I recently changed my firewall over to OPNsense and have been locking down my open ports to allowed countries and other “trusted” sources. My end goal is to cut down on the number of hackers and spam that hit my network on my NAS’s other services.
What I’m running into is that when I set up port forwarding in OPNsense it is after my allowed-countries firewall rule, which results in Plex’s attempt to connect to my PMS to determine accessibility failing.
Ideally what I want to do is set up a firewall rule that allows the specific hosts that Plex uses for that purpose through the country block (as near as I can tell most of them are in the EU) so that my server is available when I am in hotels, etc.
Normal pfSense (default settings, and also available as the community version) keeps everyone out by default. Plex runs perfectly on the default rules and nobody gets in.
The default operation of pfSense is:
When PMS reaches to the Plex.tv servers, they respond over the same socket.
No inbound connections unless a rule exists to allow it. Replies on such connections are also normal operation.
Yup, I am aware of how tight I have my rules. I have good reason for having it set that tight. Right now the only things that are allowed to hit my servers are specifically allowed countries (namely the US and Canada).
I am more than happy to punch holes in that in order to allow specific things through which is why I want a list. I would prefer to not allow all of EU because there is no reason for people from parts of the world outside the US to hit my stuff.
So if I understand what you’re saying, there is no set list of IPs that Plex utilizes for that purpose.
Hmm, I’ll have to think about this because I don’t necessarily want to allow all of the AWS domain either, because there are plenty of nefarious characters using AWS servers.
@w9hdg I did that a year ago: tcpdumped the connection checking to see from which IPs Plex checks the online status, did that a few times, compiled them, resolved plex.tv and all variants and compiled everything in an ipset. That worked for a while and then stopped. Plex changes the IPs too often. So I gave up on that and just allowed a few countries and the whole EU AWS IP range (yikes). It suckz, I know. If you find a better solution please let me know.
@ChuckPa you guys could make it easier for us and add a hostname to the IPs you use to check online status from. status-check.plex.tv or something that dynamically resolves to the IP(s) currently in use for that.
@ChuckPa one could construe your response as an invitation to use a competitor’s piece of software. As for your dare, I hate to tell you, but with port forwarding in place to allow remote access you’ve already punched a gaping hole in your firewall. Yes, there are steps you can take to mitigate that, and I’m glad you have faith in those steps. I am just electing to take a different route to mitigate that hole.
How about looking at @Orko’s comments and realizing that I’m not the only one who thinks this is a good idea. There are ways to dynamically update a domain so that it resolves to new addresses quickly. That would allow Amazon to change IPs as needed and your service to update fairly quickly.
Did I say there is any port forwarding active? No, there is not. I do not have sufficient upload bandwidth to stream with.
Plex is an always-online, constantly connected, implementation. If this is not a desirable solution then I would be doing a disservice by not recommending another product.
@ChuckPa I think you totally misunderstood the topic here.
No one wants to break into your pfSense box or says it’s insecure. Also, why would you argue that when you are not forwarding a port, which is @w9hdg’s issue in the first place?
All we want is a way to limit the IP ranges that are able to connect to the forwarded port, which Plex in its current iteration makes needlessly hard. A hostname for the service which checks online status solves that problem easily.
It doesn’t have anything to do with tinfoil, or not liking Amazon or your pfSense.
I have no problem with it being an always connected solution. I understand that is necessary to enable on-demand remote access via devices such as a Roku.
What I want to do is limit the number of parts of the world that have access to it (sure, consider it tin-foil-hattish if you want). I have a lot of things locked down with that level of restriction, and I punch holes as necessary to accommodate those needs. I am willing to punch holes for this as well; the problem is I need to know where those requests are going to come from in order to punch those holes.
Keeping control of your MachineID, ProcessedMachineID, and AnnonymousID (which are how Plex.tv identifies you) is between you and Plex. Your machine is the master. PMS reads those, plus your PlexOnlineToken, when it connects to plex.tv.
Without being:
Remote Access enabled
Having your PlexOnlineToken
Or being an account you shared a library to
There is no way to get access unless your host itself is vulnerable.
Amazon AWS is the DOMAIN rule you must allow to reply to requests.
It must also be allowed to create incoming requests for Remote Access.
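The approach described earlier in the thread (capture the source addresses that hit the forwarded PMS port with tcpdump, compile them into an ipset) and the statement just above that the checks come from Amazon AWS can be combined so that the allowlist is narrower than “the whole EU AWS range”. The script below is an added example, not code from the thread or from Plex: it parses tcpdump lines for pure SYNs to the PMS port, then keeps only those AWS prefixes that actually contained an observed checker, and prints the result as a pf table (the same CIDR list can be pasted into an OPNsense or pfSense network alias). The tcpdump lines, the `ip-ranges` entries, the LAN address 192.168.1.50 and the table name `plex_checkers` are constructed for the example; the real AWS list is published at https://ip-ranges.amazonaws.com/ip-ranges.json in the same JSON shape.

```python
"""Narrow an AWS-based allowlist to the prefixes Plex's reachability checks came from.

Added example (not from the thread or from Plex). All sample data below is constructed.
"""
import ipaddress
import json
import re

# Constructed tcpdump output, as from: tcpdump -n 'port 32400'
# One line is the PMS reply (SYN-ACK) and one source is a scanner, not AWS.
SAMPLE_TCPDUMP = """\
12:00:01.000001 IP 54.171.10.20.51234 > 192.168.1.50.32400: Flags [S], seq 1, win 64240, length 0
12:00:01.500000 IP 34.241.5.6.44321 > 192.168.1.50.32400: Flags [S], seq 2, win 64240, length 0
12:00:02.000000 IP 203.0.113.9.40000 > 192.168.1.50.32400: Flags [S], seq 3, win 64240, length 0
12:00:02.200000 IP 192.168.1.50.32400 > 54.171.10.20.51234: Flags [S.], seq 9, ack 2, win 65160, length 0
12:00:03.000000 IP 54.171.10.20.51235 > 192.168.1.50.32400: Flags [S], seq 4, win 64240, length 0
"""

# Constructed subset in the shape of https://ip-ranges.amazonaws.com/ip-ranges.json
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "0",
    "createDate": "2024-01-01-00-00-00",
    "prefixes": [
        {"ip_prefix": "54.170.0.0/15", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1"},
        {"ip_prefix": "54.170.0.0/15", "region": "eu-west-1", "service": "EC2", "network_border_group": "eu-west-1"},
        {"ip_prefix": "34.240.0.0/13", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1"},
        {"ip_prefix": "3.120.0.0/14", "region": "eu-central-1", "service": "AMAZON", "network_border_group": "eu-central-1"},
        {"ip_prefix": "52.94.76.0/22", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2"},
    ],
    "ipv6_prefixes": [],
})

# tcpdump -n prints IPv4 endpoints as a.b.c.d.port and TCP flags in brackets.
TCPDUMP_RE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def observed_sources(capture: str, port: int) -> set:
    """Source addresses that opened a connection (pure SYN, flags 'S') to `port`.

    Replies from the PMS (SYN-ACK, flags 'S.') and other traffic are ignored.
    """
    seen = set()
    for line in capture.splitlines():
        m = TCPDUMP_RE.search(line)
        if not m or int(m["dport"]) != port or m["flags"] != "S":
            continue
        seen.add(ipaddress.IPv4Address(m["src"]))
    return seen


def matching_aws_prefixes(sources, ip_ranges_json: str):
    """Keep only the AWS prefixes that contained an observed source.

    Returns (collapsed prefix list, sources that matched no AWS prefix). The
    unmatched sources are not Plex's checkers and stay behind the geo block.
    Duplicate prefixes (AMAZON vs EC2 rows) are removed by the set.
    """
    prefixes = [ipaddress.IPv4Network(p["ip_prefix"])
                for p in json.loads(ip_ranges_json)["prefixes"]]
    keep, unmatched = set(), set()
    for src in sources:
        hits = [n for n in prefixes if src in n]
        if hits:
            keep.update(hits)
        else:
            unmatched.add(src)
    return list(ipaddress.collapse_addresses(keep)), unmatched


def render_pf_table(name: str, networks) -> str:
    """pf.conf table definition; the CIDR list itself also fits an OPNsense/pfSense alias."""
    body = ", ".join(str(n) for n in networks)
    return f"table <{name}> const {{ {body} }}"


if __name__ == "__main__":
    srcs = observed_sources(SAMPLE_TCPDUMP, 32400)
    nets, unmatched = matching_aws_prefixes(srcs, SAMPLE_IP_RANGES)
    print(render_pf_table("plex_checkers", nets))
    for ip in sorted(unmatched):
        print(f"# {ip} matched no AWS prefix; leave it to the geo block")
```

With the constructed data this yields two eu-west-1 prefixes instead of every AWS range, and flags 203.0.113.9 as a non-AWS source to keep blocked. A pass rule placed before the country block would then reference the table (for example `pass in quick proto tcp from <plex_checkers> to 192.168.1.50 port 32400`, with the interface and address adjusted to your setup). The caveat from the thread still applies: the checker addresses move, so the capture and this script have to be re-run periodically, and the approach assumes the checks really do originate from AWS prefixes as stated above.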
It sounds to me like you’re saying “Trust the software to protect your data.” I personally don’t subscribe to that theory of security. Security vulnerabilities are found in software all the time. Having a port exposed makes a system vulnerable unless the code is perfect, which no one is capable of writing for a system as complex as Plex.
What we want is a way to keep the more nefarious characters of the web out by limiting what parts of the world (IP ranges) can connect to that port.