New Linux Plex Server - No Remote Access

I read this as:

1. VPN to a remote machine
2. From that remote machine → RDP to PMS server
3. Test on PMS server host.

Is this correct?

If so, then you defeated the test by passing through the RDP pathway.

You must VPN out to the remote host.
The remote host must attempt to reach your PMS server’s WAN IP:forwarded-port
You should then see PMS respond (because the connection was made).

You have, what, three levels of firewall here?
– WAN/router port forward.
– IPtables
– UFW

I’m not busting your **** on this but if you have this for PMS, Isn’t that excessive ?

I’m asking because if a particular layer you have isn’t satisfying the need – do something else and drop the one which doesn’t.

I have two combined as one:

1. List of allowed remote IPs/FQDNs/DDNS names which are allowed to connect
2. NAT-port forward rule which only allows IP’s (real-time lookup) found in that list to pass.

If someone gets past that, then they’re spoofing my ISP (and getting away with it) and every other router in the internet. (they’ve broken BGP tables at the backbone core)

For things on my LAN, I use physical switching VLAN ID isolation.
If I don’t want two hosts to see each other then they’re not on the same VLAN.

( To me; VLAN is physical wiring and different than SUBNET which is addressing on that wiring. )

Test :

VPN to remote site

RDP into bastion host

Open up shell

Run commands as posted… showing pass state as a connection “from the internet” back through the Public Facing IP of the pfsense router, through the NAT forwarding service, routing to the PMS system.

“… three levels of firewall here?..” → No. .just one… the pfsense.

– WAN/ → Fireawall table and filter rules based on unbound filter sets + other filters / rules
NAT —> router port forward. IF WAN from * proto TCP Port 32400 Forward LAN_VLAN100 IP 172.16.100.110 Proto TCP Port 32400
<10Gb Switch> ===> No ACL or filters just L2 repeater
– IPtables → PMS Host. Ubuntu 22.04 running plex 4.116.1
—– UFW -. nope. none enabled as noted in systemctl and iptables -F to denote kernel tables are Allow * from * to * all Proto

And as noted in tcp session / logs… From internet… session traveled that path to PMS host. Sooo… its not a forwarding or firewall, or lack of service listening.

You have 2 layers here.

1. Pfsense –
2. IPtables on the PMS host –

If you’re keeping IPtables on the PMS host, do you have an ACCEPT statement defined for port 32400/tcp ?

Are you using the ‘-F’ option?

?

As stated:

– IPtables → PMS Host. Ubuntu 22.04 running plex 4.116.1
—– UFW -. nope. none enabled as noted in systemctl and iptables -F to denote kernel tables are Allow * from * to * all Proto

Not sure how to make it more clear…

root@pandora:/media/md0/containers# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
CILIUM_INPUT  all  --  anywhere             anywhere             /* cilium-feeder: CILIUM_INPUT */
KUBE-FIREWALL  all  --  anywhere             anywhere            

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
CILIUM_FORWARD  all  --  anywhere             anywhere             /* cilium-feeder: CILIUM_FORWARD */

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
CILIUM_OUTPUT  all  --  anywhere             anywhere             /* cilium-feeder: CILIUM_OUTPUT */
KUBE-FIREWALL  all  --  anywhere             anywhere            

Chain CILIUM_FORWARD (1 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             /* cilium: any->cluster on cilium_host forward accept */
ACCEPT     all  --  anywhere             anywhere             /* cilium: cluster->any on cilium_host forward accept (nodeport) */
ACCEPT     all  --  anywhere             anywhere             /* cilium: cluster->any on lxc+ forward accept */
ACCEPT     all  --  anywhere             anywhere             /* cilium: cluster->any on cilium_net forward accept (nodeport) */

Chain CILIUM_INPUT (1 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             /* cilium: ACCEPT for proxy traffic */

Chain CILIUM_OUTPUT (1 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             /* cilium: ACCEPT for proxy return traffic */
ACCEPT     all  --  anywhere             anywhere             /* cilium: ACCEPT for l7 proxy upstream traffic */
MARK       all  --  anywhere             anywhere             /* cilium: host->any mark as from host */ MARK xset 0xc00/0xf00

Chain KUBE-FIREWALL (2 references)
target     prot opt source               destination         
DROP       all  -- !127.0.0.0/8          127.0.0.0/8          /* block incoming localnet connections */ ! ctstate RELATED,ESTABLISHED,DNAT

