That’s to be expected. Plex Media Server uses SSDP to discover HDHR network tuners; SSDP relies on multicast (to 239.255.255.250) which doesn’t cross network boundaries (at least not without some help). So it not being auto-detected by the server is completely normal.
This isn’t expected. In fact, I just tested with a spare HDHR Flex 4K. I placed it on my untrusted network and, as expected, it was not auto-detected. However, as soon as I manually entered its IP address, PMS detected it and allowed me to continue setting up the DVR.
My network (UniFi-based) is configured to allow all traffic from my trusted network to pass indiscriminately to my untrusted network. All traffic from untrusted to trusted is dropped, except for established and related (that is, traffic in response to, or related to, sessions already created by the trusted network).
Why not? I ask because a useful test would be to place it back on your trusted VLAN to ensure that it can still be detected there. Plex might have problems detecting this as a new tuner if it thinks it already exists in your previous configuration. If that’s the case it can be corrected with some minor database manipulation, but that might be challenging in your environment (presumably Docker on TrueNAS).
But let’s go for the low-hanging fruit first. When you manually configure the tuner, PMS is going to send an HTTP request to ipaddress:80. So ensure you allow at least that. Actually, for the time being, I’d recommend allowing all traffic to that IP address to pass. And ensure you’re allowing established/related traffic in the other direction as well.
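Added example, not part of the original post: a small check to run from the host where PMS lives, which tells a firewall drop (no reply at all) apart from a reachable tuner address with nothing listening, and then confirms that port 80 actually answers HTTP. The function names and the 192.0.2.10 address are placeholders chosen for this illustration.

```python
import http.client
import socket
import sys


def probe_tcp(host, port=80, timeout=3.0):
    """Classify a TCP connect attempt to host:port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        # The far side answered with a reset: the path across the VLAN
        # boundary works, but nothing is listening on that port.
        return "refused"
    except socket.timeout:
        # No reply at all, which is what a firewall drop rule looks like.
        return "filtered"
    except OSError:
        # No route, ICMP unreachable, bad address, and similar.
        return "unreachable"


def probe_http(host, port=80, timeout=3.0):
    """Return the HTTP status for GET /, or None if no HTTP reply came back."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", "/")
        return conn.getresponse().status
    except (OSError, http.client.HTTPException):
        return None
    finally:
        conn.close()


if __name__ == "__main__":
    # Placeholder address (documentation range); pass the tuner's IP instead.
    tuner = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"
    state = probe_tcp(tuner, 80)
    print(f"{tuner}:80 tcp={state}")
    if state == "open":
        print(f"{tuner}:80 http_status={probe_http(tuner, 80)}")
```

A result of `filtered` points at the firewall rules between the two networks; `open` with an HTTP status means the network path is fine and the problem is more likely on the server side.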