.0.0 to 172.18.255.255 (Cloudron's Docker network) is a sub-range within 172.16.0.0 to 172.31.255.255.
        Since 16 <= 18 <= 31, any IP in 172.18.x.y falls into the 172.16.0.0/12 block.

        You are likely looking at 172.18.x.x and 172.16.x.x and thinking they are distinct because the second octet is different. However, the /12 subnet mask on 172.16.0.0 makes it a much larger range that also encompasses 172.18.0.0/16.

        1 Reply Last reply
        0
        • nebulonN Offline
          nebulonN Offline
          nebulon
          Staff
          wrote last edited by
          #4

          Right, easy to overlook those in the ranges.

          Given that we just pre-provision the package with a template of the sample config when we packaged the app, it is safe to adjust those values. In fact the current sample file at https://github.com/element-hq/synapse/blob/develop/docs/sample_config.yaml does not even mention any block/allow listing at all.

          1 Reply Last reply
          1
          • andreasduerenA Online
            andreasduerenA Online
            andreasdueren
            wrote last edited by
            #5

            I'm not sure, there might be a good argument made fore the existing blocklist. However it made me troubleshoot a federation issue much longer than I wish it would, hence my request here to have the whitelist included if the blacklist is because others might run into similar issues.

            1 Reply Last reply
            0
            Reply
            • Reply as topic
            Log in to reply
            • Oldest to Newest
            • Newest to Oldest
            • Most Votes

            • Login
            • Don't have an account? Register
            • Login or register to search.
            • First post
              Last post
            0
            • Categories
            • Recent
            • Tags
            • Popular
            • Bookmarks
            • Search