Chain KUBE-KUBELET-CANARY (0 references)
target     prot opt source               destination         
root@pandora:/media/md0/containers# systemctl status ufw
○ ufw.service - Uncomplicated firewall
     Loaded: loaded (/lib/systemd/system/ufw.service; disabled; vendor preset: enabled)
     Active: inactive (dead)
       Docs: man:ufw(8)

PMS has no firewall enabled and … has service plex-media-server listening on tcp port 32400

root@pandora:/media/md0/containers# ss |grep 32400
u_str ESTAB      0      0                                                             /run/systemd/journal/stdout 32400                             * 50399             
u_str ESTAB      0      0                                                                                       * 50399                             * 32400             
tcp   ESTAB      0      0                                                                          172.16.100.110:32400                 75.26.219.169:62373             
tcp   ESTAB      0      0                                                                          172.16.100.110:32400               172.127.119.208:49754             
tcp   ESTAB      0      0                                                                          172.16.100.110:55312               106.234.144.117:32400             
tcp   ESTAB      0      0                                                                          172.16.100.110:32400                 172.16.100.31:11366             
tcp   ESTAB      0      0                                                                          172.16.100.110:32400               172.127.119.208:36870             
tcp   ESTAB      0      0                                                                          172.16.100.110:41206                 75.26.229.169:32400             
tcp   ESTAB      0      0                                                                          172.16.100.110:32400                 172.16.100.31:27515             
root@pandora:/media/md0/containers# 

That makes it clear. So WTF is it failing to pass on the inbound.

Here’s a test ??

put iperf3 on the host and let it run at port 5201 (it’s default).
iperf3 -s in the terminal window so you can watch for connections.

On pfsense, make a port forward rule to machine_IP:5201 TCP.
No restrictions, No VLAN tagging. Just a Pass rule to allow it into the WAN and out

Here’s mine.. which is restricted to specific source IPs (I don’t want to be an iperf server for the world). Machine IP is 192.168.0.20 (My NAS / PMS box )

Then put iperf3 on your phone / whatever and hit your WAN IP.

See what you get.

Screenshot from 2024-01-25 19-59-16719×695 73.4 KB

Go to the firewall logs and confirm Pfsense is passing in.

The firewall logs are visible in the GUI at Status > System Logs , on the Firewall tab.

Ok…

image1015×1112 64 KB

My PMS 172.16.100.110

NAT active rules

image1163×289 16.6 KB

Intranet based test

nerd@LT1l:~$ iperf3 -c 172.16.100.110 -p 5201
Connecting to host 172.16.100.110, port 5201
[  5] local 172.16.108.219 port 48536 connected to 172.16.100.110 port 5201
[ ID] Interval           Transfer     Bitrate         Retr  Cwnd
[  5]   0.00-1.00   sec   113 MBytes   947 Mbits/sec    0   3.14 MBytes       
[  5]   1.00-2.00   sec   109 MBytes   912 Mbits/sec    0   3.14 MBytes       
[  5]   2.00-3.00   sec   109 MBytes   912 Mbits/sec    0   3.14 MBytes       
[  5]   3.00-4.00   sec   110 MBytes   923 Mbits/sec    0   3.14 MBytes       
[  5]   4.00-5.00   sec   110 MBytes   923 Mbits/sec    0   3.14 MBytes       

Remote / Internet test

[root@k8bastion ~]# iperf3 -c 108.234.147.234 -p 5201
Connecting to host 108.234.147.234, port 5201
[  5] local 10.89.135.190 port 56574 connected to 108.234.147.234 port 5201
[ ID] Interval           Transfer     Bitrate         Retr  Cwnd
[  5]   0.00-1.00   sec  35.8 MBytes   301 Mbits/sec  141   2.56 MBytes
[  5]   1.00-2.00   sec  41.2 MBytes   346 Mbits/sec   37   1.90 MBytes
[  5]   2.00-3.00   sec  43.8 MBytes   367 Mbits/sec    8   1.40 MBytes
[  5]   3.00-4.00   sec  38.8 MBytes   325 Mbits/sec    0   1.49 MBytes
[  5]   4.00-5.00   sec  40.0 MBytes   336 Mbits/sec    0   1.56 MBytes
[  5]   5.00-6.00   sec  42.5 MBytes   357 Mbits/sec    0   1.61 MBytes
[  5]   6.00-7.00   sec  42.5 MBytes   357 Mbits/sec    0   1.64 MBytes
[  5]   7.00-8.00   sec  43.8 MBytes   367 Mbits/sec    0   1.66 MBytes
^C[  5]   8.00-8.33   sec  15.0 MBytes   387 Mbits/sec    0   1.67 MBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-8.33   sec   343 MBytes   346 Mbits/sec  186             sender
[  5]   0.00-8.33   sec  0.00 Bytes  0.00 bits/sec                  receiver
iperf3: interrupt - the client has terminated

