Plex As TrueNAS Container and Indirect Connections

Server: 1.43.0.10231

Okay, need some advice here as I am at wits end.

Recently moved to new house and had to switch from AT&T Fiber to Starlink. Since Starlink uses CGNAT I had to enable the use relay option in Plex so that the users of my Plex server can get to it. They have no issues and can access just fine. The issue I’m having is on the local network as no matter what settings I set I can’t get my local client to connect directly as the container sees them as being remote and uses the relay which in turn causes insufficient bandwidth issues during playback.

My container network is 192.168.32.0/20.

My server has multiple IPs and I have Plex set to use 192.168.0.60 in the app config under network options by selecting the “Publish port on host for external access” and select the IP mentioned from the list.

I have entered my LAN network and my container network in Plex in the network settings under LAN networks.

If I check the “Host Network” option in the app settings I can get direct streaming to show but the playback errors out in the Plex app.

In the app settings under “Network Configuration”, if I select “Publish port on the host for external access”, enter the port number of 32400 and select the IP I want the app to use which is 192.168.0.60 and leave the “Host Network” option unchecked as shown in the pic below…

In the network settings for Plex it doesn’t show the 192.168.0.60 IP in the available selections for “Preferred network interface”, just the network for the container are shown. I would think defining the IP to use would allow Plex to see it however it seems this only sets up the mapping of the IP into the container.

If however I select the “Host Network” option (which is recommended on the Plex forums to check despite the app config saying not to), the options to define the IP I’d like to use for the app go away.

and all my configured network IPs show up in the Plex app to select as well as the IPs in use by my other containers.

If I select the one I want to have it use and click the save settings Plex then moves to one I didn’t select to use. I can only leave it on Any which I really don’t want to as it will use all the interfaces and advertise everywhere.

Selected 192.168.0.60 and hit save…

Plex changed it to 192.168.0.65…

Any suggestions would be appreciated as I mentioned this only started when I had to start messing with Starlink and the Relay.

Enable the “host network” check box. Otherwise you are adding yet another layer of NAT, that even your local devices must traverse.

A second thing with local devices is your local DNS resolver. If it suppresses the use of an external DNS server for internal hosts (i.e. your Plex server), clients cannot communicate with the server over an encrypted connection. But many client types now enforce encryption – even on the local network. Thus you need to make sure DNS is working.
See https://support.plex.tv/articles/206225077-how-to-use-secure-server-connections/
Keywords “DNS rebinding protection” and “DNS server”

@OttoKerner - much appreciate the response.

I should add that I’m running my own DNS server on Linux boxes (ISC BIND) and using Cloudflare as my forwarders. Given this I’m not sure the rebinding is an issue. I am reading up on how to whitelist the “plex.direct” domain but again not sure if it’s needed. All of the examples I’m finding are related to routers and such, not for BIND.

It very much is, because rebinding protection is nowadays active by default. And if it is, it will interfere with local server access and in many cases prevent it (or force the traffic through the WAN, when it should be local).
I’m sure there are instructions out there how to create exceptions in the configuration for BIND.

I have found a few, working to see about adapting them for this.

Did you follow @OttoKerner’s advice and leave the “Host Network” option selected? If not, there are other steps you’re going to need to follow to allow direct connections.

Specifically, you’ll need to set the “ADVERTISE_IP” environment variable for your container to the URL where the server can be reached on the host. For example:

ADVERTISE_IP="http://<hostIPAddress>:32400/"

But honestly, just using host networking would be the best solution. There’s no reason not to unless you think you’re running some super-critical software on your “server” that should never be exposed on your LAN.

@pshanew - Yes I did check host networking and still having some issues as noted above. I didn’t know about the ADVERTISE_IP option you mentioned. That might help with limiting it to a certain IP instead of all the ones available. I’ll give that a try as well! Thx!

@pshanew - I had that set already to http://<plex.mydnsdomain>:32400 but I added the entry for IP as well since it’s a comma separated list

Okay, for those following along and that find this thread later here is what I’ve done.

I’ve set up my internal DNS servers with an rpz.whitelist zone which should allow the needed rebinding. I found a good write-up for this at the URL below that I modified for my needs and included the changes I did below.

URL: DNS Whitelist in BIND with RPZ

Added an entry to my “options” section in my config file:

response-policy { zone "rpz.whitelist"; };

Created a new zone entry in my config file:

zone "rpz.whitelist" {
    type master;
    file "rpz/db.rpz.whitelist";
    allow-query { none; };
};

Zone file contents:

$TTL 86400      ; 1 day
@       IN      SOA     localhost. root.localhost. (
2025111801 ; serial
900        ; refresh (15 minutes)
600        ; retry (10 minutes)
86400      ; expire (1 day)
3600       ; minimum (1 hour)
)
NS      localhost.

plex.direct     CNAME   rpz-passthru.

The above appears to have addressed my issues so I’m going to mark that as the solution for now. All testing appears to have gotten everything back to as it was. Thanks to all that chimed in.
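To show why the rebinding advice earlier in the thread and the RPZ passthru zone above fit together, here is an added Python model (not code from the thread, from Plex or from BIND) of what a resolver with rebinding protection does to Plex’s secure-connection hostnames and how an RPZ passthru rule exempts them; the hostnames, server hash and addresses are constructed. It also models the RPZ matching rule that a bare `plex.direct` entry matches only that exact name, while `*.plex.direct` is what covers the per-server hostnames.

```python
import ipaddress
import re

# Constructed sample names in the shape Plex uses for secure direct
# connections: <ip-with-dashes>.<server-hash>.plex.direct
LAN_NAME = "192-168-0-60.abcdef0123456789.plex.direct"
WAN_NAME = "203-0-113-7.abcdef0123456789.plex.direct"

_IP_LABEL = re.compile(r"^(\d{1,3})-(\d{1,3})-(\d{1,3})-(\d{1,3})$")

# Ranges a typical rebinding filter refuses to return for external names.
_BLOCKED = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def embedded_ip(hostname):
    """Return the IPv4 address encoded in the first label of a plex.direct
    name (the address the name is expected to resolve to), or None."""
    first = hostname.rstrip(".").split(".")[0]
    m = _IP_LABEL.match(first)
    if not m:
        return None
    try:
        return ipaddress.ip_address(".".join(m.groups()))
    except ValueError:
        return None


def rpz_passthru_matches(qname, rules):
    """Model RPZ QNAME matching: 'a.b' matches only that exact name,
    '*.a.b' matches every name below a.b but not a.b itself."""
    q = qname.rstrip(".").lower()
    for rule in rules:
        r = rule.rstrip(".").lower()
        if r.startswith("*."):
            if q.endswith(r[1:]) and q != r[2:]:
                return True
        elif q == r:
            return True
    return False


def rebinding_filter(qname, answer_ip, passthru_rules=()):
    """Return what a resolver with rebinding protection hands back for an
    answer: a LAN address is dropped (None) unless a passthru rule exempts
    the name, so the Plex client falls back to the relay."""
    ip = ipaddress.ip_address(answer_ip)
    blocked = any(ip in net for net in _BLOCKED)
    if blocked and not rpz_passthru_matches(qname, passthru_rules):
        return None
    return str(ip)
```

Feeding your own `*.plex.direct` name and the address your resolver actually returns into `rebinding_filter` reproduces the relay fallback: a `None` result is the case the passthru zone is meant to remove.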