Debugging Relay

Hi,

Does anyone have any advice for debugging Relay ?
It used to work from my iPhone to my server, but for some reason now doesn’t.
I’ve tried testing over 4G and also public wifi.

My PLEX servers firewalled off on my WAN router to the general Internet, but PLEX has uninhibited access outbound.
Under Remote access it confirms that its signed into Plex, but is unreachable externally (as I would expect),

If I VPN in to my LAN, Plex on the iphone connect just fine. But now if I’m trying to relay, its just failing to connect at all.

Server version is 1.10.1.4602
iphone client is 12735

I’ve also tried from an Android app but it to fails to Relay.
From firewall logs I can see both clients try to connect to my WAN IP inbound (for Direct Play), but it seems it doesn’t fall back to Relay mode.

Did you disable ‘Secure Connections’?
Relay will only work with Secure Connections enabled.

same here; started a few days ago. now none of my clients can connect directly to the server.

Secure connections was on Preferred… I’ve also tried “Required” but neither connect even after waiting 10 mins. I can’t be sure when mine started to fail, I noticed it early last week.

I also tried using my laptop via mobile hotspot out to via app.plex.tv but no difference, so I don’t think its App side on the devices.

Relay requires connectivity to AWS datacenters. If you have a very restrictive firewall or VPN this could fail as well.

I setup a firewall rule to log the outbound connections. Its not conclusive but I did log it opening connections out to AWS from what I could see. The server also backs up some data to S3, and thats working fine. I stopped that to test Plex so there shouldn’t of been overlap in the test.

Outbound to the Internet theres no restriction at all from the firewall. For Inbound, I’ve got the server NAT’d and firewalled to allow specific remote IPs to connect in for Direct mode. But if Relays working as I thought, then for Relay the inbound setup shouldn’t matter.

So I was wanting to dig more into the server logs.

Looking in Plex Media Server.log I do see this entry after I’d restarted the server earlier today:

DEBUG - [PlexRelay] Authenticated to 178.79.186.187 ([178.79.186.187]:443).

So I think the servers registering in.

About 3 mins later I see:

Relay: cleaning up inactive relay connection to 178.79.186.187

That was about 5 hours ago, and since then I’m not seeing any more relay log entries

I think I may be onto something… It looks like it might be a DoS feature of the firewall stopping it. I’ll try to narrow down which specific one.

ok if I toggle the DoS rules I can’t get it to replicate, so it must be something that triggers over time. I’ve reset the logs and I’ll wait until it next occurs and then review the logs to see if I can tell which external IP triggered the DoS and which rule.

Well I thought I’d found the cause yesterday, when I toggled the DoS rules off and on then I could connect via Relay.

However today the DoS rules are completely off and my iphones unable to access remotely. I can see the direct connection being blocked by the firewall as I’d expect, but then the app doesn’t seem to switch to Relay. Oddly the Devices screen seems to suggest that the iphone did connect, but the app doesn’t show connected.

I’ve still not got this figured out yet. Even with all the DoS rules off.

Anyone know how we raise up a request for some support from Plex?

Just to review:

• Secure Connections is set to Required
• No outbound firewall

I’m going to try blocking the 32400 port inbound completely… see if that triggers some sort of Relay logic.

I am out of ideas, except this:
step 3a)
change the used DNS server for your local network from the one your ISP provides to Google’s public DNS (8.8.8.8 and/or 8.8.4.4)

step 3b)
define an exemption from ‘DNS rebinding protection’ (this is a feature of your router) for subdomains of the plex.direct domain.
(Not all routers allow this. If your router doesn’t, you’ll have to live with ‘Secure Connections’ at “Preferred”. read more about this: https://support.plex.tv/hc/en-us/articles/206225077-How-to-Use-Secure-Server-Connections )

Afterwards, reboot the router first,
wait 2 minutes
then reboot the Plex server
wait again a few minutes
reboot all Plex clients

Thanks Otto, I tried that too.

I also tried rebuilding my firewall config from scratch, it made no difference.
So I’m attaching some logs here, hoping someone can see whats happening.

Problem summary: PLEX is running on a QNAP, its on my LAN behind a NAT firewall. The firewall is configured to port forward however theres 2 firewall rules. The first is a whitelist allowing specific IPs to connect directly. The second rule is a block-everyone else.
Starting up on my iphone, connecting on the LAN it connects just fine. Switch to the Mobile network and it fails to connect unless I add the mobile IP to the allow rule.

iPhone version: 13313
Plex server version: 1.12.1.4885
It doesn’t switch to Relay mode
On my firewall I can see logs showing the Mobile IP keeps trying to connect, but the firewalls blocking it (as its supposed to).

@ade_m said:
The firewall is configured to port forward however theres 2 firewall rules. The first is a whitelist allowing specific IPs to connect directly. The second rule is a block-everyone else.

The above is your problem.
There is nothing in the logs to help with that.

Hi Otto,

Let me clarify: those blocking rules block inbound only because of the port-forward.
But they shouldn’t impact Relay.

Relay is initiated outbound (my plex server -> PLEX’s AWS servers) and then the connection from my mobile is hairpinned through those servers, so inbound rules shouldn’t affect Relay.
Even if I remove those rules completely and the port re-direction (so only NAT outbound), Relay should still work, but it doesn’t.

Regarding your firewall rules

allow specific remote IPs to connect in for Direct mode

How do you know what remote IPs plex uses ? That information is not published and may change between connections and from one relay connection to another

The remote IP configs mentioned here are not PLEX’s IPs, but my own remote locations - so that would enable “Remote” connections (not Relay).

What I’m struggling with is Relay. Even if I disable the firewall rules and have a very simple stock-NAT-only outbound setup (so no port forward, no inbound NATing, no inbound rules - just like most home routers do by default), then thats where Relay should natively work.

I’m trying stripping the PLEX config back and the router config (disable the specific forwarding port, then disable Remote Access, then re-enable Remote Access). The server correctly says “Your server is signed in to Plex, but is not reachable from outside your network”. So this should mean that Relay should still work, as my servers communicating with the cloud-based PLEX servers for Relay to work (its “signed in”).

Whats interesting here is that from a remote PC thats not on my LAN, with this stripped back config, I can now get an “Indirect” connection (which I assume means “Relay”). But from the mobile device I can’t connect at all. So some progress at least… I have a suspicion the PC will stop working too

If I sign into app.plex.tv from the browser on the mobile, it also works in Indirect mode like this, and even tells me I’m not directly connected (so expect the 2Mbps limit)… At the same time, the app on the iPhone (so the same data path) can’t connect.

testing from another mobile device, a Tablet, the app on that also connects using Indirect mode. So I’m wondering if its something about the iOS app thats the underlying problem. I’ll try removing/reinstalling and signing back in

ok… and after reinstalling the iOS app… and keeping it off the wifi it now recognises the Indirect connection too…

I’ll leave the PLEX/Router setup like this for a while and see if it stays stable like this using Relay.