I did one layer further test

[root@k8bastion ~]# iperf3 -c 108-234-147-234.3f1010blah528243bc44ca39e.plex.direct -p 5201
Connecting to host 108-234-147-234.3f1010blah528243bc44ca39e.plex.direct, port 5201
[  5] local 10.89.135.190 port 53008 connected to 108.234.147.234 port 5201
[ ID] Interval           Transfer     Bitrate         Retr  Cwnd
[  5]   0.00-1.00   sec  31.0 MBytes   260 Mbits/sec  210   1.98 MBytes
[  5]   1.00-2.00   sec  45.0 MBytes   377 Mbits/sec    0   2.10 MBytes
[  5]   2.00-3.00   sec  41.2 MBytes   346 Mbits/sec   25   1.56 MBytes
[  5]   3.00-4.00   sec  42.5 MBytes   357 Mbits/sec    0   1.64 MBytes
[  5]   4.00-5.00   sec  43.8 MBytes   367 Mbits/sec    0   1.71 MBytes
^C[  5]   5.00-5.02   sec  1.25 MBytes   434 Mbits/sec    0   1.71 MBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-5.02   sec   205 MBytes   342 Mbits/sec  235             sender
[  5]   0.00-5.02   sec  0.00 Bytes  0.00 bits/sec                  receiver
iperf3: interrupt - the client has terminated

and.. having built a baseline on tcp communication through to host on 5201.

Step 1: <stopped iperf3 listening service on PMS
Step 2: Update NAT to forward 5201 to host 32400

image1170×266 16.5 KB

Step 3: Change listening port on PMS to 5201

image921×543 50.7 KB

Run Test… failing.

So .. unless there is some range PMS is happy with related to TCP port.. Change to 5201 as baseline shows something… is very likely within PMS.

Ok, so that works.

The rules match ? (iperf & PMS port forward )

Do you have any regional blocks ?

( Plex has some servers in europe which check your remote access )

Screenshot from 2024-01-25 20-47-33944×684 54.4 KB

These are for me.

In your PMS logs, as PMS starts, with DEBUG logging, search for MyPlex.
You’ll see a bunch of IP addresses.

Those are your servers. Allow them.

Those are the hosts which perform the remote reachability test.

If you’d like to completely rule out Plex to confirm your port forwarding and firewall rule sanity, you could try using a simple HTTP server (with PMS stopped). Python works well for this.

On the command line, create a new empty directory. Then, create and empty file within that directory (touch test file). Inside that directory, run:
python3 -m http.server 32400

You should then be able to use something like canyouseeme.org to test reachability to your external IP:port to verify that it’s being forwarded. You should also be able to point a browser to your external IP:port to verify that it serves the contents of the directory you created (which is why it’s important that you do this in an otherwise empty directory).

(But I’d recommend following Chuck’s advice first and foremost.)

Enabled Debug
Stop PMS
Clear out all logs
Start PMS
validate services running and listening on 32400

Run attempt to enable Remote Access

Collect logs (download zip)

Log: com.plexapp.system.log → search for

Noted one set of errors at top of log… keeps failing to load from 127.0.0.1:32400

