CIDR and you, or: What the heck are AllowedIPs?

[TheSpidey]

Trying to open a server but you keep getting this dreaded message:

connection attempt from <ip> FAILED. NOT AN ALLOWED IP.

The solution is quick and simple - You need to edit your CIDR range of allowed connections in ascent-logon.conf.

'But wait', you may ask, 'what should I put there?'

Well, i'll first explain about CIDR structure and then tell you

CIDR is an easy way to define IP ranges.

Refer to the following table:

Code:

IP/CIDR 	? to last IP addr
a.b.c.d/32 	+0.0.0.0
a.b.c.d/31 	+0.0.0.1
a.b.c.d/30 	+0.0.0.3
a.b.c.d/29 	+0.0.0.7
a.b.c.d/28 	+0.0.0.15
a.b.c.d/27 	+0.0.0.31
a.b.c.d/26 	+0.0.0.63
a.b.c.d/25 	+0.0.0.127
a.b.c.0/24 	+0.0.0.255
a.b.c.0/23 	+0.0.1.255
a.b.c.0/22 	+0.0.3.255
a.b.c.0/21 	+0.0.7.255
a.b.c.0/20 	+0.0.15.255
a.b.c.0/19 	+0.0.31.255
a.b.c.0/18 	+0.0.63.255
a.b.c.0/17 	+0.0.127.255
a.b.0.0/16 	+0.0.255.255
a.b.0.0/15 	+0.1.255.255
a.b.0.0/14 	+0.3.255.255
a.b.0.0/13 	+0.7.255.255
a.b.0.0/12 	+0.15.255.255
a.b.0.0/11 	+0.31.255.255
a.b.0.0/10 	+0.63.255.255
a.b.0.0/9 	+0.127.255.255
a.0.0.0/8 	+0.255.255.255
a.0.0.0/7 	+1.255.255.255
a.0.0.0/6 	+3.255.255.255
a.0.0.0/5 	+7.255.255.255
a.0.0.0/4 	+15.255.255.255
a.0.0.0/3 	+31.255.255.255
a.0.0.0/2 	+63.255.255.255
a.0.0.0/1 	+127.255.255.255
0.0.0.0/0 	+255.255.255.255

It lists all the CIDR ranges one can compile.

If, for instance, you want to ban a certain ISP, and you know their ip range from 135.129.0.0 up untill 135.129.255.255, refer to the table and find the range that adds 0.0.255.255:
a.b.0.0/16
Meaning, the CIDR 135.129.0.0/16 defines that range we wanted to ban.
Now we can add it to the ipbans table or whatever.

Now, say your server is getting that nasty NOT AN ALLOWED IP issue.
Look at the ip - if it's a local server, you should be getting 127.0.0.1, or your local network ip, say 192.168.0.1.

The easy solution is just setting the allowed IPs to 0.0.0.0/0 (Take a look at the table - it includes ALL existing ips, 0.0.0.0 until 255.255.255.255). However, this is a major security flaw that enables people to log into your logon server. NEVER use 0.0.0.0/0.
What you want to do there is just let 127.0.0.1 to log in (if the server is local):
127.0.0.1/32 will only let that one ip address to log in, effectively protecting you.

So if you need to ban a range, or give it Mod rights, refer to the table I posted.

Good luck

[faxmunky]

Really helpful!

This seems to work correctly, does that mean this is safe?

Code:

<LogonServer RemotePassword = "root"
             AllowedIPs = "5.221.222.12/32"
             AllowedModIPs = "5.211.222.12/32">

[TheSpidey]

Your example will only let 5.221.222.12 to connect to the logon server.

[InternetHero]

So what do you set it to if you want to make you server public? Sorry, I just discovered this and it's confusing at first.

I was using Jarg's 7.7 repack before and it all worked fine I had a website that connected to the database and I had the server public... now I decided to switch to OpenAscent and compile my own server. Now in the ascent.logonserver.conf what do I put if I want to make it public? Here is a couple images:


and this

[TheSpidey]

You need to use the same password in both world and logon confs.

[2dgreengiant]

127.0.0.1/24 would allow who then? Just me or everyone else as well since ive had this problem before, sometimes it allowed everyone, other times just me.

[ikuze]

how would i allow every ip?? plz helpzors

[TheSpidey]

0.0.0.0/0 +255.255.255.255

Will allow all ips, 0.0.0.0 - 255.255.255.255 to log onto your logon realm.
That's a security risk, actually.

[pennybox]

add me [email protected] Ill try to fix it for you

[Fujosej]

Will allow all ips, 0.0.0.0 - 255.255.255.255 to log onto your logon realm.
That's a security risk, actually.

don't work please help how allow every ip for my server...

[BMXer]

I have the same problem...I want to allow every ip, at least on my LAN. All my brothers can do from other computers is login, but then they cant join any realm :S. Any idea how to fix? Lets say my ip is 192.168.0.1 and my brothers are 192.168.0.2 and 192.168.0.3. I can connect but they can't. What do I have to do?

Thanks.

[BMXer]

So? sry for double post

[cdysmyths]

put 127.0.0.0/24 in thare it will work