Restrict viewers by IP address
Pearl-2 permits you to restrict which computers can access broadcasts by building a list of allowed and denied IP addresses. You can do this at a global level for the system and can also override these settings on a per-channel basis. Both global and per-channel configuration procedures are described.
The following table describes what happens when an IP address is added to the allowed and denied IP address lists.
Item | Description |
---|---|
Allow IP's | Users connecting from addresses in this list are permitted to view broadcasts from the system, provided their IP address is not in the Deny IP’s list. To allow all except IP addresses in the deny list, if any, leave the field blank. You can use the Allow list by itself, or in conjunction with the Deny IP’s list as an exception to a rule in the allow list. |
Deny IP's | Users connecting from addresses in this list are not allowed to view broadcasts from the system, unless their IP address is in the Allow IP’s list. If a specific IP address is in both lists, access to the stream is denied. You can use the Deny list by itself, or in conjunction with the Allow IP’s list as an exception to a rule in the allow list. |
If your viewer account has a password, your viewers must connect to the system from a computer (or gateway) with a permitted IP address and must also supply the user name (viewer) and password before they can view the broadcast.
To restrict access by IP address, you need to know the IP addresses or range of addresses for your viewers. By default, all IP addresses are allowed to connect to the broadcast.
If a user attempts to connect to the stream from a disallowed IP address, access is denied. If there's an attempt to connect using a web browser, the message "IP address rejected" is displayed.
IP Based Restriction Options
If you’re not familiar with creating allow/deny lists, see IP restriction examples.
IP address restriction is valid for the viewer only and does not affect the Admin panel or the mobile configuration interface.
Restrict viewer access to watch streams for all channels by their IP address
- Log in to the Admin panel as admin, see Connect to Admin panel.
- From the Configuration menu, select Security. The Security configuration page opens.
- Enter the allowed IP addresses or address ranges in the Allow IP’s field and enter denied IP addresses or address ranges in the Deny IP's field. Separate addresses with a comma. To specify a range, use a hyphen (-). Optional spaces improve readability.
- Click Apply.
Restrict viewer access to watch streams on a channel by their IP address
- Log in to the Admin panel as admin, see Connect to Admin panel.
- From the Channels menu, select a channel and click Streaming. The channel's streaming configuration page opens.
- From the Stream access control drop-down, select Use these Settings to enable the local password and Allow/Deny IP lists.
- (Optional) Enter a password for the viewer in the Viewer Password field.
- Enter the allowed IP addresses or address ranges in the Allow IP’s field and enter denied IP addresses or address ranges in the Deny IP's field. Separate addresses with a comma. To specify a range, use a hyphen (-). Optional spaces improve readability.
- Click Apply.
IP restriction examples
The following table lists some example allow lists.
Example allow lists
Example | Description |
---|---|
Allow list with distinct IP addresses | The simplest allow/deny list is to use the list of known IP addresses to craft a list of allowed IP addresses. All other addresses are denied access to the broadcast. For example, if your system is accessible on your local area network (LAN) and you want to make sure only the CEO’s specific desktop, laptop and tablet computers (with IP addresses 192.168.1.50, 192.168.1.51, and 192.168.1.75, respectively) can connect to the broadcast, construct the following allow list: Allow: 192.168.1.50, 192.168.1.51, 192.168.1.75 |
Allow list with a range of IP addresses | Sometimes you’ll want a range of computer IP addresses to connect to your system. This may happen when you have one range of IP addresses assigned to desktop computers (i.e. in the range 192.168.1.1 to 192.168.1.100) and another range assigned to boardroom computers (i.e. the range 192.168.1.200 to 192.168.1.250). If you only want the boardroom computers to connect to broadcasts from the system you can specify the range of boardroom IP addresses rather than needing to type in each individual address. The allow list looks as follows: Allow: 192.168.1.200-192.168.1.250 Note that we could have specified two of the IP addresses in the previous example as a range. |
Allow list with a range of IP addresses and one or more specific IP addresses | Putting the first two examples together, we want to permit access to IP addresses in the range of boardroom computers (192.168.1.200-192.168.1.250) and also want to add the desktop, laptop and tablet computers of the CEO (IP addresses 192.168.1.50, 192.168.1.51, and 192.168.1.75, respectively). Note the first two IP addresses are consecutive, so they can be added as a second range. Add these IP addresses to the list as follows: Allow: 192.168.1.200-192.168.1.250, 192.168.1.50-192.168.1.51, 192.168.1.75 Your list can have multiple ranges and multiple distinct IP addresses, provided they are separated by commas. |
Allow list with a range of IP addresses, distinct IP addresses, and an exception | Building on the previous examples, consider a situation where you want the CEO’s computers (192.168.1.50, 192.168.1.51, 192.168.1.75) and all boardroom computers (192.168.1.200-192.168.1.250) to access the broadcast, with the exception of the public boardroom computer (192.168.1.211). Use both allow and deny lists to create the rule as follows: Allow: 192.168.1.200-192.168.1.250, 192.168.1.50-192.168.1.51, 192.168.1.75 Both lists can have multiple ranges and multiple distinct IP addresses, provided they are separated by commas. |
The following table lists some example deny lists.
Example deny lists
Example | Description |
---|---|
Deny list with distinct IP addresses | Another simple allow/deny list is to use the list of known IP addresses to list specific denied IP addresses. All other addresses are allowed access to the broadcast. For example, imagine your system is accessible on your local area network (LAN) and you want to allow any computer on the LAN to access the stream except your publicly-accessible boardroom (with IP address 192.168.1.211). You can use the following deny list (leave the allow list empty) to permit all computers except the boardroom computer: Deny: 192.168.1.211 As with allow lists, your deny list can specify a range of IP addresses, and can specify multiple ranges or distinct IP addresses in a comma-separated list. |
Deny list with a range of IP addresses | Consider a situation where you want every computer on the network to access the broadcast, with the exception of the CEO’s desktop, laptop and tablet computers. Additionally, boardroom computers should not be permitted with the exception of the cafeteria computer (IP address 192.168.1.222). The deny list is an "exception" list for the allow list. So to craft the rule described above we need to allow all the computers in the local subnet, then deny specific sub-ranges including two groups of boardroom computers ensuring the cafeteria computer's IP address is not in the deny list: Allow: 192.168.1.1-192.168.1.250 |
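
A list can be checked offline against known viewer addresses before it is entered in the Admin panel. The following Python sketch is an added example, not Epiphan's code: it models the rules stated on this page (comma-separated entries, hyphen ranges, a blank allow list admits everyone not denied, and an address in both lists is denied). The function names are hypothetical, and writing the boardroom exception as the deny entry `192.168.1.211` is an assumption.

```python
import ipaddress

def parse_ip_list(text):
    """Parse a comma-separated list of IPv4 addresses and hyphen ranges into
    (low, high) integer pairs. Spaces are optional; bad entries raise ValueError."""
    ranges = []
    for item in text.split(","):
        item = item.strip()
        if not item:
            continue
        low, sep, high = item.partition("-")
        lo = int(ipaddress.IPv4Address(low.strip()))
        hi = int(ipaddress.IPv4Address(high.strip())) if sep else lo
        if lo > hi:
            raise ValueError(f"range start is above range end: {item!r}")
        ranges.append((lo, hi))
    return ranges

def in_list(ranges, addr):
    """True if addr falls inside any parsed range."""
    ip = int(ipaddress.IPv4Address(addr))
    return any(lo <= ip <= hi for lo, hi in ranges)

def viewer_allowed(addr, allow="", deny=""):
    """Decide viewer access for one source address using the page's rules."""
    if in_list(parse_ip_list(deny), addr):
        return False                      # in the deny list: denied, even if also allowed
    allow_ranges = parse_ip_list(allow)
    if not allow_ranges:
        return True                       # blank allow list: all except denied addresses
    return in_list(allow_ranges, addr)    # otherwise only listed addresses get in

def audit(addresses, allow="", deny=""):
    """Map each address to its allow/deny decision."""
    return {a: viewer_allowed(a, allow, deny) for a in addresses}

# Allow list taken from the examples above; the deny entry is an assumed
# way of expressing the public boardroom exception.
ALLOW = "192.168.1.200-192.168.1.250, 192.168.1.50-192.168.1.51, 192.168.1.75"
DENY = "192.168.1.211"

if __name__ == "__main__":
    # Constructed sample of viewer addresses to check against the lists.
    sample = ["192.168.1.50", "192.168.1.52", "192.168.1.75",
              "192.168.1.210", "192.168.1.211", "192.168.1.100"]
    for addr, ok in audit(sample, ALLOW, DENY).items():
        print(f"{addr:15} {'allowed' if ok else 'IP address rejected'}")
```

Malformed entries such as an address with a missing octet raise `ValueError` at parse time, so a mistyped list is caught before it silently fails to match the intended viewer.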