2024-01-25 21:03:10,601 (7f21f26a5808) :  INFO (core:349) - Starting framework core - Version: 2.6.3, Build: fb6452e (Wed Nov 01 17:48:42 UTC 2023)
2024-01-25 21:03:10,601 (7f21f26a5808) :  DEBUG (core:361) - Using the elevated policy
2024-01-25 21:03:10,601 (7f21f26a5808) :  DEBUG (core:365) - Extending whitelist: ['cgi', 'tempfile']
2024-01-25 21:03:10,601 (7f21f26a5808) :  DEBUG (core:450) - Starting runtime component.
2024-01-25 21:03:10,603 (7f21f26a5808) :  DEBUG (core:450) - Starting caching component.
2024-01-25 21:03:10,604 (7f21f26a5808) :  DEBUG (core:450) - Starting data component.
2024-01-25 21:03:10,604 (7f21f26a5808) :  DEBUG (core:450) - Starting networking component.
2024-01-25 21:03:10,604 (7f21f26a5808) :  DEBUG (networking:262) - Loaded HTTP cookies
2024-01-25 21:03:10,605 (7f21f26a5808) :  DEBUG (networking:434) - Setting the default network timeout to 20.0
2024-01-25 21:03:10,605 (7f21f26a5808) :  DEBUG (core:450) - Starting localization component.
2024-01-25 21:03:10,605 (7f21f26a5808) :  INFO (localization:409) - Setting the default locale to en-us
2024-01-25 21:03:10,606 (7f21f26a5808) :  WARNING (data:179) - Error decoding with simplejson, using demjson instead (this will cause a performance hit) - Expecting property name enclosed in double quotes: line 26 column 1 (char 1078)
2024-01-25 21:03:10,608 (7f21f26a5808) :  DEBUG (localization:427) - Loaded en strings
2024-01-25 21:03:10,608 (7f21f26a5808) :  DEBUG (core:450) - Starting messaging component.
2024-01-25 21:03:10,609 (7f21f26a5808) :  DEBUG (core:450) - Starting debugging component.
2024-01-25 21:03:10,609 (7f21f26a5808) :  DEBUG (core:450) - Starting services component.
2024-01-25 21:03:10,609 (7f21f26a5808) :  DEBUG (core:450) - Starting myplex component.
2024-01-25 21:03:10,609 (7f21f26a5808) :  DEBUG (core:450) - Starting notifications component.
2024-01-25 21:03:10,757 (7f21f26a5808) :  DEBUG (accessor:68) - Creating a new model access point for provider com.plexapp.system in namespace 'metadata'
2024-01-25 21:03:10,771 (7f21ef0ffb38) :  DEBUG (services:265) - Plug-in is not daemonized - loading services from system
2024-01-25 21:03:10,771 (7f21f26a5808) :  DEBUG (runtime:1117) - Created a thread named 'load_all_services'
2024-01-25 21:03:10,772 (7f21ef0ffb38) :  DEBUG (networking:144) - Requesting 'http://127.0.0.1:32400/:/plugins/com.plexapp.system/messaging/function/X0J1bmRsZVNlcnZpY2U6QWxsU2VydmljZXM_/Y2VyZWFsMQoxCmxpc3QKMApyMAo_/Y2VyZWFsMQoxCmRpY3QKMApyMAo_'
2024-01-25 21:03:10,774 (7f21f26a5808) :  DEBUG (runtime:1117) - Created a thread named 'get_server_info'
2024-01-25 21:03:10,774 (7f21f26a5808) :  DEBUG (core:150) - Finished starting framework core
2024-01-25 21:03:10,775 (7f21ef071b38) :  DEBUG (networking:144) - Requesting 'http://127.0.0.1:32400'
2024-01-25 21:03:10,775 (7f21ef0ffb38) :  ERROR (networking:197) - Error opening URL 'http://127.0.0.1:32400/:/plugins/com.plexapp.system/messaging/function/X0J1bmRsZVNlcnZpY2U6QWxsU2VydmljZXM_/Y2VyZWFsMQoxCmxpc3QKMApyMAo_/Y2VyZWFsMQoxCmRpY3QKMApyMAo_'
2024-01-25 21:03:10,776 (7f21f26a5808) :  DEBUG (core:560) - Loading plug-in code
2024-01-25 21:03:10,776 (7f21ef0ffb38) :  ERROR (services:272) - Unable to load services from system. Loading from the current bundle only.
2024-01-25 21:03:10,795 (7f21ef071b38) :  ERROR (networking:197) - Error opening URL 'http://127.0.0.1:32400'
2024-01-25 21:03:10,796 (7f21ef071b38) :  WARNING (core:541) - Unable to retrieve the machine identifier or server version.
2024-01-25 21:03:10,799 (7f21ef0ffb38) :  DEBUG (services:362) - Loaded services
2024-01-25 21:03:10,807 (7f21ef094b38) :  DEBUG (services:438) - No shared code to load

