Plex (indirect) problem

The DNS services.

Restart the DNS resolver (aka unbound).

Given how fast PMS restarts, it’s just as easy to restart it

no change

Let me unwind a bit.

  1. “indirect” is coming from hosts on the LAN or remote hosts ?
  2. Are all LAN hosts on the same subnet ?
  3. PMS is on the LAN subnet with the players / clients or is it somewhere in between LAN and WAN ?

Can you give me some subnet address blocks as example for clarity ?

excuse please. need step away for a bit (real life issue). will be back ASAP

so we have my ISP router with DMZ set to the pfsense IP Address > then we have PFSense with a Surfshark vpn running and pointing to my Pi Hole, then we have the PFSense subnet which has 2 Plex Servers both of them bypassed VPN via NAT outbound records and also the two plex servers have their own manual port which they are port forwarded on PFSense so they can access outside network.
There’s no VLANs or nothing

Did you also create a corresponding policy route in pfSense so that the traffic is sent out of the correct interface? Outbound NAT doesn’t do that for you automatically; it only controls how the traffic is translated when it leaves a particular interface. Policy routes are needed to ensure that traffic is sent from the desired interface.

In fact, I’d guess that custom outbound NAT isn’t even required here, just the policy route. The automatic NAT rules already in-place should do the right thing ™. (That is, they’ll leave the source port intact and set the source IP address to that of the egress interface).

Also, when you make router or DNS changes, ensure you disable and then re-enable remote access in PMS. This will force it to re-register with Plex’s servers. Also completely close out of the client(s) with which you are testing and re-open them. This will force them to refresh their connection information for your Plex servers.

Manu firewall rules are already done. NAT is set to manual outbound as per VPN instructions, nothing has changed

I’m not referring to firewall rules but routing rules. Specifically policy routes:
https://docs.netgate.com/pfsense/en/latest/multiwan/concepts.html#multiwan-policyrouting

If your VPN interface is the default route, you’ll need to create a policy route for anything which should not egress it. NAT deals with translations; firewalls deal with security/access; routes deal with, well, routing. To have a well-behaving system all three have to be present. You can rely on automatic rules to an extent, but anytime you do anything even slightly more complex you need to consider all three of the above.

My Pfsense rules:

That makes it look as though there is indeed a policy route in place (first rule in BRIDGE_OF_LAN_PORTS).

Given that, navigate to this page in a browser:
https://plex.tv/api/resources?includeIPv6=1&includeHttps=1&X-Plex-Token=<your_plex_token>

You can find your Plex token using the information here:
https://support.plex.tv/articles/204059436-finding-an-authentication-token-x-plex-token/

Find your servers in the XML document returned and ensure the connection information looks correct. That is, it should look something like:
wanip-address-of-router.abcdef1234567890fedcba0987654321.plex.direct

The WAN IP should be that of your ISP router, with the octets dash-separated. What you don’t want to see is the IP address of the exit node for your VPN.

There’ll be one of those for the LAN address of the servers as well.

This will just ensure that the correct remote access connectivity info is being published to Plex’s servers.

1 Like

So
What do you mean my public IP will show in WAN IP area

There’ll be an FQDN for remote access in the connection info for your servers. The first part of that FQDN is the IP address, separated by dashes instead of periods. For example, it might look like:

https://203-0-113-51.xxxxxxxxxxxxxxxxxx.plex.direct:32400

That IP address should be that of the WAN interface of your router.

There will be at least one more FQDN, that for connections by clients inside your network; it will have your Plex server’s private/LAN IP address.

I tried this and it just showed a white page

The ip is showing as the ip from LAN on pfsense

If you’re using Safari, you need to enable developer options to see the XML document returned. I think most other browsers will show it.

If remote access is enabled it should show at least two “Connection” lines for each server. One for local clients’ access and the other for remote (they’ll have a ‘local=“N”’ at the end of the string; 1 equals local access, 0 equals remote access).

If the remote access connection info isn’t being successfully registered that could explain why Plex Relay is being used.

1 Like
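An added example, not part of the thread: a Python check that automates the manual inspection described above, reading a saved copy of the resources XML and flagging any server whose remote (`local="0"`) entry publishes something other than the expected WAN IP, such as a VPN exit node or a private address. The sample XML is constructed; the `Device` element and the `name` and `uri` attributes are assumptions about the document layout (the thread only confirms "Connection" lines carrying `local`), and `expected_wan` is a hypothetical parameter you supply.

```python
import ipaddress
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample: documentation-range IPs, placeholder hash, two servers.
SAMPLE_XML = """<MediaContainer>
  <Device name="server-a">
    <Connection uri="https://10-0-0-25.xxxxxxxxxxxxxxxxxx.plex.direct:32400" local="1"/>
    <Connection uri="https://203-0-113-51.xxxxxxxxxxxxxxxxxx.plex.direct:32400" local="0"/>
  </Device>
  <Device name="server-b">
    <Connection uri="https://10-0-0-26.xxxxxxxxxxxxxxxxxx.plex.direct:32401" local="1"/>
    <Connection uri="https://198-51-100-7.xxxxxxxxxxxxxxxxxx.plex.direct:32401" local="0"/>
  </Device>
</MediaContainer>"""

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def embedded_ip(uri):
    """IPv4 address encoded in the first label of a plex.direct URI, or None."""
    host = urlsplit(uri).hostname or ""
    if not host.endswith(".plex.direct"):
        return None
    try:
        return ipaddress.IPv4Address(host.split(".")[0].replace("-", "."))
    except ValueError:
        return None  # IPv6 or unexpected label: not handled here

def audit(xml_text, expected_wan):
    """Return (device, address, problem) tuples for connections that look wrong."""
    wan = ipaddress.IPv4Address(expected_wan)
    findings = []
    for dev in ET.fromstring(xml_text).iter("Device"):
        name, conns = dev.get("name"), dev.findall("Connection")
        if not any(c.get("local") == "0" for c in conns):
            findings.append((name, None, "no remote connection registered"))
        for c in conns:
            ip = embedded_ip(c.get("uri", ""))
            if ip is None:
                continue
            private = any(ip in net for net in RFC1918)
            if c.get("local") == "1" and not private:
                findings.append((name, str(ip), "local entry is not a private address"))
            elif c.get("local") == "0" and private:
                findings.append((name, str(ip), "remote entry publishes a private address"))
            elif c.get("local") == "0" and ip != wan:
                findings.append((name, str(ip), "remote entry is not the expected WAN IP"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_XML, "203.0.113.51"):
        print(finding)
```

With the constructed sample, only server-b is reported, because its remote entry carries an address other than the WAN IP passed in.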

using chrome, xml now shows when I pulled it up on my laptop, another thing when I clicked view xml my Public IP shows also I just had a look now and plex seems to have sorted itself, I don’t know what the issue was, but… it might happen again

so… I may have narrowed issue a bit further down. So my laptop connects to vpn as surfshark is installed by default. But if I turn off my vpn on my laptop it goes back to indirect. But my friend is watching something at the moment and they can manage to direct play, so the issue seems to be on my isp subnet because if I connect to surfshark it goes back to normal

We’re probably back to troubleshooting DNS in that case.

Using the connection information page from above, note both the local and remote FQDNs. Then run the following two commands on your laptop. First with the VPN disabled, then with the VPN enabled:
nslookup <local FQDN>
nslookup <local FQDN> 1.1.1.1

So, something like:

nslookup 10-0-0-25.xxxxxxxxxxxxxxxxxx.plex.direct
and...
nslookup 10-0-0-25.xxxxxxxxxxxxxxxxxx.plex.direct 1.1.1.1

You should end up with four results (one for each run of the command). Do they match? If not, how do they differ?

Then, do the same for the remote FQDN.

so run nslookup on ISP subnet? and then nslookup on pfsense subnet?

What I’m saying is my vpn on laptop is separate to pfsense instance, but if I connect to VPN on laptop it goes to direct if I turn it off it goes back to indirect.