Enable Matrix Federation on same Cloudron server
-
I'd like to propose a change to the default synapse config file. Currently, the federation blacklist blocks any connections from another Matrix instance on the same server:
```yaml
federation_ip_range_blacklist:
  - '127.0.0.0/8'
  - '10.0.0.0/8'
  - '172.16.0.0/12'   # this is blocking the internal connections
  - '192.168.0.0/16'
  - '100.64.0.0/10'
  - '169.254.0.0/16'
  - '::1/128'
  - 'fe80::/64'
  - 'fc00::/7'
```

Synapse supports additional whitelisting which overrides the blacklist:

```yaml
ip_range_whitelist:
  - '172.18.0.0/16'   # Whitelist the Cloudron's docker network
```
Cloudron's docker network is in 172.18.0.0/16 which afaict is not in the federation_ip_range_blacklist. What am I missing?
Hi @girish

The 172.16.0.0/12 Range:
- This CIDR block represents IP addresses from 172.16.0.0 to 172.31.255.255.
- The /12 means the first 12 bits are fixed for the network portion, leaving 20 bits for host addresses.

Cloudron's Docker Network 172.18.0.0/16:
- This CIDR block represents IP addresses from 172.18.0.0 to 172.18.255.255.

The range 172.18.0.0 to 172.18.255.255 (Cloudron's Docker network) is a sub-range within 172.16.0.0 to 172.31.255.255. Since 16 <= 18 <= 31, any IP in 172.18.x.y falls into the 172.16.0.0/12 block.

You are likely looking at 172.18.x.x and 172.16.x.x and thinking they are distinct because the second octet is different. However, the /12 subnet mask on 172.16.0.0 makes it a much larger range that also encompasses 172.18.0.0/16.
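Added example (mine, not from the thread or from Synapse's own code) that checks the ranges above with Python's ipaddress module and models the whitelist-overrides-blacklist rule the original post describes; the function names and the sample peer address are assumptions.

```python
import ipaddress

# Ranges copied from the Synapse config quoted earlier in this thread.
FEDERATION_IP_RANGE_BLACKLIST = [
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "100.64.0.0/10", "169.254.0.0/16", "::1/128", "fe80::/64", "fc00::/7",
]
# Cloudron's Docker network, the entry proposed for ip_range_whitelist.
IP_RANGE_WHITELIST = ["172.18.0.0/16"]


def cidr_bounds(cidr):
    """First and last address covered by a CIDR block, as strings."""
    net = ipaddress.ip_network(cidr, strict=False)
    return str(net.network_address), str(net.broadcast_address)


def is_sub_range(inner, outer):
    """True if every address of `inner` also lies inside `outer` (same IP version)."""
    return ipaddress.ip_network(inner).subnet_of(ipaddress.ip_network(outer))


def blocking_ranges(ip, blacklist=FEDERATION_IP_RANGE_BLACKLIST):
    """Blacklist entries that contain `ip`; an empty list means not blocked.
    A v4 address tested against a v6 block is simply not contained."""
    addr = ipaddress.ip_address(ip)
    return [c for c in blacklist if addr in ipaddress.ip_network(c)]


def federation_allowed(ip, blacklist=FEDERATION_IP_RANGE_BLACKLIST, whitelist=()):
    """Model of the rule described in the thread: a whitelist match overrides
    the blacklist; otherwise any blacklist match blocks the peer."""
    addr = ipaddress.ip_address(ip)
    if any(addr in ipaddress.ip_network(c) for c in whitelist):
        return True
    return not blocking_ranges(ip, blacklist)


if __name__ == "__main__":
    for cidr in ("172.16.0.0/12", "172.18.0.0/16"):
        print(cidr, "covers", *cidr_bounds(cidr))
    peer = "172.18.0.5"  # constructed: a Synapse container on the Docker network
    print(peer, "blocked by", blocking_ranges(peer))
    print("allowed without whitelist:", federation_allowed(peer))
    print("allowed with whitelist:", federation_allowed(peer, whitelist=IP_RANGE_WHITELIST))
```

The rule modelled here is only what this thread states about Synapse; check it against the config documentation of the Synapse version you actually run.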
-
Right, easy to overlook those in the ranges.
Given that we just pre-provision the package with a template of the sample config when we packaged the app, it is safe to adjust those values. In fact the current sample file at https://github.com/element-hq/synapse/blob/develop/docs/sample_config.yaml does not even mention any block/allow listing at all.
-
I'm not sure, there might be a good argument made for the existing blocklist. However it made me troubleshoot a federation issue much longer than I wish it would, hence my request here to have the whitelist included if the blacklist is, because others might run into similar issues.
-
Will sync the configs to upstream ones and add the whitelist ...