No listener for PMS is on loopback

root@pandora:/# ss |grep 32400
u_str ESTAB      0      0                                                             /run/systemd/journal/stdout 32400                             * 50399             
u_str ESTAB      0      0                                                                                       * 50399                             * 32400             
tcp   ESTAB      0      0                                                                          172.16.100.110:32400                 172.16.100.32:16506             
tcp   ESTAB      0      0                                                                          172.16.100.110:44618               108.234.144.117:32400             
tcp   ESTAB      0      0                                                                          172.16.100.110:32400                 75.26.229.169:44096             
tcp   ESTAB      0      0                                                                          172.16.100.110:32400               172.127.119.208:17776             
tcp   ESTAB      0      0                                                                          172.16.100.110:37266                 75.26.229.169:32400             
root@pandora:/#

Next log I looked into was “Plex Media Server.log”

Jan 25, 2024 21:03:43.198 [139686411205432] DEBUG - Request: [172.16.100.32:16440 (Subnet)] GET /myplex/account (10 live) #b0 TLS GZIP Signed-in Token (plexnerd) (Microsoft Edge)
Jan 25, 2024 21:03:43.199 [139686538316600] DEBUG - Completed: [172.16.100.32:16440] 200 GET /myplex/account (10 live) #b0 TLS GZIP 0ms 4035 bytes (pipelined: 24)
Jan 25, 2024 21:03:43.701 [139686454483768] DEBUG - Request: [172.16.100.32:16440 (Subnet)] GET /myplex/account (10 live) #b1 TLS GZIP Signed-in Token (plexnerd) (Microsoft Edge)
Jan 25, 2024 21:03:43.703 [139686540426040] DEBUG - Completed: [172.16.100.32:16440] 200 GET /myplex/account (10 live) #b1 TLS GZIP 1ms 4035 bytes (pipelined: 25)
Jan 25, 2024 21:03:44.208 [139686413314872] DEBUG - Request: [172.16.100.32:16440 (Subnet)] GET /myplex/account (10 live) #b2 TLS GZIP Signed-in Token (plexnerd) (Microsoft Edge)
Jan 25, 2024 21:03:44.210 [139686538316600] DEBUG - Completed: [172.16.100.32:16440] 200 GET /myplex/account (10 live) #b2 TLS GZIP 1ms 4035 bytes (pipelined: 26)
Jan 25, 2024 21:03:44.213 [139686540426040] DEBUG - [EventSourceClient/pubsub/45.79.197.58:443] EventSource: Got event [data] '<Message address="108.234.147.234" port="32400" asyncIdentifier="e23c6623-68cc-4e55-94ce-2700ae283cbd" connectivity="0" command="notifyConnectivity"/>'
Jan 25, 2024 21:03:44.213 [139686540426040] DEBUG - [EventSourceClient/pubsub/45.79.197.58:443] PubSub: Got notified of reachability for async identifier e23c6623-68cc-4e55-94ce-2700ae283cbd: 0 for 106.231.147.232:32400 (responded in 5253 ms)
Jan 25, 2024 21:03:44.214 [139686540426040] DEBUG - [EventSourceClient/pubsub/45.79.197.58:443] MyPlex: reachability check - current mapping state: 'Not Mapped'.
Jan 25, 2024 21:03:44.214 [139686540426040] DEBUG - [EventSourceClient/pubsub/45.79.197.58:443] MyPlex: inaccessibility report ignored because NAT punch is still pending.
Jan 25, 2024 21:03:44.219 [139686454483768] DEBUG - Request: [172.16.100.32:16440 (Subnet)] GET /myplex/account (10 live) #b3 TLS GZIP Signed-in Token (plexnerd) (Microsoft Edge)
Jan 25, 2024 21:03:44.220 [139686538316600] DEBUG - Completed: [172.16.100.32:16440] 200 GET /myplex/account (10 live) #b3 TLS GZIP 1ms 4035 bytes (pipelined: 27)
Jan 25, 2024 21:03:44.696 [139686415424312] DEBUG - Request: [172.16.100.32:16440 (Subnet)] GET /myplex/account (10 live) #b6 TLS GZIP Signed-in Token (plexnerd) (Microsoft Edge)
Jan 25, 2024 21:03:44.698 [139686540426040] DEBUG - Completed: [172.16.100.32:16440] 200 GET /myplex/account (10 live) #b6 TLS GZIP 1ms 4035 bytes (pipelined: 28)
Jan 25, 2024 21:03:45.206 [139686413314872] DEBUG - Request: [172.16.100.32:16440 (Subnet)] GET /myplex/account (10 live) #b7 TLS GZIP Signed-in Token (plexnerd) (Microsoft Edge)
Jan 25, 2024 21:03:45.208 [139686538316600] DEBUG - Completed: [172.16.100.32:16440] 200 GET /myplex/account (10 live) #b7 TLS GZIP 1ms 4035 bytes (pipelined: 29)

