Connectivity problem between PLEX Server and LG WebOS TV (used to work)

Server Version#: 1.16.5.1554 (Debian 10)
Player Version#: LG EF950V (webOS 2.2.0) (Plex for LG 4.3.0)

In short, this is unlikely a webOS/LG issue per se.

My setup all worked perfectly before. But I’ve moved to a more complicated setup now, using a Debian-based router and iptables. I know this issue is going to be with iptables. I just need some help trying to figure out what’s going on.

The setup:
Plex server - 192.168.1.200
PC - 192.168.2.250
LG TV - 192.168.2.210

Networks:
192.168.1.0/24
192.168.2.0/24

I am not running VLANs as I don’t have a managed switch, so it’s all being done via routing and firewall rules.

I opened the port from my PC to my Plex server as so, and I am able to connect with the latest version of Plex on Windows (Version 1.2.0.875-b7362913) (with green padlock, and it says it’s nearby).

As pre-context, inbound and forward default to drop; hence the related,established rule.

-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT

The rules I enabled to allow this to work are as follows:

-A FORWARD -s 192.168.2.250/32 -d 192.168.1.200/32 -p tcp -m tcp --dport 32400 -j ACCEPT
-A FORWARD -s 192.168.1.200/32 -d 192.168.2.250/32 -m state --state RELATED,ESTABLISHED -j ACCEPT

So I did the following for the TV, and nothing; it just says it’s “unreachable”.

-A FORWARD -s 192.168.2.210/32 -d 192.168.1.200/32 -p tcp -m tcp --dport 32400 -j ACCEPT
-A FORWARD -s 192.168.1.200/32 -d 192.168.2.210/32 -m state --state RELATED,ESTABLISHED -j ACCEPT

I’ve searched the forums and the help sites and they recommend the following URL: https://support.plex.tv/articles/201543147-what-network-ports-do-i-need-to-allow-through-my-firewall/ which most will be familiar with, to open all the ports.

So I didn’t have to open anything else other than 32400 for my PC to work, but OK, I’ll try it for the TV. I added those ports in like this:

-A FORWARD -s 192.168.2.210/32 -d 192.168.1.200/32 -p udp -m udp --dport 1900 -j ACCEPT
-A FORWARD -s 192.168.2.210/32 -d 192.168.1.200/32 -p tcp -m tcp --dport 32469 -j ACCEPT
-A FORWARD -s 192.168.2.210/32 -d 192.168.1.200/32 -p udp -m udp --dport 32410 -j ACCEPT
-A FORWARD -s 192.168.2.210/32 -d 192.168.1.200/32 -p udp -m udp --dport 32412 -j ACCEPT
-A FORWARD -s 192.168.2.210/32 -d 192.168.1.200/32 -p udp -m udp --dport 32413 -j ACCEPT
-A FORWARD -s 192.168.2.210/32 -d 192.168.1.200/32 -p udp -m udp --dport 32414 -j ACCEPT

But it still doesn’t work.

So out comes tcpdump to see if the LG app needs something specific? Odd, I would have thought, but this is the output I got when it was attempting to connect.

root@router:~# tcpdump -i 3 -v src 192.168.2.210
tcpdump: listening on enp3s0, link-type EN10MB (Ethernet), capture size 262144 bytes
12:32:53.140066 IP (tos 0x0, ttl 64, id 2988, offset 0, flags [DF], proto TCP (6), length 60)
192.168.2.210.35566 > 192.145.126.115.17275: Flags [S], cksum 0xf0e5 (correct), seq 177708439, win 14600, options [mss 1460,sackOK,TS val 1025
12:32:54.730539 IP (tos 0x0, ttl 64, id 57519, offset 0, flags [DF], proto TCP (6), length 52)
192.168.2.210.45675 > par21s03-in-f142.1e100.net.https: Flags [.], cksum 0xe639 (correct), ack 3604138779, win 535, options [nop,nop,TS val 10
12:32:55.317683 ARP, Ethernet (len 6), IPv4 (len 4), Reply 192.168.2.210 is-at c8:08:e9:9e:d3:82 (oui Unknown), length 46
12:33:09.156583 IP (tos 0x0, ttl 64, id 2989, offset 0, flags [DF], proto TCP (6), length 60)
192.168.2.210.35566 > 192.145.126.115.17275: Flags [S], cksum 0xe141 (correct), seq 177708439, win 14600, options [mss 1460,sackOK,TS val 1029
12:33:13.693521 IP (tos 0x0, ttl 64, id 62849, offset 0, flags [DF], proto TCP (6), length 52)
192.168.2.210.33804 > ec2-99-80-242-242.eu-west-1.compute.amazonaws.com.https: Flags [F.], cksum 0xf944 (correct), seq 2211942869, ack 2936754
12:33:20.262696 IP (tos 0x0, ttl 64, id 53997, offset 0, flags [DF], proto TCP (6), length 60)
192.168.2.210.35569 > 192.145.126.115.17275: Flags [S], cksum 0x66e1 (correct), seq 2855169413, win 14600, options [mss 1460,sackOK,TS val 103
12:33:20.300687 IP (tos 0x0, ttl 64, id 9416, offset 0, flags [DF], proto UDP (17), length 104)
192.168.2.210.34106 > 192.168.2.1.domain: 29180+ A? 192-168-1-200.9f6738043b204ee6b88510c951f00787.plex.direct. (76)
12:33:20.492119 IP (tos 0x0, ttl 64, id 9417, offset 0, flags [DF], proto UDP (17), length 104)
192.168.2.210.34106 > 192.168.2.1.domain: 48657+ A? 192-168-1-200.9f6738043b204ee6b88510c951f00787.plex.direct. (76)
12:33:21.260977 IP (tos 0x0, ttl 64, id 53998, offset 0, flags [DF], proto TCP (6), length 60)
192.168.2.210.35569 > 192.145.126.115.17275: Flags [S], cksum 0x65e7 (correct), seq 2855169413, win 14600, options [mss 1460,sackOK,TS val 103
12:33:22.319396 IP (tos 0x0, ttl 64, id 57520, offset 0, flags [DF], proto TCP (6), length 52)
192.168.2.210.45675 > par21s03-in-f142.1e100.net.https: Flags [.], cksum 0x5f4a (correct), ack 58, win 535, options [nop,nop,TS val 1032554 ec
12:33:23.265048 IP (tos 0x0, ttl 64, id 53999, offset 0, flags [DF], proto TCP (6), length 60)
192.168.2.210.35569 > 192.145.126.115.17275: Flags [S], cksum 0x63f2 (correct), seq 2855169413, win 14600, options [mss 1460,sackOK,TS val 103
12:33:25.001465 IP (tos 0x0, ttl 1, id 7215, offset 0, flags [DF], proto UDP (17), length 147)
192.168.2.210.9956 > 224.0.0.113.9956: UDP, length 119
12:33:25.001561 IP (tos 0x0, ttl 64, id 37745, offset 0, flags [DF], proto UDP (17), length 147)
192.168.2.210.9956 > 192.168.2.255.9956: UDP, length 119
12:33:25.001593 IP (tos 0x0, ttl 1, id 7217, offset 0, flags [DF], proto UDP (17), length 173)
192.168.2.210.9956 > 224.0.0.113.9956: UDP, length 145
12:33:25.001634 IP (tos 0x0, ttl 64, id 37746, offset 0, flags [DF], proto UDP (17), length 173)
192.168.2.210.9956 > 192.168.2.255.9956: UDP, length 145
12:33:27.269145 IP (tos 0x0, ttl 64, id 54000, offset 0, flags [DF], proto TCP (6), length 60)
192.168.2.210.35569 > 192.145.126.115.17275: Flags [S], cksum 0x6009 (correct), seq 2855169413, win 14600, options [mss 1460,sackOK,TS val 103
^C

16 packets captured
16 packets received by filter
0 packets dropped by kernel

So I can see it attempting to contact AWS, and the usual stuff. One thing I did see that I thought was key was:

12:33:20.300687 IP proto UDP (17), length 104)
192.168.2.210.34106 > 192.168.2.1.domain: 29180+ A? 192-168-1-200.9f6738043b204ee6b88510c951f00787.plex.direct. (76)
12:33:20.492119 IP proto UDP (17), length 104)
192.168.2.210.34106 > 192.168.2.1.domain: 48657+ A? 192-168-1-200.9f6738043b204ee6b88510c951f00787.plex.direct. (76)

So after looking up plex direct that appears to be the GDM function, but also this post: Local network Plex: no direct connections

Now DNS rebinding, I thought, may be my issue, but Plex is working remotely (it’s run via AirVPN over a specific tunnel), but given this is on my local network I’m unsure.

I did try adding the TV IP address to “List of IP addresses and networks that are allowed without auth” but that didn’t do anything.

As a further note on why I think this is some sort of connectivity issue: when I had this exact same box/setup/config running and plugged into the same subnet, it worked.

So, is something funky with the way the LG app wants to connect to my Plex server, and is there much I can do about it?

I don’t know anything about iptables, but I know this:

DNS rebinding protection is not relevant for remote connections.
Only for local connections.
So it may very well be a factor here.
https://support.plex.tv/articles/206225077-how-to-use-secure-server-connections#toc-4

1 Like

Thanks, so that could be the case, given that I am routing my DNS via VPN.

As you say, remote is OK, but it is local I am having trouble with.

I will have a read of that link, but I’m struggling to understand why it would work OK on the PC, but not the LG telly (even though both are in the same network).

As a follow-up, I tested setting my TV to Google Public DNS and it now works.

Odd really that my PC, which uses the same DNS settings as the TV, works, but the TV doesn’t.

Either way, I’ll take another look at my setup.

As a further and final follow-up to this post: I finally figured it out.

Rather straightforward actually, now I know.

The simple case for me was DNS rebinding, as @OttoKerner said. I solved the rebinding issue by adding the following into my unbound config:

private-domain: "plex.direct"

That is documented elsewhere properly, but that’s what fixed it for me.

1 Like
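
The fix in the last post, modelled as an added example (not code from the thread or from unbound): a resolver with rebinding protection strips private addresses from answers unless the queried name falls under an exempted domain, which is what `private-domain` configures. The private ranges below are an assumption, since the poster's `private-address` settings are not shown; the hostname is the one from the tcpdump capture.

```python
import ipaddress

# Assumed protected ranges (the poster's private-address lines are not on the page).
PRIVATE_ADDRESS = [ipaddress.ip_network(n) for n in
                   ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]


def embedded_ip(qname):
    """Return the IPv4 address encoded in the first label of a plex.direct name, else None."""
    labels = qname.rstrip(".").lower().split(".")
    if labels[-2:] != ["plex", "direct"] or len(labels) < 4:
        return None
    try:
        return ipaddress.IPv4Address(labels[0].replace("-", "."))
    except ipaddress.AddressValueError:
        return None


def in_private_domain(qname, private_domains):
    """True if qname equals, or is a subdomain of, an exempted domain."""
    name = qname.rstrip(".").lower()
    return any(name == d or name.endswith("." + d)
               for d in (p.rstrip(".").lower() for p in private_domains))


def filter_answer(qname, answers, private_domains=()):
    """Model rebinding protection: drop private A records unless the name is exempted."""
    if in_private_domain(qname, private_domains):
        return list(answers)
    return [a for a in answers
            if not any(ipaddress.ip_address(a) in net for net in PRIVATE_ADDRESS)]


# Name taken from the capture above; the answer is the address its first label encodes.
QNAME = "192-168-1-200.9f6738043b204ee6b88510c951f00787.plex.direct."
ANSWER = [str(embedded_ip(QNAME))]

if __name__ == "__main__":
    # Protection on, no exemption: the TV gets an empty answer and reports "unreachable".
    print("without exemption:", filter_answer(QNAME, ANSWER))
    # With private-domain: "plex.direct" the private address is returned.
    print("with exemption:   ", filter_answer(QNAME, ANSWER, ["plex.direct"]))
```

Exempting only `plex.direct` keeps rebinding protection in force for every other public name, which is narrower than pointing the TV at a resolver that does no filtering.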
