Juniper SSG

Server Version#: Version 1.23.6.4881
Player Version#: Version 1.33.0.2444-a220eae4

I’m hitting a wall here. I’ve tried this a couple of times because I’m attempting to start a charitable organization, and I have neither the space nor the money for multiple internet connections with multiple switches and routers, so I have to pile everything onto my Juniper SSG 320M. I was running an ASUS with DD-WRT for many years, but I’d gotten it to do so many things that it didn’t want to do that it kept overheating and damaged the hardware to an unstable state.

The problem I’m having is that my SSG is having problems forwarding the necessary ports for Plex to work properly (Plex has nothing to do with the organization; I’m just running the organization at home, and it requires a much better firewall than a home router, even a modified one, can manage). If I open up all source ports to a port range of 32400-39400, it works fine. If I try to restrict the source range to the same as the destination range, I cannot access my Plex server from outside of my intranet. My SSG is updated to the last available version and otherwise works fine, even with my PBX system, which is a notorious problem for these things, but Plex is just giving me fits.

Oh man, I miss operating some old ScreenOS at the company I used to work for.

Back to the subject: I don’t know how your VoIP policies are, but you shouldn’t bother controlling source ports. Plex clients will randomly choose a source port, just because that’s how TCP works by default, and Plex doesn’t manipulate that.
Considering that your WAN interface is part of the Untrust zone, try the following:

  • Create an object for your WAN IP. I’ll call it “Plex-Pub”
  • Create a service using a random port. I’ll call it “TCP-52674”
  • Change 192.168.1.100 to your Plex LAN IP
  • Set Plex external port manually to 52674 (Settings → Remote Access)

set address untrust Plex-Pub x.x.x.x/32
set service "TCP-52674" protocol tcp dst-port 52674-52674
set policy from untrust to untrust any Plex-Pub TCP-52674 nat dst ip 192.168.1.100 port 32400 permit

I hope it helps

Edit: also you can refer to this document in case you have your LAN segmented. It gives you the ports used for local discovery services.

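As an added illustration of the source-port point above (this is not code from the thread): a small Python model of a ScreenOS-style policy with destination NAT, run against client connections that pick a random ephemeral source port. The 203.0.113.10 and 198.51.100.7 addresses, the Flow/Policy names and the ephemeral port ranges are my assumptions.

```python
import random
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    """One inbound TCP connection attempt as seen on the Untrust interface."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

@dataclass(frozen=True)
class Policy:
    """Simplified ScreenOS-style policy: port-range match plus destination NAT."""
    src_ports: tuple   # inclusive (low, high); (0, 65535) means "any"
    dst_ports: tuple
    nat_dst_ip: str
    nat_dst_port: int

    def apply(self, flow):
        """Return the translated flow if the policy permits it, None if it is dropped."""
        if not (self.src_ports[0] <= flow.src_port <= self.src_ports[1]
                and self.dst_ports[0] <= flow.dst_port <= self.dst_ports[1]):
            return None
        return Flow(flow.src_ip, flow.src_port, self.nat_dst_ip, self.nat_dst_port)

WAN_IP = "203.0.113.10"        # constructed stand-in for the "Plex-Pub" x.x.x.x object
PLEX_LAN = "192.168.1.100"     # Plex server LAN address from the thread

# The original poster's failing rule: source ports restricted to 32400-39400 as well.
RESTRICTED = Policy((32400, 39400), (32400, 39400), PLEX_LAN, 32400)
# The reply's rule: any source port, external 52674 translated to 32400 inside.
ANY_SOURCE = Policy((0, 65535), (52674, 52674), PLEX_LAN, 32400)

# Default ephemeral (client source) port ranges; the client OS picks from these at random.
EPHEMERAL = {"windows_macos": (49152, 65535), "linux": (32768, 60999)}

def permitted_count(policy, dst_port, ephemeral_range, n=1000, seed=7):
    """Simulate n client connections to WAN_IP:dst_port and count how many the policy permits."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(n):
        f = Flow("198.51.100.7", rng.randint(*ephemeral_range), WAN_IP, dst_port)
        if policy.apply(f) is not None:
            hits += 1
    return hits

if __name__ == "__main__":
    for name, port_range in EPHEMERAL.items():
        print(name, "restricted:", permitted_count(RESTRICTED, 32400, port_range),
              "any-source:", permitted_count(ANY_SOURCE, 52674, port_range))
```

With the restricted rule, Windows and macOS clients (ephemeral ports above 49152) never match, and Linux clients match only by chance; with the any-source rule every connection is permitted and rewritten to 192.168.1.100:32400.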

Thanks, that was a huge help actually. Knowing that I don’t have to fiddle with the source ports alone was a big relief. I’m coming from DD-WRT and haven’t messed with an actual enterprise router for probably twenty years.

The way it’s configured is as a VIP with policies so I could more readily manage it through the GUI until I figure out ScreenOS over time. The next trick is to ensure that the VIP changes when my ISP changes my DHCP-assigned addresses, or I’ll have to go fiddle with it manually every time. I know how to do that, though; it’s a hassle, not a showstopper.

I’ve worked with operating systems from CP/M to Atari DOS, to SCO 3.2.4, right through to OS/2 and current operating systems, and either I’m getting old or ScreenOS is cryptic in the extreme.

Enterprise firewalls bring concepts that don’t exist on residential routers, and it can be confusing. I believe you can create an object type “FQDN” and give it a name of a DDNS that points to your WAN IP, but I’m not positive about that one.