<snip>

Jan 25, 2024 21:03:11.734 [139686601677456] DEBUG - MyPlex: using cached data for request for https://plex.tv/api/v2/server/users?auth_token=xxxxxxxxxxxxxxxxxxxx
Jan 25, 2024 21:03:11.734 [139686498638648] DEBUG - [MediaProviderManager/HCl#d] HTTP requesting GET https://plex.tv/media/providers?X-Plex-Token=xxxxxxxxxxxxxxxxxxxx
Jan 25, 2024 21:03:11.735 [139686601677456] DEBUG - MyPlex: using cached data for request for https://plex.tv/api/v2/server/users/subscriptions?auth_token=xxxxxxxxxxxxxxxxxxxx
Jan 25, 2024 21:03:11.735 [139686601677456] DEBUG - MyPlex: using cached data for request for https://plex.tv/api/v2/server/users/services?auth_token=xxxxxxxxxxxxxxxxxxxx
Jan 25, 2024 21:03:11.737 [139686601677456] DEBUG - MyPlex: using cached data for request for https://plex.tv/api/v2/user?includeSubscriptions=1&includeProviders=1
Jan 25, 2024 21:03:11.737 [139686601677456] DEBUG - MyPlex: username is plexnerd, login is nobody.nobody@gmail.com, home is 1, no pin
Jan 25, 2024 21:03:11.740 [139686601677456] DEBUG - MyPlex: start public ip check and mapping - current mapped state: 'Unknown'.
Jan 25, 2024 21:03:11.740 [139686601677456] DEBUG - MyPlex: mapping state set to 'Not Mapped'.
Jan 25, 2024 21:03:11.740 [139686601677456] DEBUG - PublicAddressManager: Starting.
Jan 25, 2024 21:03:11.740 [139686601677456] DEBUG - PublicAddressManager: Obtaining public address and mapping port.
Jan 25, 2024 21:03:11.740 [139686509464376] DEBUG - PublicAddressManager: Obtaining public IP.
Jan 25, 2024 21:03:11.740 [139686509464376] DEBUG - [HCl#e] HTTP requesting GET https://v4.plex.tv/pms/:/ip
Jan 25, 2024 21:03:11.740 [139686454483768] DEBUG - [HCl#f] HTTP requesting GET https://plex.tv/api/v2/user?includeSubscriptions=1&includeProviders=1
Jan 25, 2024 21:03:11.740 [139686601677456] DEBUG - NetworkInterface: Starting watch thread.

Second part of log was snip that looked like communication to public Plex system to register IP… and that… is at bottom of log. Seems ok But that is only place that jumped out as to target IP .

And as for question of blocking non-US. Yes. I block all non-US sites.

I built Aliase rule to match yours and as plex.tv host was in list… I assume this is catch all for registration hosts.

image1062×694 40.9 KB

What I am not clear in pfsense is:

1. where to attach this “firewall aliases”
2. How to know it overrides/ takes higher precedence over pfBlockerNG regional rules

Found it in : Fireall → pfBlockerNG → General Settings → Links “Firewall Aliases”

image954×818 81.2 KB

I think by just building the list it sets those targets within “allow”?

