And yet another firewall question...



Been searching the forum and have tried a bunch of different suggestions to no avail. Running PMS on a CentOS VM hosted in Ubuntu 16.4 on a Dell PowerEdge R410 server (old machine I know, but running with 2 Xeon 5660 procs and 32-GB ram each so I have had plenty of horsepower). Router is a Unifi EdgeRouter Lite that I HAD set up to work the way I wanted until I locked everything out trying to tweak the firewall (Damb-it Jim, I'm a programmer, not a network admin). And, of course, I did not have a backup of my config to rebuild from. Current situation is that I have my server shared with a buddy in another state and want to give him as much throughput as possible so I want the external access to work. But I cannot seem to find the right combination. I have 32400 forwarded in the router, I have tried a WAN_IN rule allowing 32400 through, I even tried the UPnP wizard, all to no avail. No firewall on the Ubuntu server and firewall passthrough set up on the CentOS server (but even with firewall disabled I get no joy). My previous setup was a mirror of a walkthrough of setting up the EdgeRouter Lite with basic firewall settings. Without knowing what everything actually does, I'm hesitant to go back to that setup and punch in the many lines of commands needed so I'm hoping someone has had the same experience and knows the secret handshake. WAN_IN and WAN_Local NAT rules were created with the LAN+2LAN2 wizard. Anyone been through the same process and have any tips?


May I interest you in some light reading?

I'll teach you the secret handshake later after you wipe the blood from your forehead :D

Since you have Ubuntu, why not take your PMS config out of the VM and run it native? Transporting the metadata from Linux host -> Linux host is trivial.

Once there, you won't have the potential Double NAT of your VM's network adapter. (Hint: This should be in bridge mode for optimal operation :) )


The VM is because the server has multiple VMs for different purposes (minecraft for the kids for example). The Ubuntu firewall is off. The CentOS has a dedicated IP and the web app port is forwarded to that IP at the router level and adapters are in bridge mode (no double-NAT situation - first thing I checked. I have nothing between the EdgeRouter and the ONT) and the proper firewalld xml listing the above ports in your link is set up and applied. As I said, until I locked myself out of the router and had to reset it, I had direct access with no issues so it is not something with the servers. And to further clarify, I only want direct web app access, not Samba or similar exposed to the WAN.


Is the VM running Plex a NAT or bridge network configuration? If it's NAT, you've introduced double NAT (ISP -> You, Your LAN -> VM). PMS can never navigate double NAT automatically. You'll have to make multiple port-forwarding rules at each step.


Bridge configuration.


You've configured it as a static IP peer on your LAN?

e.g. Host is and VM guest is ??


Yes. Host has its own IP xxx.xx.x.5 while the VM is xxx.xx.x.20. Both are SSH accessible via their IP addresses while on the LAN. Static mapping is done at the router, not on the servers. Router dynamic leases start at xxx.xx.x.150 so there is no overlap. I can reach the PMS directly via a browser at xxx.xx.x.20:32400 while on the LAN.


I would like you to try this if possible (investigating what appears to be a clue to issues others are having as well).

  1. Come into your Plex/Web UI from an externally connected browser (e.g. tablet or phone not on WiFi)
  2. When at the desktop, now initiate Remote Access.
  3. It should go green and stay there.
  4. Once it does, don't play with the connection state or port
  5. Let the server run 15-20 minutes (next 'ping' from
  6. Now you're free to restart the server as you wish

We're investigating what appears to be the server getting confused in certain situations. Some users have reported initiating the Remote Access works reliably and then stays properly connected.

If this also works for you then we have something for Engineering to focus on because it's reliably repeatable.


No joy. Done that MANY times from my office. Initial refresh goes green for a split-second and then reverts. As proof that there is more going on than just the app, I cannot access the web app directly on the PMS via "my external IP":32400. The EdgeRouter Lite firewall will show the rule application in the statistics, but it never gets to the PMS. Checking into the Netgear switch settings now to ensure I did not muck with something there preventing the route. Path is WAN -> Unifi EdgeRouter Lite 3 -> Netgear Prosafe POE 16-port -> Ubuntu 16.04 server (Dell R410) -> CentOS PMS VM.


Capture of the router seeing traffic per the rule:


If you have the port open AND direct into the box but still can't get at PMS on 32400 (no connect), it's the network. Port forwarding is failing you regardless of what it claims. You are forwarding 32400 to the static IP of your server?

Proof it's the router is because you can hit 32400 internally but not externally.

EDIT: The rule is telling you it sees packets but you should have a heck of a lot more than 6K bytes. It's the UBNT somehow.


Not disagreeing, hence the call out to others with a similar setup who, even though everything appears to be set up properly, are having issues, and how to resolve them. Sorry, not trying to be abrupt. I believe it has to do with the Unifi firewall. UPnP exposes my QNAP NAS via the public IP, but does not resolve the PMS via the port.


I agree with you. I use pfSense and not Ubi. I know of others who use it and have similar problems.

I'm not knocking it but they are way behind in the edge routing tech game.

Hopefully someone will know how to make it play.


Well, found the magic handshake for now. Changed PMS server IP to new IP xxx.xx.x.21 based off of others having port forwarding issues with the UBNT routers and this being a common resolution. Changed port forwarding rule to use new IP. Turned UPnP on (I am going to try disabling it as I really do not like UPnP from a security standpoint). Logged into the web interface directly while on the LAN. Specified the actual port, which is the same as the destination port. Clicked 'Retry' and it stuck to fully accessible. Verified it via a remote machine in the server settings. Not sure where the magic happened, but it did. Must be that 'A small miracle occurs here' phase I keep seeing in project planning workflows...
If UPnP is required, I may set the PMS to eth1 on the router, which is not being used now, and make it a dedicated UPnP LAN or just create a VLAN for this purpose. Always wanted an excuse to create a VLAN.


Disabled UPnP and the link broke. Caused PMS to set itself to not available to outside access. Re-enabling external access fixed it right back up and shows as direct connect available.


If your distro is like mine, VLANs will show as multiple adapters. Multiple VLAN homing will create multiple adapters, which will drive PMS nuts. If you go the VLAN route, do it completely external to the box.