Server Version#: 1.13.9.5456
Player Version#: various (different streaming devices, all affected the same)
I am not a firewall expert by any means, so this is probably a really easy fix for the right person.
Problem:
Requesting assistance with Plex firewall rules for segregated LAN and IoT networks at home.
Details:
I recently swapped out my home router for a DIY pfSense router/firewall. Without muddying this post up with too much detail, the pfSense box has five total ethernet ports that work as follows:
Port 1: WAN interface
Port 2: LAN interface (192.168.1.xxx)
Port 3: IoT VLAN interface (192.168.2.xxx)
Port 4: Not in use
Port 5: Not in use
My Dell C1100 server (Plex media server) is connected on the LAN interface and all of my Rokus and other streaming devices are segregated onto the IoT VLAN.
I have a firewall rule stating that anything on the 192.168.2.xxx (IoT VLAN) network CAN NOT talk to any devices on the 192.168.1.xxx (LAN) network but anything from LAN CAN talk to the IoT VLAN. This creates the issue that all of my streaming devices are going out to the internet and coming back to my Plex box and are having their speeds throttled or showing as a relay connection.
I’m looking for assistance in setting up firewall rules for Plex that would allow anything on my IoT VLAN to connect to ONLY to my media server and ONLY for Plex related ports.
Do you want EVERYTHING on your IoT network to be able to talk to your Plex server, or just certain devices? It’s very possible to limit this access to just your Plex server and just the port that Plex uses. But it’s also possible to limit the devices on your IoT network that can make that connection in the first place.
Just wondering how strict you want to be here.
A more strict posture obviously requires more management when you want to add something new later on.
Sorry for the delayed response, we have friends from out of town in for the weekend.
Eventually I plan to create static IPs/names for each streaming device and put them together as an alias so only those devices will talk to ONLY my media server and ONLY over the Plex port(s), but for now I’m just having trouble making the rule in general work. I do want to be strict eventually, but for now I just want to get this to work.
Sounds good. I have a post ready to go at home. When I get back this afternoon I’ll post it for you. The alias you’re planning to create is part of the equation, so if you want to do that in the meantime, that’ll be a good start. DHCP reservations are also recommended, to make sure IP addresses don’t change and keep a device from talking to your Plex server down the road.
I already started the DHCP reservations and static host names, I’m about to head out of the house for an hour or two (my wife has Microsoft Surface fever for some reason so we’re going to go look at them), but I’ll get the reservations completed and hopefully be ready for next steps by the time you’re able to post.
1. All five Roku devices have static mappings in the IoT VLAN (192.168.2.201 - x.x.x.205)
2. All aliased together simply as Rokus
3. Altered the IoT firewall rule
3A. Used to be: allow all IoT VLAN via port 32400 to 192.168.1.221:32400
3B. Changed to: allow only Rokus (selected as alias) via port 32400 to 192.168.1.221:32400
Your issue is the source port from your Rokus in the IoT firewall rule. The Roku devices will be using random port numbers to originate their requests… the destination port is the only thing that will be 32400. Set the source port to Any (that should be the default, and if you read pfSense’s note, they recommend leaving it that way for a reason) and see if that fixes things.
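To make the source-port point concrete, here is a small Python model of how a stateful firewall matches the first packet of a flow against the two rule variants from the thread. This is an added example, not code from the thread or from pfSense; the alias members, the Plex server address 192.168.1.221 and port 32400 come from the posts above, while the ephemeral client port and the extra test packets are constructed samples.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Sequence

# Values from the thread: five Rokus aliased together, Plex server on the LAN side.
ROKUS = tuple(ipaddress.ip_network(f"192.168.2.{n}/32") for n in range(201, 206))
PLEX_SERVER = ipaddress.ip_address("192.168.1.221")
PLEX_PORT = 32400


@dataclass(frozen=True)
class Rule:
    """One pfSense-style pass rule. src_port=None means 'any' (the default)."""
    src_nets: Sequence[ipaddress.IPv4Network]
    src_port: Optional[int]
    dst_host: ipaddress.IPv4Address
    dst_port: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Packet:
    """The first packet of a flow (the SYN); only this one is matched against rules."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    src = ipaddress.ip_address(pkt.src_ip)
    if pkt.proto != rule.proto:
        return False
    if not any(src in net for net in rule.src_nets):
        return False
    # This is the check that bit the thread: a pinned source port almost never matches,
    # because the client picks a fresh ephemeral port for every connection.
    if rule.src_port is not None and pkt.src_port != rule.src_port:
        return False
    return ipaddress.ip_address(pkt.dst_ip) == rule.dst_host and pkt.dst_port == rule.dst_port


def decide(pass_rules: Sequence[Rule], pkt: Packet) -> str:
    """First matching pass rule wins; the IoT->LAN block rule beneath it catches the rest."""
    for rule in pass_rules:
        if rule_matches(rule, pkt):
            return "pass"
    return "block"


# 3A from the thread: source port pinned to 32400 (wrong).
BROKEN_RULE = Rule(ROKUS, 32400, PLEX_SERVER, PLEX_PORT)
# 3B with the fix applied: source port 'any', destination 192.168.1.221:32400 only.
FIXED_RULE = Rule(ROKUS, None, PLEX_SERVER, PLEX_PORT)

# Constructed sample: a Roku opening a stream; 51234 is an arbitrary ephemeral port.
ROKU_TO_PLEX = Packet("192.168.2.203", 51234, "192.168.1.221", PLEX_PORT)
# Constructed sample: a non-aliased IoT device trying the same thing.
OTHER_IOT_TO_PLEX = Packet("192.168.2.50", 51234, "192.168.1.221", PLEX_PORT)
# Constructed sample: an aliased Roku aiming at something other than Plex on the LAN.
ROKU_TO_LAN_SSH = Packet("192.168.2.203", 51234, "192.168.1.10", 22)

if __name__ == "__main__":
    for name, rule in (("3A (src port 32400)", BROKEN_RULE), ("3B (src port any)", FIXED_RULE)):
        print(f"{name}: Roku->Plex = {decide([rule], ROKU_TO_PLEX)}")
    print("other IoT->Plex under 3B:", decide([FIXED_RULE], OTHER_IOT_TO_PLEX))
    print("Roku->LAN:22 under 3B:", decide([FIXED_RULE], ROKU_TO_LAN_SSH))
```

Two things the model leaves implicit but that matter in pfSense: the pass rule must sit above the IoT-to-LAN block rule on the IoT interface, because rules are evaluated top-down and the first match wins, and because pf is stateful the Plex server's replies ride on the state created by the SYN, so no matching rule is needed on the LAN interface.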
Ok, so I made the changes you guys mentioned (any Roku aliased source port to only media server Plex port 32400) and I still can’t get anything from my IoT network to work for Plex. I went ahead and tried to access Plex from my personal PC (via Microsoft store’s Plex app) which is on the same internal LAN as my media server and should work because anything in this LAN can talk to anything else and they’re in the same LAN.
However, when I tried that I get an error saying:
“DNS Rebinding Protection detected. Your router or ISP appears to be preventing us from accessing the Plex Media Server directly at https://192-168-0-180.27da8168cfee4a1ba4454e85848981d2.plex.direct:32400/. In many cases, this is something you can fix with a configuration change… blah blah blah”
Similarly, if you are using pfSense’s internal DNS resolver service, you’ll want to adjust that configuration. In the pfSense web UI, go to Services > DNS Resolver, click Display Custom Options, and enter the following in the text box:
server:
private-domain: "plex.direct"
I then tried the Plex app on my PC from the LAN network and voila, all good, that aspect works. I then put my PC on the IoT network and tried again and got an error stating “The server ‘Media Server’ is unavailable.” I jump back again to my LAN wifi, I’m good to go.
So I feel like I’m on the cusp of getting this thing resolved, but I’m just missing something. You guys have been super helpful thus far, any other ideas?
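For readers wondering why the private-domain line fixes the "DNS Rebinding Protection detected" error, here is an added Python example (not from the thread, Plex or pfSense) that decodes the address a plex.direct hostname encodes and models the one Unbound behaviour that matters here: a resolver with rebinding protection refuses to return a private (RFC 1918, loopback or link-local) address for a name unless the name falls under a private-domain entry. The hostname is the one from the error message above; the simplified resolver logic and the helper names are assumptions of this example.

```python
import ipaddress
import re
from typing import Iterable, Optional

# plex.direct names embed the server's address in the first label, e.g.
# 192-168-0-180.<32 hex chars>.plex.direct -> A record 192.168.0.180
PLEX_DIRECT_RE = re.compile(
    r"^(\d{1,3})-(\d{1,3})-(\d{1,3})-(\d{1,3})\.[0-9a-f]{32}\.plex\.direct$",
    re.IGNORECASE,
)


def embedded_address(hostname: str) -> Optional[ipaddress.IPv4Address]:
    """Return the address a plex.direct hostname encodes, or None for other names."""
    m = PLEX_DIRECT_RE.match(hostname.strip().rstrip("."))
    if not m:
        return None
    try:
        return ipaddress.IPv4Address(".".join(m.groups()))
    except ipaddress.AddressValueError:
        return None


def is_private_answer(addr: ipaddress.IPv4Address) -> bool:
    """Addresses a rebinding-protecting resolver refuses to hand back for public names."""
    return addr.is_private or addr.is_loopback or addr.is_link_local


def in_domains(hostname: str, domains: Iterable[str]) -> bool:
    """True if hostname is the domain itself or a subdomain of it (case-insensitive)."""
    h = hostname.lower().rstrip(".")
    for d in domains:
        d = d.lower().rstrip(".")
        if h == d or h.endswith("." + d):
            return True
    return False


def resolver_verdict(hostname: str, answer: str, private_domains: Iterable[str] = ()) -> str:
    """Simplified model (assumption of this example) of Unbound's private-address filter.
      'public'   - routable answer, never filtered
      'filtered' - private answer for a name outside private-domain: dropped, which is
                   what the Plex client reports as 'DNS Rebinding Protection detected'
      'allowed'  - private answer for a name under a private-domain entry: returned
    """
    addr = ipaddress.IPv4Address(answer)
    if not is_private_answer(addr):
        return "public"
    return "allowed" if in_domains(hostname, private_domains) else "filtered"


def check_plex_direct(hostname: str, private_domains: Iterable[str] = ()) -> str:
    """Verdict for a plex.direct name, using the address it encodes as the DNS answer."""
    addr = embedded_address(hostname)
    if addr is None:
        raise ValueError(f"not a plex.direct hostname: {hostname}")
    return resolver_verdict(hostname, str(addr), private_domains)


if __name__ == "__main__":
    # The hostname from the error message in the thread.
    name = "192-168-0-180.27da8168cfee4a1ba4454e85848981d2.plex.direct"
    print("encoded address:", embedded_address(name))
    print("resolver without private-domain:", check_plex_direct(name))
    print("resolver with private-domain plex.direct:", check_plex_direct(name, ["plex.direct"]))
```

The suffix match in in_domains is deliberate: "evilplex.direct" is not under "plex.direct", so the allowlist stays narrow, which is the same reason the custom option names the exact domain rather than a wildcard.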
Are you able to connect to https://192.168.1.221:32400 from your PC’s web browser when sourced from 192.168.2.0/24?
You can try a simple port probe using either of the below commands:
Linux or Windows: telnet 192.168.1.221 32400
Linux or macOS: nc -vz 192.168.1.221 32400
Hang on… so your LAN is 192.168.1.x, right? But the URL you posted seems to show that it’s trying to access 192.168.0.180 based on the Plex hostname. Does your Plex server have multiple NICs? If so, you might want to set the preferred NIC through that option in the Plex advanced network settings. That might also explain why your IoT network can’t access it.
Otherwise, it looks like you’ve done everything else right, from what I can see…
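The telnet and nc probes above answer "can I connect?", but the way a probe fails is the more useful clue. Here is an added Python example (not from the thread) that performs the same single-port TCP probe and separates a silent timeout, which points at a firewall dropping the SYN, from an active refusal, which means the host was reached but nothing is listening. The hint texts and the loopback self-check are this example's own; the real target would be the server address and port from the thread.

```python
import errno
import socket
import sys

# Hints are this example's interpretation of the three usual outcomes, not tool output.
VERDICT_HINTS = {
    "open": "TCP handshake completed: the firewall passes the flow and the service is listening",
    "refused": "host answered with RST: the path is open but nothing listens on that port "
               "(service not running, or bound to a different NIC)",
    "timeout": "no reply at all: the SYN is being dropped, typically by a firewall rule "
               "or a missing route between the VLAN and the LAN",
    "unreachable": "the local stack or a router reported no route to the host",
}


def probe_tcp(host: str, port: int, timeout: float = 3.0) -> str:
    """Attempt one TCP connection and classify the outcome (see VERDICT_HINTS)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except socket.timeout:
            return "timeout"
        except ConnectionRefusedError:
            return "refused"
        except OSError as exc:
            if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
                return "unreachable"
            return f"error:{exc.errno}"


def explain(verdict: str) -> str:
    return VERDICT_HINTS.get(verdict, "unexpected socket error; check the errno")


def loopback_demo() -> tuple:
    """Self-check needing no network: probe a listener we open ourselves, then probe
    the same port after closing it. Expected result: ('open', 'refused')."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # port 0 lets the OS pick a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    while_open = probe_tcp("127.0.0.1", port, timeout=2.0)
    listener.close()
    after_close = probe_tcp("127.0.0.1", port, timeout=2.0)
    return while_open, after_close


if __name__ == "__main__":
    if len(sys.argv) == 3:  # e.g. python probe.py 192.168.1.221 32400
        verdict = probe_tcp(sys.argv[1], int(sys.argv[2]))
        print(verdict, "-", explain(verdict))
    else:
        print("loopback self-check:", loopback_demo())
```

Run from a PC on the IoT VLAN against the server, a "timeout" verdict means the packets never come back, so the rule set is the place to look, whereas "refused" would clear the firewall and point at the Plex service or its bound interface instead.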
No, I cannot connect to https://192.168.1.221:32400 when sourced from 192.168.2.0/24. Pinging the IP yields a time out and 100% loss. Attempting the connection via telnet yields: “Connecting To 192.168.1.221…Could not open connection to the host, on port 32400: Connect failed”
Regarding that 192.168.0.180 IP… before I switched over to my pfSense box, I was using a super high end consumer grade TP-Link router. I set up that IP as a static one for the media server. That TP-Link router now acts as just an AP in bridge mode. Between the TP-Link AP and the pfSense box I have an HP ProCurve managed switch which the media server is now connected to (but so is the TP-Link box). Is it possible that settings somehow didn’t get flushed/renewed or something? Maybe that error message was a remnant of a cached connection on my local PC’s side for the old Plex connection?
When I switch the “Preferred network interface” from any to “Ethernet 2 (192.168.1.221)” nothing changes.
(Feel free to ignore this for now and, if you guys are willing, we can circle back to it later.)
As a side note, could all of this stuff have an effect on why I can’t keep the Remote Access alive? I try to enable it and it turns green for about five seconds then it flops back to red. I’ll watch it from my Plex app on iPhone and everything just stays offline.
I believe you need to restart Plex server after changing that Preferred Network Interface setting for it to take effect. And might not hurt to restart the Plex app on the devices too after restarting the server so they get the updated hostname/address from Plex. Otherwise they might still be trying to connect with the 192.168.0.x address.