Not sure … but seems logical

I think this shows messages coming in on port and though I know some traffic is local some is internet source based

root@pandora:/# systemctl stop plexmediaserver.service 
root@pandora:/# cd /media/md0/containers/
root@pandora:/media/md0/containers# touch test
root@pandora:/media/md0/containers# python3 -m http.server 32400
Serving HTTP on 0.0.0.0 port 32400 (http://0.0.0.0:32400/) ...
172.16.100.32 - - [25/Jan/2024 21:39:57] code 400, message Bad request version ('ÚÚ\\x13\\x01\\x13\\x02\\x13\\x03À+À/À,À0̨̩À\\x13À\\x14\\x00\\x9c\\x00\\x9d\\x00/\\x005\\x01\\x00\\x030')
172.16.100.32 - - [25/Jan/2024 21:39:57] "\x16\x03\x01\x03\x9d\x01\x00\x03\x99\x03\x03´>7|Hµv['ß+\x9buWËÒÝúÛ!\x8cÈ\x11\x7f<îAp§³Ào (\x90ÿÍØ]eºUÏÛL&¼\x90MÞ?*\x90Ff[ï¥\x9dª\x8f­?¹*\x00 ÚÚ\x13\x01\x13\x02\x13\x03À+À/À,À0̨̩À\x13À\x14\x00\x9c\x00\x9d\x00/\x005\x01\x00\x030" 400 -
172.16.100.32 - - [25/Jan/2024 21:39:57] code 400, message Bad request version ('\\x9a\\x9a\\x13\\x01\\x13\\x02\\x13\\x03À+À/À,À0̨̩À\\x13À\\x14\\x00\\x9c\\x00\\x9d\\x00/\\x005\\x01\\x00\\x03\\x10jj\\x00\\x00\\x00\\x05\\x00\\x05\\x01\\x00\\x00\\x00\\x00\\x00\\x12\\x00\\x00\\x00')
172.16.100.32 - - [25/Jan/2024 21:39:57] "\x16\x03\x01\x03}\x01\x00\x03y\x03\x03\x9a¯¬½\x07[\x90÷\x12¶Q¾;\x82\x82\x9f¥\x9dÎÜ\x90A\x14*å\x89\x89ã`\x9fJ\x89 H1X?1`ªÈÚdz\x86É\x9fÀ\x19Z²dy0bÀ\x80äElHJ\x82b{\x00 \x9a\x9a\x13\x01\x13\x02\x13\x03À+À/À,À0̨̩À\x13À\x14\x00\x9c\x00\x9d\x00/\x005\x01\x00\x03\x10jj\x00\x00\x00\x05\x00\x05\x01\x00\x00\x00\x00\x00\x12\x00\x00\x00" 400 -
172.16.100.32 - - [25/Jan/2024 21:39:57] code 404, message File not found
172.16.100.32 - - [25/Jan/2024 21:39:57] "GET /media/providers?X-Plex-Product=Plex%20Web&X-Plex-Version=4.116.1&X-Plex-Client-Identifier=lyvx48yhbtgkxmvc9khd96h0&X-Plex-Platform=Microsoft%20Edge&X-Plex-Platform-Version=121.0&X-Plex-Features=external-media%2Cindirect-media%2Chub-style-list&X-Plex-Model=bundled&X-Plex-Device=Windows&X-Plex-Device-Name=Microsoft%20Edge&X-Plex-Device-Screen-Resolution=2552x1284%2C2560x1440&X-Plex-Token=kZpVr--BNoczFNGwUyeD&X-Plex-Language=en&X-Plex-Session-Id=617fa89c-10d7-47af-830b-1b29f7bc59e8 HTTP/1.1" 404 -
172.16.100.32 - - [25/Jan/2024 21:39:58] code 400, message Bad request version ('ë\\x1a0%[ó\\x14rÚ³üoô6°)²\\x07\\x17V\\x14\\x1bÍ<\\x94Pxêz½àI\\x00#\\x00\\x00ÿ\\x01\\x00\\x01\\x00\\x00\\x1b\\x00\\x03\\x02\\x00\\x02\\x00\\x05\\x00\\x05\\x01\\x00\\x00\\x00\\x00Di\\x00\\x05\\x00\\x03\\x02h2\\x00')
172.127.119.208 - - [25/Jan/2024 21:41:05] "\x16\x03\x01\x01e\x01\x00\x01a\x03\x03\x94ÝYp2\x88×áf\x83ß¹bØÀqÙ\x00ì¯\x88M!\x96øT<#\x8b6GB §¹·=y»¤\x07»ë·$8°7\x1fNérë\x81ÿ³s%\x11[ÜJozw\x00>\x13\x02\x13\x03\x13\x01À,À0\x00\x9f̨̩̪À+À/\x00\x9eÀ$À(\x00kÀ#À'\x00gÀ" 400 -
**75.26.229.169** - - [25/Jan/2024 21:41:06] code 400, message Bad request version ('\\x0fZmÐe\\x8a\\x11\\x8e\\x00f)â7⿸,\\x06X`ÉË\\x86¿b\\x15àú\\x9a$«"\\x00>\\x13\\x02\\x13\\x03\\x13\\x01À,À0\\x00\\x9f̨̩̪À+À/\\x00\\x9eÀ$À(\\x00kÀ#À\\'\\x00gÀ')
**75.26.229.169** - - [25/Jan/2024 21:41:06] "\x16\x03\x01\x01i\x01\x00\x01e\x03\x03Û¼0G\x09$Öù¢ä¸âL^\x97\x07Ë\x03R]\x1cu\x94î\x0f\x92\x924½\x99Ú­ \x0fZmÐe\x8a\x11\x8e\x00f)â7⿸,\x06X`ÉË\x86¿b\x15àú\x9a$«"\x00>\x13\x02\x13\x03\x13\x01À,À0\x00\x9f̨̩̪À+À/\x00\x9eÀ$À(\x00kÀ#À'\x00gÀ" 400 -

remote site test

All of those 400’s are no good.

Any idea what is causing that? ( A proxy anywhere ?)

That’s normal for the Python HTTP server when it receives a request it doesn’t understand; anything starting with “code” is it sending a response.

Does canyouseeme.org see port 32400 open when Plex Media Server is running?

Yes.

And… as noted / posted earlier.

With forwarding rule for 32400 set back to NAT to the PMS server … Remote check (aka VPN + SSH to remote host to connect through the internet).

[root@k8bastion ~]# **telnet 108-234-147-234.3f101blah49bf3bc44ca324e.plex.direct 32400**
Trying 108.234.147.234...
Connected to 108-234-147-234.3f101blah49bf3bc44ca324e..plex.direct.
Escape character is '^]'.
**GET /web/index.html**
HTTP/1.1 200 OK
X-Plex-Protocol: 1.0
Cache-Control: no-cache
Accept-Ranges: bytes
Connection: close
Content-Length: 12417
Content-Type: text/html
Date: Fri, 26 Jan 2024 12:18:37 GMT

<!DOCTYPE html>
<!--
   =======   ==
  /==////== /==
  /==   /== /==   =====   ==   ==
  /=======  /==  ==///== //== ==
  /==////   /== /=======  //===
  /==       /== /==////    ==/==
  /==       /== //======  == //==
  //        //   /////   //   //

  Credits
   * Glyphicons - http://glyphicons.com
-->
<html lang="en" data-cast-api-enabled="true">
<head>
<title>Plex</title>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=Edge">
<meta name="apple-mobile-web-app-capable" content="yes">
<meta name="apple-itunes-app" content="app-id=383457673">
<meta name="robots" content="noindex,nofollow">
<meta name="hash" content="d76e5d16fe30680d0bbb">
<script>window.performance.mark('client:start-start');</script>
<link rel="stylesheet" href="/web/7723-7723-62a8513ca7c1d99e5273-plex-4.116.1.34633-acaef50.css">
<link rel="stylesheet" href="/web/main-179-d655df7e0f4b1d14d605-plex-4.116.1.34633-acaef50.css">
<link rel="shortcut icon" href="/web/favicon.ico">
<link rel="mask-icon" href="/web/favicon-mask.svg" color="#cc7b19">
<link rel="apple-touch-icon-precomposed" href="/web/static/icon-iphone.png">
<link rel="apple-touch-icon-precomposed" sizes="72x72" href="/web/static/icon-ipad.png">
<link rel="apple-touch-icon-precomposed" sizes="114x114" href="/web/static/icon-iphone@2x.png">
<link rel="apple-touch-icon-precomposed" sizes="144x144" href="/web/static/icon-ipad@2x.png">
</head>
<body>
<div id="plex" class="application">
<div class="plex-preloader-container plex-image-preloader plex-logo"></div>
</div>

IMAO: Above as noted shows:

1. Internet forwarding through pfsense to PMS
2. Session connection
3. Plex is service on target 32400
4. Concept of PMS registering its “hostname” within the plex registration service is working

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.